Secureframe exposes a REST API for use by customers, partners, and community developers.
API URL (latest version): https://api.secureframe.com
Secureframe utilizes API keys to authenticate requests. API keys are assigned on a per company <> user basis. API secrets can only be viewed a single time at key creation. Please securely store your secrets and do not share your keys in a public medium. If you forget your secret, you must generate a new API key.
To view, create, and revoke API keys, navigate to the Secureframe Console -> Your Profile -> Company settings -> API keys. This page is protected by RBAC and only accessible by certain roles.
To authenticate with an API Key and Secret, include the header
'Authorization: <YOUR_API_KEY> <YOUR_KEY_SECRET>' in your request.
--header 'Authorization: <YOUR_API_KEY> <YOUR_SECRET_KEY>'
Requests made via HTTP will be redirected to HTTPS.
Secureframe utilizes role-based access control (RBAC) to determine which requests are authorized based on the assigned company <> user.
As an example, let’s say a user is assigned to a custom role called “Risk Manager”, and that role does not have permission to view Tests. If a request is made to a Tests endpoint with an API Key <> Secret pair assigned to that user, the request will fail.
To determine the permissions of each role, navigate to the Secureframe Console -> Personnel -> Personnel settings -> Roles and click into the applicable role.
Reference the below template in
cURL for creating a request with parameters:
curl --location -g --request GET \ --header 'Authorization: <YOUR_API_KEY> <YOUR_SECRET_KEY>' \ 'https://api.secureframe.com/<ENDPOINT>?include[<PARAM>]=<VALUE>
Note: Our API does not directly support bulk updates - only one object can be updated per request. That said, you can utilize loops to mimic bulk operations.
API requests, just like console-based requests, are tracked in the Audit Log (note: API vs Console requests are not differentiated visually).
To access the Audit Log, navigate to the Secureframe Console -> Your Profile -> Company settings -> Audit Log. This page is protected by RBAC and only accessible by certain roles.
Requests are limited to 500 requests per minute per IP address. If the limit is exceeded, requests will be blocked until requests are available based on the aforementioned limit.
|HTTP Status Code||Description|
|200 - OK||Request successful|
|400 - Bad Request||Invalid request|
|401 - Unauthorized||Invalid authentication to make requested response. API key and/or secret are invalid.|
|403 - Forbidden||Invalid authorization to requested resource. Insufficient permissions based on RBAC.|
|429 - Too Many Requests||Rate limit of 500 requests per minute has been reached for the IP address.|
|500||Internal server error|
Secureframe makes many additive API changes that are backwards compatible and able to be supported in all API versions:
Backwards incompatible changes require Secureframe to release a new dated API version, as the can potentially break an integration:
|Dated Version (Release Date)||API URL||Deprecation Date|