The Context Layer is a per-tenant graph of your operations — entities and the relationships
between them — built read-only from the telemetry you already send. It exists to make
investigations faster: use the graph to narrow the search, the underlying telemetry to confirm.
Every endpoint is gated behind the context:read scope.
The context engine runs on a schedule and derives the graph from traces, logs, monitors, incidents, on-call, assets, and your audit log. You send telemetry the way you already do; the graph builds itself and stays current.
service · host · incident · case · asset · identity · on-call person · AI agent · IOC · change · monitor.
calls · runs_on · impacts · groups · owns · responsible_for · changed · matched. Every edge carries a confidence, a recency, and evidence — a deep-link into the exact trace, log, incident, or audit record that proves it. No black-box inference.
All require a token with the context:read scope. The org is always taken from the
token — clients never pass an org id.
/api/v1/context/lookup?type=service&key=api.example.com Resolve a name to an entity id so you can walk its graph.
curl "https://api.24observe.com/api/v1/context/lookup?type=service&key=api.example.com" \
-H "Authorization: Bearer obs_<your_token>"
# → { "entity": { "id": 481, "type": "service", "canonicalKey": "api.example.com", ... } }/api/v1/context/entity/{id}/neighborhood?types=calls,impacts,matched One hop out from any entity, ranked by edge strength + recency. Filter by edge type.
curl "https://api.24observe.com/api/v1/context/entity/481/neighborhood" \
-H "Authorization: Bearer obs_<your_token>"
# → { "entityId": 481, "edges": [
# { "edgeType": "impacts", "direction": "in",
# "neighbor": { "type": "incident", "canonicalKey": "inc-91", ... },
# "confidence": 1, "strength": 4,
# "evidence": { "kind": "incident", "deepLink": "/api/v1/incidents/91" } }, ... ] }/api/v1/context/incident/{incidentKey}/summary The wedge: blast-radius + owners + recent changes for an incident, every item evidence-linked.
curl "https://api.24observe.com/api/v1/context/incident/inc-91/summary" \
-H "Authorization: Bearer obs_<your_token>"
# → { "incident": { ... },
# "impacted": [ { "neighbor": { "canonicalKey": "api.example.com" }, "evidence": {...} } ],
# "owners": [ { "owner": "[email protected]", "via": "responsible_for" } ],
# "recentChanges": [ { "change": "UPDATE_MONITOR", "evidence": { "kind": "audit" } } ] }/api/v1/context/entity/{id} Fetch a single entity by id (type, canonical key, display name, attrs, first/last seen).
curl "https://api.24observe.com/api/v1/context/entity/481" \
-H "Authorization: Bearer obs_<your_token>"
The four read endpoints are published as Model Context Protocol tools
(context_lookup_entity, context_get_entity,
context_entity_neighborhood, context_incident_summary) and in the
OpenAI / Anthropic / LangChain tool catalogues, so an investigation agent can traverse
topology and blast-radius the way a responder does — with the evidence to back every step.
Read-only and org-scoped, exactly like the API.
One call returns the blast-radius — impacted services, owners, and recent changes.