-
Notifications
You must be signed in to change notification settings - Fork 0
API Reference
hailsDotGO exposes a read-only JSON API for the game data it aggregates, a set of session-authenticated endpoints used by the site frontend, and a private API tier for trusted consumers. This page documents the endpoints, rate limits, and authentication rules. A live, always-current version of the public and private API tables is on the site itself: open https://pogo.hails.live/credits and switch to the API tab.
All endpoints are relative to the site root (for the production instance, https://pogo.hails.live). Errors are returned as JSON objects of the form {"error": "message"} with an appropriate HTTP status.
No authentication required. All responses carry Cache-Control: public, max-age=300.
| Endpoint | Method | Returns | Rate limit (per IP) |
|---|---|---|---|
/api/data |
GET | Combined bundle: Pokemon stats, moves, raids, Max Battles, shinies, shadow list, type chart, CP multipliers, types, localized names | 10 per 2 minutes |
/api/raids |
GET | Current raid bosses grouped by tier ("1", "3", "5", "6" for Mega; Shadow bosses fold into their tier with a Shadow name prefix) |
10 per 2 minutes |
/api/maxbattles |
GET | Current Max Battle bosses grouped by tier ("1", "2", "3") |
10 per 2 minutes |
/api/events |
GET | Current and upcoming events (ScrapedDuck feed) | 10 per 2 minutes |
/api/events/{id} |
GET | Sanitized HTML detail for one event; id must match ^[a-z0-9-]{1,128}$
|
30 per 2 minutes |
/api/pokemon |
GET | Pokemon base stats | 10 per 2 minutes |
/api/moves |
GET |
{"fast": [...], "charged": [...]} move data |
10 per 2 minutes |
On top of the request limits, the public data endpoints share a per-IP bandwidth budget: 15 MB per rolling 5-minute window, counted across all of the endpoints above. Exceeding it blocks the IP from these endpoints for 30 minutes and returns 429 with {"error":"bandwidth limit exceeded, try again later"}. Logged-in site users are unaffected because the frontend uses the session endpoint below.
Where the data comes from and how often it refreshes is documented in Data Sources.
These are the endpoints the site frontend uses. Authentication is the hgo_session cookie; there are no API keys. Mutating requests from a browser must also send the CSRF token in the X-CSRF-Token header (the token is rendered into every page; gorilla/csrf pairs it with the _gorilla_csrf cookie). The PayPal webhook is the only CSRF-exempt route.
| Endpoint | Method | Purpose |
|---|---|---|
/api/app/data |
GET | Same payload as /api/data, but session-authenticated and not subject to the public rate limits |
/api/weather |
GET | Current in-game weather and boosted types for the user's saved location (see Accounts and Roles) |
/api/shinies |
GET | The user's shiny collection |
/api/shinies |
POST | Add a shiny |
/api/shinies/{id} |
PUT | Update a shiny entry |
/api/shinies/{id} |
DELETE | Remove a shiny entry |
The full lobby lifecycle behind these is described in Raid Finder.
| Endpoint | Method | Auth | Purpose |
|---|---|---|---|
/api/raid/overview |
GET | none | Public overview: per-boss open lobby and queue counts plus open custom lobbies (slow poll) |
/api/raid/state |
GET | session | The caller's full raid state: queue position, lobby, deadlines, feedback owed (fast poll; doubles as the queue heartbeat) |
/api/raid/queue |
POST | session | Join the matchmaking queue for a boss |
/api/raid/queue |
DELETE | session | Leave the queue |
/api/raid/lobbies |
POST | session | Create a lobby (host) |
/api/raid/lobbies/{id} |
DELETE | session | Cancel a lobby (host or staff) |
/api/raid/lobbies/{id}/confirm |
POST | session | Member confirms within the confirm window |
/api/raid/lobbies/{id}/leave |
POST | session | Member leaves the lobby |
/api/raid/lobbies/{id}/kick |
POST | session | Host or staff removes a member |
/api/raid/lobbies/{id}/invited |
POST | session | Host confirms in-game invites were sent |
/api/raid/lobbies/{id}/report |
POST | session | Host's post-raid attendance report |
/api/raid/lobbies/{id}/feedback |
POST | session | Member's post-raid feedback (raid success, commend or dislike) |
See Trust and Awards for granting rules.
| Endpoint | Method | Auth | Purpose |
|---|---|---|---|
/api/awards |
GET | none | Active award catalog |
/api/awards/of/{username} |
GET | none | Awards a user has received |
/api/awards/{id}/grant |
POST | session | Grant an award by username (staff always; community granting behind a feature flag plus a minimum trust score) |
/api/shinies/of/{username} |
GET | none | A user's public shiny collection; includes sprite_url (shiny variant, pre-resolved). Returns [] when the user does not exist, has a private profile, or has enabled Hide shiny collection in Settings |
The private tier mirrors the public data endpoints without the public rate limits and bandwidth cap, and adds a refresh trigger. It requires the api_access account flag, which only the superadmin can grant and which only takes effect on admin accounts (the superadmin always has access). Requests still authenticate with the session cookie. Contact the site operator to request access.
| Endpoint | Method | Notes |
|---|---|---|
/api/private/data |
GET | Mirror of /api/data
|
/api/private/raids |
GET | Mirror of /api/raids
|
/api/private/maxbattles |
GET | Mirror of /api/maxbattles
|
/api/private/events |
GET | Mirror of /api/events
|
/api/private/events/{id} |
GET | Mirror of /api/events/{id}
|
/api/private/pokemon |
GET | Mirror of /api/pokemon
|
/api/private/moves |
GET | Mirror of /api/moves
|
/api/refresh |
POST | Triggers an immediate background re-fetch of all PoGoAPI data; globally limited to 2 requests per 10 minutes across all callers |
| Endpoint | Method | Notes |
|---|---|---|
/api/store/webhook |
POST | PayPal server-to-server webhook (CHECKOUT.ORDER.APPROVED). CSRF-exempt; authenticity is checked by verifying the transmission signature against PAYPAL_WEBHOOK_ID through PayPal's verification API. Always answers 200 so PayPal does not retry. See Store. |
Login, registration, settings, translation, and the admin toolset are session-flow routes rather than a stable API surface and are intentionally not exhaustively documented here. The login endpoint is limited to 10 attempts per minute per IP and registration to 5 per minute per IP. For the full admin route set and the role each action requires, see the Admin Guide; for the translation endpoints see Translator Workspace.
Repository | Live site | hailsDotGO is a fan-made project, not affiliated with, endorsed by, or connected to Niantic or The Pokémon Company. Game data comes from community sources credited on the Data Sources page.
Start Here
Features
- Raids and Counters
- DPS Calculator
- IV Calculator
- PvP IV Ranker
- Events
- Shiny Tracking
- Trainer Directory
- Raid Finder
- Social Features
- Trust and Awards
- Bug Reports
- Player Reports
- Store
- Accounts and Roles
- Admin Guide
Self-Hosting
Development
Translations