API reference

Use the platform API to automate scoring workflows, report operations, and integration-driven signal ingestion with strict tenant-scoped access controls.

Client integrations should treat API responses as tenant-scoped data, enforce encrypted transport, and retain immutable report artifacts for downstream governance and compliance evidence.

For job-style ingestion and retry-safe integration guidance, see Ingestion API patterns.

Authentication

API routes require authenticated session context or an API key, plus tenant authorization checks. Transport wrappers return structured error envelopes and avoid leaking sensitive internal state.

  • API keys must be created with explicit scopes and are evaluated per endpoint.
  • Authentication failures are rate-limited and monitored to contain brute-force attempts.
  • Sensitive ingestion management operations require session-based authenticated users.

| Header | Example | Notes |
|---|---|---|
| Cookie | crp_session=<session_token> | Required for authenticated requests. |
| Authorization | Bearer crp.<lookup>.<secret> | Alternative to session cookies for service-to-service access. |
| x-api-key | crp.<lookup>.<secret> | Equivalent API key header option. |
| x-tenant-id | <tenant_id> | Server-resolved tenant selection header. |

Core endpoints

| Method | Path | Summary | Purpose |
|---|---|---|---|
| GET | /api/v1/api-keys | List API keys | List API keys created by the authenticated user for a tenant. |
| POST | /api/v1/api-keys | Create API key | Create a new API key. The raw key is shown only once in the create response. |
| DELETE | /api/v1/api-keys/[apiKeyId] | Documented endpoint | Endpoint available in public API route catalog. |
| DELETE | /api/v1/assessments/[assessmentId] | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/assessments/[assessmentId]/calculate-score | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/assessments/[assessmentId]/download | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/assets/blast-radius | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/assets/blast-radius | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/audit/events | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/audit/events/export | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/compliance-evidence | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/compliance-evidence | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/dashboard/summary | Dashboard summary | Fetch tenant-scoped dashboard summary metrics. |
| GET | /api/v1/dashboard/trends | Dashboard trends | Fetch score and exposure trend-series for selected range. |
| GET | /api/v1/frameworks/[frameworkCode]/alignment | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/frameworks/[frameworkCode]/prompts | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/frameworks/[frameworkCode]/prompts | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/frameworks/mapping-suggestions | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/frameworks/mapping-suggestions | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/integrations/apps | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/apps | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/discord/test-connection | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/integrations/executions | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/jira/actions | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/jira/callback | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/jira/test-connection | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/microsoft-teams/test-connection | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/integrations/rules | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/rules | Documented endpoint | Endpoint available in public API route catalog. |
| PATCH | /api/v1/integrations/rules/[ruleId] | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/rules/simulate | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/securityscorecard/actions/trigger-correlation | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/securityscorecard/signal-ingest | Ingest SecurityScorecard signals | Ingest and normalize external risk signals. |
| POST | /api/v1/integrations/slack/test-connection | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/webhook/test-connection | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/internal/decision-traces | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/internal/phase2-health | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/profile/update | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/report-ingestion/jobs | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/report-ingestion/jobs | Documented endpoint | Endpoint available in public API route catalog. |
| DELETE | /api/v1/report-ingestion/jobs/[jobId] | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/report-ingestion/jobs/[jobId] | Documented endpoint | Endpoint available in public API route catalog. |
| PATCH | /api/v1/report-ingestion/jobs/[jobId] | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/report-ingestion/jobs/[jobId]/extract | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/report-ingestion/jobs/[jobId]/finalize | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/report-ingestion/jobs/[jobId]/preview | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/report-ingestion/jobs/[jobId]/validate | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/report-ingestion/jobs/[jobId]/verification | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/report-ingestion/scope-keys | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/reports | List reports | List report artifacts for the selected tenant context. |
| GET | /api/v1/reports/[reportId]/download | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/reports/generate | Generate report | Generate report snapshot for an assessment context. |
| GET | /api/v1/system/origin | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/tenants/[tenantId]/branding | Documented endpoint | Endpoint available in public API route catalog. |
| PATCH | /api/v1/tenants/[tenantId]/branding | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/third-party-risk/campaigns | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/third-party-risk/campaigns/[campaignId]/evidence-export | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/third-party-risk/campaigns/[campaignId]/responses | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/third-party-risk/campaigns/[campaignId]/workflow | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/third-party-risk/vendors | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/threat-intelligence | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/threat-intelligence | Documented endpoint | Endpoint available in public API route catalog. |
| PATCH | /api/v1/vulnerabilities/[vulnerabilityId] | Documented endpoint | Endpoint available in public API route catalog. |
| PATCH | /api/v1/vulnerabilities/[vulnerabilityId]/status | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/vulnerabilities/[vulnerabilityId]/status | Documented endpoint | Endpoint available in public API route catalog. |

Request/response examples

GET /api/v1/api-keys (auth, api-keys)

Request

GET /api/v1/api-keys?tenantId=<tenant_id>

Response

{
  "success": true,
  "data": {
    "items": []
  }
}

POST /api/v1/api-keys (auth, api-keys)

Request

POST /api/v1/api-keys
{
  "tenantId": "<tenant_id>",
  "name": "CI runner",
  "scopes": ["read:dashboard"],
  "expiresInDays": 90
}

Response

{
  "success": true,
  "data": {
    "apiKey": "crp.<lookup>.<secret>",
    "apiKeyMeta": {
      "id": "<api_key_id>",
      "name": "CI runner"
    }
  }
}

DELETE /api/v1/api-keys/[apiKeyId] (unclassified)
DELETE /api/v1/assessments/[assessmentId] (unclassified)
POST /api/v1/assessments/[assessmentId]/calculate-score (unclassified)
GET /api/v1/assessments/[assessmentId]/download (unclassified)
GET /api/v1/assets/blast-radius (unclassified)
POST /api/v1/assets/blast-radius (unclassified)
GET /api/v1/audit/events (unclassified)
GET /api/v1/audit/events/export (unclassified)
GET /api/v1/compliance-evidence (unclassified)
POST /api/v1/compliance-evidence (unclassified)

GET /api/v1/dashboard/summary (dashboard)

Request

GET /api/v1/dashboard/summary?tenantId=<tenant_id>

Response

{
  "success": true,
  "data": {
    "overallScore": 72,
    "riskLevel": "Moderate"
  }
}

GET /api/v1/dashboard/trends (dashboard)

Request

GET /api/v1/dashboard/trends?tenantId=<tenant_id>&range=3y

Response

{
  "success": true,
  "data": {
    "range": "3y",
    "scoreSeries": []
  }
}

GET /api/v1/frameworks/[frameworkCode]/alignment (unclassified)
GET /api/v1/frameworks/[frameworkCode]/prompts (unclassified)
POST /api/v1/frameworks/[frameworkCode]/prompts (unclassified)
GET /api/v1/frameworks/mapping-suggestions (unclassified)
POST /api/v1/frameworks/mapping-suggestions (unclassified)
GET /api/v1/integrations/apps (unclassified)
POST /api/v1/integrations/apps (unclassified)
POST /api/v1/integrations/discord/test-connection (unclassified)
GET /api/v1/integrations/executions (unclassified)
POST /api/v1/integrations/jira/actions (unclassified)
POST /api/v1/integrations/jira/callback (unclassified)
POST /api/v1/integrations/jira/test-connection (unclassified)
POST /api/v1/integrations/microsoft-teams/test-connection (unclassified)
GET /api/v1/integrations/rules (unclassified)
POST /api/v1/integrations/rules (unclassified)
PATCH /api/v1/integrations/rules/[ruleId] (unclassified)
POST /api/v1/integrations/rules/simulate (unclassified)
POST /api/v1/integrations/securityscorecard/actions/trigger-correlation (unclassified)

POST /api/v1/integrations/securityscorecard/signal-ingest (integrations, securityscorecard)

Request

POST /api/v1/integrations/securityscorecard/signal-ingest
{
  "tenantId": "<tenant_id>",
  "signals": []
}

Response

{
  "success": true,
  "data": {
    "ingested": 0,
    "linked": 0
  }
}

POST /api/v1/integrations/slack/test-connection (unclassified)
POST /api/v1/integrations/webhook/test-connection (unclassified)
GET /api/v1/internal/decision-traces (unclassified)
GET /api/v1/internal/phase2-health (unclassified)
POST /api/v1/profile/update (unclassified)
GET /api/v1/report-ingestion/jobs (unclassified)
POST /api/v1/report-ingestion/jobs (unclassified)
DELETE /api/v1/report-ingestion/jobs/[jobId] (unclassified)
GET /api/v1/report-ingestion/jobs/[jobId] (unclassified)
PATCH /api/v1/report-ingestion/jobs/[jobId] (unclassified)
POST /api/v1/report-ingestion/jobs/[jobId]/extract (unclassified)
POST /api/v1/report-ingestion/jobs/[jobId]/finalize (unclassified)
GET /api/v1/report-ingestion/jobs/[jobId]/preview (unclassified)
POST /api/v1/report-ingestion/jobs/[jobId]/validate (unclassified)
GET /api/v1/report-ingestion/jobs/[jobId]/verification (unclassified)
GET /api/v1/report-ingestion/scope-keys (unclassified)

GET /api/v1/reports (reports)

Request

GET /api/v1/reports?tenantId=<tenant_id>

Response

{
  "success": true,
  "data": {
    "items": []
  }
}

GET /api/v1/reports/[reportId]/download (unclassified)

POST /api/v1/reports/generate (reports)

Request

POST /api/v1/reports/generate
{
  "tenantId": "<tenant_id>",
  "assessmentId": "<assessment_id>",
  "reportType": "BOARD_PACK"
}

Response

{
  "success": true,
  "data": {
    "reportId": "<report_id>",
    "status": "AVAILABLE"
  }
}

GET /api/v1/system/origin (unclassified)
GET /api/v1/tenants/[tenantId]/branding (unclassified)
PATCH /api/v1/tenants/[tenantId]/branding (unclassified)
POST /api/v1/third-party-risk/campaigns (unclassified)
GET /api/v1/third-party-risk/campaigns/[campaignId]/evidence-export (unclassified)
POST /api/v1/third-party-risk/campaigns/[campaignId]/responses (unclassified)
POST /api/v1/third-party-risk/campaigns/[campaignId]/workflow (unclassified)
POST /api/v1/third-party-risk/vendors (unclassified)
GET /api/v1/threat-intelligence (unclassified)
POST /api/v1/threat-intelligence (unclassified)
PATCH /api/v1/vulnerabilities/[vulnerabilityId] (unclassified)
PATCH /api/v1/vulnerabilities/[vulnerabilityId]/status (unclassified)
POST /api/v1/vulnerabilities/[vulnerabilityId]/status (unclassified)

Error envelope

Failed requests return a stable envelope containing a status, a machine-readable code, and a user-safe message.

{
  "success": false,
  "error": {
    "code": "FORBIDDEN",
    "message": "You are not authorized for this tenant context."
  }
}
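
Client-side handling of the Authentication headers and the envelope above, as an added example (not the platform's own SDK or code). The base URL https://api.example.invalid, the helper names, and the assumption that <lookup> and <secret> contain no dots are illustrative; the sample key is constructed.

```python
import json
from urllib.parse import urlsplit
from urllib.request import Request


class ApiError(Exception):
    """Raised when the platform returns a success=false envelope."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code, self.message = code, message


def redact_key(api_key):
    """Return a log-safe form: keep prefix and lookup id, drop the secret."""
    parts = api_key.split(".")
    # Assumption: <lookup> and <secret> contain no dots themselves.
    if len(parts) != 3 or parts[0] != "crp" or not all(parts):
        raise ValueError("API key must look like crp.<lookup>.<secret>")
    return f"crp.{parts[1]}.***"


def build_request(base_url, path, api_key, tenant_id, method="GET", body=None):
    """Build (but do not send) an API-key authenticated request."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send an API key over non-TLS transport")
    redact_key(api_key)  # validates the key shape before it is used
    headers = {"Authorization": f"Bearer {api_key}", "x-tenant-id": tenant_id,
               "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return Request(base_url.rstrip("/") + path, data=data, headers=headers, method=method)


def unwrap(raw):
    """Return envelope["data"] on success; raise ApiError otherwise."""
    envelope = json.loads(raw)
    if envelope.get("success") is True:
        return envelope.get("data")
    err = envelope.get("error") or {}
    raise ApiError(err.get("code", "UNKNOWN"), err.get("message", ""))


if __name__ == "__main__":
    key = "crp.lk_demo.not-a-real-secret"  # constructed sample key
    req = build_request("https://api.example.invalid", "/api/v1/reports", key, "tenant-demo")
    print(req.get_method(), req.full_url, "key:", redact_key(key))
    print(unwrap('{"success": true, "data": {"items": []}}'))
```

Log redact_key(key) rather than the key itself, and branch on ApiError.code instead of matching the human-readable message.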