Authentication
API keys are the primary authentication method for all plans. Org-scoped credentials are issued throughPOST /v1/api_keys and used via the x-api-key header. See Auth, Billing, and First Utility for the full model.
Hosted MCP clients use x-api-key for server-to-server access and can discover OAuth metadata through api.secapi.ai where the client requires protected-resource metadata. OAuth discovery endpoints are published at /.well-known/oauth-protected-resource and /.well-known/oauth-authorization-server.
WorkOS SSO
WorkOS is the dashboard human-auth boundary. Users authenticate through WorkOS. Enterprise SSO expands this same boundary to SAML and OIDC federation with Okta, Azure AD, Google Workspace, and other SAML 2.0 / OIDC identity providers for customers who require corporate-IdP-backed human login.Audit Logs
Every API request generates a traceable event chain. SEC API provides multiple surfaces for inspecting activity after the fact.Event export
Export the available event log in JSON or NDJSON for ingestion into external SIEM, log aggregation, or compliance tooling:kind, type, requestId, since, limit, format (json or ndjson). See Event Export for details.
Entitlement Reporting
Billing state, usage, and plan limits are always available through the API. Use these endpoints to build internal dashboards or enforce organizational spend policies.Billing snapshot
Usage summary
Plan limits
Budget controls
Set spend caps and alert thresholds to prevent runaway costs:Key Rotation
Webhook signing secrets can be rotated without downtime from the signed-in dashboard. Secret rotation is a human-authenticated organization setting; it does not accept an API key. Save the newly shown secret before closing the confirmation. The response includes the full webhook endpoint object with the newsigningSecret. Update your verification logic before the next delivery arrives.
API keys can be revoked and re-created through DELETE /v1/api_keys/:keyId and POST /v1/api_keys.
Multi-Seat Organizations
The Team plan ($239/mo) supports up to five seats within a shared organization. All seats share:
- org-scoped API keys with configurable scopes (
read:sec,write:sec,admin:operator) - a unified billing context with shared spend caps and budget alerts
- shared webhook endpoints, stream subscriptions, and event history
- a single billing relationship through Stripe
API key management
Each plan tier has a key limit. Team plans include more keys than Personal or PAYG:SLA Guarantees
SEC API provides signed, logged, at-least-once webhook delivery with manual replay for retained delivery attempts. Automatic retry and endpoint auto-pause are rollout-gated operational features; Webhook Delivery is the source of truth for the currently shipped contract.Commercial Licensing
The Commercial plan (from$18,000/yr) is required for redistribution, embedding, white-label, and resale use cases. It includes:
- redistribution and external commercial rights
- contract-based invoicing
- dedicated onboarding support
- custom throughput and rate limit configuration
Enterprise endpoints summary
| Category | Endpoints |
|---|---|
| Auth | GET /v1/me, GET /v1/org, POST /v1/api_keys, DELETE /v1/api_keys/:keyId |
| Audit | GET /v1/delivery/events, GET /v1/delivery/events/export |
| Entitlements | GET /v1/billing, GET /v1/usage, GET /v1/limits, GET /v1/billing/rates |
| Budget | PUT /v1/billing/budget, POST /v1/billing/quote |
| Key rotation | POST /v1/webhook_endpoints/:webhookId/rotate_secret |
| Checkout | POST /v1/billing/checkout, POST /v1/billing/portal |
Read next
Audit Logs
Detailed reference for all audit log and event export endpoints.
Webhook Delivery
Signed delivery, audit history, event catalog, and manual replay.
Plans and Pricing
Full plan comparison including Commercial licensing.

