API Reference
HTTP API endpoints for the Sekuire Core service.
Most API requests require authentication via API key (X-API-Key) or bearer token (Authorization: Bearer ...).
The internal admin email PIN endpoints below are intentionally unauthenticated entry points.
Base URL
Production: https://api.sekuire.ai/api/v1
Local: http://localhost:9300/api/v1
Authentication
X-API-Key: sk_live_your_api_key_here
Internal Admin Email PIN Login
Admin console sessions can be created with a one-time PIN sent by email. PINs expire after 5 minutes.
curl -X POST https://api.sekuire.ai/api/v1/admin/auth/request-pin \
-H "Content-Type: application/json" \
-d '{
"email": "admin@sekuire.ai"
}'
Response:
{
"challenge_id": "cf4b26f1-3b34-4c8f-b4c4-dccb0c1828b0",
"expires_at": "2026-02-19T18:15:00Z",
"delivery": "email"
}
curl -X POST https://api.sekuire.ai/api/v1/admin/auth/verify-pin \
-H "Content-Type: application/json" \
-d '{
"email": "admin@sekuire.ai",
"challenge_id": "cf4b26f1-3b34-4c8f-b4c4-dccb0c1828b0",
"pin": "123456"
}'
Response:
{
"session_token": "adm_b1468f885cc34ff89f0410324d0c0354",
"expires_at": "2026-02-20T01:10:00Z",
"email": "admin@sekuire.ai"
}
Use the returned session_token as a bearer token:
Authorization: Bearer adm_b1468f885cc34ff89f0410324d0c0354
In the internal admin console, sessions are automatically cleared and the user is redirected
to login once expires_at is reached.
Plan Limit Errors
Paid-feature endpoints return 402 Payment Required when the current plan does
not allow the requested action or when a resource limit is exceeded.
Response shape:
{
"error": "plan_limit_exceeded",
"message": "Your current plan (free) does not include fleet_ops. Upgrade to starter or higher.",
"code": "FLEET_OPS_REQUIRES_UPGRADE",
"required_plan": "starter",
"upgrade_url": "https://sekuire.ai/billing",
"current_usage": {
"current": 3,
"max": 3
}
}
current_usage is optional and only included for quota-style limits.
Agents
Register Agent
curl -X POST https://api.sekuire.ai/api/v1/agents/register \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"sekuire_id": "a1b2c3d4...",
"name": "My Agent",
"version": "1.0.0",
"public_key": "base64_encoded_public_key",
"manifest_hash": "hash_of_manifest"
}'
Verify Agent
curl https://api.sekuire.ai/api/v1/agents/a1b2c3d4.../verify \
-H "X-API-Key: sk_live_..."
Response:
{
"valid": true,
"sekuire_id": "a1b2c3d4...",
"name": "My Agent",
"version": "1.0.0",
"registered_at": "2024-01-15T10:30:00Z"
}
Workspaces
List Workspaces
curl https://api.sekuire.ai/api/v1/orgs/org_abc123/workspaces \
-H "X-API-Key: sk_live_..."
Create Workspace
curl -X POST https://api.sekuire.ai/api/v1/orgs/org_abc123/workspaces \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"name": "Production",
"description": "Production workspace"
}'
Get Workspace
curl https://api.sekuire.ai/api/v1/orgs/org_abc123/workspaces/ws_abc123 \
-H "X-API-Key: sk_live_..."
Update Workspace
curl -X PUT https://api.sekuire.ai/api/v1/orgs/org_abc123/workspaces/ws_abc123 \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"name": "Production (Updated)",
"description": "Updated production workspace"
}'
Delete Workspace
curl -X DELETE https://api.sekuire.ai/api/v1/orgs/org_abc123/workspaces/ws_abc123 \
-H "X-API-Key: sk_live_..."
List Workspace Members
curl https://api.sekuire.ai/api/v1/orgs/org_abc123/workspaces/ws_abc123/members \
-H "X-API-Key: sk_live_..."
Install Tokens
Create Install Token
curl -X POST https://api.sekuire.ai/api/v1/workspaces/ws_abc123/install-tokens \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"agent_id": "a1b2c3d4...",
"expiry_minutes": 15
}'
Response:
{
"token": "skt_u2ZQfOpyP01KcEDfdmu0yciIBU6SnLJV",
"expires_at": "2026-02-03T12:15:00Z",
"agent_id": "a1b2c3d4...",
"workspace_id": "ws_abc123"
}
Agent Installations
Bootstrap Installation
Exchange an install token for runtime credentials.
curl -X POST https://api.sekuire.ai/api/v1/installations/bootstrap \
-H "Content-Type: application/json" \
-d '{
"install_token": "skt_xxx",
"upstream_url": "http://my-agent:8000",
"capabilities": ["data_analysis", "code_generation"],
"heartbeat_interval_seconds": 60
}'
Response (first bootstrap):
{
"installation_id": "uuid",
"runtime_token": "srt_xxx",
"refresh_token": "srf_xxx",
"expires_at": "2026-05-03T12:00:00Z",
"heartbeat_interval": 60
}
refresh_token is only returned on first bootstrap and recovery bootstrap. If the same install token is used again within 60 seconds (idempotent bootstrap), the response omits refresh_token to avoid invalidating the token held by the first caller.
Heartbeat / Lease Renewal
curl -X POST https://api.sekuire.ai/api/v1/installations/inst_xyz/lease \
-H "Authorization: Bearer srt_xxx" \
-H "Content-Type: application/json" \
-d '{
"status": "running",
"heartbeat_interval_seconds": 60,
"health_payload": { "memory_mb": 512 }
}'
Response:
{
"installation_id": "uuid",
"lease_expires_at": "2026-02-03T12:05:00Z",
"next_heartbeat_at": "2026-02-03T12:01:00Z",
"command": null,
"refreshed_token": {
"runtime_token": "srt_new_xxx",
"expires_at": "2026-05-03T12:00:00Z",
"token_version": 2
}
}
refreshed_token is only present when the current token is within 7 days of expiry.
Refresh Runtime Token
Manually refresh using the refresh token.
curl -X POST https://api.sekuire.ai/api/v1/installations/inst_xyz/refresh \
-H "Content-Type: application/json" \
-d '{
"refresh_token": "srf_xxx"
}'
Response:
{
"runtime_token": "srt_new_xxx",
"expires_at": "2026-05-03T12:00:00Z",
"token_version": 2
}
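The token rules from the Bootstrap Installation, Heartbeat / Lease Renewal and Refresh Runtime Token sections above, written as client-side credential state. This is an added example, not Sekuire SDK code: `Credentials`, `apply_bootstrap`, `apply_rotation` and `next_step` are hypothetical names and the sample values are constructed. It assumes that token_version only increases and that an expired runtime token with no refresh token held calls for Recovery Bootstrap.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime
from typing import Optional


def parse_ts(value: str) -> datetime:
    # Timestamps on this page end in "Z"; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass(frozen=True)
class Credentials:  # hypothetical client-side record, not a Sekuire type
    installation_id: str
    expires_at: datetime
    runtime_token: str = field(repr=False)  # excluded from repr() to stay out of logs
    refresh_token: Optional[str] = field(default=None, repr=False)
    token_version: Optional[int] = None  # unknown until the server reports one


def apply_bootstrap(resp: dict, held: Optional[Credentials] = None) -> Credentials:
    """An idempotent replay omits refresh_token: keep the one already held."""
    expires = parse_ts(resp["expires_at"])
    if held and held.installation_id == resp["installation_id"] and "refresh_token" not in resp:
        return replace(held, runtime_token=resp["runtime_token"], expires_at=expires)
    return Credentials(resp["installation_id"], expires,
                       resp["runtime_token"], resp.get("refresh_token"))


def apply_rotation(held: Credentials, token: Optional[dict]) -> Credentials:
    """Apply a lease response's refreshed_token (None if absent) or a /refresh body."""
    if not token:
        return held
    # Assumption: token_version only increases, so an equal or lower one is stale.
    if held.token_version is not None and token["token_version"] <= held.token_version:
        return held
    return replace(held, runtime_token=token["runtime_token"],
                   expires_at=parse_ts(token["expires_at"]), token_version=token["token_version"])


def next_step(held: Credentials, now: datetime) -> str:
    """Next call to make. Assumption: expiry without a refresh token means recovery."""
    if now < held.expires_at:
        return "lease"
    return "refresh" if held.refresh_token else "recovery"

if __name__ == "__main__":  # constructed sample response, not real tokens
    creds = apply_bootstrap({"installation_id": "inst-1", "runtime_token": "srt_a",
                             "refresh_token": "srf_a", "expires_at": "2026-05-03T12:00:00Z"})
    print(creds, next_step(creds, parse_ts("2026-05-04T00:00:00Z")))
```

A caller that only ever saw the idempotent bootstrap response holds no refresh token, so `next_step` sends it to the API-key recovery path once the runtime token expires.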
Recovery Bootstrap
Re-bootstrap an agent without an install token. Requires an API key with workspace access.
curl -X POST https://api.sekuire.ai/api/v1/installations/recovery \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"agent_id": "a1b2c3d4...",
"workspace_id": "ws_abc123",
"upstream_url": "http://my-agent:8000",
"capabilities": ["data_analysis"],
"heartbeat_interval_seconds": 60
}'
Response: Same as Bootstrap Installation.
Policies
Get Workspace Policy
curl https://api.sekuire.ai/api/v1/workspaces/ws_abc123/policy \
-H "X-API-Key: sk_live_..."
Trust Protocol
Verify Agent with Context
curl -X POST https://api.sekuire.ai/api/v1/trust/verify \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"sekuire_id": "7f8a9b3c...",
"signature": "ed25519_signature",
"context": { "workspace_id": "ws_abc123" }
}'
Get Trust Profile
curl https://api.sekuire.ai/api/v1/trust/profile/did:sekuire:7f8a9b3c... \
-H "X-API-Key: sk_live_..."
Generate Trust Headers
curl -X POST https://api.sekuire.ai/api/v1/trust/headers \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"sekuire_id": "7f8a9b3c...",
"request_body_hash": "sha256_of_body"
}'
Beacon & Liveness
Register Beacon
curl -X POST https://api.sekuire.ai/api/v1/installations/inst_xyz/beacon/register \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"platform": "kubernetes",
"metadata": { "pod_name": "agent-abc", "namespace": "prod" }
}'
Revoke Agent
curl -X POST https://api.sekuire.ai/api/v1/installations/inst_xyz/revoke \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"reason": "Security incident",
"shutdown_timeout_ms": 5000
}'
Container Images
List Images
curl https://api.sekuire.ai/api/v1/images \
-H "X-API-Key: sk_live_..."
Scan Image
curl -X POST https://api.sekuire.ai/api/v1/images/my-org%2Fmy-agent:v1.0.0/scan \
-H "X-API-Key: sk_live_..."
Get Scan Report
curl https://api.sekuire.ai/api/v1/images/my-org%2Fmy-agent:v1.0.0/scan-report \
-H "X-API-Key: sk_live_..."
Audit Logs and SIEM Exports
List Audit Logs (Starter+)
curl "https://api.sekuire.ai/api/v1/audit-logs?organization_id=org_abc123&workspace_id=ws_abc123&limit=50" \
-H "X-API-Key: sk_live_..."
Export to Datadog (Professional+)
curl -X POST https://api.sekuire.ai/api/v1/audit-logs/siem/datadog/export \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"organization_id": "org_abc123",
"workspace_id": "ws_abc123",
"event_type": "policy.updated",
"limit": 250,
"api_key": "dd_api_key_optional_if_server_env_is_set",
"intake_url": "https://http-intake.logs.datadoghq.com/api/v2/logs",
"service": "sekuire.audit",
"source": "sekuire",
"tags": ["env:prod", "team:secops"]
}'
Export to Splunk HEC (Professional+)
curl -X POST https://api.sekuire.ai/api/v1/audit-logs/siem/splunk/export \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"organization_id": "org_abc123",
"workspace_id": "ws_abc123",
"event_type": "policy.updated",
"limit": 250,
"hec_token": "splunk_hec_token_optional_if_server_env_is_set",
"intake_url": "https://splunk.example.com:8088/services/collector",
"source": "sekuire:audit",
"sourcetype": "_json",
"host": "api-node-1",
"index": "main",
"tags": ["env:prod", "team:secops"]
}'
Export to PagerDuty Events API (Professional+)
curl -X POST https://api.sekuire.ai/api/v1/audit-logs/siem/pagerduty/export \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"organization_id": "org_abc123",
"workspace_id": "ws_abc123",
"event_type": "policy.updated",
"limit": 100,
"routing_key": "pd_routing_key_optional_if_server_env_is_set",
"intake_url": "https://events.pagerduty.com/v2/enqueue",
"event_action": "trigger",
"source": "sekuire.audit",
"severity": "info",
"component": "agent-control-plane",
"group": "governance",
"class": "audit",
"dedup_key_prefix": "sekuire-audit",
"tags": ["env:prod", "team:secops"]
}'
Support Channels
All support routes use the same request body shape:
{
"organization_id": "org_abc123",
"workspace_id": "ws_abc123",
"subject": "Need help with SIEM export",
"message": "Datadog export returned 502 at 2026-02-18T12:00:00Z",
"category": "integrations",
"contact_email": "ops@example.com"
}
Starter Email Support (Starter+)
curl -X POST https://api.sekuire.ai/api/v1/support/email \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{ ... }'
Priority Support (Professional+)
curl -X POST https://api.sekuire.ai/api/v1/support/priority \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{ ... }'
Slack Support Channel (Professional+)
curl -X POST https://api.sekuire.ai/api/v1/support/slack \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{ ... }'
Dedicated CSM Workflow (Enterprise)
curl -X POST https://api.sekuire.ai/api/v1/support/csm \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{ ... }'
Professional Registry Network
Registry Network Summary (Professional+)
curl https://api.sekuire.ai/api/v1/registry/network/summary \
-H "X-API-Key: sk_live_..."
Registry Network Agents (Professional+)
curl "https://api.sekuire.ai/api/v1/registry/network/agents?category=security&verified_only=true&limit=20&offset=0" \
-H "X-API-Key: sk_live_..."
Enterprise Compliance and Retention
Custom Retention Override (Enterprise)
Retention (audit_log_retention_days) must be greater than 365 and less than or equal to 3650.
curl -X PUT https://api.sekuire.ai/api/v1/enterprise/orgs/org_abc123/retention \
-H "X-API-Key: sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"audit_log_retention_days": 730
}'
Export Compliance Report (Enterprise)
curl "https://api.sekuire.ai/api/v1/agents/a1b2c3d4/compliance/ws_abc123/report?format=markdown&frameworks=soc2,hipaa" \
-H "X-API-Key: sk_live_..."
format supports json (default) and markdown.
Error Codes
| Code | Description |
|---|---|
| 400 | Bad Request - Invalid request payload |
| 401 | Unauthorized - Invalid or missing API key |
| 402 | Payment Required - Feature not available on current plan |
| 403 | Forbidden - Insufficient permissions |
| 404 | Not Found - Resource doesn't exist |
| 409 | Conflict - Resource already exists |
| 422 | Validation Error - Invalid request body |