© 2026 CSFaaS, All rights reserved.

The CSFaaS Platform API.

Read your entire GRC program over HTTPS. One workspace per key, read-only, and authorized by the same database rules that guard the app.


An API key sees exactly what its assigned roles allow, nothing more.

Quickstart

Your first call, in three steps

No SDK required. A key and curl are enough to read live data from your workspace.

1. Create a key

In the app, an admin opens Settings ▸ API & MCP and creates a key, assigning it the roles it may act as. It is scoped to that workspace and those roles. Copy it once; you will not see it again.

# Settings ▸ API & MCP ▸ Create key
csfaas_sk_live_5f3c9a2b7e1d84...
# Shown once. Store it in your secrets manager.
2. Call the API

Send the key as a Bearer token. Start with /v1/me to confirm who the key belongs to and which workspace it reads.

curl https://api.csfaas.com/v1/me \
  -H "Authorization: Bearer csfaas_sk_live_..."
3. Read the response

Plain JSON, scoped to you. Every other endpoint follows the same shape and the same access rules.

200 OK · application/json

{
  "user": {
    "id": "8f2c...e10",
    "name": "Dana Okafor",
    "email": "[email protected]"
  },
  "workspace": {
    "id": "ffd5...761",
    "name": "Acme Security",
    "roles": ["Risk Analyst"]
  },
  "access": "read-only"
}
How access works

Authorized by the database, not by the API

There is no privileged path. Your key resolves to a short-lived, workspace-pinned token, and PostgreSQL row-level security decides what it can read, exactly as it does for your session in the app.

Your API key (csfaas_sk_live_...) → Short-lived JWT (pinned to your workspace) → PostgreSQL RLS (scoped to its roles) → Your data (nothing more)

The service holds no service-role key. It cannot read anything you cannot read, and it cannot reach another workspace, because the boundary is enforced one layer below the code.

Role-scoped keys

An admin assigns each key one or more roles. Every call is limited to exactly those roles, never a service account with god-mode.

One workspace per key

Each key is pinned to a single workspace. It can never read across the tenant boundary.

Read-only by design

The v1 surface only reads. There is no write path that could mutate your program from outside the app.

Enforced by the database

Every request is authorized by the same PostgreSQL row-level security that guards the app. The API cannot forget a check.

No privileged copy

The service carries no service-role key. It resolves your key, mints a short-lived workspace-pinned JWT, and reads as you.

Instant revocation

Revoke a key in Settings and it stops working immediately. No cache, no grace window.

Workspace-auditable

Key use is recorded in your activity log, so an admin can see exactly what was read and when.

European hosting

The API runs on the same EU-hosted, GDPR-aligned infrastructure as the platform itself.

Full reference

The complete reference, always current

Browse every path, parameter, schema and response in a full interactive reference, generated from the running service. Or drop the OpenAPI 3.1 JSON into Postman, Bruno or your codegen of choice.

Interactive API reference: https://api.csfaas.com · raw JSON at https://api.csfaas.com/v1/openapi.json
Errors and limits

Predictable failures

Standard HTTP status codes, a JSON body on every error, and one rule that trips up first-time readers.

Empty is a 200, not a 403

A successful call that returns no rows is a normal 200 with an empty data array. Row-level security filters invisible records out; it does not raise. Do not treat an empty list as an error.

401 Unauthorized: The key is missing, malformed or revoked. Send a valid Bearer token.

403 Forbidden: The key owner lacks permission for this resource. Access mirrors the app exactly.

404 Not found: The id does not exist, or it exists but is outside your visibility.

422 Unprocessable: A query parameter failed validation. The body names the offending field.

429 Too many requests: You hit the rate limit. Back off and retry after the Retry-After header.

Rate limits

Requests are metered per key. When you exceed the limit you receive a 429 with a Retry-After header. Read in pages and cache what you can; the API is built for steady polling, not bursts.
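The quickstart and the rules in this section (Bearer auth via /v1/me, the documented status codes, "empty is a 200", and honouring Retry-After on 429) put together as one small read-only client. This is an added example, not CSFaaS code and not generated from the OpenAPI document; it uses only the Python standard library. Assumptions not stated on this page: the key is read from an environment variable named CSFAAS_API_KEY, collection endpoints return a top-level "data" array, and fake_transport is a constructed stand-in that replays scripted responses so the retry and error logic can be exercised offline without a real key.

```python
"""Added example (not CSFaaS code): a minimal read-only client for the
Platform API. Key from the environment, Bearer header on every call,
documented status codes mapped to client behaviour, empty data arrays
treated as success, and 429 retried only for as long as Retry-After says."""
import json
import os
import time
import urllib.error
import urllib.request

API_BASE = "https://api.csfaas.com"

# The status codes this page documents, and what each means for a client.
STATUS_MEANING = {
    401: "unauthorized: key missing, malformed or revoked",
    403: "forbidden: key owner lacks permission for this resource",
    404: "not found: id does not exist or is outside your visibility",
    422: "unprocessable: a query parameter failed validation",
    429: "too many requests: back off and honour Retry-After",
}


class ApiError(Exception):
    """Raised for any non-2xx response once retries are exhausted."""
    def __init__(self, status, body):
        super().__init__(f"{status} {STATUS_MEANING.get(status, 'unexpected status')}")
        self.status = status
        self.body = body


def urllib_transport(url, headers):
    """Real transport: GET url, return (status, headers, body bytes).
    Error statuses are returned rather than raised so api_get can decide."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def fake_transport(responses):
    """Constructed offline stand-in: replays scripted (status, headers, body)
    tuples in order so the client logic can be exercised without a key."""
    queue = list(responses)

    def send(url, headers):
        assert headers["Authorization"].startswith("Bearer "), "key goes in the Bearer header"
        return queue.pop(0)
    return send


def api_get(path, key, transport=urllib_transport, max_retries=3, sleep=time.sleep):
    """GET a v1 path as `key`. Only 429 is retried, waiting exactly what the
    server's Retry-After header asks for (1s if the header is missing)."""
    headers = {"Authorization": f"Bearer {key}", "Accept": "application/json"}
    attempt = 0
    while True:
        status, resp_headers, body = transport(API_BASE + path, headers)
        if status == 429 and attempt < max_retries:
            lowered = {k.lower(): v for k, v in resp_headers.items()}  # header names are case-insensitive
            sleep(float(lowered.get("retry-after", "1")))
            attempt += 1
            continue
        data = json.loads(body) if body else None
        if 200 <= status < 300:
            return data
        raise ApiError(status, data)


def whoami(key, transport=urllib_transport):
    """Quickstart step 2: confirm which user, workspace and roles the key resolves to."""
    me = api_get("/v1/me", key, transport)
    return {
        "email": me["user"]["email"],
        "workspace": me["workspace"]["name"],
        "roles": me["workspace"]["roles"],
        "read_only": me.get("access") == "read-only",
    }


def list_rows(path, key, transport=urllib_transport):
    """Read a collection endpoint. Assumes (not shown on this page) that list
    responses carry a top-level "data" array. An empty array is a normal 200:
    row-level security filtered everything out, which is not an error."""
    payload = api_get(path, key, transport)
    return payload["data"] if isinstance(payload, dict) and "data" in payload else []


def key_from_env():
    """Never hardcode the key; CSFAAS_API_KEY is an assumed variable name."""
    key = os.environ.get("CSFAAS_API_KEY")
    if not key:
        raise RuntimeError("set CSFAAS_API_KEY to the key created under Settings > API & MCP")
    return key


if __name__ == "__main__":
    print(whoami(key_from_env()))
```

Two design points worth noting: the transport is injected so the same retry and status logic runs against a replayed response script as against the live service, and only 429 is retried, because the other documented failures (a revoked key, a forbidden resource, an invalid parameter) will not fix themselves on a second attempt.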

Build on your program

Read your whole GRC posture with one key

Create a key in the app, point curl at it, and pull live compliance data in seconds. It is included in every plan, at no extra cost.
