Skip to main content
The JavaScript SDK and browser clients send events over HTTP. The HTTP source also works for any REST integration — send JSON or binary payloads. 
[sources.http]
port = 8080

Endpoints

MethodPathFormatDescription
POST/v1/eventsJSONLIngest events
POST/v1/logsJSONLIngest logs
POST/v1/ingestBinaryFlatBuffer batches
GET/healthHealth check
Authenticate with Authorization: Bearer <key> or X-API-Key: <key>: 
curl -X POST https://tell.example.com/v1/events \
  -H "Authorization: Bearer a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6" \
  -H "Content-Type: application/json" \
  -d '{"type":"track","event":"page_view","device_id":"abc123"}'
Keys are 32 hex characters. See API keys for creating and managing them.

CORS and browser clients

CORS is enabled by default so browser SDKs work without extra setup. To restrict allowed origins: 
[sources.http]
port = 8080
cors_origins = ["https://myapp.com", "https://staging.myapp.com"]

Proxy support

Behind nginx or a load balancer, enable trust_proxy to capture the real client IP from X-Forwarded-For: 
[sources.http]
trust_proxy = true
Only enable this with trusted proxies — clients can forge the header.

Rate limiting

Authentication failures are rate-limited per IP. After 10 failures in 60 seconds, the IP is temporarily blocked with 429 Too Many Requests.

Advanced

Full config reference with defaults: 
[sources.http]
port = 8080
address = "::"              # Bind address
max_payload_size = 16777216  # Max request body (16 MB)
batch_size = 500             # Items per batch
flush_interval = "100ms"     # Partial batch flush interval
request_timeout = "30s"      # HTTP request timeout
cors_enabled = true          # Enable CORS
cors_origins = []            # Allowed origins (empty = all)
request_logging = false      # Log HTTP requests
trust_proxy = false          # Trust X-Forwarded-For