Endpoint Catalogue
A high-level listing of the REST endpoints CertifyClouds exposes, organised by domain. For exact request and response shapes, query parameters, error codes, and rate limits, see the live OpenAPI / Swagger UI on your deployment at https://<your-deployment>/docs.
This page is for orientation: "is there an endpoint that does X?" The live spec is for integration: "what exactly do I send, and what comes back?"
Source of truth
Hand-written JSON examples drift from code the moment a field is added, renamed, or removed. We deliberately don't publish them here. Your deployment's /docs is generated from the running code so it's always accurate for the version you're on.
Authentication
| Endpoint | Notes |
|---|---|
| POST /api/auth/login | Username + password → JWT bearer token |
| POST /api/auth/refresh | Refresh access token using refresh token |
| POST /api/auth/logout | Invalidate session |
| GET /api/auth/me | Current user info |
Health & system
| Endpoint | Notes |
|---|---|
| GET /health | Liveness probe (probes D1/KV/R2; returns 200 healthy / 503 degraded) |
| GET /api/system/version | Running version |
| GET /api/system/license | License tier, expiry, entitlements |
| GET /api/system/updates | Update availability against the central registry |
| GET /api/identity | Azure identity context (Service Principal / Managed Identity / CLI) |
Discovery (STARTER+)
Asset scanning for Key Vaults across configured subscriptions.
| Endpoint | Notes |
|---|---|
| POST /api/assets/discovery/scan | Start a scan (full or incremental) |
| GET /api/assets/discovery/scans | List recent scans |
| GET /api/assets/discovery/scans/{id} | Scan detail |
| GET /api/assets/discovery/assets | List discovered assets with filters |
| GET /api/assets/discovery/assets/{id} | Asset detail |
| GET /api/assets/discovery/vaults | Per-vault summary |
Compliance (STARTER+)
Evidence aggregation, framework mappings, custom rules, evidence packages.
See the Compliance feature page and the Compliance disclaimer for what "compliance evidence" means here.
| Endpoint | Notes |
|---|---|
| GET /api/compliance/score | Aggregate score + per-product breakdown |
| GET /api/compliance/violations | Current violations across enabled rules |
| GET /api/compliance/frameworks | List supported frameworks (HIPAA, PCI-DSS, SOC 2, ISO 27001, NIST 800-53, CIS Azure, Azure Security Benchmark) |
| GET /api/compliance/frameworks/{id} | Per-control evidence detail for one framework |
| GET /api/compliance/rules | Built-in + custom compliance rules |
| POST /api/compliance/rules | Create custom rule (admin) |
| PUT /api/compliance/rules/{id} | Update custom rule (admin) |
| DELETE /api/compliance/rules/{id} | Delete custom rule (admin) |
| POST /api/compliance/rules/test | Preview a rule against the current scan without persisting it (admin, rate-limited) |
| GET /api/compliance/evidence-package | Generate the consolidated evidence package as a JSON or PDF bundle (admin) |
Alerts (STARTER+)
Email, generic webhook, Slack, Microsoft Teams, and PagerDuty delivery on rule triggers.
| Endpoint | Notes |
|---|---|
| GET /api/alerts/rules | List alert rules |
| POST /api/alerts/rules | Create alert rule |
| PATCH /api/alerts/rules/{id} | Update alert rule |
| DELETE /api/alerts/rules/{id} | Delete alert rule |
| POST /api/alerts/rules/{id}/test | Dispatch a test notification |
| GET /api/alerts/history | Recent alert deliveries with status |
PagerDuty rules carry their Integration Key (routing_key) instead of a webhook URL; see the Alerts feature page.
Audit (STARTER+)
Append-only audit trail. Exports are auditor-grade: a hash-chained CSV with an HMAC-signed manifest, or a PDF evidence bundle with a customer management assertion.
| Endpoint | Notes |
|---|---|
| GET /api/audit | List audit entries with filters |
| GET /api/audit/stats | Aggregate counts (total / today / by severity) |
| GET /api/audit/export?format=csv | Hash-chained CSV with HMAC-signed manifest (admin) |
| GET /api/audit/export?format=pdf | Evidence bundle PDF: cover page + embedded CSV + customer management assertion (admin) |
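The CSV export above is described as hash-chained with an HMAC-signed manifest, but the catalogue does not give the layout. The block below is an added example, not CertifyClouds' own code, of how such an export is built and, more usefully, how an auditor verifies one: the manifest HMAC is checked first (so a forged manifest is rejected before any row is trusted), then every chain link is recomputed to localise a tampered row, then the chain head and row count are compared with the signed manifest to catch truncation. The column names, the chaining rule (SHA-256 over the previous hash plus a canonical JSON encoding of the row), the manifest fields, the key and the sample entries are all assumptions constructed for the example; take the real layout from your deployment's /docs.

```python
from __future__ import annotations
import csv
import hashlib
import hmac
import io
import json

GENESIS = "0" * 64                                        # prev_hash of the first row
FIELDS = ("seq", "timestamp", "actor", "action", "severity")   # assumed content columns
COLUMNS = FIELDS + ("prev_hash", "hash")                  # assumed CSV layout


def row_hash(prev_hash: str, row: dict) -> str:
    """Link i = SHA-256(link i-1 || canonical JSON of the row's content fields)."""
    payload = json.dumps([row[f] for f in FIELDS], separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON of every manifest field except the signature."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def export_audit(entries: list[dict], key: bytes) -> tuple[bytes, dict]:
    """Server side: write the chained CSV and sign a manifest that pins its head and length."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    prev = GENESIS
    for entry in entries:
        link = row_hash(prev, entry)
        writer.writerow({**{f: entry[f] for f in FIELDS}, "prev_hash": prev, "hash": link})
        prev = link
    data = buf.getvalue().encode()
    manifest = {"row_count": len(entries), "final_hash": prev,
                "csv_sha256": hashlib.sha256(data).hexdigest()}
    manifest["signature"] = sign_manifest(manifest, key)
    return data, manifest


def verify_audit(data: bytes, manifest: dict, key: bytes) -> tuple[bool, str]:
    """Auditor side: trust the manifest only via its HMAC, then check every link against it."""
    if not hmac.compare_digest(sign_manifest(manifest, key), manifest.get("signature", "")):
        return False, "manifest HMAC mismatch (forged manifest or wrong key)"
    prev = GENESIS
    rows = list(csv.DictReader(io.StringIO(data.decode())))
    for i, row in enumerate(rows):                        # walk the chain to localise tampering
        if row["prev_hash"] != prev:
            return False, f"row {i}: prev_hash does not link to the previous row"
        if row["hash"] != row_hash(prev, row):
            return False, f"row {i}: content does not match its stored hash"
        prev = row["hash"]
    if len(rows) != manifest["row_count"] or prev != manifest["final_hash"]:
        return False, "chain head or row count differs from manifest (rows dropped or appended)"
    if hashlib.sha256(data).hexdigest() != manifest["csv_sha256"]:
        return False, "CSV bytes differ from the signed digest"
    return True, "ok"


def demo() -> dict:
    key = b"constructed-demo-key"                          # the real key never leaves the server
    entries = [                                            # constructed sample audit entries
        {"seq": "1", "timestamp": "2024-05-01T10:00:00Z", "actor": "alice",
         "action": "auth.login", "severity": "info"},
        {"seq": "2", "timestamp": "2024-05-01T10:05:00Z", "actor": "alice",
         "action": "rotation.trigger", "severity": "high"},
        {"seq": "3", "timestamp": "2024-05-01T10:06:00Z", "actor": "bob",
         "action": "settings.update", "severity": "medium"},
    ]
    data, manifest = export_audit(entries, key)
    results = {"clean": verify_audit(data, manifest, key)}
    # Edit one field in place: the manifest still verifies, but the link for that row breaks.
    results["edited"] = verify_audit(data.replace(b"rotation.trigger", b"rotation.disable"),
                                     manifest, key)
    # Drop the last row: every remaining link is intact, so only the manifest exposes it.
    truncated = data[: data.rfind(b"\n", 0, len(data) - 1) + 1]
    results["truncated"] = verify_audit(truncated, manifest, key)
    # An auditor holding the wrong key must reject the manifest before reading any rows.
    results["wrong_key"] = verify_audit(data, manifest, b"not-the-key")
    return results
```

The order of checks matters: a hash chain alone only proves rows are internally consistent, so an attacker who can rewrite the file can simply re-chain it; the signed manifest is what binds the chain head and row count to a key the attacker does not hold, and the chain is what tells the auditor which row was changed.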
Subscriptions
| Endpoint | Notes |
|---|---|
| GET /api/subscriptions | List configured Azure subscriptions |
| POST /api/subscriptions | Add subscription |
| DELETE /api/subscriptions/{id} | Remove subscription |
| POST /api/subscriptions/{id}/test | Test Azure connectivity |
STARTER tier is capped at 4 subscriptions.
Rotation (PRO + ENTERPRISE)
App Registration secret and certificate rotation. STARTER tier is limited to 3 manual rotations per month.
| Endpoint | Notes |
|---|---|
| POST /api/automation/rotation/discover | Discover App Registrations |
| GET /api/automation/rotation/inventory | List App Registrations with credential counts |
| GET /api/automation/rotation/records | Configured rotation records |
| POST /api/automation/rotation/records | Create rotation record (probes the target vault first) |
| PUT /api/automation/rotation/records/{id} | Update rotation record |
| POST /api/automation/rotation/records/{id}/rotate | Trigger rotation |
| GET /api/automation/history | Rotation history |
Sync (PRO + ENTERPRISE)
Replicate Azure Key Vault secrets, certificates and keys to AWS Secrets Manager, Parameter Store and ACM; to GCP Secret Manager and Certificate Manager; and to other Azure Key Vaults.
| Endpoint | Notes |
|---|---|
| GET /api/automation/sync/configs | Provider configurations |
| POST /api/automation/sync/configs | Create provider configuration |
| GET /api/automation/sync/records | Per-secret sync records |
| POST /api/automation/sync/records/{id}/sync | Trigger sync for one record |
| GET /api/automation/sync/history | Sync execution history |
Dependencies (PRO + ENTERPRISE)
Credential → downstream Azure resource mapping for blast-radius analysis and full-stack rotation.
| Endpoint | Notes |
|---|---|
| GET /api/assets/dependencies | List credential → resource mappings |
| GET /api/assets/dependencies/{credentialId} | Blast radius for one credential |
| POST /api/assets/dependencies/full-stack-rotate | Rotate credential and update all downstream resources |
Settings
| Endpoint | Notes |
|---|---|
| GET /api/settings | Get effective settings (DB → env → default resolution) |
| PUT /api/settings/{category}/{key} | Update a setting (admin) |
| DELETE /api/settings/{category}/{key} | Reset a setting to its default (admin) |
The settings UI in the dashboard is the primary surface; the API exists for automation. Setting categories are documented in Environment Variables.
SSO (PRO + ENTERPRISE)
OIDC and Azure AD identity providers. (SAML is on the roadmap; not yet shipped.)
| Endpoint | Notes |
|---|---|
| GET /api/auth/sso/status | SSO configuration status |
| GET /api/auth/sso/config | Configuration detail (admin) |
| PUT /api/auth/sso/config | Update configuration (admin) |
| POST /api/auth/sso/test | Test the configured provider (admin) |
| GET /api/auth/sso/login | Initiate SSO login (browser redirect) |
| GET /api/auth/sso/callback | Provider callback target |
Users (PRO + ENTERPRISE)
Multi-user management. STARTER tier is single-user.
| Endpoint | Notes |
|---|---|
| GET /api/users | List users (admin) |
| POST /api/users | Create user (admin) |
| PUT /api/users/{id} | Update user (admin) |
| DELETE /api/users/{id} | Delete user (admin) |
| POST /api/users/{id}/unlock | Unlock a locked-out account (admin) |
B2C registry (PRO + ENTERPRISE)
Scan Azure AD B2C tenants for App Registration credentials.
| Endpoint | Notes |
|---|---|
| GET /api/b2c/tenants | Registered B2C tenants |
| POST /api/b2c/tenants | Register a B2C tenant (admin) |
| PUT /api/b2c/tenants/{id} | Update tenant (admin) |
| DELETE /api/b2c/tenants/{id} | Remove tenant (admin) |
| POST /api/b2c/tenants/{id}/discover | Run B2C credential discovery |
License tier gating
When you call an endpoint gated above your license (for example a PRO endpoint with a STARTER license), the server returns HTTP 403 with a structured error naming the required tier. The exact error body shape is documented in your deployment's /docs; the dashboard surfaces it as an upgrade prompt. Clients should treat this 403 differently from an authorisation failure: retrying or re-authenticating will not help, and the response tells you which tier would.
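The login → bearer token → refresh flow from the Authentication table, together with the tier-gated 403 described above, as an added example in Python. This is not CertifyClouds' own client code. The request and response field names (username, password, refresh_token, access_token) and the 403 body carrying a required_tier field are assumptions; take the real shapes from your deployment's /docs. The transport is pluggable so the same client runs against the constructed FakeStarterServer below, offline, and against a real deployment via urllib_transport.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Any, Callable, Optional

Transport = Callable[[str, str, dict, Optional[dict]], tuple]  # (method, path, headers, json) -> (status, body)


def urllib_transport(base_url: str) -> Transport:
    """Standard-library transport for a real deployment; base_url like https://host (no trailing /)."""
    def send(method, path, headers, json_body):
        data = None if json_body is None else json.dumps(json_body).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method, headers={**headers, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:        # 4xx/5xx: keep the structured error body
            raw = err.read()
            return err.code, (json.loads(raw) if raw.startswith(b"{") else raw.decode(errors="replace"))
    return send


class TierRequiredError(PermissionError):
    """HTTP 403 because the endpoint is gated above the deployment's license tier."""
    def __init__(self, path: str, required_tier: str, body: Any):
        super().__init__(f"{path} requires license tier {required_tier}")
        self.path, self.required_tier, self.body = path, required_tier, body


@dataclass
class CertifyCloudsClient:
    transport: Transport
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None

    def _token_call(self, path: str, payload: dict) -> None:
        # Field names are ASSUMED; take the real request/response shapes from /docs.
        status, body = self.transport("POST", path, {}, payload)
        if status != 200:
            raise PermissionError(f"{path} failed: HTTP {status} {body}")
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)  # rotated or reused

    def login(self, username: str, password: str) -> None:
        self._token_call("/api/auth/login", {"username": username, "password": password})

    def refresh(self) -> None:
        self._token_call("/api/auth/refresh", {"refresh_token": self.refresh_token})

    def call(self, method: str, path: str, json_body: Optional[dict] = None) -> Any:
        for attempt in (1, 2):
            headers = {"Authorization": f"Bearer {self.access_token}"}
            status, body = self.transport(method, path, headers, json_body)
            if status == 401 and attempt == 1 and self.refresh_token:
                self.refresh()                        # expired access token: refresh once, retry once
                continue
            if status == 403 and isinstance(body, dict) and "required_tier" in body:
                raise TierRequiredError(path, body["required_tier"], body)   # ASSUMED 403 body shape
            if status >= 400:
                raise RuntimeError(f"{method} {path} -> HTTP {status}: {body}")
            return body


class FakeStarterServer:
    """Constructed in-memory stand-in for a STARTER-tier deployment so the demo runs offline."""
    def __init__(self):
        self.current_access, self.paths = "tok-1", []

    def __call__(self, method, path, headers, json_body):
        self.paths.append(path)
        if path == "/api/auth/login":
            ok = json_body == {"username": "admin", "password": "correct horse"}
            return (200, {"access_token": "tok-1", "refresh_token": "ref-1"}) if ok else (401, {"error": "bad credentials"})
        if path == "/api/auth/refresh" and json_body.get("refresh_token") == "ref-1":
            self.current_access = "tok-2"
            return 200, {"access_token": "tok-2"}
        if headers.get("Authorization") != f"Bearer {self.current_access}":
            return 401, {"error": "token expired or invalid"}
        if path == "/api/auth/me":
            return 200, {"username": "admin", "role": "admin"}
        if path.startswith("/api/users"):           # PRO + ENTERPRISE endpoint on a STARTER license
            return 403, {"error": "license_tier_required", "required_tier": "PRO"}
        return 404, {"error": "not found"}


def demo() -> dict:
    server = FakeStarterServer()
    client = CertifyCloudsClient(transport=server)   # real use: urllib_transport("https://host")
    client.login("admin", "correct horse")
    me = client.call("GET", "/api/auth/me")
    server.current_access = "expired"                # server-side expiry of the access token
    me_again = client.call("GET", "/api/auth/me")     # 401 -> refresh -> retry, transparent to caller
    try:
        client.call("GET", "/api/users")
        gated = None
    except TierRequiredError as err:
        gated = err.required_tier
    return {"me": me, "me_again": me_again, "token": client.access_token, "gated_tier": gated, "paths": server.paths}
```

Two choices worth copying into a real integration: the refresh is attempted exactly once per call, so a revoked refresh token surfaces as an error instead of a retry loop, and a tier-gated 403 is raised as its own exception type so automation can stop (or open an upgrade ticket) rather than treating it as a transient auth failure.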
Support
If something in /docs doesn't match what your client receives: support@certifyclouds.com.