API Documentation — Ironframe GRC

REF_PATH: technical/api-documentation
SOURCE: APP_DOCUMENTS_DB

Overview of the public and internal HTTP APIs. All tenant-scoped routes require a Supabase session unless noted.

Authentication

| Method | Usage |
| --- | --- |
| Supabase session cookie | Browser and same-origin fetch |
| x-tenant-id header | Set by tenantFetch / Ironguard client |
| Authorization: Bearer | Cron and internal gates (IRONFRAME_CRON_SECRET, simulation secret) |

Core dashboard

| Method | Path | Description |
| --- | --- | --- |
| GET | /api/dashboard | Command Center aggregate payload (tenant-scoped) |
| GET | /api/health | Liveness probe |

Threats and risks

| Method | Path | Description |
| --- | --- | --- |
| GET | /api/threats | Threat list |
| GET | /api/threats/active | Active threats |
| POST | /api/threats/ingest | Irongate-sanitized ingest |
| POST | /api/ingest | Alternate ingest surface |
| GET | /api/threat-events-heatmap | Heatmap data |
| GET/POST | /api/threats/[id] | Single threat |
| POST | /api/threats/[id]/neutralize | Neutralize threat |

Sustainability (Ironbloom)

| Method | Path | Description |
| --- | --- | --- |
| GET | /api/sustainability/stats | Carbon pulse + financial bundle (60s poll) |
| GET | /api/sustainability/pulse-lkg | Last-known-good pulse offline bundle |
| GET | /api/sustainability/ironbloom | Ironbloom service surface |
| GET | /api/grc/carbon-pulse | GRC carbon pulse (mirrors stats) |
| GET | /api/grc/carbon-pulse/evidence | Forensic manifest by artifactId |

Query hygiene: an empty _api_key= query parameter is stripped by middleware; use the env fallback when configured.

GRC and governance

| Method | Path | Description |
| --- | --- | --- |
| GET | /api/grc/governance-maturity | Maturity snapshot |
| GET | /api/grc/compliance-drift | Drift metrics |
| GET | /api/grc/irontally | Control framework tally |
| GET | /api/grc/tas-integrity | Constitutional integrity (200/503) |
| GET | /api/grc/tas-constitution | TAS constitution payload |
| GET | /api/grc/security-posture | Security posture summary |
| POST | /api/grc/sustainability-stale-lockdown-waiver | Tripartite stale waiver |
| POST | /api/grc/constitutional-override | Break-glass override |
| POST | /api/grc/constitutional-restoration | Restoration flow |

Audit and exports

| Method | Path | Description |
| --- | --- | --- |
| GET | /api/audit/intelligence-feed | Audit intelligence stream |
| GET | /api/audit/ledger-feed | Ledger feed |
| GET | /api/audit/export | Audit export |
| GET | /api/ironquery/export | Ironquery analyst export |
| GET | /api/internal/ironquery/export | Internal token-gated export |

Ironwatch

| Method | Path | Description |
| --- | --- | --- |
| GET | /api/ironwatch/layout-signal | Global freeze + quarantine flags |
| POST | /api/ironwatch/human-ack-anomaly | Human anomaly acknowledgment |

Internal cron (Bearer secret)

| Path | Purpose |
| --- | --- |
| /api/internal/cron/ironwatch-api-heartbeat | Electricity Maps heartbeat |
| /api/internal/cron/gridcore-rate-poll | Utility rate poll |
| /api/internal/cron/health-posture-triage | Health posture triage |
| /api/internal/cron/ironscribe-daily-audit | Daily audit synthesis |
| /api/internal/cron/ironsight-regulatory-poll | Regulatory poll |
| /api/internal/cron/carbon-budget-reallocation | Carbon budget |
| /api/internal/cron/sustainability-achievement-report | Achievement report |

Response conventions

{ "ok": true, "pulse": { ... }, "source": "electricity-maps" }
{ "ok": false, "error": "No active tenant." }
  • Financial fields: stringified BigInt cents in JSON
  • Carbon intensity: number (gCO₂eq/kWh)
  • Errors: prefer 200 + ok: false for UI routes where LKG applies; 503 when no fallback
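
A client that follows these conventions cannot treat a 2xx status as success and must not pass cent values through Number. The following is an added example, not Ironframe code; the function names, the financial.costCents field and the sample bodies are assumptions constructed for illustration.

```javascript
// Added example (not Ironframe code). "financial.costCents" and the sample
// bodies below are constructed; the page does not name the financial fields.

// Financial fields are stringified BigInt cents. Accept only a canonical
// integer string: a JSON number may already have lost precision.
function parseCents(value) {
  if (typeof value !== "string" || !/^-?\d+$/.test(value)) {
    throw new TypeError("expected stringified integer cents");
  }
  return BigInt(value);
}

// Classify a response. UI routes may answer 200 with ok: false, so the
// HTTP status alone never indicates success; 503 means no fallback.
function readEnvelope(status, body) {
  const isObject = body !== null && typeof body === "object";
  if (status === 503) {
    return { state: "unavailable", error: isObject ? String(body.error ?? "") : "" };
  }
  if (!isObject || typeof body.ok !== "boolean") {
    return { state: "malformed", error: "missing boolean ok" };
  }
  if (!body.ok) {
    return { state: "failed", error: String(body.error ?? "") };
  }
  return { state: "ok", body };
}

// Render BigInt cents as a decimal string without converting to Number.
function formatCents(cents) {
  const sign = cents < 0n ? "-" : "";
  const abs = cents < 0n ? -cents : cents;
  return `${sign}${abs / 100n}.${String(abs % 100n).padStart(2, "0")}`;
}

// Constructed sample bodies. The cents value exceeds Number.MAX_SAFE_INTEGER.
const good = { ok: true, pulse: {}, financial: { costCents: "9007199254740993" }, source: "electricity-maps" };
const softFail = { ok: false, error: "No active tenant." };

function demo() {
  const a = readEnvelope(200, good);
  const b = readEnvelope(200, softFail);
  const c = readEnvelope(503, { ok: false, error: "upstream down" });
  const amount = formatCents(parseCents(a.body.financial.costCents));
  return { amount, softFail: b.state, softError: b.error, hard: c.state };
}
```

Monitoring that alerts only on non-2xx responses will miss the "failed" state here, so health checks for these routes should inspect the ok field as well.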

Client usage

import { ironguardFetch } from "@/app/utils/apiClient";

const res = await ironguardFetch("/api/sustainability/stats", { cache: "no-store" });
const json = await res.json();

Tenant-scoped SWR keys should include the tenant UUID (see the CarbonPulse component).

Environment reference

Full variable list: .env.example
Operations: DOCS_OPERATIONS.md
