API reference

Use the platform API to automate scoring workflows, report operations, and integration-driven signal ingestion with strict tenant-scoped access controls.

Client integrations should treat API responses as tenant-scoped data, enforce encrypted transport, and retain immutable report artifacts for downstream governance and compliance evidence.

For job-style ingestion and retry-safe integration guidance, see Ingestion API patterns.

Authentication

API routes require authenticated session context or an API key, plus tenant authorization checks. Transport wrappers return structured error envelopes and avoid leaking sensitive internal state.

  • API keys must be created with explicit scopes and are evaluated per endpoint.
  • Authentication failures are rate-limited and monitored to contain brute-force attempts.
  • Sensitive ingestion management operations require session-based authenticated users.

| Header | Example | Notes |
| --- | --- | --- |
| Cookie | crp_session=<session_token> | Required for authenticated requests. |
| Authorization | Bearer crp.<lookup>.<secret> | Alternative to session cookies for service-to-service access. |
| x-api-key | crp.<lookup>.<secret> | Equivalent API key header option. |
| x-tenant-id | <tenant_id> | Server-resolved tenant selection header. |

Core endpoints

| Method | Path | Summary | Purpose |
| --- | --- | --- | --- |
| GET | /api/v1/api-keys | List API keys | List API keys created by the authenticated user for a tenant. |
| POST | /api/v1/api-keys | Create API key | Create a new API key. The raw key is shown only once in the create response. |
| DELETE | /api/v1/api-keys/[apiKeyId] | Documented endpoint | Endpoint available in public API route catalog. |
| DELETE | /api/v1/assessments/[assessmentId] | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/assessments/[assessmentId]/calculate-score | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/assessments/[assessmentId]/download | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/assessments/runs | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/assessments/runs/[id] | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/assessments/runs/[id]/responses | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/assessments/runs/[id]/result | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/assessments/runs/[id]/submit | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/assessments/templates | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/assets/blast-radius | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/assets/blast-radius | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/audit/events | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/audit/events/export | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/compliance-evidence | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/compliance-evidence | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/cra/payments/[paymentRef]/status | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/cra/payments/initiate | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/cra/payments/payfast/itn | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/cra/payments/payfast/itn | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/cra/unlock-requests | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/cra/unlock-requests/[requestId] | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/dashboard/summary | Dashboard summary | Fetch tenant-scoped dashboard summary metrics. |
| GET | /api/v1/dashboard/trends | Dashboard trends | Fetch score and exposure trend-series for selected range. |
| GET | /api/v1/frameworks/[frameworkCode]/alignment | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/frameworks/[frameworkCode]/prompts | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/frameworks/[frameworkCode]/prompts | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/frameworks/mapping-suggestions | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/frameworks/mapping-suggestions | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/integrations/apps | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/apps | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/discord/test-connection | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/integrations/executions | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/jira/actions | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/jira/callback | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/jira/test-connection | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/microsoft-teams/test-connection | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/integrations/rules | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/rules | Documented endpoint | Endpoint available in public API route catalog. |
| PATCH | /api/v1/integrations/rules/[ruleId] | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/rules/simulate | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/securityscorecard/actions/trigger-correlation | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/securityscorecard/signal-ingest | Ingest SecurityScorecard signals | Ingest and normalize external risk signals. |
| POST | /api/v1/integrations/slack/test-connection | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/integrations/webhook/test-connection | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/internal/decision-traces | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/internal/phase2-health | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/operator/cra-submissions | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/operator/cra-submissions/[id] | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra-submissions/[id]/generate-report | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/operator/cra/entitlements | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/operator/cra/entitlements/[entitlementId] | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements/[entitlementId]/activate | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements/[entitlementId]/approve | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements/[entitlementId]/bridge-disable | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements/[entitlementId]/bridge-enable | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements/[entitlementId]/expire | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements/[entitlementId]/hold | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements/[entitlementId]/platform-approve | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements/[entitlementId]/reject | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements/[entitlementId]/request-created | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements/[entitlementId]/revoke | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements/[entitlementId]/submit | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/entitlements/[entitlementId]/supersede | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/operator/cra/unlock-requests | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/operator/cra/unlock-requests/[requestId] | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/unlock-requests/[requestId]/approve | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/unlock-requests/[requestId]/decline | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/unlock-requests/[requestId]/expire | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/unlock-requests/[requestId]/review | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/operator/cra/unlock-requests/[requestId]/supersede | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/profile/update | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/report-ingestion/jobs | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/report-ingestion/jobs | Documented endpoint | Endpoint available in public API route catalog. |
| DELETE | /api/v1/report-ingestion/jobs/[jobId] | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/report-ingestion/jobs/[jobId] | Documented endpoint | Endpoint available in public API route catalog. |
| PATCH | /api/v1/report-ingestion/jobs/[jobId] | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/report-ingestion/jobs/[jobId]/extract | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/report-ingestion/jobs/[jobId]/finalize | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/report-ingestion/jobs/[jobId]/preview | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/report-ingestion/jobs/[jobId]/validate | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/report-ingestion/jobs/[jobId]/verification | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/report-ingestion/scope-keys | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/reports | List reports | List report artifacts for the selected tenant context. |
| GET | /api/v1/reports/[reportId]/download | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/reports/generate | Generate report | Generate report snapshot for an assessment context. |
| GET | /api/v1/system/origin | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/tenants/[tenantId]/branding | Documented endpoint | Endpoint available in public API route catalog. |
| PATCH | /api/v1/tenants/[tenantId]/branding | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/third-party-risk/campaigns | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/third-party-risk/campaigns/[campaignId]/evidence-export | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/third-party-risk/campaigns/[campaignId]/responses | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/third-party-risk/campaigns/[campaignId]/workflow | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/third-party-risk/vendors | Documented endpoint | Endpoint available in public API route catalog. |
| GET | /api/v1/threat-intelligence | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/threat-intelligence | Documented endpoint | Endpoint available in public API route catalog. |
| PATCH | /api/v1/vulnerabilities/[vulnerabilityId] | Documented endpoint | Endpoint available in public API route catalog. |
| PATCH | /api/v1/vulnerabilities/[vulnerabilityId]/status | Documented endpoint | Endpoint available in public API route catalog. |
| POST | /api/v1/vulnerabilities/[vulnerabilityId]/status | Documented endpoint | Endpoint available in public API route catalog. |

Request/response examples

GET /api/v1/api-keys (auth, api-keys)

Request

GET /api/v1/api-keys?tenantId=<tenant_id>

Response

{
  "success": true,
  "data": {
    "items": []
  }
}

POST /api/v1/api-keys (auth, api-keys)

Request

POST /api/v1/api-keys
{
  "tenantId": "<tenant_id>",
  "name": "CI runner",
  "scopes": ["read:dashboard"],
  "expiresInDays": 90
}

Response

{
  "success": true,
  "data": {
    "apiKey": "crp.<lookup>.<secret>",
    "apiKeyMeta": {
      "id": "<api_key_id>",
      "name": "CI runner"
    }
  }
}

GET /api/v1/dashboard/summary (dashboard)

Request

GET /api/v1/dashboard/summary?tenantId=<tenant_id>

Response

{
  "success": true,
  "data": {
    "overallScore": 72,
    "riskLevel": "Moderate"
  }
}

GET /api/v1/dashboard/trends (dashboard)

Request

GET /api/v1/dashboard/trends?tenantId=<tenant_id>&range=3y

Response

{
  "success": true,
  "data": {
    "range": "3y",
    "scoreSeries": []
  }
}

POST /api/v1/integrations/securityscorecard/signal-ingest (integrations, securityscorecard)

Request

POST /api/v1/integrations/securityscorecard/signal-ingest
{
  "tenantId": "<tenant_id>",
  "signals": []
}

Response

{
  "success": true,
  "data": {
    "ingested": 0,
    "linked": 0
  }
}

GET /api/v1/reports (reports)

Request

GET /api/v1/reports?tenantId=<tenant_id>

Response

{
  "success": true,
  "data": {
    "items": []
  }
}

POST /api/v1/reports/generate (reports)

Request

POST /api/v1/reports/generate
{
  "tenantId": "<tenant_id>",
  "assessmentId": "<assessment_id>",
  "reportType": "BOARD_PACK"
}

Response

{
  "success": true,
  "data": {
    "reportId": "<report_id>",
    "status": "AVAILABLE"
  }
}

Error envelope

Failed requests return a stable envelope containing a status, a machine-readable code, and a user-safe message.

{
  "success": false,
  "error": {
    "code": "FORBIDDEN",
    "message": "You are not authorized for this tenant context."
  }
}
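
An added example (not the platform's own client code) of how an integration might apply the Authentication and Error envelope sections together: it refuses cleartext transport, checks the `crp.<lookup>.<secret>` key shape, keeps the secret out of logs, and fails closed on any response that is not a success envelope. The host `api.example.invalid`, the function names, the character set allowed in key parts, and the client-local `MALFORMED_RESPONSE` code are assumptions of this example.

```python
import json
import re
import urllib.request
from urllib.parse import urlsplit

# Key shape from the page: crp.<lookup>.<secret>. The allowed character set is assumed.
KEY_RE = re.compile(r"crp\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)")


class ApiError(Exception):
    """Any response that is not a well-formed success envelope."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code, self.message = code, message


def redact_key(api_key):
    """Log-safe form: keep the lookup part, hide the secret."""
    m = KEY_RE.fullmatch(api_key)
    return f"crp.{m.group(1)}.<redacted>" if m else "<malformed key>"


def build_request(base_url, path, api_key, tenant_id, method="GET"):
    """Build (not send) a request; refuse cleartext transport and bad keys."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base_url must be an https:// origin")
    if not KEY_RE.fullmatch(api_key):
        raise ValueError("API key does not match crp.<lookup>.<secret>")
    if not path.startswith("/api/v1/"):
        raise ValueError("path must start with /api/v1/")
    headers = {
        "Authorization": f"Bearer {api_key}",  # or x-api-key, per the header table
        "x-tenant-id": tenant_id,
        "Accept": "application/json",
    }
    url = f"https://{parts.netloc}{path}"
    return urllib.request.Request(url, headers=headers, method=method)


def parse_envelope(body):
    """Return 'data' on success; raise ApiError for anything else (fail closed)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        doc = None
    if isinstance(doc, dict) and doc.get("success") is True and isinstance(doc.get("data"), dict):
        return doc["data"]
    err = doc.get("error") if isinstance(doc, dict) else None
    if isinstance(err, dict) and isinstance(err.get("code"), str):
        raise ApiError(err["code"], str(err.get("message", "")))
    # MALFORMED_RESPONSE is a client-local code, not one the platform defines.
    raise ApiError("MALFORMED_RESPONSE", "response did not match the documented envelope")


if __name__ == "__main__":
    key = "crp.demoLookup01.demoSecretValue99"  # constructed sample key
    req = build_request("https://api.example.invalid", "/api/v1/dashboard/summary", key, "tenant-demo")
    print(req.get_method(), req.full_url, "key:", redact_key(key))
```

Log `redact_key(...)` output rather than the raw key, and branch on `ApiError.code` instead of matching on the message text.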