Resources/The Agent API Atlas/Analytics/Matomo

Everything an AI agent can do with the Matomo API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints27

API versionMatomo 5

Last updated23 June 2026

Orientation

How the Matomo API works.

The Matomo API is how an app or AI agent works with a Matomo analytics install: reading visit and page reports, pulling real-time and raw per-visit detail, managing goals, and adding or configuring tracked sites. Access is granted through a per-user token whose role on each site, from view through admin to Superuser, decides what every call can read or change, and an agent is limited to the sites and methods that user can reach. Matomo does not push events, so real-time figures come from polling rather than callbacks.

27Endpoints

8Capability groups

18Read

9Write

3Permissions

Authentication

Calls authenticate with a token_auth, created per Matomo user, which inherits that user's permissions. Matomo advises sending it in the POST body rather than the query string so it is not exposed in server logs or shared URLs, since anyone holding the token can read and change whatever its user can. Where OAuth 2.0 is installed, a bearer token with granted scopes can be used instead. Basic visit tracking needs no token at all.

Permissions

Access is governed by the requesting user's role on each site, which is a real per-token scoping rather than a list of API scopes. The levels are noaccess, view, write, admin, and Superuser. Reading reports needs view on the site; managing goals or updating a site needs admin; adding or deleting sites and managing users needs Superuser. UsersManager.setUserAccess is the method that assigns these levels, so a token that can call it can widen any other token's reach.

Versioning

Matomo does not version the HTTP API by URL. It ships dated platform releases, currently the Matomo 5 line, and the method names and parameters stay stable across point releases. Notable changes are announced in the platform changelog rather than by minting a new API version, for example the stricter idSite validation in 5.7.1 and the conflicting-authentication 400 in 5.8.0.

Data model

The Reporting API is a single entry point, index.php?module=API, where the method parameter names a module and action, such as VisitsSummary.get, Actions.getPageUrls, or SitesManager.addSite. Reports are requested for an idSite over a period and date, with format choosing JSON, XML, CSV, or others. Visit tracking uses a separate endpoint, matomo.php. Matomo does not push events, so real-time data comes from polling the Live module.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Matomo determines what it can reach. The reporting and management methods run through one HTTP entry point, while visit tracking has its own, and each call carries an authentication token whose user permissions set the boundary.

Ways to connect

Reporting HTTP API

The Reporting API answers at one entry point, index.php?module=API, with the report or management method named in the method parameter, such as VisitsSummary.get or SitesManager.addSite. It returns JSON, XML, CSV, or other formats chosen by the format parameter.

Best forReading analytics and managing sites, goals, and users.

Governed byThe token's user permissions, view, write, admin, or Superuser, per site.

Docs ↗

Tracking HTTP API

The Tracking API answers at a separate endpoint, matomo.php, and records pageviews and events into a site's logs. Most tracking needs no token, and a JSON body with a requests array sends many hits in one call.

Best forRecording visits and events from a server or app.

Governed byOpen for basic tracking; a token's permissions for privileged fields.

Docs ↗

MCP server (Model Context Protocol)

Matomo's first-party MCP server lets an AI tool query analytics in plain language through the Model Context Protocol. It is included with Matomo Cloud and available for On-Premise through the McpServer plugin, and must be enabled by a Superuser. It mediates read requests to the Reporting API and returns structured data; all reasoning happens in the AI tool.

Best forConnecting an AI assistant to Matomo analytics.

Governed byAn API token, which inherits its user's permissions, or OAuth 2.0 scopes.

Docs ↗

Authentication

API authentication token

A token_auth is created per Matomo user and inherits that user's permissions on each site. It is sent with the request, and Matomo advises sending it in the POST body rather than the URL so it is not exposed in logs or shared links.

Tokentoken_auth

Best forServer-to-server and agent access

Docs ↗

OAuth 2.0 bearer token

Where OAuth 2.0 is installed, an app can authenticate with a bearer token whose granted scopes set what it can reach, instead of using a token_auth.

TokenOAuth 2.0 bearer token

Best forApps that authenticate users through OAuth

Docs ↗

Capability map

What an AI agent can do in Matomo.

The Matomo API is split into modules an agent names in the method parameter, such as VisitsSummary, Actions, Referrers, Live, Goals, Events, SitesManager, and UsersManager. Each module exposes its own methods, and some reach far more than visit reports, including site configuration and user access.

Visits & summary

3 endpoints

Read the headline visit metrics for a site and time range, such as visits, unique visitors, actions, and bounce rate.

These methods read aggregated visitor statistics.

View endpoints →

Actions (pages & content)

4 endpoints

Read page URL, page title, entry and exit page, download, outlink, and site-search reports.

These methods read what visitors viewed and clicked.

View endpoints →

Referrers (acquisition)

3 endpoints

Read where visits came from, including referrer type, search engines, keywords, social networks, and external websites.

These methods read traffic-source reports.

View endpoints →

Live (real-time visits)

3 endpoints

Read real-time counters and raw, per-visit detail including IP, location, device, referrer, and every action in a visit.

Live detail returns individual visitor records, including IP address and location.

View endpoints →

Goals & events

4 endpoints

Read goal conversion and event reports, and create, update, or delete the goals a site tracks.

Writes here change the goals a site measures conversions against.

View endpoints →

Sites (SitesManager)

5 endpoints

Read site configuration, and add, update, or delete the websites tracked in Matomo.

Writes here create or remove tracked websites and change tracking configuration.

View endpoints →

Users (UsersManager)

4 endpoints

Read the user list, and create, update, or delete users and set their per-site access level.

Writes here change who can sign in to Matomo and what each person can reach.

View endpoints →

Tracking

1 endpoint

Record a pageview or an event into a site's analytics through the separate Tracking endpoint.

Writes here insert raw visit and event data into a site's logs.

View endpoints →

Endpoint reference

Every Matomo API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Visits & summary Read the headline visit metrics for a site and time range, such as visits, unique visitors, actions, and bounce rate.3
GET	`/index.php?module=API&method=VisitsSummary.get`	Get the core visit metrics for a site and period, including visits, unique visitors, actions, and bounce rate.	read	`view`	Current
Reading reports needs at least view access on the requested idSite. The method name is passed in the method query parameter to the single API entry point. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/index.php?module=API&method=VisitsSummary.getVisits`	Get the number of visits for a site and period.	read	`view`	Current
Needs at least view access on the idSite. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/index.php?module=API&method=VisitTime.getByDayOfWeek`	Get visit counts broken down by day of the week.	read	`view`	Current
Needs at least view access on the idSite. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Actions (pages & content) Read page URL, page title, entry and exit page, download, outlink, and site-search reports.4
GET	`/index.php?module=API&method=Actions.getPageUrls`	Get the page URL report, with metrics per page visited.	read	`view`	Current
Needs at least view access on the idSite. The page report can be flattened or requested as a hierarchy. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/index.php?module=API&method=Actions.getPageTitles`	Get the page title report, with metrics per page title.	read	`view`	Current
Needs at least view access on the idSite. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/index.php?module=API&method=Actions.getDownloads`	Get the report of files downloaded from the site.	read	`view`	Current
Needs at least view access on the idSite. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/index.php?module=API&method=Actions.getSiteSearchKeywords`	Get the keywords visitors typed into the site's internal search.	read	`view`	Current
Needs at least view access on the idSite, and site search must be configured for the site. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Referrers (acquisition) Read where visits came from, including referrer type, search engines, keywords, social networks, and external websites.3
GET	`/index.php?module=API&method=Referrers.getReferrerType`	Get visits split by referrer type, such as direct entry, search engines, websites, social networks, and campaigns.	read	`view`	Current
Needs at least view access on the idSite. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/index.php?module=API&method=Referrers.getAll`	Get a flattened report of all referrers, including search keywords, social networks, and external website URLs together.	read	`view`	Current
Needs at least view access on the idSite. This combines the separate referrer reports into one flat list. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/index.php?module=API&method=Referrers.getSearchEngines`	Get the report of search engines that referred visits.	read	`view`	Current
Needs at least view access on the idSite. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Live (real-time visits) Read real-time counters and raw, per-visit detail including IP, location, device, referrer, and every action in a visit.3
GET	`/index.php?module=API&method=Live.getCounters`	Get real-time counts of visits, actions, and visitors over the last lastMinutes minutes.	read	`view`	Current
Needs at least view access on the idSite. The lastMinutes parameter sets the real-time window. Real-time figures come from polling this method, as Matomo has no push. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/index.php?module=API&method=Live.getLastVisitsDetails`	Get raw per-visit detail, including each visit's pages, events, IP address, location, device, referrer, and goal conversions.	read	`view`	Current
Returns individual visitor records rather than aggregates, including the visitor IP address and full location. Reading these needs at least view access on the idSite. Acts onvisit Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/index.php?module=API&method=Live.getVisitorProfile`	Get the full profile of a single visitor by visitorId, summarising every visit and action recorded for that person.	read	`view`	Current
The visitorId parameter selects the person. Returns individual visitor detail, so it needs at least view access on the idSite. Acts onvisit Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Goals & events Read goal conversion and event reports, and create, update, or delete the goals a site tracks.4
GET	`/index.php?module=API&method=Events.getCategory`	Get the event report grouped by event category.	read	`view`	Current
Needs at least view access on the idSite. Events.getAction and Events.getName give the same data grouped by action or name. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/index.php?module=API&method=Goals.get`	Get goal conversion metrics for a site and period, such as conversions and conversion rate.	read	`view`	Current
Needs at least view access on the idSite. An idGoal parameter narrows to one goal. Acts onreport Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/index.php?module=API&method=Goals.addGoal`	Create a goal for a site, defining how a conversion is matched.	write	`admin`	Current
Managing goals needs admin access on the idSite. Parameters include name, matchAttribute, pattern, patternType, and revenue. Acts ongoal Permission (capability)`admin` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/index.php?module=API&method=Goals.updateGoal`	Update an existing goal's matching rules or settings.	write	`admin`	Current
Needs admin access on the idSite. The idGoal parameter selects the goal to change. Acts ongoal Permission (capability)`admin` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Sites (SitesManager) Read site configuration, and add, update, or delete the websites tracked in Matomo.5
GET	`/index.php?module=API&method=SitesManager.getSiteFromId`	Get the configuration of a single site, such as its name, main URL, time zone, and currency.	read	`view`	Current
Reading site configuration needs at least view access on the idSite. Acts onsite Permission (capability)`view` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/index.php?module=API&method=SitesManager.getAllSites`	Get the configuration of every site in the Matomo install.	read	`superuser`	Current
Listing every site needs Superuser access. SitesManager.getSitesWithAtLeastViewAccess returns only the sites the token's user can reach. Acts onsite Permission (capability)`superuser` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/index.php?module=API&method=SitesManager.addSite`	Create a new tracked website, with its name, URLs, time zone, currency, and other settings.	write	`superuser`	Current
Adding a site needs Superuser access. The urls parameter accepts an array of URLs for the site. Acts onsite Permission (capability)`superuser` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/index.php?module=API&method=SitesManager.updateSite`	Update an existing site's configuration.	write	`admin`	Current
Updating a site needs admin access on the idSite. Acts onsite Permission (capability)`admin` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/index.php?module=API&method=SitesManager.deleteSite`	Delete a website from Matomo by its ID.	write	`superuser`	Current
Deleting a site needs Superuser access. This removes the site configuration; existing logs and archives are handled separately. Acts onsite Permission (capability)`superuser` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Users (UsersManager) Read the user list, and create, update, or delete users and set their per-site access level.4
GET	`/index.php?module=API&method=UsersManager.getUsers`	Get the list of Matomo users.	read	`admin`	Current
Reading the user list needs admin access, since it returns who can sign in to Matomo. Acts onuser Permission (capability)`admin` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/index.php?module=API&method=UsersManager.addUser`	Create a new Matomo user.	write	`superuser`	Current
Creating a user needs Superuser access. Acts onuser Permission (capability)`superuser` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/index.php?module=API&method=UsersManager.setUserAccess`	Set a user's access level on one or more sites, from no access through view, write, and admin.	write	`superuser`	Current
Granting access needs Superuser access. The access parameter takes noaccess, view, write, or admin. This is the method that controls what every other token can reach. Acts onuser Permission (capability)`superuser` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/index.php?module=API&method=UsersManager.deleteUser`	Delete a Matomo user.	write	`superuser`	Current
Deleting a user needs Superuser access. Acts onuser Permission (capability)`superuser` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Tracking Record a pageview or an event into a site's analytics through the separate Tracking endpoint.1
POST	`/matomo.php`	Record a pageview or an event into a site's logs through the separate Tracking endpoint, using parameters such as idsite, rec, action_name, url, and the event fields e_c, e_a, e_n.	write	—	Current
Basic tracking needs no token. A token_auth is required only for privileged tracking, such as overriding the visitor IP, location, or timestamp, or sending data older than 24 hours. A POST body with a requests array sends many events at once. Acts onvisit Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Matomo does not push events to a receiver. An app or AI agent gets data by calling a reporting method, and real-time figures come from polling the Live module rather than from a callback.

Event	What it signals	Triggered by

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Matomo sets no fixed request quota on a self-hosted install, where throughput is bounded by the server. Result size is controlled per call through the filter_limit and filter_offset parameters rather than a global page size.

Request rate

Matomo sets no fixed request quota on a self-hosted install. How fast an app or AI agent can call is bounded by the server it runs on, and heavy methods such as Live.getCounters on a large database can be slow because of the work they do. Matomo Cloud applies its own limits to protect shared infrastructure. Result size per call is controlled by filter_limit, so a smaller limit returns faster.

Pagination

Reporting methods page through results with filter_limit, which sets how many rows to return and defaults to 100, and filter_offset, which sets the starting row. Setting filter_limit to -1 returns every row, which should be used with care on large reports.

Request size

There is no single documented payload size limit. The format parameter selects JSON, XML, CSV, TSV, HTML, or the original data structure, and filter_limit bounds how many rows a report returns. Live.getLastVisitsDetails can return large per-visit payloads, so a date range and filter_limit keep responses manageable.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
200	`result=error`	Matomo signals API errors inside a normal HTTP 200 response. The body carries result set to error and a message field describing what went wrong, such as a missing parameter or an access denial.	Parse the body and check the result field rather than relying on the HTTP status, then read the message to see what to fix.
400	`Bad Request`	From Matomo 5.7.1, an invalid idSite that was previously ignored can return 400. From Matomo 5.8.0, conflicting token_auth or force_api_session values across request sources also fail with 400.	Send a valid integer idSite and a single, consistent authentication value per request.
401	`Access denied`	The token is missing, invalid, or its user lacks the permission the method needs, such as admin for managing goals or Superuser for managing sites and users.	Send a valid token whose user has the required access level on the requested site.

Versioning & freshness

Version history.

Matomo ships dated platform releases rather than versioning the HTTP API by URL. The current line is Matomo 5, and the method names and parameters stay stable across point releases, with changes announced in the platform changelog.

Version history

What changed, and when

Latest versionMatomo 5

Matomo 5Current version

Matomo 5 line (current)

Matomo 5 is the current major line. The HTTP API is not versioned by URL, so method names and parameters stay stable across point releases, and notable changes ship through the platform changelog. Recent point releases tightened API input handling and added the first-party MCP server.

What changed

5.11.0 (8 June 2026): reporting, security, and dashboard improvements; CSV and TSV exports now replace carriage returns in values with spaces
5.10.0 (3 May 2026): refreshed interface with Dark Mode
First-party MCP server made available for connecting AI tools to Matomo analytics
5.8.0: conflicting token_auth or force_api_session values across request sources now fail with 400 Bad Request
5.7.1: HTTP APIs that accept idSite validate it more strictly, and an invalid value can return 400

Matomo 5.0.0

Start of the Matomo 5 line

Matomo 5.0.0 opened the current major line, released in December 2023. It kept the same single-entry-point HTTP API model, with methods named in the method parameter, so existing integrations continued to call the same method names.

What changed

5.0.0 released in December 2023, starting the Matomo 5 line
Retained the index.php?module=API entry point and Module.action method naming

An integration calls the same method names across Matomo 5 point releases; breaking changes are flagged in the changelog.

Matomo platform changelog ↗

Questions

Matomo API, answered.

How is a Matomo API method called?+

Every reporting and management method goes through one entry point, index.php?module=API, with the method named in the method parameter, such as method=VisitsSummary.get or method=SitesManager.addSite. A report call also takes idSite, period, and date, and the format parameter chooses JSON, XML, CSV, TSV, HTML, or the original data structure. The module and action together, like Actions.getPageUrls, identify exactly which report or action runs.

How does authentication work, and where should the token go?+

Calls authenticate with a token_auth tied to a Matomo user. Matomo advises sending it in the POST body rather than the URL query string, because a token in a URL ends up in server logs and browser history and could be reused by anyone who sees it. The token inherits its user's permissions, so it can do exactly what that person can. Where OAuth 2.0 is installed, an app can send a bearer token instead.

What permissions does a token need?+

Matomo permissions are per user and per site, not a separate list of API scopes. The levels are noaccess, view, write, admin, and Superuser. Reading reports needs view on the site, managing a site's goals or settings needs admin, and adding or deleting sites or managing users needs Superuser. A method denied to the token returns an access-denied error, so an agent should be given a user whose access matches only the methods it needs.

What are the rate limits?+

A self-hosted Matomo has no fixed request quota; throughput depends on the server, and some methods such as Live.getCounters on a large database are heavy because of the work they do. Matomo Cloud applies its own limits to protect shared infrastructure. Result size is controlled per call with filter_limit and filter_offset, so a smaller limit returns faster and offset walks through a large report.

How does Matomo report errors?+

Most API errors come back inside a normal HTTP 200 response, with the body holding result set to error and a message describing the problem, so a caller should check the result field rather than the status code alone. Some validation failures do return an HTTP status: an invalid idSite can return 400 from Matomo 5.7.1, and conflicting authentication values return 400 from 5.8.0.

Does Matomo push events, or send webhooks?+

No. Matomo does not push events to a receiver URL, so there are no webhooks to subscribe to for visit data. An app or AI agent gets data by calling reporting methods, and real-time figures come from polling the Live module, such as Live.getCounters for the last few minutes or Live.getLastVisitsDetails for raw per-visit records.

Does Matomo have an official MCP server for AI agents?+

Yes. Matomo ships a first-party MCP server that lets an AI tool query analytics in plain language through the Model Context Protocol. It is included with Matomo Cloud and available for On-Premise through the McpServer plugin, and a Superuser must enable it. It forwards read requests to the Reporting API and returns structured data, while the AI tool does all the interpretation. It authenticates with an API token that inherits its user's permissions, or with OAuth 2.0 scopes.

What is Bollard AI?

Control what every AI agent can do in Matomo.

Bollard AI sits between a team's AI agents and Matomo. Grant each agent exactly the access it needs, read or write, report by report, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Matomo token.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Matomo access in Bollard Browse all APIs →

Matomo

Analytics Agent

Read visit and page reports ResourceOffReadFull use

Read live visitor detail ResourceOffReadFull use

Add and update sites ActionOffReadFull use

Manage users and access ActionOffReadFull use

Per-agent access, set in Bollard AI, not in Matomo

How the Matomo API works.

Connection & authentication methods.

Reporting HTTP API

Tracking HTTP API

MCP server (Model Context Protocol)

API authentication token

OAuth 2.0 bearer token

What an AI agent can do in Matomo.

Visits & summary

Actions (pages & content)

Referrers (acquisition)

Live (real-time visits)

Goals & events

Sites (SitesManager)

Users (UsersManager)

Tracking

Every Matomo API method.

Visits & summary

Actions (pages & content)

Referrers (acquisition)

Live (real-time visits)

Goals & events

Sites (SitesManager)

Users (UsersManager)

Tracking

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Matomo API, answered.

More analytics API guides for agents

Tableau

Power BI

Metabase

Fullstory

Google Analytics

Segment

Control what every AI agent can do in Matomo.