REST API Endpoints¶

Complete reference for all CertifyClouds REST API endpoints.

Authentication¶

POST /auth/login
Content-Type: application/json

{
  "username": "admin",
  "password": "yourpassword"
}

Response:

{
  "access_token": "<token>",
  "token_type": "bearer",
  "expires_in": <seconds>
}

Logout¶

POST /auth/logout
Authorization: Bearer {token}

Get Current User¶

GET /auth/me
Authorization: Bearer {token}

Health & System¶

Health Check¶

GET /health

No authentication required.

License Status¶

GET /system/license/status

No authentication required.

Identity Info¶

GET /identity
Authorization: Bearer {token}

Returns current Azure identity information.

Discovery¶

Start Scan¶

POST /api/assets/discovery/scan
Authorization: Bearer {token}
Content-Type: application/json

{
  "mode": "full" | "delta" | "force",
  "subscriptions": ["sub-id-1", "sub-id-2"]  // optional
}

Get Scan Status¶

GET /api/assets/discovery/scan/{scan_id}/status
Authorization: Bearer {token}

Get Scan Results¶

GET /api/assets/discovery/scan/{scan_id}/results
Authorization: Bearer {token}

List Scans¶

GET /api/assets/discovery/scans
Authorization: Bearer {token}

Query params: limit, offset

List Assets¶

GET /api/assets/discovery/assets
Authorization: Bearer {token}

Query params: - type: secret, key, certificate - status: healthy, warning, critical, expired - vault: vault name filter - subscription: subscription ID

Get Asset Details¶

GET /api/assets/discovery/assets/{asset_id}
Authorization: Bearer {token}

List Vaults¶

GET /api/assets/discovery/vaults
Authorization: Bearer {token}

Compliance¶

Get Score¶

GET /compliance/score
Authorization: Bearer {token}

Response:

{
  "score": 87.5,
  "passed": 42,
  "failed": 6,
  "total": 48,
  "bySeverity": {
    "critical": 0,
    "high": 2,
    "medium": 3,
    "low": 1
  }
}

List Violations¶

GET /compliance/violations
Authorization: Bearer {token}

Query params: severity, framework, limit, offset

Evaluate Compliance¶

POST /compliance/evaluate
Authorization: Bearer {token}

List Frameworks¶

GET /compliance/frameworks
Authorization: Bearer {token}

Get Framework Details¶

GET /compliance/frameworks/{framework_id}
Authorization: Bearer {token}

Alerts¶

List Rules¶

GET /alerts/rules
Authorization: Bearer {token}

Create Rule¶

POST /alerts/rules
Authorization: Bearer {token}
Content-Type: application/json

{
  "name": "Expiring Secrets Alert",
  "alertType": "secret_expiring",
  "thresholdDays": 30,
  "deliveryMethod": "email",
  "deliveryMode": "digest",
  "recipients": ["team@company.com"],
  "enabled": true
}

Update Rule¶

PUT /alerts/rules/{rule_id}
Authorization: Bearer {token}
Content-Type: application/json

{
  "thresholdDays": 14,
  "enabled": false
}

Delete Rule¶

DELETE /alerts/rules/{rule_id}
Authorization: Bearer {token}

Test Rule¶

POST /alerts/rules/{rule_id}/test
Authorization: Bearer {token}

Get History¶

GET /alerts/history
Authorization: Bearer {token}

Query params: start_date, end_date, status

Subscriptions¶

List Subscriptions¶

GET /subscriptions
Authorization: Bearer {token}

Add Subscription¶

POST /subscriptions
Authorization: Bearer {token}
Content-Type: application/json

{
  "subscriptionId": "12345678-1234-1234-1234-123456789012",
  "name": "Production"
}

Remove Subscription¶

DELETE /subscriptions/{subscription_id}
Authorization: Bearer {token}

Test Connection¶

POST /subscriptions/{subscription_id}/test
Authorization: Bearer {token}

Audit¶

List Entries¶

GET /audit/entries
Authorization: Bearer {token}

Query params: - start_date: ISO 8601 date - end_date: ISO 8601 date - event_type: event type filter - actor: actor filter - limit, offset: pagination

Export Entries¶

GET /audit/export
Authorization: Bearer {token}

Query params: format (json, csv, pdf), start_date, end_date

Rotation (PRO)¶

Run Discovery¶

POST /api/automation/rotation/discover
Authorization: Bearer {token}

List Apps¶

GET /api/automation/rotation/apps
Authorization: Bearer {token}

Get Matches¶

GET /api/automation/rotation/apps/{app_id}/matches
Authorization: Bearer {token}

Rotate Secret¶

POST /api/automation/rotation/rotate
Authorization: Bearer {token}
Content-Type: application/json

{
  "appId": "12345678-1234-1234-1234-123456789012",
  "secretId": "secret-key-id",
  "expiryDays": 365,
  "updateKeyVaults": true
}

Get History¶

GET /api/automation/rotation/history
Authorization: Bearer {token}

Sync (PRO)¶

List Records¶

GET /api/automation/sync/records
Authorization: Bearer {token}

Create Record¶

POST /api/automation/sync/records
Authorization: Bearer {token}
Content-Type: application/json

{
  "sourceVault": "kv-production",
  "sourceSecret": "api-key",
  "targetProvider": "aws",
  "targetService": "secretsmanager",
  "targetName": "certifyclouds/api-key",
  "targetRegion": "us-east-1",
  "scheduleHours": 6,
  "enabled": true
}

Trigger Sync¶

POST /api/automation/sync/records/{record_id}/sync
Authorization: Bearer {token}

Get Status¶

GET /api/automation/sync/records/{record_id}/status
Authorization: Bearer {token}

Configure Provider¶

POST /api/automation/sync/providers/{provider}
Authorization: Bearer {token}
Content-Type: application/json

{
  "accessKeyId": "AKIA...",
  "secretAccessKey": "...",
  "region": "us-east-1"
}

Dependencies (PRO)¶

List Dependencies¶

GET /api/assets/dependencies
Authorization: Bearer {token}

Get Blast Radius¶

GET /api/assets/dependencies/blast-radius/{secret_id}
Authorization: Bearer {token}

Full-Stack Rotation¶

POST /api/assets/dependencies/rotate/{secret_id}
Authorization: Bearer {token}
Content-Type: application/json

{
  "includeResources": ["resource-id-1", "resource-id-2"],
  "skipVerification": false
}

Settings¶

Settings changed via the UI take precedence over environment variables. All changes are audit logged.

Get All Settings¶

GET /api/settings/all
Authorization: Bearer {token}

Response:

{
  "licenseTier": "PRO",
  "performance": [...],
  "features": [...],
  "logging": [...],
  "alertDefaults": [...],
  "retention": [...],
  "compliancePolicy": [...],
  "automation": [...]
}

Performance Settings¶

GET /api/settings/performance
Authorization: Bearer {token}

PUT /api/settings/performance
Authorization: Bearer {token}
Content-Type: application/json

{
  "discoveryMaxWorkers": 10,
  "discoveryScanTimeout": 300
}

Feature Flags¶

GET /api/settings/features
Authorization: Bearer {token}

PUT /api/settings/features
Authorization: Bearer {token}
Content-Type: application/json

{
  "enableNotifications": true,
  "enableComplianceScanning": true
}

Logging Settings¶

GET /api/settings/logging
Authorization: Bearer {token}

PUT /api/settings/logging
Authorization: Bearer {token}
Content-Type: application/json

{
  "logLevel": "INFO"
}

Valid values for logLevel: DEBUG, INFO, WARNING, ERROR

Alert Defaults¶

GET /api/settings/alert-defaults
Authorization: Bearer {token}

PUT /api/settings/alert-defaults
Authorization: Bearer {token}
Content-Type: application/json

{
  "defaultThresholdDays": 30
}

Compliance Policy¶

GET /api/settings/compliance-policy
Authorization: Bearer {token}

PUT /api/settings/compliance-policy
Authorization: Bearer {token}
Content-Type: application/json

{
  "criticalExpiryDays": 7,
  "warningExpiryDays": 30
}

Retention Settings¶

GET /api/settings/retention
Authorization: Bearer {token}

PUT /api/settings/retention
Authorization: Bearer {token}
Content-Type: application/json

{
  "auditRetentionDays": 365,
  "rotationRetentionDays": 90
}

Automation Settings¶

GET /api/settings/automation
Authorization: Bearer {token}

PUT /api/settings/automation
Authorization: Bearer {token}
Content-Type: application/json

{
  "rotationTriggerDays": 30,
  "defaultValidityDays": 365
}

Purge History¶

Purge all history tables:

POST /api/settings/retention/purge
Authorization: Bearer {token}
Content-Type: application/json

{
  "retentionDays": 90
}

retentionDays is optional. Omit to use the configured retention settings.

Purge a specific history type:

POST /api/settings/retention/purge/{history_type}
Authorization: Bearer {token}
Content-Type: application/json

{
  "retentionDays": 90
}

Valid history_type values: audit, rotation, sync, alerts

History Stats¶

GET /api/settings/retention/stats
Authorization: Bearer {token}

Reset a Setting¶

DELETE /api/settings/{category}/{key}
Authorization: Bearer {token}

Valid categories: performance, features, logging, alert-defaults, retention, compliance-policy, automation

Reset All Settings¶

DELETE /api/settings/all
Authorization: Bearer {token}

Removes all database overrides. Settings fall back to environment variables or defaults.

Azure DevOps Integration¶

GET /api/settings/integrations/ado
Authorization: Bearer {token}

PUT /api/settings/integrations/ado
Authorization: Bearer {token}
Content-Type: application/json

{
  "orgUrl": "https://dev.azure.com/contoso"
}

Set orgUrl to null to disable the integration.

POST /api/settings/integrations/ado/test
Authorization: Bearer {token}

PUT /api/settings/integrations/ado/projects
Authorization: Bearer {token}
Content-Type: application/json

{
  "projectIds": ["project-id-1", "project-id-2"]
}

Empty projectIds array scans all accessible projects.

SSO Configuration (PRO)¶

Single Sign-On via OIDC or SAML. Requires PRO license.

Get SSO Status¶

GET /auth/sso/status

No authentication required. Returns the minimal information needed to display the SSO login button.

Response:

{
  "enabled": true,
  "providerType": "oidc",
  "loginButtonText": "Sign in with Microsoft",
  "ssoOnlyMode": false
}

Get SSO Configuration¶

GET /auth/sso/config
Authorization: Bearer {token}

Returns the full SSO configuration. Client secrets are never returned.

Response:

{
  "providerType": "oidc",
  "isEnabled": true,
  "oidcIssuer": "https://login.microsoftonline.com/{tenant-id}/v2.0",
  "oidcClientId": "your-client-id",
  "oidcScopes": ["openid", "profile", "email"],
  "autoCreateUsers": true,
  "defaultRole": "user",
  "ssoOnlyMode": false,
  "loginButtonText": "Sign in with Microsoft",
  "totalSsoLogins": 42,
  "lastSuccessfulLoginAt": "2026-03-09T14:23:00Z"
}

Update SSO Configuration¶

PUT /auth/sso/config
Authorization: Bearer {token}
Content-Type: application/json

{
  "providerType": "oidc",
  "isEnabled": true,
  "oidcIssuer": "https://login.microsoftonline.com/{tenant-id}/v2.0",
  "oidcClientId": "your-client-id",
  "oidcClientSecret": "your-client-secret",
  "oidcScopes": ["openid", "profile", "email"],
  "autoCreateUsers": true,
  "defaultRole": "user",
  "ssoOnlyMode": false,
  "loginButtonText": "Sign in with Microsoft"
}

Test SSO Configuration¶

POST /auth/sso/config/test
Authorization: Bearer {token}
Content-Type: application/json

{
  "providerType": "oidc",
  "oidcIssuer": "https://login.microsoftonline.com/{tenant-id}/v2.0",
  "oidcClientId": "your-client-id",
  "oidcClientSecret": "your-client-secret"
}

Tests connectivity and endpoint discovery without saving the configuration.

Disable SSO¶

DELETE /auth/sso/config
Authorization: Bearer {token}

Disables SSO without deleting the configuration. Users can still log in with username and password.

Discover OIDC Endpoints¶

POST /auth/sso/discover
Content-Type: application/json

{
  "issuerUrl": "https://login.microsoftonline.com/{tenant-id}/v2.0"
}

No authentication required. Fetches the OIDC discovery document from the issuer's .well-known/openid-configuration endpoint.

GET /auth/sso/login?returnUrl=/home

No authentication required. Redirects the user to the identity provider. Used by the login page SSO button.

SSO Callback¶

GET /auth/sso/callback?code={code}&state={state}

No authentication required. Called by the identity provider after authentication. Completes login and sets session cookies, then redirects to the frontend.

Users (PRO)¶

List Users¶

GET /auth/users
Authorization: Bearer {token}

Create User¶

POST /auth/users
Authorization: Bearer {token}
Content-Type: application/json

{
  "username": "jsmith",
  "email": "jsmith@company.com",
  "password": "SecurePassword123!",
  "role": "user"
}

Update User¶

PUT /auth/users/{user_id}
Authorization: Bearer {token}
Content-Type: application/json

{
  "email": "john.smith@company.com",
  "role": "admin"
}

Delete User¶

DELETE /auth/users/{user_id}
Authorization: Bearer {token}

Unlock User¶

POST /auth/users/{user_id}/unlock
Authorization: Bearer {token}

B2C Registry (PRO)¶

List Tenants¶

GET /b2c/tenants
Authorization: Bearer {token}

Register Tenant¶

POST /b2c/tenants
Authorization: Bearer {token}
Content-Type: application/json

{
  "tenantId": "12345678-...",
  "tenantDomain": "company.onmicrosoft.com",
  "displayName": "Production B2C",
  "clientId": "...",
  "clientSecret": "...",
  "autoDiscover": true,
  "discoveryIntervalHours": 24
}

Discover Credentials¶

POST /b2c/tenants/{tenant_id}/discover
Authorization: Bearer {token}

Test Connection¶

POST /b2c/tenants/{tenant_id}/test
Authorization: Bearer {token}

REST API Endpoints¶

Authentication¶

Login¶

Logout¶

Get Current User¶

Health & System¶

Health Check¶

License Status¶

Identity Info¶

Discovery¶

Start Scan¶

Get Scan Status¶

Get Scan Results¶

List Scans¶

List Assets¶

Get Asset Details¶

List Vaults¶

Compliance¶

Get Score¶

List Violations¶

Evaluate Compliance¶

List Frameworks¶

Get Framework Details¶

Alerts¶

List Rules¶

Create Rule¶

Update Rule¶

Delete Rule¶

Test Rule¶

Get History¶

Subscriptions¶

List Subscriptions¶

Add Subscription¶

Remove Subscription¶

Test Connection¶

Audit¶

List Entries¶

Export Entries¶

Rotation (PRO)¶

Run Discovery¶

List Apps¶

Get Matches¶

Rotate Secret¶

Get History¶

Sync (PRO)¶

List Records¶

Create Record¶

Trigger Sync¶

Get Status¶

Configure Provider¶

Dependencies (PRO)¶

List Dependencies¶

Get Blast Radius¶

Full-Stack Rotation¶

Settings¶

Get All Settings¶

Performance Settings¶

Feature Flags¶

Logging Settings¶

Alert Defaults¶

Compliance Policy¶

Retention Settings¶

Automation Settings¶

Purge History¶

History Stats¶

Reset a Setting¶

Reset All Settings¶

Azure DevOps Integration¶

SSO Configuration (PRO)¶

Get SSO Status¶

Get SSO Configuration¶

Update SSO Configuration¶

Test SSO Configuration¶

Disable SSO¶

Discover OIDC Endpoints¶

Initiate SSO Login¶

SSO Callback¶

Users (PRO)¶

List Users¶

Create User¶