Secureframe API (2023-10-18)

Secureframe exposes a REST API for use by customers, partners, and community developers.

The Secureframe API uses resource-oriented endpoints and returns responses as standard JSON following the JSON:API specification. Search uses Lucene query syntax, so reserved characters in user-supplied search values must be escaped before they are placed in a query.
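The escaping step for Lucene-syntax search, as an added example that is not part of the Secureframe documentation or its client libraries: user-supplied text is backslash-escaped before it is placed in a query, so that operators in the input ("foo OR *", "status:passing") cannot change what the query matches. The reserved characters are those of the Lucene classic query parser; the field names used are placeholders, and whether a given endpoint parses the value with exactly that grammar is an assumption to confirm against the endpoint's documentation.

```python
# Added example, not from the Secureframe documentation: escape untrusted text
# before interpolating it into a Lucene-syntax search query. Field names and the
# assumption that the endpoint uses the classic query-parser grammar are ours.

# Reserved characters of the Lucene classic query parser, plus space so that a
# single value always stays a single term (escaped spaces cannot become an
# implicit OR/AND boundary, and "OR"/"AND"/"NOT" inside the value stay literal).
LUCENE_SPECIALS = set('+-!(){}[]^"~*?:\\/&| ')


def lucene_escape(value: str) -> str:
    """Backslash-escape every reserved character (and whitespace) in one value."""
    return "".join(f"\\{ch}" if ch in LUCENE_SPECIALS else ch for ch in value)


def field_query(field: str, value: str) -> str:
    """Build 'field:value' from a trusted field name and an untrusted value.

    The field name must come from code, never from the user; a simple
    identifier check keeps operators out of that position too.
    """
    if not field.isidentifier():
        raise ValueError(f"bad field name: {field!r}")
    return f"{field}:{lucene_escape(value)}"


if __name__ == "__main__":
    # Constructed inputs: an attacker-style value that tries to widen the search.
    print(field_query("name", "Risk Manager"))          # name:Risk\ Manager
    print(field_query("status", "passing OR (*)"))      # status:passing\ OR\ \(\*\)
```

The check a practitioner wants is the second print: the operators survive only as escaped literals, so the query still matches one exact value rather than everything.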

API URL (latest version):


Authentication

Secureframe uses API keys to authenticate requests. A key is issued to a specific company and user pairing and carries that user's permissions. The API secret is shown only once, at key creation: store it in a secrets manager, keep it out of source control and shared channels, and if you lose it, revoke the key and generate a new one.

To view, create, and revoke API keys, navigate to the Secureframe Console -> Your Profile -> Company settings -> API keys. This page is protected by RBAC and only accessible by certain roles. To authenticate with an API key and secret, send both in the Authorization header, separated by a single space:

--header 'Authorization: <YOUR_API_KEY> <YOUR_SECRET_KEY>'

Requests made over plain HTTP are redirected to HTTPS. Do not rely on that redirect: a client that sends the Authorization header to an http:// URL has already exposed the key and secret on the wire before the redirect arrives. Always call the https:// URL directly.


Authorization

Secureframe uses role-based access control (RBAC) to decide whether a request is authorized. The permissions that apply are those of the company and user pairing the API key was issued to, so a key can never do more than the user it belongs to.

As an example, suppose a user is assigned to a custom role called "Risk Manager", and that role does not have permission to view Tests. A request to a Tests endpoint made with an API key and secret issued to that user fails with 403 Forbidden.

To determine the permissions of each role, navigate to the Secureframe Console -> Personnel -> Personnel settings -> Roles and click into the applicable role.

Creating a Request

Reference the template below in cURL for creating a request with parameters. <REQUEST_URL> stands for the full https:// endpoint URL, including any query parameters:

curl --location -g --request GET '<REQUEST_URL>' \
     --header 'Authorization: <YOUR_API_KEY> <YOUR_SECRET_KEY>'

Note: the API does not support bulk updates; each request updates exactly one object. To update many objects, loop over them and issue one request per object, keeping the rate limit described below in mind.
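A client loop that follows the rules above, as an added example that is not Secureframe's own client code: it builds the Authorization header exactly as specified, refuses to send it over plain HTTP, backs off on HTTP 429 (the rate-limit response documented below), and mimics a bulk update with one request per object. The base URL, the '/v1/things' path, the PATCH method and the JSON:API-style request body are assumptions, and FakeServer is a constructed stand-in for the API so the code runs offline.

```python
# Added example (not Secureframe's own client code): Authorization header,
# HTTPS enforcement, 429 backoff, and a per-object loop in place of bulk updates.
# Base URL, '/v1/things', PATCH and the body shape are assumptions; FakeServer
# is a constructed stand-in that only mimics the documented 401/429 behaviour.
import json
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# transport(method, url, headers, body) -> (http_status, decoded_json_body)
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, dict]]


def auth_header(api_key: str, secret: str) -> Dict[str, str]:
    """Build 'Authorization: <KEY> <SECRET>' exactly as the page specifies."""
    if not api_key or not secret:
        raise ValueError("API key and secret are both required")
    if any(ch.isspace() for ch in api_key + secret):
        # whitespace separates key from secret, so neither may contain it
        raise ValueError("API key/secret must not contain whitespace")
    return {"Authorization": f"{api_key} {secret}"}


def ensure_https(url: str) -> str:
    """Never rely on the server's http->https redirect: by the time the redirect
    arrives, the credential header has already crossed the network in the clear."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send credentials to non-HTTPS URL: {url}")
    return url


def request_with_retry(transport: Transport, method: str, url: str,
                       headers: Dict[str, str], body: bytes = b"",
                       max_attempts: int = 5, sleep=time.sleep) -> dict:
    """Send one request, retrying with capped exponential backoff on 429."""
    url = ensure_https(url)
    for attempt in range(max_attempts):
        status, payload = transport(method, url, headers, body)
        if status == 429:                 # rate limited: wait, then retry
            sleep(min(2 ** attempt, 30))
            continue
        if status in (401, 403):          # bad credential or RBAC denial: never retry
            raise PermissionError(f"{status}: {payload}")
        if status >= 400:
            raise RuntimeError(f"{status}: {payload}")
        return payload
    raise RuntimeError(f"still rate limited after {max_attempts} attempts: {url}")


def bulk_update(transport: Transport, base_url: str, headers: Dict[str, str],
                path: str, updates: Dict[str, dict], **kw) -> Dict[str, dict]:
    """The API updates one object per request, so loop: one PATCH per object id."""
    results = {}
    for obj_id, attributes in updates.items():
        body = json.dumps({"data": {"id": obj_id, "attributes": attributes}}).encode()
        results[obj_id] = request_with_retry(
            transport, "PATCH", f"{base_url}{path}/{obj_id}", headers, body, **kw)
    return results


class FakeServer:
    """Constructed stand-in for the API: checks the header, enforces a tiny
    sliding-window limit so the 429 path is exercised, and echoes the update."""

    def __init__(self, limit: int = 3, window: float = 5.0,
                 valid: Tuple[str, str] = ("KEY", "SECRET")):
        self.limit, self.window, self.valid = limit, window, valid
        self.now = 0.0        # fake clock, advanced by sleep() instead of time.sleep
        self.accepted, self.calls = [], []

    def sleep(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, self.now))
        if headers.get("Authorization") != " ".join(self.valid):
            return 401, {"errors": [{"status": "401"}]}
        self.accepted = [t for t in self.accepted if self.now - t < self.window]
        if len(self.accepted) >= self.limit:
            return 429, {"errors": [{"status": "429"}]}
        self.accepted.append(self.now)
        attributes = json.loads(body)["data"]["attributes"]
        return 200, {"data": {"id": url.rsplit("/", 1)[-1], "attributes": attributes}}


def run_demo():
    """Four updates against a limit of three per window: the fourth is rate
    limited, backs off (1s, 2s, 4s on the fake clock) and then succeeds."""
    server = FakeServer()
    headers = auth_header("KEY", "SECRET")
    updates = {f"obj-{i}": {"status": "accepted"} for i in range(4)}
    results = bulk_update(server, "https://api.example.invalid", headers,
                          "/v1/things", updates, sleep=server.sleep)
    return results, server


if __name__ == "__main__":
    results, server = run_demo()
    print(f"{len(results)} objects updated in {len(server.calls)} requests")
```

Two design points: 401 and 403 are raised immediately rather than retried, because repeating a request with a bad key or an under-privileged role only adds noise to the Audit Log; and the backoff is driven by an injectable sleep so the same loop can run against a fake clock in tests and against time.sleep in production.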

Request History

API requests, just like console-based requests, are tracked in the Audit Log. Note that API and console requests are not differentiated visually, so if you need to tell an integration's activity apart from a person's console activity, issue the integration's API key to a dedicated user rather than to a person's account.

To access the Audit Log, navigate to the Secureframe Console -> Your Profile -> Company settings -> Audit Log. This page is protected by RBAC and only accessible by certain roles.

Rate Limiting

Requests are limited to 500 requests per minute per IP address. Once the limit is exceeded, further requests from that address are rejected with HTTP 429 Too Many Requests until the rate drops back under the limit. Clients behind a shared egress address (for example a NAT gateway) share this budget.


HTTP Status Codes

HTTP Status Code              Description
200 - OK                      Request successful.
400 - Bad Request             Invalid request.
401 - Unauthorized            Invalid authentication: the API key and/or secret is invalid.
403 - Forbidden               Invalid authorization: the user's role lacks permission for the requested resource (RBAC).
429 - Too Many Requests       The rate limit of 500 requests per minute has been reached for this IP address.
500 - Internal Server Error   Server-side error.


API Versioning

Secureframe makes many additive API changes; these are backwards compatible and are supported in all API versions:

  • Adding operations
  • Adding optional parameters
  • Adding optional request headers
  • Adding response attributes
  • Adding response headers

Backwards incompatible changes require Secureframe to release a new dated API version, as they can break an integration:

  • Removing operations
  • Removing, renaming, or changing the type of a parameter
  • Adding a required parameter or making a previously optional parameter required
  • Removing attributes from responses
  • Adding a required header
  • Introducing new parameter data validation constraints
  • Updating authentication and authorization mechanisms
Dated Version (Release Date) API URL Deprecation Date
2023-10-18 -

API Changelog


  • Released API Dated Version 2023-10-18
  • Initial release.