Skip to content

API Reference

CertifyClouds exposes a REST API that the web UI itself uses. Customers can automate the same operations programmatically.

Authoritative contract - your deployment's /docs

Every CertifyClouds deployment ships interactive Swagger UI at https://<your-deployment>/docs, plus the raw OpenAPI spec at /openapi.json. That's the source of truth for request and response shapes, schemas, error codes, and rate limits - always in sync with the version of CertifyClouds you're running.

See the API Reference page for the full pointer set.

The pages on this public docs site (Endpoints overview, Webhooks) describe what the API does and which surfaces exist, not the exact JSON shapes - those would drift out of sync the moment a field changes.

What you can do via the API

  • Trigger and monitor discovery scans
  • Query assets, compliance findings, alerts, audit log
  • Manage subscriptions and settings
  • Automate secret + certificate rotation (PRO + ENTERPRISE)
  • Sync to AWS / GCP (PRO + ENTERPRISE)
  • Generate auditor-grade evidence packages (PRO + ENTERPRISE)

Base URL

https://<your-deployment>/api

For local development: http://localhost:8080/api.

Authentication

Most endpoints require a JWT bearer token. To get one:

  1. Call POST /api/auth/login with username + password.
  2. Use the returned token in the Authorization: Bearer <token> header on subsequent requests.

The web UI uses HTTP-only cookies for browser sessions and the same JWT mechanism under the hood.

Exact login request / response shape: see /docs on your deployment.

Conventions

  • All endpoints are under /api/....
  • JSON request and response bodies use camelCase field names (with a few documented exceptions for OAuth2-spec compatibility on auth endpoints).
  • Timestamps are ISO 8601 UTC with explicit timezone marker (e.g. 2026-05-20T10:30:00+00:00).
  • Errors return non-2xx HTTP status with a JSON body. The exact shape and error codes per route are in /docs.
  • All endpoints are rate-limited; exceeding a limit returns HTTP 429 with a Retry-After header.

HTTP status codes

Code Meaning
2xx Success
400 Bad request - see response body for detail
401 Unauthorized - token missing, expired, or revoked
403 Forbidden - your license tier or role doesn't grant access
404 Not found
429 Rate-limited
5xx Server error - please report

SDKs

CertifyClouds does not ship official SDKs. The OpenAPI spec at /openapi.json can be fed to any code-generator (openapi-generator, openapi-python-client, etc.) to produce a client in your language.

Customers writing one-off integrations typically use a plain HTTP client: Python httpx, JavaScript fetch, Go net/http, PowerShell Invoke-RestMethod.

API sections in these docs

  • Endpoints overview

    The catalogue of available endpoints. See your deployment's /docs for exact contracts.

  • Webhooks

    How outbound webhook deliveries work (alert notifications).

  • API Reference details

    Where to find the live OpenAPI / Swagger UI / ReDoc on your deployment.

Support

For API questions: