Welcome
The Punch Rescue Public API v1 lets external systems integrate directly with the Rescue platform. Use it to declare emergencies, re-categorize them, mark them resolved, and read an organization’s category catalog and audit log. Every emergency transition fan-outs in real time to the org’s base-station devices and to any registered webhook subscribers — so your integration, our responders, and downstream partners stay in lockstep.Base URL
| Environment | Base URL |
|---|---|
| Production | https://api.punchrescue.com/api/public/v1 |
https://api.punchrescue.com/api/public/v1/openapi.json. It’s the one path on the API that doesn’t require authentication, so you can paste it into Claude or a codegen tool before issuing your first request.
Need a sandbox before going live? Reach out to your Rescue contact — we’ll provision a dev key and share the corresponding base URL out-of-band.
Authentication
All endpoints (exceptGET /openapi.json) require an API key issued by Rescue. Send it as a Bearer token on every request.
- A subject —
partner,enterprise, ororg— which determines the set of organizations the key can act on (every org under the subject’s hierarchy). - An optional
allowedOrgIdswhitelist — when set, further restricts the key to a subset of orgs under its subject. - Permissions — the v1 vocabulary is
readandwrite. Future versions may introduce granular<resource>:<action>permissions additively. - An optional
activeUntilDate— hard expiration checked on every request.
Treat your API key like a password. Never commit it to source control or ship it in client-side code. If a key is leaked, contact Punch Rescue support to revoke (
status=inactive) or rotate it.Core concepts
Organization
Organization
The tenant scope every emergency, category, and audit-log entry belongs to. Reference an organization by its Punch Rescue
orgId (UUID). Your API key must cover that org through its subject (org / enterprise / partner) and any allowedOrgIds whitelist — 403 is returned otherwise.Category
Category
A classification for emergencies (e.g. Medical, Fire, Security). Each category has a stable
categoryId, plus name, color, and severity. Categories are read-only on the public API — they’re authored inside the Punch Rescue admin console.Emergency
Emergency
A real-world incident tracked through three event types:
emergency.declared— created viaPOST /orgs/{orgId}/emergencies.emergency.categorized— re-categorized viaPATCH /orgs/{orgId}/emergencies/{emergencyId}.emergency.resolved— closed viaPOST /orgs/{orgId}/emergencies/{emergencyId}/resolutions.
Webhook delivery
Webhook delivery
Rescue pushes every emergency transition to registered subscribers as a stable
PublicWebhookEnvelope. Subscriptions can be scoped at the partner, enterprise, or org level with an optional allowedOrgIds whitelist — so a single subscription can cover many orgs. See Webhooks for the full envelope, event catalog, delivery semantics, and dedup/ordering rules.A typical integration flow
Discover an org's categories
GET /orgs/{orgId}/emergencies/categories returns the categoryId values available for that org. (Categories are managed inside Rescue — there’s no public CRUD.)Declare an emergency
POST /orgs/{orgId}/emergencies with a categoryId (and an optional externalId for your own correlation). Returns 201 Created with the full emergency record. Rescue resolves the category color and dispatches a real-time alert to every base-station device in the org.Update or re-categorize
PATCH /orgs/{orgId}/emergencies/{emergencyId} to change the category or other mutable attributes. Returns 200 OK and fires an emergency.categorized webhook.Resolve
POST /orgs/{orgId}/emergencies/{emergencyId}/resolutions. Returns 201 Created with the resolution record and fires an emergency.resolved webhook. Idempotent — resolving an already-resolved emergency returns the existing resolution.Receive webhook deliveries
Have your Rescue admin register a webhook subscription scoped to your partner/enterprise/org. You’ll receive every
emergency.declared / emergency.categorized / emergency.resolved event for the orgs your subscription covers. See Webhooks for the envelope shape, the full event catalog, and how to secure and test your endpoint.Endpoint groups
Categories
Read-only listing of an org’s category catalog.
Emergencies
Declare, list, fetch, update, and resolve emergencies.
Webhooks
Receive emergency and device events in real time — envelope, event catalog, and delivery semantics.
Responses & errors
Successful responses use standard HTTP codes —200 OK, 201 Created, 204 No Content. Emergency writes are synchronous: the response reflects committed state. Webhook fan-out happens asynchronously after the response is sent, with retries on transient failures.
Validation failures return 422 Unprocessable Entity with a structured payload pointing at the offending field:
401 Unauthorized— missing, invalid, expired, or revoked API key.403 Forbidden— key is valid but its subject doesn’t cover the requestedorgId(or the org isn’t inallowedOrgIds).
Idempotency-Key isn’t supported yet — when a write returns 5xx with no body, fetch the emergency via GET /orgs/{orgId}/emergencies/{emergencyId} (or look it up by your own externalId on the list endpoint) before retrying to avoid duplicates.
Need help or hitting unexpected behavior? Reach out to your Rescue contact with the request ID returned by the API — it’s the fastest way for us to trace what happened.