REST API Reference

The Lab Atlas public REST API lets external clients — scripts, integrations, internal tooling, and partner systems — interact with the same projects, studies, assays, and supporting resources that the Lab Atlas web client uses. This guide explains how to obtain credentials, authenticate requests, and call each endpoint.

Quick start

# Set your tenant base URL and API key
export LA_BASE=https://your-tenant.labatlas.com
export LA_KEY=lak_xxxxxxxx.xxxxxxxxxxxxxxxxxxxx

# List the projects visible to your account
curl -s "$LA_BASE/api/beta/projects" \
     -H "Authorization: ApiKey $LA_KEY" | jq .

# Create a new project
curl -s -X POST "$LA_BASE/api/v1/projects" \
     -H "Authorization: ApiKey $LA_KEY" \
     -H "Content-Type: application/json" \
     -d '{
       "code": "MYPROJ",
       "name": "My Project",
       "description": "Created via the public API.",
       "visibility": "PRIVATE"
     }'

Getting an API key

API keys are issued from inside the Lab Atlas web application. Each key is owned by a specific organization user, and every request made with that key executes under that user's permissions — there is no separate service account.

To create a key:

1. Sign in to your Lab Atlas tenant.

2. Open the user menu in the top-right corner and choose Account settings.

3. Select the API keys tab.

4. Click Create new key.

5. Give the key a memorable display name (for example, lims-importer, nightly-backup) and choose how long it should remain valid.

6. Copy the key value from the modal that appears. This is the only time the full key value is shown. Store it somewhere safe — a secret manager, your CI's environment variables, or an encrypted note.

You can also list, rotate, or revoke your existing keys from the same screen. Revoking a key takes effect immediately; any request presenting the revoked key will fail with 401 Unauthorized.

Heads up: the API-key UI is only available when your Lab Atlas tenant has the Enterprise feature flag enabled. If you do not see the API keys tab, contact your administrator.

A key value looks like lak_<keyId>.<secret>. The lak_ prefix and keyId segment are stable identifiers; the segment after the dot is the secret material.

Per-user, per-organization

Each key is bound to exactly one (user, organization) pairing. If you belong to two organizations, you need a separate key for each. Switching your active organization in the web UI does not change the org a previously-issued key is scoped to.

Key lifecycle

Authentication

Every request to /api/beta/** must present a valid API key. Two header formats are accepted; pick whichever fits your client best:

Do not use Authorization: Bearer …. Bearer tokens are reserved for the internal /api/i/** API and will be rejected on the public endpoints.

Missing, expired, malformed, or revoked keys return 401 Unauthorized with no response body. Keys that are valid but lack the permission required for the action return 403 Forbidden.

Required transport

All requests must be made over HTTPS. The API enforces HSTS and will reject plain-HTTP traffic at the load balancer.

CORS

The public API is intended for server-to-server use. Cross-origin browser requests are not enabled by default. If you need to call the API from a browser-based application, deploy a thin server-side proxy in front of it.

Permissions model

Because every key is bound to an organization user, authorization decisions follow the same rules used by the web UI:

• Visibility — findAll and findById endpoints only return resources the key's owning user can view. For projects this is determined by the project's visibility setting (PUBLIC, PROTECTED, PRIVATE) plus the user's role and team memberships.

• Contribute — create, update, delete, status, and archive endpoints require the user to be a project member (or higher). Calls that fail this check return 403 Forbidden. Looking up a record the user cannot view returns 404 Not Found instead — this is intentional and avoids leaking the existence of records the user has no business knowing about.

• Admin-only operations — Team writes and Assay-Type writes additionally require the ORGANIZATION_ADMIN role on the owning user. A non-admin key on these endpoints returns 403.

If you revoke a user's admin role, every key they own immediately loses access to admin-only endpoints.

Conventions

Base URL & versioning

Content types

All requests and responses use application/json with UTF-8 encoding.

Resource identifiers

Identifiers are UUIDs (version 4), serialised as canonical lowercase strings with hyphens — e.g. b1d1b15a-19e0-4d6f-8d33-7a3d3aef6cba.

Dates

Dates are ISO 8601 strings in UTC. Both date-only (2026-05-06) and date-time (2026-05-06T14:32:11.000+00:00) formats are accepted on input.

Pagination

List endpoints return a page object compatible with Spring Data's Page<T> envelope:

You can request a specific page and size using query parameters:

Status codes

Endpoint reference

The tables below list every public endpoint. Path-prefix is https://<tenant>/api/beta. Where an endpoint requires ORGANIZATION_ADMIN, this is noted in the right-most column.

Projects

Projects are the top-level container for studies and assays.

Create example

Project status values: CREATED, INITIALIZING, INITIALIZATION_FAILED, ACTIVE, COMPLETE, ON_HOLD, DEACTIVATED.

Visibility values: PUBLIC, PROTECTED, PRIVATE.

Choosing storage (optional)

By default a new project's files are provisioned in your organization's default cloud storage. To place the project's primary folder elsewhere, include an optional storage object on the create payload:

Omit the storage object entirely to use the default cloud location. Each project has exactly one primary folder at creation; attach additional folders afterward via POST /projects/{id}/storage-folders (see Storage folders).

Choosing an ELN notebook (optional)

If your organization has a connected Electronic Lab Notebook (ELN), you can link the new project to an existing notebook folder at creation time. Each platform has its own block; include the one matching your integration. Omit both to leave ELN provisioning off. The folder must already exist — the API links it as the project's primary notebook folder, it does not create a new one.

Benchling — benchling object:

CDD Vault — cddVault object (CDD Vault has no nested folders, so you link an existing project container):

Choosing a default Git group (optional)

If your organization has a connected GitLab integration, you can give the project a default Git group via a defaultGitGroup object on create/update. It is a convenience pre-fill only: when Git repositories are created for studies or assays under this project, this group is pre-selected — callers may always choose a different group, and no repository is created for the project itself. Omit it for no default.

A stored default that no longer resolves (group removed, integration disconnected) is simply ignored when pre-filling — it never blocks repository creation.

Studies

Studies belong to projects and group together related experiments.

Create example

Study status values: CREATED, INITIALIZING, INITIALIZATION_FAILED, ACTIVE, COMPLETE, ON_HOLD, DEACTIVATED.

Choosing an ELN notebook (optional)

If the parent project is linked to an ELN, you can provision notebook content for the study at creation time. Unlike a project (which links an existing folder), a study inherits the project's ELN integration and gets its own child content. Omit both fields to leave ELN provisioning off.

Benchling — benchling object: creates a notebook folder under the project's Benchling folder and a notebook entry in it.

CDD Vault — useCddVault boolean: when true, creates a notebook entry under the project's CDD Vault container. CDD Vault has no nested folders, so there is nothing else to configure per study.

Assays

Assays are the lowest-level experimental unit; each assay belongs to one study and has a defined assay type.

Create example

Choosing an ELN notebook (optional)

If the assay's project is linked to an ELN, you can provision notebook content for the assay at creation time. Like a study, an assay inherits the project's ELN integration and gets its own child content. Omit both fields to leave ELN provisioning off.

Benchling — benchling object: creates a notebook folder under the parent study's Benchling folder and a notebook entry in it.

CDD Vault — useCddVault boolean: when true, creates a notebook entry under the project's CDD Vault container. CDD Vault has no nested folders, so there is nothing else to configure per assay.

Notes

Notes are free-text annotations attached to a project, study, assay, or your organization. The v1 API exposes the current content of a note; full version history is internal-only. Note endpoints are read-only on the public API — create, update, and archive are performed through the Lab Atlas web UI.

Archived notes are not returned by either the list or get-by-id endpoints. The id returned by a list is the note's id and resolves directly via the matching get-by-id endpoint.

Note representation

A note's type is one of NOTE, COMMENT, CONCLUSION, TEMPLATE; its format is one of TIPTAP, MARKDOWN, TEXT, QUILL. The content field holds the current version's body.

Tasks

Tasks are checklist items attached to a study or assay.

Task input body

Status values: TODO, COMPLETE, INCOMPLETE.

External links

External links are URL references attached to a project, study, or assay.

External-link input body

Collaborators

Collaborators model the external organizations (CROs, partner labs, vendors) you work with. They are organization-scoped — every collaborator belongs to one Lab Atlas organization.

Collaborator input body

Teams

Teams are reusable groups of organization users that can be granted access to projects in one step. Team writes require ORGANIZATION_ADMIN.

Keywords

Keywords are simple tag strings shared across an organization.

Keyword values are case-sensitive and must be unique within an organization.

Assay types

Assay types define the metadata schema (fields and standard tasks) for assays. Assay-type writes require ORGANIZATION_ADMIN.

Status values: DRAFT, ACTIVE, INACTIVE, ARCHIVED, DELETED.

Study collections

Study collections are named groupings of studies, useful for ad-hoc reporting or cross-project comparisons.

Create body

Study relationships

Study relationships record links between studies — e.g. "is parent of", "is blocked by", "is related to".

Create body

Relationship types: IS_RELATED_TO, IS_PARENT_OF, IS_CHILD_OF, IS_BLOCKING, IS_BLOCKED_BY, IS_PRECEDED_BY, IS_SUCCEEDED_BY.

When you create a relationship, the inverse relationship is automatically created on the target study.

Activity

Activity records describe events that have happened in the organization — study status changes, assay creation, note edits, and so on. Activity is read-only; events are generated by Lab Atlas itself as side effects of other API calls.

Visibility follows the same rules as the underlying resources: a caller can only see activity for projects, studies, and assays they are allowed to view. Cross-organization lookups return 404.

Activity DTO shape

The eventType field is a dotted string (e.g. study.created, assay.status_changed, note.updated). The shape of data depends on the event type — treat it as an opaque map of strings to JSON values when consuming generically.

Storage folders

Storage folders link a project, study, or assay to a folder on a connected storage drive. Each record can have several attached folders, one of which is the primary folder. {folderId} is the id of the attachment (the join record), not the underlying drive folder. Responses contain folder metadata only — the API never lists the folder's subfolders or files.

All write operations require contribute permission on the parent project/study/assay.

Attach body

The folder at path must already exist on the drive. Set-primary body is {"primary": true}.

Read-only resources

The following resources are exposed for reads only in the public API. Create/update/delete must be performed through the Lab Atlas web UI.

Errors

Errors are returned as a JSON envelope:

For validation failures (400), additional fields are included describing each invalid field:

The statusCode field carries the HTTP status as an integer (separate from the per-resource status enum some response bodies carry). The details field is a one-line human-readable summary of all field violations — handy for log lines and quick triage; for programmatic handling, iterate errors[].

A request that authenticates successfully but is denied at the controller layer (e.g. an admin endpoint called by a non-admin key) returns 403 Forbidden with an empty body. A request that targets a resource the caller cannot view returns 404 Not Found rather than 403 — this avoids leaking the existence of records the caller has no business knowing about.

OpenAPI / Swagger

The full machine-readable specification is available at:

• Swagger UI: https://<your-tenant>.labatlas.com/docs/swagger-ui (select the public-v1 group)

• OpenAPI JSON: https://<your-tenant>.labatlas.com/docs/api-docs/public-v1

The Swagger UI is gated behind the same API-key check as the API itself — paste your key into the Authorize dialog (header name X-API-KEY) to try requests inline.

If you generate client SDKs from the OpenAPI document, regenerate after each Lab Atlas release; field additions are backwards-compatible but new endpoints may appear.

Support

If you hit a bug, need an endpoint that isn't listed here, or want to raise a security concern, email support@labatlas.com and include:

• The full URL of the failing request

• The HTTP status code returned

• The response body (with any sensitive data redacted)

• A timestamp (UTC) so support can correlate against server logs

• The key id portion of the API key in use (the lak_xxxxxxxx prefix is safe to share; never share the secret after the dot)