Admin API
The Admin API provides endpoints for managing Surface Security through the dashboard or custom integrations. All endpoints are under the /api/v1/admin prefix unless otherwise noted.
Authentication: JWT Bearer token in the Authorization header:
Authorization: Bearer <access-token>
Obtain tokens via POST /api/v1/auth/login (see Authentication API). Refresh via POST /api/v1/auth/refresh. All endpoints enforce tenant isolation.
Rate Limit: 100 requests per 60 seconds per client IP (configurable via RATE_LIMIT_RPS).
Common Error Response
{
"error": "descriptive error message"
}
| Status | Meaning |
|---|---|
| 400 | Bad request or validation error |
| 401 | Missing or invalid JWT token |
| 403 | Insufficient permissions or license expired |
| 404 | Resource not found |
| 409 | Conflict (duplicate resource) |
| 429 | Rate limit exceeded (check Retry-After header) |
| 500 | Internal server error |
Pagination
List endpoints support pagination via query parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
page | integer | 1 | Page number (1-indexed) |
page_size | integer | 20 | Items per page |
Paginated responses use the resource name as the array key (e.g. alerts, users, devices) and include paging metadata. The exact set of metadata fields varies by endpoint, but fully-paginated endpoints return:
{
"alerts": [],
"total": 0,
"page": 1,
"pageSize": 20,
"totalPages": 0
}
Some smaller admin lists (e.g. GET /admin/admin-users, GET /admin/groups) return the full tenant-scoped set and only include <resource> and total. Check the individual endpoint for its response shape.
Current User
Get Current User
GET /api/v1/admin/me
Returns the authenticated admin user's profile.
Re-authenticate (Verify Password)
POST /api/v1/admin/verify-password
Exchanges the user's password for a short-lived re-auth token. The token gates privileged operations (e.g. rotating threat-intel API keys or disabling MFA from settings).
Body:
{
"password": "current-password"
}
Response:
{
"reAuthToken": "opaque-token",
"expiresIn": 300
}
MFA Management
Get MFA Status
GET /api/v1/admin/mfa/status
Begin MFA Setup
POST /api/v1/admin/mfa/setup
Returns a TOTP secret and QR code for setting up an authenticator app.
Verify MFA Setup
POST /api/v1/admin/mfa/setup/verify
Confirms MFA setup by verifying a TOTP code from the authenticator app.
Disable MFA
DELETE /api/v1/admin/mfa
Employees (Users)
List Employees
GET /api/v1/admin/users
Query Parameters: page, page_size, search, department, status
Create Employee
POST /api/v1/admin/users
Body:
{
"email": "jane@example.com",
"displayName": "Jane Smith",
"department": "Engineering",
"jobTitle": "Software Engineer"
}
Get Employee Details
GET /api/v1/admin/users/{userID}
Update Employee
PUT /api/v1/admin/users/{userID}
Delete Employee
DELETE /api/v1/admin/users/{userID}
Bulk Delete Employees
DELETE /api/v1/admin/users/bulk
Bulk Import
POST /api/v1/admin/users/import
Body: multipart/form-data with a file field containing a CSV file.
Get User Credentials
GET /api/v1/admin/users/{userID}/credentials
Returns credential telemetry for the user (sites where credentials were entered, reuse status, HIBP status).
Get User Credential Stats
GET /api/v1/admin/users/{userID}/credentials/stats
Get User Credential Reuse Records
GET /api/v1/admin/users/{userID}/credentials/reuse-records
Get User Groups
GET /api/v1/admin/users/{userID}/groups
Update User Groups
PUT /api/v1/admin/users/{userID}/groups
Tenant Credential Stats
GET /api/v1/admin/credential-stats
Returns aggregate credential statistics across all users in the tenant.
Alerts
List Alerts
GET /api/v1/admin/alerts
Query Parameters:
| Parameter | Type | Description |
|---|---|---|
page | integer | Page number (default: 1) |
page_size | integer | Items per page (default: 20) |
severity | string | Filter: critical, high, medium, low |
alert_type | string | Filter by alert type |
status | string | Filter: open, acknowledged, resolved, false_positive |
start_date | string | ISO 8601 start date |
end_date | string | ISO 8601 end date |
Get Alert Details
GET /api/v1/admin/alerts/{alertID}
Get Related Alerts
GET /api/v1/admin/alerts/{alertID}/related
Alert Statistics
GET /api/v1/admin/alerts/stats
Alert Trend
GET /api/v1/admin/alerts/trend
Alert Trend by Severity
GET /api/v1/admin/alerts/trend/by-severity
List Aggregated Alerts
GET /api/v1/admin/alerts/aggregated
Acknowledge Alert
PUT /api/v1/admin/alerts/{alertID}/acknowledge
Body:
{
"notes": "Investigating this alert"
}
Resolve Alert
PUT /api/v1/admin/alerts/{alertID}/resolve
Body:
{
"resolution": "Confirmed false positive from internal testing",
"status": "resolved"
}
Status must be resolved or false_positive.
Assign Alert
PUT /api/v1/admin/alerts/{alertID}/assign
Claim Alert
PUT /api/v1/admin/alerts/{alertID}/claim
Assigns the alert to the current authenticated admin user.
Reopen Alert
PUT /api/v1/admin/alerts/{alertID}/reopen
Update Alert Severity
PUT /api/v1/admin/alerts/{alertID}/severity
Forward Alert to Portal
POST /api/v1/admin/alerts/{alertID}/forward
Forwards the alert to the Surface Security Portal (portal.surface-security.com) for centralized management.
Triage Metrics
GET /api/v1/admin/alerts/triage-metrics
Returns MTTR / MTTA / acknowledgment and resolution rates for the current tenant.
Query Parameters:
| Parameter | Type | Description |
|---|---|---|
timeframe | string | One of 24h, 7d, 30d, 90d (default 7d) |
Record Policy Action
PUT /api/v1/admin/alerts/{alertID}/policy-action
Records the policy action taken after resolving an alert as a true positive (created new policy, added to existing, skipped, advanced).
Body:
{
"action": "created",
"policyId": "uuid",
"policyName": "Block suspicious domain"
}
action must be one of created, added_to_existing, skipped, advanced.
Portal Status
GET /api/v1/admin/portal/status
Returns the connection status to the Surface Security Portal (portal.surface-security.com).
Security Posture
GET /api/v1/admin/security-posture
Returns the overall security posture score and breakdown for the tenant.
Endpoints
List Discovered Endpoints
GET /api/v1/admin/endpoints
Query Parameters: page, page_size, classification, search
Endpoint Statistics
GET /api/v1/admin/endpoints/stats
Get Endpoint Details
GET /api/v1/admin/endpoints/{endpointID}
Returns endpoint details including technology fingerprints.
Get Endpoint Users
GET /api/v1/admin/endpoints/{endpointID}/users
Update Endpoint Classification
PUT /api/v1/admin/endpoints/{endpointID}/classification
Authentication Endpoints
List Authentication Endpoints
GET /api/v1/admin/auth-endpoints
Returns authentication endpoints with IDP analysis (Microsoft Entra, Okta, Google Workspace, etc.).
Authentication Endpoint Statistics
GET /api/v1/admin/auth-endpoints/stats
Returns authentication metrics including MFA adoption rates, IDP breakdown, and auth method statistics.
Get Authentication Endpoint Details
GET /api/v1/admin/auth-endpoints/{authEndpointID}
Get Authentication Endpoint Users
GET /api/v1/admin/auth-endpoints/{authEndpointID}/users
List SSO Relying Parties
GET /api/v1/admin/auth-endpoints/{authEndpointID}/relying-parties
Update MFA Override
PUT /api/v1/admin/auth-endpoints/{authEndpointID}/mfa-override
Attack Surface
Get Attack Surface Summary
GET /api/v1/admin/attack-surface
Get Domain Details
GET /api/v1/admin/attack-surface/domain/{domain}
Get Subdomain Details
GET /api/v1/admin/attack-surface/subdomain/{subdomain}
Devices
List Devices
GET /api/v1/admin/devices
Query Parameters: page, page_size, user_id, status
Get Device Details
GET /api/v1/admin/devices/{deviceID}
Get Device Extensions
GET /api/v1/admin/devices/{deviceID}/extensions
Revoke Device
PUT /api/v1/admin/devices/{deviceID}/revoke
Revokes the device's mTLS certificate, preventing further communication with the backend.
Request Device Wipe
PUT /api/v1/admin/devices/{deviceID}/wipe
Signals the extension to clear all local data on the next heartbeat.
Silence Stale Device Alerts
PUT /api/v1/admin/devices/{deviceID}/silence-stale-alerts
Delete Device
DELETE /api/v1/admin/devices/{deviceID}
Fleet Health
GET /api/v1/admin/fleet-health
Returns fleet-wide health metrics (active devices, stale devices, enrollment status).
Support Bundle
GET /api/v1/admin/support-bundle
Generates a diagnostic support bundle for troubleshooting. Requires super_admin role.
Policies
List Policies
GET /api/v1/admin/policies
Create Policy
POST /api/v1/admin/policies
Body:
{
"name": "Block phishing domains",
"description": "Prevents credential entry on known phishing sites",
"priority": 1,
"rules": [],
"isEnabled": true
}
Test Policy
POST /api/v1/admin/policies/test
Evaluates a policy against test input without saving it.
Get Policy
GET /api/v1/admin/policies/{policyID}
Update Policy
PUT /api/v1/admin/policies/{policyID}
Delete Policy
DELETE /api/v1/admin/policies/{policyID}
Domain Scope
List Domain Scopes
GET /api/v1/admin/domain-scope
Create Domain Scope
POST /api/v1/admin/domain-scope
Delete Domain Scope
DELETE /api/v1/admin/domain-scope/{domainID}
Settings
Get Tenant Settings
GET /api/v1/admin/settings
Update Tenant Settings
PUT /api/v1/admin/settings
Body:
{
"extensionMode": "warn",
"learningThreshold": 2,
"hibpEnabled": true,
"alertEmailEnabled": true
}
Get Alert Severity Settings
GET /api/v1/admin/settings/alert-severity
Update Alert Severity Settings
PUT /api/v1/admin/settings/alert-severity
Get Retention Settings
GET /api/v1/admin/settings/retention
Returns current event and stream retention windows (in days) along with the license's retention limits.
Get License Info
GET /api/v1/admin/settings/license
Update License
PUT /api/v1/admin/settings/license
Update Mobile Access by Role
PUT /api/v1/admin/settings/mobile-access-by-role
Sets which admin roles are allowed to sign in from the mobile (iOS) app.
Body:
{
"mobileAccess": {
"admin": true,
"analyst": true,
"executive": false
}
}
Keys are admin role types (super_admin, admin, analyst, executive); values are booleans. Roles omitted from the map retain their current setting. Response echoes the cleaned map: {"mobileAccess": {...}}.
Admin User Management
List Admin Users
GET /api/v1/admin/admin-users
Create Admin User
POST /api/v1/admin/admin-users
List Admin Roles
GET /api/v1/admin/admin-users/roles
Returns available admin roles: super_admin, admin, analyst, viewer.
Get Admin User
GET /api/v1/admin/admin-users/{userID}
Update Admin User
PUT /api/v1/admin/admin-users/{userID}
Delete Admin User
DELETE /api/v1/admin/admin-users/{userID}
Reset Admin Password
POST /api/v1/admin/admin-users/{userID}/reset-password
Generates a one-time password for the admin user. The response includes temporaryPassword (shown only once) and marks the account as requiring password change on next login.
Toggle Mobile Access
PUT /api/v1/admin/admin-users/{userID}/mobile-access
Toggles the per-admin-user mobile app access flag.
Unblock Keys
List Unblock Keys
GET /api/v1/admin/unblock-keys
Generate Unblock Key
POST /api/v1/admin/unblock-keys
Phishing Whitelist
List Phishing Whitelist
GET /api/v1/admin/phishing-whitelist
Create Phishing Whitelist Entry
POST /api/v1/admin/phishing-whitelist
Delete Phishing Whitelist Entry
DELETE /api/v1/admin/phishing-whitelist/{entryID}
Threat Intelligence
Get Threat Intel Settings
GET /api/v1/admin/threat-intel/settings
Response:
{
"urlscanEnabled": true,
"urlscanConfigured": true,
"virustotalEnabled": false,
"virustotalConfigured": false
}
Update Threat Intel Settings
PUT /api/v1/admin/threat-intel/settings
Body:
{
"urlscanEnabled": true,
"virustotalEnabled": true
}
Save API Key
PUT /api/v1/admin/threat-intel/api-key
Body:
{
"service": "urlscan",
"apiKey": "your-api-key-here"
}
Service must be urlscan or virustotal.
Test API Key
POST /api/v1/admin/threat-intel/test
Body:
{
"service": "urlscan"
}
SSO Configuration
List SSO Configs
GET /api/v1/admin/sso-configs
Create SSO Config
POST /api/v1/admin/sso-configs
Test SSO Config
POST /api/v1/admin/sso-configs/test
Get SSO Config Details
GET /api/v1/admin/sso-configs/{configID}
Update SSO Config
PUT /api/v1/admin/sso-configs/{configID}
Delete SSO Config
DELETE /api/v1/admin/sso-configs/{configID}
Org-Managed Tenant SSO
These endpoints let an MSSP organization owner view and configure each managed
tenant's SSO from the org panel, without signing in to the tenant. They operate on the
same sso_configs store as the tenant endpoints above; a config created here is a normal
tenant SSO config and the end-user login flow is unchanged (users still authenticate
through the tenant's /api/v1/auth/sso/* and /api/v1/auth/saml/* endpoints — see the
Auth API).
Authentication & authorization:
- All endpoints require an org-admin session (the
/api/v1/orgsurface), not a tenant-admin token. {tenantId}is bounded to the org's accessible tenants. A tenant outside the org, or aconfigIdthat does not belong to the bounded tenant, returns 404 (no information is leaked).- Reads (list, get) are open to any org role.
- Writes (create, update, delete) require the
org_ownerrole plus a single-use re-authentication token in theX-ReAuth-Tokenheader (obtained fromPOST /api/v1/org/verify-password). The re-auth gate is enforced before the tenant is resolved. - Test (OIDC discovery probe) requires the
org_ownerrole.
Secrets (clientSecret, SAML SP signing key) are write-only: they are accepted on
create/update but never returned by the read endpoints.
List Tenant SSO Configs
GET /api/v1/org/tenants/{tenantId}/sso-configs
Returns { "configs": [...] } (secret-free summaries).
Create Tenant SSO Config
POST /api/v1/org/tenants/{tenantId}/sso-configs
Headers: X-ReAuth-Token. Body is identical to the tenant
POST /api/v1/admin/sso-configs body.
Test Tenant SSO Config
POST /api/v1/org/tenants/{tenantId}/sso-configs/test
Body: { "issuerUrl": "...", "clientId": "..." }. Probes OIDC discovery for the issuer;
reads no tenant data.
Get Tenant SSO Config Details
GET /api/v1/org/tenants/{tenantId}/sso-configs/{configId}
Update Tenant SSO Config
PUT /api/v1/org/tenants/{tenantId}/sso-configs/{configId}
Headers: X-ReAuth-Token. Partial update; omit clientSecret/SAML SP key to keep the
current value.
Delete Tenant SSO Config
DELETE /api/v1/org/tenants/{tenantId}/sso-configs/{configId}
Headers: X-ReAuth-Token.
Org-Login SSO
These endpoints let an MSSP organization configure its OWN OIDC identity provider for
authenticating org admins to the org panel — distinct from the per-tenant SSO above
(which configures a managed tenant's IdP). They operate on the separate org_sso_configs
store. An org admin is matched by their verified email; accounts are never
auto-created, and the IdP is the MFA authority (no separate local TOTP challenge).
Config Management
Authentication & authorization:
- All config endpoints require an org-admin session (the
/api/v1/orgsurface). - Reads (list, get) are open to any org role.
- Writes (create, update, delete, require-SSO toggle) require the
org_ownerrole plus a single-use re-authentication token in theX-ReAuth-Tokenheader (fromPOST /api/v1/org/verify-password). - Test (OIDC discovery probe) requires the
org_ownerrole. - The
clientSecretis write-only: accepted on create/update, never returned by reads.
GET /api/v1/org/sso-configs # list (secret-free); also returns requireSso
POST /api/v1/org/sso-configs # create (X-ReAuth-Token)
POST /api/v1/org/sso-configs/test # OIDC discovery probe { issuerUrl, clientId }
PUT /api/v1/org/sso-configs/require # toggle require-SSO { requireSso } (X-ReAuth-Token)
GET /api/v1/org/sso-configs/{configId} # details (secret-free)
PUT /api/v1/org/sso-configs/{configId} # update; omit clientSecret to keep current (X-ReAuth-Token)
DELETE /api/v1/org/sso-configs/{configId} # delete (X-ReAuth-Token)
Enabling require-SSO is refused unless at least one enabled SSO config exists
(self-lockout guard); when set, the org's password login path
(POST /api/v1/org/auth/login) is rejected for that org. The RECOVERY_KEY break-glass
path is unaffected.
Login Flow (pre-auth)
These run before any session exists, are rate-limited, and carry no auth middleware:
POST /api/v1/org/auth/sso/discover # { email } -> { ssoAvailable, loginUrl } (uniform shape)
GET /api/v1/org/auth/sso/status # ?host=/?slug= -> { ssoAvailable, loginUrl } (branded page)
GET /api/v1/org/auth/sso/login # starts the OIDC code flow (org bound in signed state)
GET /api/v1/org/auth/sso/callback # IdP return; verifies the assertion, mints a handoff code
POST /api/v1/org/auth/sso/exchange # { code } -> { accessToken, refreshToken, user }
The callback authenticates the IdP assertion (verified email required), matches the admin
within the state's bound org, re-applies the account-state/role/trial gates, then redirects
to /login?org_sso_code=<code> with a single-use, ~60s handoff code — never a token in
the URL. The SPA exchanges that code at /exchange for the org session (tokens returned in
the JSON body only; the session is minted at exchange, never stored at rest). Any rejection
redirects to /login?org_sso_error=<reason> and issues no session.
Active Countermeasures
List Canary Cookies
GET /api/v1/admin/active-countermeasures/canary-cookies
Create Canary Cookie
POST /api/v1/admin/active-countermeasures/canary-cookies
Update Canary Cookie
PUT /api/v1/admin/active-countermeasures/canary-cookies/{cookieID}
Delete Canary Cookie
DELETE /api/v1/admin/active-countermeasures/canary-cookies/{cookieID}
Alert Notifications
Get Notification Settings
GET /api/v1/admin/alert-notifications/settings
Update Notification Settings
PUT /api/v1/admin/alert-notifications/settings
Save SMTP Password
PUT /api/v1/admin/alert-notifications/smtp-password
Save Webhook Secret
PUT /api/v1/admin/alert-notifications/webhook-secret
Test Email Notification
POST /api/v1/admin/alert-notifications/test-email
Test Webhook Notification
POST /api/v1/admin/alert-notifications/test-webhook
List Push Notification Rules
GET /api/v1/admin/alert-notifications/push-rules
Returns the rules that decide which alerts fan out as iOS push notifications to on-call engineers.
Create Push Notification Rule
POST /api/v1/admin/alert-notifications/push-rules
Update Push Notification Rule
PUT /api/v1/admin/alert-notifications/push-rules/{ruleId}
Delete Push Notification Rule
DELETE /api/v1/admin/alert-notifications/push-rules/{ruleId}
Mobile (iOS App)
Manages iOS push-device registrations and per-admin preferences used by the Surface Security iOS companion app.
List Registered Devices
GET /api/v1/admin/mobile/devices
Register Device
POST /api/v1/admin/mobile/devices
Registers an APNs device token for the current admin user.
Unregister Device
DELETE /api/v1/admin/mobile/devices/{deviceId}
Get Mobile Preferences
GET /api/v1/admin/mobile/preferences
Update Mobile Preferences
PUT /api/v1/admin/mobile/preferences
On-Call Rotation
Schedules and overrides for the on-call rotation that drives push-rule targeting.
Current On-Call
GET /api/v1/admin/on-call/current
Returns the admin user currently on call.
Upcoming On-Call
GET /api/v1/admin/on-call/upcoming
Returns the upcoming on-call shifts.
List Schedules
GET /api/v1/admin/on-call/schedules
Create Schedule
POST /api/v1/admin/on-call/schedules
Get Schedule
GET /api/v1/admin/on-call/schedules/{scheduleId}
Update Schedule
PUT /api/v1/admin/on-call/schedules/{scheduleId}
Delete Schedule
DELETE /api/v1/admin/on-call/schedules/{scheduleId}
Create Override
POST /api/v1/admin/on-call/overrides
Creates a one-time override (e.g. for PTO coverage) that takes precedence over the scheduled rotation.
Delete Override
DELETE /api/v1/admin/on-call/schedules/{scheduleId}/overrides/{overrideId}
Extension Monitoring
Get Monitoring Settings
GET /api/v1/admin/extension-monitoring/settings
Update Monitoring Settings
PUT /api/v1/admin/extension-monitoring/settings
List Extension Whitelist
GET /api/v1/admin/extension-monitoring/whitelist
Create Whitelist Entry
POST /api/v1/admin/extension-monitoring/whitelist
Quick-Add Whitelist Entry
POST /api/v1/admin/extension-monitoring/whitelist/quick-add
Get Whitelist Entry
GET /api/v1/admin/extension-monitoring/whitelist/{entryID}
Update Whitelist Entry
PUT /api/v1/admin/extension-monitoring/whitelist/{entryID}
Delete Whitelist Entry
DELETE /api/v1/admin/extension-monitoring/whitelist/{entryID}
List Extension Inventory
GET /api/v1/admin/extension-monitoring/inventory
Extension Inventory Stats
GET /api/v1/admin/extension-monitoring/inventory/stats
List Unwhitelisted Extensions
GET /api/v1/admin/extension-monitoring/inventory/unwhitelisted
Extension Aggregates
GET /api/v1/admin/extension-monitoring/inventory/aggregates
List Extension Events
GET /api/v1/admin/extension-monitoring/events
Get Extension Detail
GET /api/v1/admin/extension-monitoring/extension/{extensionID}
Signatures
List Signatures
GET /api/v1/admin/signatures
Create Signature
POST /api/v1/admin/signatures
Update Signature
PUT /api/v1/admin/signatures/{signatureID}
Delete Signature
DELETE /api/v1/admin/signatures/{signatureID}
Upload Signature Pack
POST /api/v1/admin/signatures/upload
List Signature Packs
GET /api/v1/admin/signatures/packs
ClickFix Signatures
List ClickFix Signatures
GET /api/v1/admin/clickfix-signatures
Create ClickFix Signature
POST /api/v1/admin/clickfix-signatures
Update ClickFix Signature
PUT /api/v1/admin/clickfix-signatures/{signatureID}
Delete ClickFix Signature
DELETE /api/v1/admin/clickfix-signatures/{signatureID}
Screenshots
Get Screenshot Metadata
GET /api/v1/admin/screenshots/{screenshotID}
Response:
{
"id": "uuid",
"eventId": "uuid",
"url": "https://presigned-url...",
"origin": "https://suspicious-site.com",
"capturedAt": "2024-01-15T10:30:00Z"
}
Get Screenshot Image
GET /api/v1/admin/screenshots/{screenshotID}/image
Proxies the actual screenshot image from object storage.
Get Screenshot by Event ID
GET /api/v1/admin/screenshots/event/{eventID}
Integrations (Log Forwarding)
List Log Destinations
GET /api/v1/admin/integrations/log-destinations
Create Log Destination
POST /api/v1/admin/integrations/log-destinations
Update Log Destination
PUT /api/v1/admin/integrations/log-destinations/{destID}
Delete Log Destination
DELETE /api/v1/admin/integrations/log-destinations/{destID}
Test Log Destination
POST /api/v1/admin/integrations/log-destinations/{destID}/test
Events Viewer
Event Statistics
GET /api/v1/admin/events/stats
List Navigation Events
GET /api/v1/admin/events/navigation
List Credential Attempt Events
GET /api/v1/admin/events/credential-attempts
List Auth Flow Events
GET /api/v1/admin/events/auth-flow
Updates
Get Update Info
GET /api/v1/admin/updates/info
Get Extension Versions
GET /api/v1/admin/updates/extension-versions
Get Update History
GET /api/v1/admin/updates/history
Check for Updates
POST /api/v1/admin/updates/check
Apply Update
POST /api/v1/admin/updates/apply
Rollback Update
POST /api/v1/admin/updates/rollback
Upload Update Bundle
POST /api/v1/admin/updates/upload
Enrollment
Generate Enrollment Token
POST /api/v1/admin/enrollment/token
Body:
{
"expiresInDays": 7
}
Response:
{
"token": "abc123...",
"expiresAt": "2024-01-22T00:00:00Z"
}
Generate Bulk Enrollment Configurations
POST /api/v1/admin/enrollment/bulk-config
Body:
{
"count": 50,
"format": "json"
}
Format must be json or zip.
Get Enrollment Config
GET /api/v1/admin/enrollment/config
Returns the current enrollment configuration (API endpoint, tenant ID).
Certificates
Upload CA Certificate
POST /api/v1/admin/certificates/ca
Body:
{
"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"privateKey": "-----BEGIN EC PRIVATE KEY-----\n...\n-----END EC PRIVATE KEY-----"
}
| Field | Required | Description |
|---|---|---|
certificate | Yes | PEM-encoded CA certificate |
privateKey | Yes | PEM-encoded CA private key |
Delete CA Certificate
DELETE /api/v1/admin/certificates/ca
Get CA Status
GET /api/v1/admin/certificates/ca/status
TLS Certificate Management
Get TLS Status
GET /api/v1/admin/tls/status
Upload TLS Certificate
POST /api/v1/admin/tls/certificate
Search
Global Search
GET /api/v1/admin/search
Query Parameters:
| Parameter | Type | Description |
|---|---|---|
q | string | Search query |
type | string | Filter by resource type |
page | integer | Page number |
Searches across users, endpoints, and alerts. Returns categorized results.
Export Search Results
GET /api/v1/admin/search/export
Filters
Filter option endpoints for populating search dropdowns in the dashboard.
GET /api/v1/admin/filters/extensions
GET /api/v1/admin/filters/users
GET /api/v1/admin/filters/devices
GET /api/v1/admin/filters/alert-types
GET /api/v1/admin/filters/technologies
GET /api/v1/admin/filters/groups
Audit Log
List Audit Log
GET /api/v1/admin/audit-log
Query Parameters:
| Parameter | Type | Description |
|---|---|---|
page | integer | Page number |
page_size | integer | Items per page |
actor_id | string | Filter by admin user ID |
action | string | Filter by action type |
resource_type | string | Filter by resource type |
start_date | string | Start date (ISO 8601) |
end_date | string | End date (ISO 8601) |
Export Audit Log
GET /api/v1/admin/audit-log/export
Exports audit log as CSV or JSON.
Verify Audit Chain
GET /api/v1/admin/audit-log/verify
Verifies the HMAC-SHA256 tamper-detection chain integrity of the audit log.
SCIM Client Management
List SCIM OAuth Clients
GET /api/v1/admin/scim/clients
Create SCIM OAuth Client
POST /api/v1/admin/scim/clients
Returns the clientId and clientSecret for use with the OAuth Token endpoint.
Delete SCIM OAuth Client
DELETE /api/v1/admin/scim/clients/{clientID}
Directory Sources
List Directory Sources
GET /api/v1/admin/directory-sources
Create Directory Source
POST /api/v1/admin/directory-sources
Trigger All Directory Sync
POST /api/v1/admin/directory-sources/sync-all
Get Directory Source
GET /api/v1/admin/directory-sources/{sourceID}
Update Directory Source
PUT /api/v1/admin/directory-sources/{sourceID}
Delete Directory Source
DELETE /api/v1/admin/directory-sources/{sourceID}
Test Directory Source
POST /api/v1/admin/directory-sources/{sourceID}/test
Trigger Directory Sync
POST /api/v1/admin/directory-sources/{sourceID}/sync
Get Available Groups
GET /api/v1/admin/directory-sources/{sourceID}/groups
Update Synced Groups
PUT /api/v1/admin/directory-sources/{sourceID}/synced-groups
Groups
List Groups
GET /api/v1/admin/groups
Create Group
POST /api/v1/admin/groups
Get Group
GET /api/v1/admin/groups/{groupID}
Update Group
PUT /api/v1/admin/groups/{groupID}
Delete Group
DELETE /api/v1/admin/groups/{groupID}
Get Group Members
GET /api/v1/admin/groups/{groupID}/members
Add Group Members
POST /api/v1/admin/groups/{groupID}/members
Remove Group Member
DELETE /api/v1/admin/groups/{groupID}/members/{userID}
Get Group Policies
GET /api/v1/admin/groups/{groupID}/policies
Assign Group Policy
POST /api/v1/admin/groups/{groupID}/policies
Remove Group Policy
DELETE /api/v1/admin/groups/{groupID}/policies/{policyID}
Verification (Admin)
Admin-side verification management for the peer identity verification system.
Verify Daily Code
POST /api/v1/admin/verification/daily-code/verify
Verify OTP
POST /api/v1/admin/verification/otp/verify
Search Users for Verification
GET /api/v1/admin/verification/users
List Verification Audit Events
GET /api/v1/admin/verification/audit-events
List Verification Alerts
GET /api/v1/admin/verification/alerts
Mark Verification Alert Read
PUT /api/v1/admin/verification/alerts/{alertID}/read
Dashboard Analytics
Top Users by New Sites
GET /api/v1/admin/dashboard/top-users-new-sites
Top Users by Warnings
GET /api/v1/admin/dashboard/top-users-warnings
Top Alert Types
GET /api/v1/admin/dashboard/top-alert-types
Top Users by Breached Passwords
GET /api/v1/admin/dashboard/top-users-pwned
Dashboard Trends
GET /api/v1/admin/dashboard/trends
Policy Deployment Status
GET /api/v1/admin/dashboard/policy-deployment
Policy Deployment Trend
GET /api/v1/admin/dashboard/policy-deployment-trend
New Sites Trend
GET /api/v1/admin/dashboard/new-sites-trend
Day Detail
GET /api/v1/admin/dashboard/day-detail
Query Parameters:
| Parameter | Type | Description |
|---|---|---|
date | string | Date to get details for (ISO 8601) |