Skip to main content

Developer

JSON API

Read your ISO/IEC 27001:2022 control catalogue and per-tenant readiness state over HTTPS. Responses are JSON. No SDK to install — just a fetch or curl.

Machine-readable counterpart: an OpenAPI 3.1 spec at /openapi.json (compatible with Postman, Swagger UI, Redoc, and procurement scanners).

Public catalogue, authenticated everything else.

The control catalogue — the 93 Annex A controls and their Microsoft evidence mapping — is open-readable. Your tenant's state (risks, policies, evidence, SoA decisions) sits behind a Microsoft Entra ID sign-in and is RLS-scoped to your org.

Catalogue · public

GET /api/controls

Returns the 93 ISO/IEC 27001:2022 Annex A controls — code, theme, name, purpose summary, automation tier (A/P/M), and the primary Microsoft product the evidence usually comes from.

Query parameters

NameTypeDescription
themeOrganizational | People | Physical | TechnologicalFilter to one Annex A theme.
automationA | P | MAutomation tier — Automated, Partial, Manual.
newtrueOnly the 11 controls that are new in the 2022 revision.
qstringSubstring search across code, name, purpose.

Example

curl
curl https://app.securityflare.com.au/api/controls?theme=Technological
response (truncated)
{
  "count": 34,
  "controls": [
    {
      "id": "0c2a…",
      "code": "A.8.1",
      "theme": "Technological",
      "name": "User end point devices",
      "newIn2022": false,
      "controlTypes": ["Preventive"],
      "automationTier": "P",
      "primaryMicrosoftProduct": "Intune",
      "purpose": "Protect information against the risks introduced by using …"
    }
  ]
}

Cached at the edge for 5 minutes (cache-control: public, max-age=300, s-maxage=600).

Catalogue · public

GET /api/controls/:code

One control by Annex A code (for example A.5.1). Returns every column in the catalogue: purpose, ISO clauses cross-referenced, Essential 8 mapping, the Microsoft Graph endpoints used to evidence it.

curl
curl https://app.securityflare.com.au/api/controls/A.5.1

Returns 404 if the code doesn't match the catalogue.

Beta

Authenticated endpoints

Every tenant-scoped read and every write currently lives behind a session cookie set by Microsoft Entra ID sign-in. Programmatic access tokens for service-to-service integration are on the roadmap, tracked alongside the wider Graph integration story in CLAUDE.md §3.3.

  • §4-6 audit foundation /api/isms-scope (§4.3 scope statement w/ append-only versions), /api/interested-parties (§4.2), /api/objectives (§6.2)
  • /api/risks — risk register CRUD
  • /api/policies — policy library CRUD + version history
  • /api/soa — Statement of Applicability rollup
  • /api/assets, /api/suppliers, /api/incidents, /api/audits, /api/findings, /api/training, /api/documents — supporting registers
  • /api/team — members + invitations
  • /api/dashboard — ISMS overview + Recent Activity
  • /api/msp — cross-tenant portfolio rollup (MSP-only)
  • /api/billing — current Stripe subscription state
  • /api/audit-log — tenant-side audit-trail viewer (A.8.15)

These shapes are exercised end-to-end inside the app. If you want early access to the programmatic surface — or a specific endpoint documented in this style — email hello@securityflare.com.au.

Auditor handoff

Spreadsheet exports (XLSX)

Every governance register exposes an export.xlsx endpoint that streams the full register as a single-sheet workbook with bolded header row, frozen header, autofilter, and per-column widths. The file opens in Excel/Numbers/LibreOffice without warnings. Auth + RLS still apply — each export is scoped to the signed-in tenant.

curl (with cookies)
curl -b cookies.txt https://app.securityflare.com.au/api/risks/export.xlsx > risks.xlsx

Endpoints

  • /api/risks/export.xlsx — risk register
  • /api/soa/export.xlsx — Statement of Applicability (live from risk → control links)
  • /api/objectives/export.xlsx — §6.2 objectives
  • /api/interested-parties/export.xlsx — §4.2 interested parties
  • /api/isms-scope/export.xlsx — §4.3 ISMS scope, full version history (auditors look at every revision, not just the current one)

Response headers: content-type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, content-disposition: attachment; filename="iso27001-{kind}-YYYY-MM-DD.xlsx", cache-control: private, no-store.

Reference

Errors

NameTypeDescription
400Bad RequestInvalid query parameter (theme/automation/new) or malformed control code.
401UnauthorizedAuthenticated endpoint reached without a session cookie.
403ForbiddenSession is valid but the role or org status doesn't permit the action.
404Not FoundCatalogue lookup with an unknown control code, or a tenant entity outside the current org.
5xxServer errorReported to our oncall via Logpush. Retry safely after a back-off — every public read is idempotent.

Reference

Rate limits

Public reads are cached at the edge — typical apps will never feel a limit. Authenticated endpoints share a per-tenant Durable Object token bucket sized to keep one customer's burst from impacting another tenant in the same Cloudflare colo. If you're planning a large catalogue sync or bulk evidence pull, drop us an email so we can pre-warm the bucket for your tenant.

Reference

Versioning

The catalogue schema is stable — code, theme, name, purpose, automation tier are all guaranteed for the lifetime of the v1 surface. New fields can be added without notice; existing fields won't be removed or have their semantics changed without a deprecation note in the changelog at least 60 days before removal.