Developer
JSON API
Read your ISO/IEC 27001:2022 control catalogue and per-tenant readiness state over HTTPS. Responses are JSON. No SDK to install — just a fetch or curl.
Machine-readable counterpart: an OpenAPI 3.1 spec at /openapi.json (compatible with Postman, Swagger UI, Redoc, and procurement scanners).
Public catalogue, authenticated everything else.
The control catalogue — the 93 Annex A controls and their Microsoft evidence mapping — is open-readable. Your tenant's state (risks, policies, evidence, SoA decisions) sits behind a Microsoft Entra ID sign-in and is RLS-scoped to your org.
Catalogue · public
GET /api/controls
Returns the 93 ISO/IEC 27001:2022 Annex A controls — code, theme, name, purpose summary, automation tier (A/P/M), and the primary Microsoft product the evidence usually comes from.
Query parameters
| Name | Type | Description |
|---|---|---|
| theme | Organizational | People | Physical | Technological | Filter to one Annex A theme. |
| automation | A | P | M | Automation tier — Automated, Partial, Manual. |
| new | true | Only the 11 controls that are new in the 2022 revision. |
| q | string | Substring search across code, name, purpose. |
Example
curl https://app.securityflare.com.au/api/controls?theme=Technological{
"count": 34,
"controls": [
{
"id": "0c2a…",
"code": "A.8.1",
"theme": "Technological",
"name": "User end point devices",
"newIn2022": false,
"controlTypes": ["Preventive"],
"automationTier": "P",
"primaryMicrosoftProduct": "Intune",
"purpose": "Protect information against the risks introduced by using …"
}
]
}Cached at the edge for 5 minutes (cache-control: public, max-age=300, s-maxage=600).
Catalogue · public
GET /api/controls/:code
One control by Annex A code (for example A.5.1). Returns every column in the catalogue: purpose, ISO clauses cross-referenced, Essential 8 mapping, the Microsoft Graph endpoints used to evidence it.
curl https://app.securityflare.com.au/api/controls/A.5.1Returns 404 if the code doesn't match the catalogue.
Beta
Authenticated endpoints
Every tenant-scoped read and every write currently lives behind a session cookie set by Microsoft Entra ID sign-in. Programmatic access tokens for service-to-service integration are on the roadmap, tracked alongside the wider Graph integration story in CLAUDE.md §3.3.
- §4-6 audit foundation —
/api/isms-scope(§4.3 scope statement w/ append-only versions),/api/interested-parties(§4.2),/api/objectives(§6.2) /api/risks— risk register CRUD/api/policies— policy library CRUD + version history/api/soa— Statement of Applicability rollup/api/assets,/api/suppliers,/api/incidents,/api/audits,/api/findings,/api/training,/api/documents— supporting registers/api/team— members + invitations/api/dashboard— ISMS overview + Recent Activity/api/msp— cross-tenant portfolio rollup (MSP-only)/api/billing— current Stripe subscription state/api/audit-log— tenant-side audit-trail viewer (A.8.15)
These shapes are exercised end-to-end inside the app. If you want early access to the programmatic surface — or a specific endpoint documented in this style — email hello@securityflare.com.au.
Auditor handoff
Spreadsheet exports (XLSX)
Every governance register exposes an export.xlsx endpoint that streams the full register as a single-sheet workbook with bolded header row, frozen header, autofilter, and per-column widths. The file opens in Excel/Numbers/LibreOffice without warnings. Auth + RLS still apply — each export is scoped to the signed-in tenant.
curl -b cookies.txt https://app.securityflare.com.au/api/risks/export.xlsx > risks.xlsxEndpoints
/api/risks/export.xlsx— risk register/api/soa/export.xlsx— Statement of Applicability (live from risk → control links)/api/objectives/export.xlsx— §6.2 objectives/api/interested-parties/export.xlsx— §4.2 interested parties/api/isms-scope/export.xlsx— §4.3 ISMS scope, full version history (auditors look at every revision, not just the current one)
Response headers: content-type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, content-disposition: attachment; filename="iso27001-{kind}-YYYY-MM-DD.xlsx", cache-control: private, no-store.
Reference
Errors
| Name | Type | Description |
|---|---|---|
| 400 | Bad Request | Invalid query parameter (theme/automation/new) or malformed control code. |
| 401 | Unauthorized | Authenticated endpoint reached without a session cookie. |
| 403 | Forbidden | Session is valid but the role or org status doesn't permit the action. |
| 404 | Not Found | Catalogue lookup with an unknown control code, or a tenant entity outside the current org. |
| 5xx | Server error | Reported to our oncall via Logpush. Retry safely after a back-off — every public read is idempotent. |
Reference
Rate limits
Public reads are cached at the edge — typical apps will never feel a limit. Authenticated endpoints share a per-tenant Durable Object token bucket sized to keep one customer's burst from impacting another tenant in the same Cloudflare colo. If you're planning a large catalogue sync or bulk evidence pull, drop us an email so we can pre-warm the bucket for your tenant.
Reference
Versioning
The catalogue schema is stable — code, theme, name, purpose, automation tier are all guaranteed for the lifetime of the v1 surface. New fields can be added without notice; existing fields won't be removed or have their semantics changed without a deprecation note in the changelog at least 60 days before removal.