Skip to main content
SEC API ships enterprise-grade infrastructure from the first request. Audit logging, entitlement reporting, key rotation, and multi-seat organizations are built into the platform today. WorkOS powers dashboard login and remains the enterprise SSO boundary as organization-level access expands.

Authentication

API keys are the primary authentication method for all plans. Org-scoped credentials are issued through POST /v1/api_keys and used via the x-api-key header. See Auth, Billing, and First Utility for the full model. Hosted MCP clients use x-api-key for server-to-server access and can discover OAuth metadata through api.secapi.ai where the client requires protected-resource metadata. OAuth discovery endpoints are published at /.well-known/oauth-protected-resource and /.well-known/oauth-authorization-server.

WorkOS SSO

WorkOS is the dashboard human-auth boundary. Users authenticate through WorkOS. Enterprise SSO expands this same boundary to SAML and OIDC federation with Okta, Azure AD, Google Workspace, and other SAML 2.0 / OIDC identity providers for customers who require corporate-IdP-backed human login.

Audit Logs

Every API request generates a traceable event chain. SEC API provides multiple surfaces for inspecting activity after the fact.

Event export

Export the available event log in JSON or NDJSON for ingestion into external SIEM, log aggregation, or compliance tooling:
curl "$SECAPI_BASE_URL/v1/delivery/events/export?kind=event&format=ndjson&limit=100" \
  -H "x-api-key: $SECAPI_API_KEY"
Filters: kind, type, requestId, since, limit, format (json or ndjson). See Event Export for details.

Entitlement Reporting

Billing state, usage, and plan limits are always available through the API. Use these endpoints to build internal dashboards or enforce organizational spend policies.

Billing snapshot

curl "$SECAPI_BASE_URL/v1/billing" \
  -H "x-api-key: $SECAPI_API_KEY"
Returns the current plan key, billing state, spend caps, budget alerts, and Stripe subscription status.

Usage summary

curl "$SECAPI_BASE_URL/v1/usage" \
  -H "x-api-key: $SECAPI_API_KEY"
Returns metered usage events grouped by meter class for the current billing period.

Plan limits

curl "$SECAPI_BASE_URL/v1/limits" \
  -H "x-api-key: $SECAPI_API_KEY"
Returns the rate limits, API key limits, and throughput ceilings for the current plan.

Budget controls

Set spend caps and alert thresholds to prevent runaway costs:
curl -X PUT "$SECAPI_BASE_URL/v1/billing/budget" \
  -H "x-api-key: $SECAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"spendCapCents": 50000, "softCapCents": 30000, "approvalThresholdCents": 40000}'
Budget events are recorded with the acting principal, previous values, and request ID for audit purposes.

Key Rotation

Webhook signing secrets can be rotated without downtime from the signed-in dashboard. Secret rotation is a human-authenticated organization setting; it does not accept an API key. Save the newly shown secret before closing the confirmation. The response includes the full webhook endpoint object with the new signingSecret. Update your verification logic before the next delivery arrives. API keys can be revoked and re-created through DELETE /v1/api_keys/:keyId and POST /v1/api_keys.

Multi-Seat Organizations

The Team plan ($239/mo) supports up to five seats within a shared organization. All seats share:
  • org-scoped API keys with configurable scopes (read:sec, write:sec, admin:operator)
  • a unified billing context with shared spend caps and budget alerts
  • shared webhook endpoints, stream subscriptions, and event history
  • a single billing relationship through Stripe
The Commercial plan extends multi-seat support with custom seat counts, dedicated infrastructure options, and contract-based invoicing.

API key management

Each plan tier has a key limit. Team plans include more keys than Personal or PAYG:
# List existing keys
curl "$SECAPI_BASE_URL/v1/api_keys" \
  -H "x-api-key: $SECAPI_API_KEY"

# Create a new key with specific scopes
curl -X POST "$SECAPI_BASE_URL/v1/api_keys" \
  -H "x-api-key: $SECAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"label": "CI pipeline", "scopes": ["read:sec"], "livemode": true}'

SLA Guarantees

SEC API provides signed, logged, at-least-once webhook delivery with manual replay for retained delivery attempts. Automatic retry and endpoint auto-pause are rollout-gated operational features; Webhook Delivery is the source of truth for the currently shipped contract.

Commercial Licensing

The Commercial plan (from $18,000/yr) is required for redistribution, embedding, white-label, and resale use cases. It includes:
  • redistribution and external commercial rights
  • contract-based invoicing
  • dedicated onboarding support
  • custom throughput and rate limit configuration
See Plans and Pricing for the full plan comparison and Enterprise and Commercial Posture for the rights boundary and escalation path.

Enterprise endpoints summary

CategoryEndpoints
AuthGET /v1/me, GET /v1/org, POST /v1/api_keys, DELETE /v1/api_keys/:keyId
AuditGET /v1/delivery/events, GET /v1/delivery/events/export
EntitlementsGET /v1/billing, GET /v1/usage, GET /v1/limits, GET /v1/billing/rates
BudgetPUT /v1/billing/budget, POST /v1/billing/quote
Key rotationPOST /v1/webhook_endpoints/:webhookId/rotate_secret
CheckoutPOST /v1/billing/checkout, POST /v1/billing/portal

Audit Logs

Detailed reference for all audit log and event export endpoints.

Webhook Delivery

Signed delivery, audit history, event catalog, and manual replay.

Plans and Pricing

Full plan comparison including Commercial licensing.