API Documentation

Complete guide to integrating ComplianceLayer into your security workflow.

Authentication

ComplianceLayer uses API keys for authentication. All API requests must include a valid API key in the Authorization header. API keys are prefixed with cl_ and can be managed from your dashboard.

Getting Your API Key

To create an API key:

  1. Sign in to your dashboard at app.compliancelayer.net
  2. Navigate to Settings → API Keys
  3. Click Create API Key
  4. Give your key a descriptive name (e.g., "Production Server", "CI/CD Pipeline")
  5. Copy the key immediately — it will only be shown once
Security Warning: Treat API keys like passwords. Never commit them to version control, expose them in client-side code, or share them publicly.

Using API Keys

Include your API key in the Authorization header with the Bearer scheme:

curl "https://api.compliancelayer.net/v1/scan" \
  -H "Authorization: Bearer cl_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "example.com"
  }'

Authentication Errors

If authentication fails, you'll receive a 401 Unauthorized response:

HTTP/1.1 401 Unauthorized

{
  "error": "unauthorized",
  "message": "Invalid or missing authentication",
  "status": 401
}

API Key Management

Creating Multiple Keys

You can create multiple API keys for different environments or use cases:

  • Production servers
  • Staging/development environments
  • CI/CD pipelines
  • Third-party integrations

Each key can be named and managed independently, allowing you to revoke specific keys without affecting others.

Rotating Keys

Best practice is to rotate API keys every 90 days. To rotate a key without downtime:

  1. Create a new API key
  2. Update your application to use the new key
  3. Verify the new key works correctly
  4. Revoke the old key

Revoking Keys

If you suspect a key has been compromised, revoke it immediately:

  1. Go to Settings → API Keys
  2. Click Revoke next to the compromised key
  3. Create a new key if needed

Revoked keys stop working immediately and cannot be restored.

JWT Tokens (Dashboard Access)

In addition to API keys, ComplianceLayer uses JWT tokens for dashboard authentication. These are managed automatically when you sign in through the web interface.

Signing In

curl -X POST "https://api.compliancelayer.net/v1/auth/login" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "your_password"
  }'

# Response
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": 123,
    "email": "[email protected]",
    "plan": "professional"
  }
}

Using JWT Tokens

JWT tokens can be used in place of API keys for all API requests. Include the token in the Authorization header:

curl "https://api.compliancelayer.net/v1/auth/me" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

JWT tokens expire after 24 hours. For server-to-server communication, use API keys instead.

Security Best Practices

1. Use Environment Variables

Never hardcode API keys in your source code. Use environment variables:

# .env
COMPLIANCELAYER_API_KEY=cl_your_api_key_here

2. Use Secrets Management

For production deployments, use a secrets management service:

  • AWS Secrets Manager — For AWS deployments
  • HashiCorp Vault — For on-premises or multi-cloud
  • Azure Key Vault — For Azure deployments
  • Google Secret Manager — For GCP deployments

3. Limit Key Scope

Create separate API keys for different environments:

  • Development/testing keys (free tier account)
  • Staging keys (separate account or key)
  • Production keys (dedicated account)

This limits the blast radius if a key is compromised.

4. Monitor API Usage

Regularly review API usage in your dashboard:

  • Check for unexpected spikes in requests
  • Review which API keys are being used
  • Monitor for failed authentication attempts
  • Set up alerts for unusual activity

5. Rotate Keys Regularly

Set a schedule for rotating API keys:

  • Every 90 days for production keys
  • Immediately if you suspect compromise
  • When team members leave who had access

Troubleshooting

401 Unauthorized

  • Check that your API key starts with cl_
  • Ensure the Authorization header is included
  • Verify the key hasn't been revoked
  • Confirm your account subscription is active

403 Forbidden

  • Your account may be disabled or suspended
  • You may have hit your plan's quota limits
  • The endpoint may require a higher subscription tier

429 Too Many Requests

  • You've exceeded your rate limit
  • Wait for the time specified in the Retry-After header
  • Consider upgrading your plan for higher limits