Skip to main content

Admin API

The Admin API provides endpoints for managing Surface Security through the dashboard or custom integrations. All endpoints are under the /api/v1/admin prefix unless otherwise noted.

Authentication: JWT Bearer token in the Authorization header:

Authorization: Bearer <access-token>

Obtain tokens via POST /api/v1/auth/login (see Authentication API). Refresh via POST /api/v1/auth/refresh. All endpoints enforce tenant isolation.

Rate Limit: 100 requests per 60 seconds per client IP (configurable via RATE_LIMIT_RPS).

Common Error Response

{
"error": "descriptive error message"
}
StatusMeaning
400Bad request or validation error
401Missing or invalid JWT token
403Insufficient permissions or license expired
404Resource not found
409Conflict (duplicate resource)
429Rate limit exceeded (check Retry-After header)
500Internal server error

Pagination

List endpoints support pagination via query parameters:

ParameterTypeDefaultDescription
pageinteger1Page number (1-indexed)
page_sizeinteger20Items per page

Paginated responses use the resource name as the array key (e.g. alerts, users, devices) and include paging metadata. The exact set of metadata fields varies by endpoint, but fully-paginated endpoints return:

{
"alerts": [],
"total": 0,
"page": 1,
"pageSize": 20,
"totalPages": 0
}

Some smaller admin lists (e.g. GET /admin/admin-users, GET /admin/groups) return the full tenant-scoped set and only include <resource> and total. Check the individual endpoint for its response shape.


Current User

Get Current User

GET /api/v1/admin/me

Returns the authenticated admin user's profile.

Re-authenticate (Verify Password)

POST /api/v1/admin/verify-password

Exchanges the user's password for a short-lived re-auth token. The token gates privileged operations (e.g. rotating threat-intel API keys or disabling MFA from settings).

Body:

{
"password": "current-password"
}

Response:

{
"reAuthToken": "opaque-token",
"expiresIn": 300
}

MFA Management

Get MFA Status

GET /api/v1/admin/mfa/status

Begin MFA Setup

POST /api/v1/admin/mfa/setup

Returns a TOTP secret and QR code for setting up an authenticator app.

Verify MFA Setup

POST /api/v1/admin/mfa/setup/verify

Confirms MFA setup by verifying a TOTP code from the authenticator app.

Disable MFA

DELETE /api/v1/admin/mfa

Employees (Users)

List Employees

GET /api/v1/admin/users

Query Parameters: page, page_size, search, department, status

Create Employee

POST /api/v1/admin/users

Body:

{
"email": "jane@example.com",
"displayName": "Jane Smith",
"department": "Engineering",
"jobTitle": "Software Engineer"
}

Get Employee Details

GET /api/v1/admin/users/{userID}

Update Employee

PUT /api/v1/admin/users/{userID}

Delete Employee

DELETE /api/v1/admin/users/{userID}

Bulk Delete Employees

DELETE /api/v1/admin/users/bulk

Bulk Import

POST /api/v1/admin/users/import

Body: multipart/form-data with a file field containing a CSV file.

Get User Credentials

GET /api/v1/admin/users/{userID}/credentials

Returns credential telemetry for the user (sites where credentials were entered, reuse status, HIBP status).

Get User Credential Stats

GET /api/v1/admin/users/{userID}/credentials/stats

Get User Credential Reuse Records

GET /api/v1/admin/users/{userID}/credentials/reuse-records

Get User Groups

GET /api/v1/admin/users/{userID}/groups

Update User Groups

PUT /api/v1/admin/users/{userID}/groups

Tenant Credential Stats

GET /api/v1/admin/credential-stats

Returns aggregate credential statistics across all users in the tenant.


Alerts

List Alerts

GET /api/v1/admin/alerts

Query Parameters:

ParameterTypeDescription
pageintegerPage number (default: 1)
page_sizeintegerItems per page (default: 20)
severitystringFilter: critical, high, medium, low
alert_typestringFilter by alert type
statusstringFilter: open, acknowledged, resolved, false_positive
start_datestringISO 8601 start date
end_datestringISO 8601 end date

Get Alert Details

GET /api/v1/admin/alerts/{alertID}
GET /api/v1/admin/alerts/{alertID}/related

Alert Statistics

GET /api/v1/admin/alerts/stats

Alert Trend

GET /api/v1/admin/alerts/trend

Alert Trend by Severity

GET /api/v1/admin/alerts/trend/by-severity

List Aggregated Alerts

GET /api/v1/admin/alerts/aggregated

Acknowledge Alert

PUT /api/v1/admin/alerts/{alertID}/acknowledge

Body:

{
"notes": "Investigating this alert"
}

Resolve Alert

PUT /api/v1/admin/alerts/{alertID}/resolve

Body:

{
"resolution": "Confirmed false positive from internal testing",
"status": "resolved"
}

Status must be resolved or false_positive.

Assign Alert

PUT /api/v1/admin/alerts/{alertID}/assign

Claim Alert

PUT /api/v1/admin/alerts/{alertID}/claim

Assigns the alert to the current authenticated admin user.

Reopen Alert

PUT /api/v1/admin/alerts/{alertID}/reopen

Update Alert Severity

PUT /api/v1/admin/alerts/{alertID}/severity

Forward Alert to Portal

POST /api/v1/admin/alerts/{alertID}/forward

Forwards the alert to the Surface Security Portal (portal.surface-security.com) for centralized management.

Triage Metrics

GET /api/v1/admin/alerts/triage-metrics

Returns MTTR / MTTA / acknowledgment and resolution rates for the current tenant.

Query Parameters:

ParameterTypeDescription
timeframestringOne of 24h, 7d, 30d, 90d (default 7d)

Record Policy Action

PUT /api/v1/admin/alerts/{alertID}/policy-action

Records the policy action taken after resolving an alert as a true positive (created new policy, added to existing, skipped, advanced).

Body:

{
"action": "created",
"policyId": "uuid",
"policyName": "Block suspicious domain"
}

action must be one of created, added_to_existing, skipped, advanced.


Portal Status

GET /api/v1/admin/portal/status

Returns the connection status to the Surface Security Portal (portal.surface-security.com).


Security Posture

GET /api/v1/admin/security-posture

Returns the overall security posture score and breakdown for the tenant.


Endpoints

List Discovered Endpoints

GET /api/v1/admin/endpoints

Query Parameters: page, page_size, classification, search

Endpoint Statistics

GET /api/v1/admin/endpoints/stats

Get Endpoint Details

GET /api/v1/admin/endpoints/{endpointID}

Returns endpoint details including technology fingerprints.

Get Endpoint Users

GET /api/v1/admin/endpoints/{endpointID}/users

Update Endpoint Classification

PUT /api/v1/admin/endpoints/{endpointID}/classification

Authentication Endpoints

List Authentication Endpoints

GET /api/v1/admin/auth-endpoints

Returns authentication endpoints with IDP analysis (Microsoft Entra, Okta, Google Workspace, etc.).

Authentication Endpoint Statistics

GET /api/v1/admin/auth-endpoints/stats

Returns authentication metrics including MFA adoption rates, IDP breakdown, and auth method statistics.

Get Authentication Endpoint Details

GET /api/v1/admin/auth-endpoints/{authEndpointID}

Get Authentication Endpoint Users

GET /api/v1/admin/auth-endpoints/{authEndpointID}/users

List SSO Relying Parties

GET /api/v1/admin/auth-endpoints/{authEndpointID}/relying-parties

Update MFA Override

PUT /api/v1/admin/auth-endpoints/{authEndpointID}/mfa-override

Attack Surface

Get Attack Surface Summary

GET /api/v1/admin/attack-surface

Get Domain Details

GET /api/v1/admin/attack-surface/domain/{domain}

Get Subdomain Details

GET /api/v1/admin/attack-surface/subdomain/{subdomain}

Devices

List Devices

GET /api/v1/admin/devices

Query Parameters: page, page_size, user_id, status

Get Device Details

GET /api/v1/admin/devices/{deviceID}

Get Device Extensions

GET /api/v1/admin/devices/{deviceID}/extensions

Revoke Device

PUT /api/v1/admin/devices/{deviceID}/revoke

Revokes the device's mTLS certificate, preventing further communication with the backend.

Request Device Wipe

PUT /api/v1/admin/devices/{deviceID}/wipe

Signals the extension to clear all local data on the next heartbeat.

Silence Stale Device Alerts

PUT /api/v1/admin/devices/{deviceID}/silence-stale-alerts

Delete Device

DELETE /api/v1/admin/devices/{deviceID}

Fleet Health

GET /api/v1/admin/fleet-health

Returns fleet-wide health metrics (active devices, stale devices, enrollment status).


Support Bundle

GET /api/v1/admin/support-bundle

Generates a diagnostic support bundle for troubleshooting. Requires super_admin role.


Policies

List Policies

GET /api/v1/admin/policies

Create Policy

POST /api/v1/admin/policies

Body:

{
"name": "Block phishing domains",
"description": "Prevents credential entry on known phishing sites",
"priority": 1,
"rules": [],
"isEnabled": true
}

Test Policy

POST /api/v1/admin/policies/test

Evaluates a policy against test input without saving it.

Get Policy

GET /api/v1/admin/policies/{policyID}

Update Policy

PUT /api/v1/admin/policies/{policyID}

Delete Policy

DELETE /api/v1/admin/policies/{policyID}

Domain Scope

List Domain Scopes

GET /api/v1/admin/domain-scope

Create Domain Scope

POST /api/v1/admin/domain-scope

Delete Domain Scope

DELETE /api/v1/admin/domain-scope/{domainID}

Settings

Get Tenant Settings

GET /api/v1/admin/settings

Update Tenant Settings

PUT /api/v1/admin/settings

Body:

{
"extensionMode": "warn",
"learningThreshold": 2,
"hibpEnabled": true,
"alertEmailEnabled": true
}

Get Alert Severity Settings

GET /api/v1/admin/settings/alert-severity

Update Alert Severity Settings

PUT /api/v1/admin/settings/alert-severity

Get Retention Settings

GET /api/v1/admin/settings/retention

Returns current event and stream retention windows (in days) along with the license's retention limits.

Get License Info

GET /api/v1/admin/settings/license

Update License

PUT /api/v1/admin/settings/license

Update Mobile Access by Role

PUT /api/v1/admin/settings/mobile-access-by-role

Sets which admin roles are allowed to sign in from the mobile (iOS) app.

Body:

{
"mobileAccess": {
"admin": true,
"analyst": true,
"executive": false
}
}

Keys are admin role types (super_admin, admin, analyst, executive); values are booleans. Roles omitted from the map retain their current setting. Response echoes the cleaned map: {"mobileAccess": {...}}.


Admin User Management

List Admin Users

GET /api/v1/admin/admin-users

Create Admin User

POST /api/v1/admin/admin-users

List Admin Roles

GET /api/v1/admin/admin-users/roles

Returns available admin roles: super_admin, admin, analyst, viewer.

Get Admin User

GET /api/v1/admin/admin-users/{userID}

Update Admin User

PUT /api/v1/admin/admin-users/{userID}

Delete Admin User

DELETE /api/v1/admin/admin-users/{userID}

Reset Admin Password

POST /api/v1/admin/admin-users/{userID}/reset-password

Generates a one-time password for the admin user. The response includes temporaryPassword (shown only once) and marks the account as requiring password change on next login.

Toggle Mobile Access

PUT /api/v1/admin/admin-users/{userID}/mobile-access

Toggles the per-admin-user mobile app access flag.


Unblock Keys

List Unblock Keys

GET /api/v1/admin/unblock-keys

Generate Unblock Key

POST /api/v1/admin/unblock-keys

Phishing Whitelist

List Phishing Whitelist

GET /api/v1/admin/phishing-whitelist

Create Phishing Whitelist Entry

POST /api/v1/admin/phishing-whitelist

Delete Phishing Whitelist Entry

DELETE /api/v1/admin/phishing-whitelist/{entryID}

Threat Intelligence

Get Threat Intel Settings

GET /api/v1/admin/threat-intel/settings

Response:

{
"urlscanEnabled": true,
"urlscanConfigured": true,
"virustotalEnabled": false,
"virustotalConfigured": false
}

Update Threat Intel Settings

PUT /api/v1/admin/threat-intel/settings

Body:

{
"urlscanEnabled": true,
"virustotalEnabled": true
}

Save API Key

PUT /api/v1/admin/threat-intel/api-key

Body:

{
"service": "urlscan",
"apiKey": "your-api-key-here"
}

Service must be urlscan or virustotal.

Test API Key

POST /api/v1/admin/threat-intel/test

Body:

{
"service": "urlscan"
}

SSO Configuration

List SSO Configs

GET /api/v1/admin/sso-configs

Create SSO Config

POST /api/v1/admin/sso-configs

Test SSO Config

POST /api/v1/admin/sso-configs/test

Get SSO Config Details

GET /api/v1/admin/sso-configs/{configID}

Update SSO Config

PUT /api/v1/admin/sso-configs/{configID}

Delete SSO Config

DELETE /api/v1/admin/sso-configs/{configID}

Org-Managed Tenant SSO

These endpoints let an MSSP organization owner view and configure each managed tenant's SSO from the org panel, without signing in to the tenant. They operate on the same sso_configs store as the tenant endpoints above; a config created here is a normal tenant SSO config and the end-user login flow is unchanged (users still authenticate through the tenant's /api/v1/auth/sso/* and /api/v1/auth/saml/* endpoints — see the Auth API).

Authentication & authorization:

  • All endpoints require an org-admin session (the /api/v1/org surface), not a tenant-admin token.
  • {tenantId} is bounded to the org's accessible tenants. A tenant outside the org, or a configId that does not belong to the bounded tenant, returns 404 (no information is leaked).
  • Reads (list, get) are open to any org role.
  • Writes (create, update, delete) require the org_owner role plus a single-use re-authentication token in the X-ReAuth-Token header (obtained from POST /api/v1/org/verify-password). The re-auth gate is enforced before the tenant is resolved.
  • Test (OIDC discovery probe) requires the org_owner role.

Secrets (clientSecret, SAML SP signing key) are write-only: they are accepted on create/update but never returned by the read endpoints.

List Tenant SSO Configs

GET /api/v1/org/tenants/{tenantId}/sso-configs

Returns { "configs": [...] } (secret-free summaries).

Create Tenant SSO Config

POST /api/v1/org/tenants/{tenantId}/sso-configs

Headers: X-ReAuth-Token. Body is identical to the tenant POST /api/v1/admin/sso-configs body.

Test Tenant SSO Config

POST /api/v1/org/tenants/{tenantId}/sso-configs/test

Body: { "issuerUrl": "...", "clientId": "..." }. Probes OIDC discovery for the issuer; reads no tenant data.

Get Tenant SSO Config Details

GET /api/v1/org/tenants/{tenantId}/sso-configs/{configId}

Update Tenant SSO Config

PUT /api/v1/org/tenants/{tenantId}/sso-configs/{configId}

Headers: X-ReAuth-Token. Partial update; omit clientSecret/SAML SP key to keep the current value.

Delete Tenant SSO Config

DELETE /api/v1/org/tenants/{tenantId}/sso-configs/{configId}

Headers: X-ReAuth-Token.


Org-Login SSO

These endpoints let an MSSP organization configure its OWN OIDC identity provider for authenticating org admins to the org panel — distinct from the per-tenant SSO above (which configures a managed tenant's IdP). They operate on the separate org_sso_configs store. An org admin is matched by their verified email; accounts are never auto-created, and the IdP is the MFA authority (no separate local TOTP challenge).

Config Management

Authentication & authorization:

  • All config endpoints require an org-admin session (the /api/v1/org surface).
  • Reads (list, get) are open to any org role.
  • Writes (create, update, delete, require-SSO toggle) require the org_owner role plus a single-use re-authentication token in the X-ReAuth-Token header (from POST /api/v1/org/verify-password).
  • Test (OIDC discovery probe) requires the org_owner role.
  • The clientSecret is write-only: accepted on create/update, never returned by reads.
GET /api/v1/org/sso-configs # list (secret-free); also returns requireSso
POST /api/v1/org/sso-configs # create (X-ReAuth-Token)
POST /api/v1/org/sso-configs/test # OIDC discovery probe { issuerUrl, clientId }
PUT /api/v1/org/sso-configs/require # toggle require-SSO { requireSso } (X-ReAuth-Token)
GET /api/v1/org/sso-configs/{configId} # details (secret-free)
PUT /api/v1/org/sso-configs/{configId} # update; omit clientSecret to keep current (X-ReAuth-Token)
DELETE /api/v1/org/sso-configs/{configId} # delete (X-ReAuth-Token)

Enabling require-SSO is refused unless at least one enabled SSO config exists (self-lockout guard); when set, the org's password login path (POST /api/v1/org/auth/login) is rejected for that org. The RECOVERY_KEY break-glass path is unaffected.

Login Flow (pre-auth)

These run before any session exists, are rate-limited, and carry no auth middleware:

POST /api/v1/org/auth/sso/discover # { email } -> { ssoAvailable, loginUrl } (uniform shape)
GET /api/v1/org/auth/sso/status # ?host=/?slug= -> { ssoAvailable, loginUrl } (branded page)
GET /api/v1/org/auth/sso/login # starts the OIDC code flow (org bound in signed state)
GET /api/v1/org/auth/sso/callback # IdP return; verifies the assertion, mints a handoff code
POST /api/v1/org/auth/sso/exchange # { code } -> { accessToken, refreshToken, user }

The callback authenticates the IdP assertion (verified email required), matches the admin within the state's bound org, re-applies the account-state/role/trial gates, then redirects to /login?org_sso_code=<code> with a single-use, ~60s handoff code — never a token in the URL. The SPA exchanges that code at /exchange for the org session (tokens returned in the JSON body only; the session is minted at exchange, never stored at rest). Any rejection redirects to /login?org_sso_error=<reason> and issues no session.


Active Countermeasures

List Canary Cookies

GET /api/v1/admin/active-countermeasures/canary-cookies
POST /api/v1/admin/active-countermeasures/canary-cookies
PUT /api/v1/admin/active-countermeasures/canary-cookies/{cookieID}
DELETE /api/v1/admin/active-countermeasures/canary-cookies/{cookieID}

Alert Notifications

Get Notification Settings

GET /api/v1/admin/alert-notifications/settings

Update Notification Settings

PUT /api/v1/admin/alert-notifications/settings

Save SMTP Password

PUT /api/v1/admin/alert-notifications/smtp-password

Save Webhook Secret

PUT /api/v1/admin/alert-notifications/webhook-secret

Test Email Notification

POST /api/v1/admin/alert-notifications/test-email

Test Webhook Notification

POST /api/v1/admin/alert-notifications/test-webhook

List Push Notification Rules

GET /api/v1/admin/alert-notifications/push-rules

Returns the rules that decide which alerts fan out as iOS push notifications to on-call engineers.

Create Push Notification Rule

POST /api/v1/admin/alert-notifications/push-rules

Update Push Notification Rule

PUT /api/v1/admin/alert-notifications/push-rules/{ruleId}

Delete Push Notification Rule

DELETE /api/v1/admin/alert-notifications/push-rules/{ruleId}

Mobile (iOS App)

Manages iOS push-device registrations and per-admin preferences used by the Surface Security iOS companion app.

List Registered Devices

GET /api/v1/admin/mobile/devices

Register Device

POST /api/v1/admin/mobile/devices

Registers an APNs device token for the current admin user.

Unregister Device

DELETE /api/v1/admin/mobile/devices/{deviceId}

Get Mobile Preferences

GET /api/v1/admin/mobile/preferences

Update Mobile Preferences

PUT /api/v1/admin/mobile/preferences

On-Call Rotation

Schedules and overrides for the on-call rotation that drives push-rule targeting.

Current On-Call

GET /api/v1/admin/on-call/current

Returns the admin user currently on call.

Upcoming On-Call

GET /api/v1/admin/on-call/upcoming

Returns the upcoming on-call shifts.

List Schedules

GET /api/v1/admin/on-call/schedules

Create Schedule

POST /api/v1/admin/on-call/schedules

Get Schedule

GET /api/v1/admin/on-call/schedules/{scheduleId}

Update Schedule

PUT /api/v1/admin/on-call/schedules/{scheduleId}

Delete Schedule

DELETE /api/v1/admin/on-call/schedules/{scheduleId}

Create Override

POST /api/v1/admin/on-call/overrides

Creates a one-time override (e.g. for PTO coverage) that takes precedence over the scheduled rotation.

Delete Override

DELETE /api/v1/admin/on-call/schedules/{scheduleId}/overrides/{overrideId}

Extension Monitoring

Get Monitoring Settings

GET /api/v1/admin/extension-monitoring/settings

Update Monitoring Settings

PUT /api/v1/admin/extension-monitoring/settings

List Extension Whitelist

GET /api/v1/admin/extension-monitoring/whitelist

Create Whitelist Entry

POST /api/v1/admin/extension-monitoring/whitelist

Quick-Add Whitelist Entry

POST /api/v1/admin/extension-monitoring/whitelist/quick-add

Get Whitelist Entry

GET /api/v1/admin/extension-monitoring/whitelist/{entryID}

Update Whitelist Entry

PUT /api/v1/admin/extension-monitoring/whitelist/{entryID}

Delete Whitelist Entry

DELETE /api/v1/admin/extension-monitoring/whitelist/{entryID}

List Extension Inventory

GET /api/v1/admin/extension-monitoring/inventory

Extension Inventory Stats

GET /api/v1/admin/extension-monitoring/inventory/stats

List Unwhitelisted Extensions

GET /api/v1/admin/extension-monitoring/inventory/unwhitelisted

Extension Aggregates

GET /api/v1/admin/extension-monitoring/inventory/aggregates

List Extension Events

GET /api/v1/admin/extension-monitoring/events

Get Extension Detail

GET /api/v1/admin/extension-monitoring/extension/{extensionID}

Signatures

List Signatures

GET /api/v1/admin/signatures

Create Signature

POST /api/v1/admin/signatures

Update Signature

PUT /api/v1/admin/signatures/{signatureID}

Delete Signature

DELETE /api/v1/admin/signatures/{signatureID}

Upload Signature Pack

POST /api/v1/admin/signatures/upload

List Signature Packs

GET /api/v1/admin/signatures/packs

ClickFix Signatures

List ClickFix Signatures

GET /api/v1/admin/clickfix-signatures

Create ClickFix Signature

POST /api/v1/admin/clickfix-signatures

Update ClickFix Signature

PUT /api/v1/admin/clickfix-signatures/{signatureID}

Delete ClickFix Signature

DELETE /api/v1/admin/clickfix-signatures/{signatureID}

Screenshots

Get Screenshot Metadata

GET /api/v1/admin/screenshots/{screenshotID}

Response:

{
"id": "uuid",
"eventId": "uuid",
"url": "https://presigned-url...",
"origin": "https://suspicious-site.com",
"capturedAt": "2024-01-15T10:30:00Z"
}

Get Screenshot Image

GET /api/v1/admin/screenshots/{screenshotID}/image

Proxies the actual screenshot image from object storage.

Get Screenshot by Event ID

GET /api/v1/admin/screenshots/event/{eventID}

Integrations (Log Forwarding)

List Log Destinations

GET /api/v1/admin/integrations/log-destinations

Create Log Destination

POST /api/v1/admin/integrations/log-destinations

Update Log Destination

PUT /api/v1/admin/integrations/log-destinations/{destID}

Delete Log Destination

DELETE /api/v1/admin/integrations/log-destinations/{destID}

Test Log Destination

POST /api/v1/admin/integrations/log-destinations/{destID}/test

Events Viewer

Event Statistics

GET /api/v1/admin/events/stats

List Navigation Events

GET /api/v1/admin/events/navigation

List Credential Attempt Events

GET /api/v1/admin/events/credential-attempts

List Auth Flow Events

GET /api/v1/admin/events/auth-flow

Updates

Get Update Info

GET /api/v1/admin/updates/info

Get Extension Versions

GET /api/v1/admin/updates/extension-versions

Get Update History

GET /api/v1/admin/updates/history

Check for Updates

POST /api/v1/admin/updates/check

Apply Update

POST /api/v1/admin/updates/apply

Rollback Update

POST /api/v1/admin/updates/rollback

Upload Update Bundle

POST /api/v1/admin/updates/upload

Enrollment

Generate Enrollment Token

POST /api/v1/admin/enrollment/token

Body:

{
"expiresInDays": 7
}

Response:

{
"token": "abc123...",
"expiresAt": "2024-01-22T00:00:00Z"
}

Generate Bulk Enrollment Configurations

POST /api/v1/admin/enrollment/bulk-config

Body:

{
"count": 50,
"format": "json"
}

Format must be json or zip.

Get Enrollment Config

GET /api/v1/admin/enrollment/config

Returns the current enrollment configuration (API endpoint, tenant ID).


Certificates

Upload CA Certificate

POST /api/v1/admin/certificates/ca

Body:

{
"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"privateKey": "-----BEGIN EC PRIVATE KEY-----\n...\n-----END EC PRIVATE KEY-----"
}
FieldRequiredDescription
certificateYesPEM-encoded CA certificate
privateKeyYesPEM-encoded CA private key

Delete CA Certificate

DELETE /api/v1/admin/certificates/ca

Get CA Status

GET /api/v1/admin/certificates/ca/status

TLS Certificate Management

Get TLS Status

GET /api/v1/admin/tls/status

Upload TLS Certificate

POST /api/v1/admin/tls/certificate

GET /api/v1/admin/search

Query Parameters:

ParameterTypeDescription
qstringSearch query
typestringFilter by resource type
pageintegerPage number

Searches across users, endpoints, and alerts. Returns categorized results.

Export Search Results

GET /api/v1/admin/search/export

Filters

Filter option endpoints for populating search dropdowns in the dashboard.

GET /api/v1/admin/filters/extensions
GET /api/v1/admin/filters/users
GET /api/v1/admin/filters/devices
GET /api/v1/admin/filters/alert-types
GET /api/v1/admin/filters/technologies
GET /api/v1/admin/filters/groups

Audit Log

List Audit Log

GET /api/v1/admin/audit-log

Query Parameters:

ParameterTypeDescription
pageintegerPage number
page_sizeintegerItems per page
actor_idstringFilter by admin user ID
actionstringFilter by action type
resource_typestringFilter by resource type
start_datestringStart date (ISO 8601)
end_datestringEnd date (ISO 8601)

Export Audit Log

GET /api/v1/admin/audit-log/export

Exports audit log as CSV or JSON.

Verify Audit Chain

GET /api/v1/admin/audit-log/verify

Verifies the HMAC-SHA256 tamper-detection chain integrity of the audit log.


SCIM Client Management

List SCIM OAuth Clients

GET /api/v1/admin/scim/clients

Create SCIM OAuth Client

POST /api/v1/admin/scim/clients

Returns the clientId and clientSecret for use with the OAuth Token endpoint.

Delete SCIM OAuth Client

DELETE /api/v1/admin/scim/clients/{clientID}

Directory Sources

List Directory Sources

GET /api/v1/admin/directory-sources

Create Directory Source

POST /api/v1/admin/directory-sources

Trigger All Directory Sync

POST /api/v1/admin/directory-sources/sync-all

Get Directory Source

GET /api/v1/admin/directory-sources/{sourceID}

Update Directory Source

PUT /api/v1/admin/directory-sources/{sourceID}

Delete Directory Source

DELETE /api/v1/admin/directory-sources/{sourceID}

Test Directory Source

POST /api/v1/admin/directory-sources/{sourceID}/test

Trigger Directory Sync

POST /api/v1/admin/directory-sources/{sourceID}/sync

Get Available Groups

GET /api/v1/admin/directory-sources/{sourceID}/groups

Update Synced Groups

PUT /api/v1/admin/directory-sources/{sourceID}/synced-groups

Groups

List Groups

GET /api/v1/admin/groups

Create Group

POST /api/v1/admin/groups

Get Group

GET /api/v1/admin/groups/{groupID}

Update Group

PUT /api/v1/admin/groups/{groupID}

Delete Group

DELETE /api/v1/admin/groups/{groupID}

Get Group Members

GET /api/v1/admin/groups/{groupID}/members

Add Group Members

POST /api/v1/admin/groups/{groupID}/members

Remove Group Member

DELETE /api/v1/admin/groups/{groupID}/members/{userID}

Get Group Policies

GET /api/v1/admin/groups/{groupID}/policies

Assign Group Policy

POST /api/v1/admin/groups/{groupID}/policies

Remove Group Policy

DELETE /api/v1/admin/groups/{groupID}/policies/{policyID}

Verification (Admin)

Admin-side verification management for the peer identity verification system.

Verify Daily Code

POST /api/v1/admin/verification/daily-code/verify

Verify OTP

POST /api/v1/admin/verification/otp/verify

Search Users for Verification

GET /api/v1/admin/verification/users

List Verification Audit Events

GET /api/v1/admin/verification/audit-events

List Verification Alerts

GET /api/v1/admin/verification/alerts

Mark Verification Alert Read

PUT /api/v1/admin/verification/alerts/{alertID}/read

Dashboard Analytics

Top Users by New Sites

GET /api/v1/admin/dashboard/top-users-new-sites

Top Users by Warnings

GET /api/v1/admin/dashboard/top-users-warnings

Top Alert Types

GET /api/v1/admin/dashboard/top-alert-types

Top Users by Breached Passwords

GET /api/v1/admin/dashboard/top-users-pwned
GET /api/v1/admin/dashboard/trends

Policy Deployment Status

GET /api/v1/admin/dashboard/policy-deployment

Policy Deployment Trend

GET /api/v1/admin/dashboard/policy-deployment-trend

New Sites Trend

GET /api/v1/admin/dashboard/new-sites-trend

Day Detail

GET /api/v1/admin/dashboard/day-detail

Query Parameters:

ParameterTypeDescription
datestringDate to get details for (ISO 8601)