> ## Documentation Index
> Fetch the complete documentation index at: https://docs.secapi.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Enterprise Features

> Explore SEC API enterprise capabilities like audit logging, entitlement reporting, key rotation, and multi-seat organizations.

SEC API ships enterprise-grade infrastructure from the first request. Audit logging, entitlement reporting, key rotation, and multi-seat organizations are built into the platform today. WorkOS powers dashboard login and remains the enterprise SSO boundary as organization-level access expands.

## Authentication

API keys are the primary authentication method for all plans. Org-scoped credentials are issued through `POST /v1/api_keys` and used via the `x-api-key` header. See [Auth, Billing, and First Utility](/auth-and-pricing) for the full model.

Hosted MCP clients use `x-api-key` for server-to-server access and can discover OAuth metadata through `api.secapi.ai` where the client requires protected-resource metadata. OAuth discovery endpoints are published at `/.well-known/oauth-protected-resource` and `/.well-known/oauth-authorization-server`.

### WorkOS SSO

[WorkOS](https://workos.com) is the dashboard human-auth boundary. Users authenticate through WorkOS. Enterprise SSO expands this same boundary to SAML and OIDC federation with Okta, Azure AD, Google Workspace, and other SAML 2.0 / OIDC identity providers for customers who require corporate-IdP-backed human login.

## Audit Logs

Every API request generates a traceable event chain. SEC API provides multiple surfaces for inspecting activity after the fact.

### Event export

Export the available event log in JSON or NDJSON for ingestion into external SIEM, log aggregation, or compliance tooling:

```bash theme={null}
curl "$SECAPI_BASE_URL/v1/delivery/events/export?kind=event&format=ndjson&limit=100" \
  -H "x-api-key: $SECAPI_API_KEY"
```

Filters: `kind`, `type`, `requestId`, `since`, `limit`, `format` (`json` or `ndjson`). See [Event Export](/event-export) for details.

## Entitlement Reporting

Billing state, usage, and plan limits are always available through the API. Use these endpoints to build internal dashboards or enforce organizational spend policies.

### Billing snapshot

```bash theme={null}
curl "$SECAPI_BASE_URL/v1/billing" \
  -H "x-api-key: $SECAPI_API_KEY"
```

Returns the current plan key, billing state, spend caps, budget alerts, and Stripe subscription status.

### Usage summary

```bash theme={null}
curl "$SECAPI_BASE_URL/v1/usage" \
  -H "x-api-key: $SECAPI_API_KEY"
```

Returns metered usage events grouped by meter class for the current billing period.

### Plan limits

```bash theme={null}
curl "$SECAPI_BASE_URL/v1/limits" \
  -H "x-api-key: $SECAPI_API_KEY"
```

Returns the rate limits, API key limits, and throughput ceilings for the current plan.

### Budget controls

Set spend caps and alert thresholds to prevent runaway costs:

```bash theme={null}
curl -X PUT "$SECAPI_BASE_URL/v1/billing/budget" \
  -H "x-api-key: $SECAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"spendCapCents": 50000, "softCapCents": 30000, "approvalThresholdCents": 40000}'
```

Budget events are recorded with the acting principal, previous values, and request ID for audit purposes.

## Key Rotation

Webhook signing secrets can be rotated without downtime from the signed-in dashboard. Secret rotation is a human-authenticated organization setting; it does not accept an API key. Save the newly shown secret before closing the confirmation.

The response includes the full webhook endpoint object with the new `signingSecret`. Update your verification logic before the next delivery arrives.

API keys can be revoked and re-created through `DELETE /v1/api_keys/:keyId` and `POST /v1/api_keys`.

## Multi-Seat Organizations

The Team plan (`$239/mo`) supports up to five seats within a shared organization. All seats share:

* org-scoped API keys with configurable scopes (`read:sec`, `write:sec`, `admin:operator`)
* a unified billing context with shared spend caps and budget alerts
* shared webhook endpoints, stream subscriptions, and event history
* a single billing relationship through Stripe

The Commercial plan extends multi-seat support with custom seat counts, dedicated infrastructure options, and contract-based invoicing.

### API key management

Each plan tier has a key limit. Team plans include more keys than Personal or PAYG:

```bash theme={null}
# List existing keys
curl "$SECAPI_BASE_URL/v1/api_keys" \
  -H "x-api-key: $SECAPI_API_KEY"

# Create a new key with specific scopes
curl -X POST "$SECAPI_BASE_URL/v1/api_keys" \
  -H "x-api-key: $SECAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"label": "CI pipeline", "scopes": ["read:sec"], "livemode": true}'
```

## SLA Guarantees

SEC API provides signed, logged, at-least-once webhook delivery with manual replay for retained delivery attempts. Automatic retry and endpoint auto-pause are rollout-gated operational features; [Webhook Delivery](/webhook-sla) is the source of truth for the currently shipped contract.

## Commercial Licensing

The Commercial plan (from `$18,000/yr`) is required for redistribution, embedding, white-label, and resale use cases. It includes:

* redistribution and external commercial rights
* contract-based invoicing
* dedicated onboarding support
* custom throughput and rate limit configuration

See [Plans and Pricing](/plans-and-pricing) for the full plan comparison and [Enterprise and Commercial Posture](/enterprise-commercial) for the rights boundary and escalation path.

## Enterprise endpoints summary

| Category         | Endpoints                                                                      |
| ---------------- | ------------------------------------------------------------------------------ |
| **Auth**         | `GET /v1/me`, `GET /v1/org`, `POST /v1/api_keys`, `DELETE /v1/api_keys/:keyId` |
| **Audit**        | `GET /v1/delivery/events`, `GET /v1/delivery/events/export`                    |
| **Entitlements** | `GET /v1/billing`, `GET /v1/usage`, `GET /v1/limits`, `GET /v1/billing/rates`  |
| **Budget**       | `PUT /v1/billing/budget`, `POST /v1/billing/quote`                             |
| **Key rotation** | `POST /v1/webhook_endpoints/:webhookId/rotate_secret`                          |
| **Checkout**     | `POST /v1/billing/checkout`, `POST /v1/billing/portal`                         |

## Read next

<CardGroup cols={3}>
  <Card title="Audit Logs" icon="scroll" href="/audit-logs">
    Detailed reference for all audit log and event export endpoints.
  </Card>

  <Card title="Webhook Delivery" icon="shield-check" href="/webhook-sla">
    Signed delivery, audit history, event catalog, and manual replay.
  </Card>

  <Card title="Plans and Pricing" icon="gauge" href="/plans-and-pricing">
    Full plan comparison including Commercial licensing.
  </Card>
</CardGroup>
