REST API Reference

All Claw GRC APIs are accessed through a single gateway at your instance URL. Every request must include authentication (see Authentication docs). The gateway enforces RBAC per-route based on the caller's role.

Base URL

All endpoints are relative to https://api.clawgrc.com/api/v1. For local development, use http://localhost:8080/api/v1.

Authentication

Method Path Description
POST /auth/register — Register a new user (any authenticated Firebase user)
GET /auth/me — Get the current authenticated user profile
POST /auth/api-keys — Create a new API key (admin/owner only)
GET /auth/api-keys — List API keys (admin/owner only)
DELETE /auth/api-keys/:id — Revoke an API key (admin/owner only)

Compliance Engine

Manage GRC frameworks, controls, evidence artifacts, policies, risks, reports, analytics, and tickets.

Frameworks

Method Path Description
GET /frameworks — List all frameworks with pagination and optional status filter
POST /frameworks — Create a new compliance framework
GET /frameworks/:id — Get framework details with control counts
PUT /frameworks/:id — Update a framework
DELETE /frameworks/:id — Delete a framework
GET /frameworks/:id/controls — List controls belonging to a framework

Controls

Method Path Description
GET /controls — List controls with framework, status, and priority filters
POST /controls — Create a new control mapped to a framework
GET /controls/:id — Get control details
PUT /controls/:id — Update control status, priority, or evidence
GET /controls/:id/mappings — List cross-framework control mappings
POST /controls/:id/mappings — Create a cross-framework control mapping

Evidence

Method Path Description
GET /evidence — List evidence items with status and source filters
POST /evidence — Create a new evidence record
GET /evidence/:id — Get evidence details with metadata
PUT /evidence/:id — Update evidence metadata
DELETE /evidence/:id — Soft-delete an evidence item
POST /evidence/upload-url — Get a presigned URL for file upload
POST /evidence/:id/confirm — Confirm a completed file upload
GET /evidence/:id/download — Get a presigned download URL

Policies

Method Path Description
GET /policies — List policies with status and type filters
POST /policies — Create a new policy
GET /policies/types — List available policy types
GET /policies/:id — Get policy details with version history
PUT /policies/:id — Update a policy
DELETE /policies/:id — Delete a policy
POST /policies/:id/transition — Transition policy lifecycle status (draft → in_review → approved → published → archived)

Risks

Method Path Description
GET /risks — List risks with category and treatment filters
POST /risks — Create a new risk entry
GET /risks/summary — Get risk summary with AIRSS score distribution
POST /risks/score — Calculate AIRSS score for given risk factors
GET /risks/:id — Get risk details with linked findings and controls
PUT /risks/:id — Update risk factors or treatment strategy
DELETE /risks/:id — Delete a risk entry

Reports & Analytics

Method Path Description
GET /reports — List generated compliance reports
POST /reports — Generate a new compliance report
GET /reports/:id — Get report details and download URL
DELETE /reports/:id — Delete a generated report
GET /analytics/compliance-score — Get overall compliance score and per-framework breakdown
GET /analytics/control-coverage — Get control coverage statistics

Tickets

Method Path Description
GET /tickets — List remediation tickets with status and priority filters
POST /tickets — Create a new remediation ticket
GET /tickets/:id — Get ticket details
PUT /tickets/:id — Update ticket status, priority, or assignee
DELETE /tickets/:id — Delete a ticket
GET /tickets/:id/messages — List messages on a ticket
POST /tickets/:id/messages — Add a message to a ticket

Search

Method Path Description
GET /search — Full-text search across all entity types (frameworks, controls, evidence, policies, risks, agents)

Monitoring

Method Path Description
POST /monitoring/drift-webhook — Receive configuration drift events from external monitoring systems

Organization

Method Path Description
GET /org — Get organization details
PUT /org — Update organization settings (admin/owner only)
GET /org/members — List organization members
POST /org/members/invite — Invite a new member (admin/owner only)
POST /org/invites/accept — Accept an invite (public, token-based)
PATCH /org/members/:id — Update a member's role (admin/owner only)
DELETE /org/members/:id — Remove a member (admin/owner only)
DELETE /org/invites/:id — Revoke a pending invite (admin/owner only)

Billing

Method Path Description
GET /billing/subscription — Get current subscription details
POST /billing/checkout — Create a Stripe checkout session (admin/owner only)
POST /billing/portal — Create a Stripe billing portal session (admin/owner only)
POST /billing/webhook — Stripe webhook endpoint (Stripe-signed, no JWT)

Integrations

Method Path Description
GET /integrations — List connected integrations
POST /integrations — Connect a new integration
DELETE /integrations/:provider — Disconnect an integration
PUT /integrations/aws/config — Configure AWS integration settings (admin/owner only)
POST /integrations/aws/test — Test AWS connection (admin/owner only)

Audit Log

Method Path Description
GET /audit-log — Query audit log entries with action, actor, resource, and date filters
GET /audit-log/export — Export audit log as CSV

Security Engine

Run security assessments, manage findings, and execute vulnerability scans.

Assessments

Method Path Description
GET /assessments — List assessments with type and status filters
POST /assessments — Create a new security assessment
GET /assessments/:id — Get assessment with findings severity summary
PUT /assessments/:id — Update assessment name, status, or configuration

Findings

Method Path Description
GET /findings — List findings with severity, status, and assessment filters
POST /findings — Create a security finding linked to an assessment
GET /findings/:id — Get finding details with remediation guidance
PUT /findings/:id — Update finding status or remediation notes

Scans

Method Path Description
POST /scans — Trigger a security scan (DAST, API, cloud config)

Agent Protocol

Register AI agents, log interactions with tamper-evident chain hashing, manage trust scores, and connect via MCP.

Agents

Method Path Description
GET /agents — List registered agents with type and status filters
POST /agents — Register a new AI agent
GET /agents/:id — Get agent details with trust score
PUT /agents/:id — Update agent configuration or status
POST /agents/:id/invoke — Invoke a method on a registered agent
POST /agents/discover — Find agents by capability and trust score

Interactions

Method Path Description
GET /agent-interactions — List agent interactions with chain hash verification
POST /agent-interactions — Log a new agent interaction (auto chain-hashed)
GET /agent-interactions/:id — Get interaction with chain integrity status
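The "tamper-evident chain hashing" behind these endpoints can be illustrated with a small model. This is an added example, not Claw GRC's code; the hashing scheme (SHA-256 over the previous link plus the canonical JSON of the record) and the sample interactions are assumptions.

```python
import copy
import hashlib
import json

# Assumed scheme (not Claw GRC's documented one): each record's chain_hash is
# SHA-256(previous chain_hash || canonical JSON of the record minus hash fields),
# so editing or reordering any stored record breaks every later link.
GENESIS = "0" * 64

def canonical(record):
    body = {k: v for k, v in record.items() if k not in ("prev_hash", "chain_hash")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def chain_hash(prev_hash, record):
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()

def append_interaction(log, interaction):
    """Append one interaction, linking it to the current chain head."""
    prev = log[-1]["chain_hash"] if log else GENESIS
    record = dict(interaction, prev_hash=prev)
    record["chain_hash"] = chain_hash(prev, record)
    log.append(record)
    return record

def verify_chain(log):
    """Return (ok, index of the first record that fails verification, or None)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("prev_hash") != prev or chain_hash(prev, rec) != rec.get("chain_hash"):
            return False, i
        prev = rec["chain_hash"]
    return True, None

def demo():
    """Build a 3-record log from constructed sample data, then show two tamper cases."""
    log = []
    samples = [("agent-a", "read_policy"), ("agent-b", "create_ticket"), ("agent-a", "update_control")]
    for seq, (agent, action) in enumerate(samples):
        append_interaction(log, {"seq": seq, "agent_id": agent, "action": action})
    intact = verify_chain(log)
    # Case 1: a stored record is edited in place; its own hash no longer matches.
    edited = copy.deepcopy(log)
    edited[1]["action"] = "delete_evidence"
    # Case 2: the editor also recomputes that record's hash. Record 2 still carries
    # the old hash as its prev_hash, so the break is detected one link later.
    rehashed = copy.deepcopy(edited)
    rehashed[1]["chain_hash"] = chain_hash(rehashed[1]["prev_hash"], rehashed[1])
    return {"intact": intact, "edited": verify_chain(edited), "rehashed": verify_chain(rehashed)}
```

Case 2 is why the chain head should also be anchored somewhere the log writer cannot modify (for example, returned to the caller and compared on the next read): rewriting the entire tail after a tampered record would otherwise go unnoticed.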

Trust Scoring

Method Path Description
GET /trust/:agentId/score — Get computed trust score for an agent
GET /trust/:agentId/factors — Get detailed trust factor breakdown
POST /trust/recalculate — Recalculate all trust scores for the organization

MCP Sessions

Method Path Description
POST /mcp/sessions — Create an MCP session (handshake)
GET /mcp/sessions — List active MCP sessions for the organization
POST /mcp/sessions/:id/messages — Send a tool invocation message to an MCP session
DELETE /mcp/sessions/:id — Close an MCP session
GET /mcp/tools — List all available MCP tool definitions

Common Patterns

Pagination

All list endpoints support page (1-based) and page_size (max 100) query parameters. Responses include total, page, and page_size fields.

curl -H "Authorization: Bearer $TOKEN" \
  "https://api.clawgrc.com/api/v1/frameworks?page=2&page_size=10"
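A client that walks every page of a list endpoint using the documented page, page_size and total fields, as an added example (not Claw GRC's SDK). The name of the item array ("items") and the in-memory fetch stand-in are assumptions.

```python
from urllib.parse import parse_qsl, urlencode

MAX_PAGE_SIZE = 100  # documented cap on page_size

def iter_list(fetch, path, page_size=MAX_PAGE_SIZE, items_key="items"):
    """Yield every item of a list endpoint, requesting one page at a time.

    fetch(path, query_string) -> dict is supplied by the caller (e.g. a thin
    wrapper around urllib or httpx that adds the Authorization header).
    items_key is an assumption: the reference documents total, page and
    page_size but not the name of the item array.
    """
    page_size = min(page_size, MAX_PAGE_SIZE)  # clamp to the documented cap
    page = 1
    while True:
        body = fetch(path, urlencode({"page": page, "page_size": page_size}))
        items = body.get(items_key, [])
        yield from items
        # Stop after the last page. The extra guards keep a misbehaving server
        # (empty page, page number not echoed back) from causing an endless loop.
        done = page * body["page_size"] >= body["total"]
        if done or not items or body["page"] != page:
            break
        page += 1

def make_fake_fetch(records):
    """Constructed stand-in for the API: serves `records` in the documented shape."""
    def fetch(path, query):
        params = dict(parse_qsl(query))
        page = int(params["page"])
        size = min(int(params["page_size"]), MAX_PAGE_SIZE)  # server-side cap
        start = (page - 1) * size
        return {"items": records[start:start + size], "total": len(records),
                "page": page, "page_size": size}
    return fetch

def collect_all(records, page_size):
    """Walk all pages of a fake /frameworks listing and return the items in order."""
    return list(iter_list(make_fake_fetch(records), "/frameworks", page_size))
```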

Error Responses

All errors follow a consistent JSON format:

{
  "error": "not_found",
  "message": "Framework f47ac10b-... not found",
  "status": 404
}

RBAC Roles

The API Gateway enforces role-based access control. Each route requires specific roles:

Role Set | Roles | Used For
Read (human) | owner, admin, auditor, member, viewer | GET endpoints
Read (with agents) | owner, admin, auditor, member, viewer, agent | Agent protocol GET
Write (human) | owner, admin, member | POST/PUT/DELETE
Write (with agents) | owner, admin, member, agent | Agent protocol writes
Admin only | owner, admin | API keys, org settings, integrations, billing
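The role sets above, combined with the per-route "(admin/owner only)" and "Stripe-signed, no JWT" notes in the endpoint tables, can be encoded as a route policy. This is an added illustration of the enforcement model, not the gateway's own code; the regex route patterns and the treatment of /agents, /agent-interactions, /trust and /mcp as the agent-protocol family are assumptions drawn from the tables.

```python
import re

READ_HUMAN = {"owner", "admin", "auditor", "member", "viewer"}
WRITE_HUMAN = {"owner", "admin", "member"}
ADMIN_ONLY = {"owner", "admin"}
# Assumed: these path families form the "Agent protocol" routes the agent role may use.
AGENT_PREFIXES = ("/agents", "/agent-interactions", "/trust", "/mcp")

# Routes marked admin/owner only in the reference, as (method regex, path regex).
ADMIN_ROUTES = [
    (r"POST|GET|DELETE", r"/auth/api-keys(/[^/]+)?"),
    (r"PUT", r"/org"),
    (r"POST", r"/org/members/invite"),
    (r"PATCH|DELETE", r"/org/members/[^/]+"),
    (r"DELETE", r"/org/invites/[^/]+"),
    (r"POST", r"/billing/(checkout|portal)"),
    (r"PUT|POST", r"/integrations/aws/(config|test)"),
]
# Routes authenticated by something other than a user/agent identity
# (invite token, Stripe signature); no role check applies to them.
NO_RBAC_ROUTES = [(r"POST", r"/org/invites/accept"), (r"POST", r"/billing/webhook")]

def _matches(routes, method, path):
    return any(re.fullmatch(m, method) and re.fullmatch(p, path) for m, p in routes)

def allowed_roles(method, path):
    """Role set required for a route, or None when the route is not role-gated."""
    if _matches(NO_RBAC_ROUTES, method, path):
        return None
    if _matches(ADMIN_ROUTES, method, path):
        return ADMIN_ONLY
    roles = READ_HUMAN if method == "GET" else WRITE_HUMAN
    if path.startswith(AGENT_PREFIXES):
        roles = roles | {"agent"}  # "with agents" variants of the role sets
    return roles

def authorize(role, method, path):
    """True if a caller holding `role` may reach a role-gated route."""
    roles = allowed_roles(method, path)
    return roles is not None and role in roles
```

Note that the agent role is rejected everywhere outside the agent-protocol family, even for GET, which is the property worth asserting in a gateway test suite.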

Interactive API Docs

Each backend service also exposes interactive documentation. When running locally, visit http://localhost:8082/docs (Security Engine) or http://localhost:8083/docs (Agent Protocol) for auto-generated OpenAPI documentation with “Try it out” functionality.