HTTP API reference

Minimal catalog derived from the app/api route handlers. For request/response schemas, read the route source, or point an API client at your deployment (for example https://zentro.run).

Health

Liveness for load balancers; no auth.

  • GET /api/health

    JSON with ok, service name, and uptime in seconds.

  • HEAD /api/health

    Same as GET without a body.

Incidents

  • GET /api/incidents/{id}/export

    Download the incident as Markdown (authenticated Supabase user).

    Auth: Session cookie

  • GET /api/incidents/{id}/evidence

    Download the incident evidence pack as JSON (timeline, dry-run, audit-linked events).

    Auth: Session cookie

  • GET /api/incidents/{id}/review

    Download the post-incident review as Markdown (narrative, timeline, execution evidence, audit snapshot).

    Auth: Session cookie

  • POST /api/incidents/{id}/rca/run

    Generate and persist an incident RCA hypothesis with confidence and evidence references.

    Auth: Session cookie

  • GET /api/incidents/{id}/rca/latest

    Fetch the latest persisted RCA run for an incident.

    Auth: Session cookie

  • GET /api/services/{id}/slo

    Fetch the service SLO profile plus the latest error budget windows (7d/30d).

    Auth: Session cookie

  • GET /api/overview/error-budget-summary

    Fetch the SLO error budget overview across services (critical/warning burn and average used budget).

    Auth: Session cookie

Integrations

  • POST /api/integrations/alerts

    Create an incident from a monitoring alert, or dedupe it against an existing one (Bearer alert ingest token).

    Auth: Bearer ingest token

    Paid-gated per deployment; the token is validated server-side. Accepts the normalized Zentro payload as well as Datadog, Prometheus/Grafana Alertmanager, PagerDuty, and New Relic payloads (each with a vendor-specific dedupe key). Optional HMAC signature check when ZENTRO_ALERT_WEBHOOK_SIGNING_SECRET is set.

  • POST /api/integrations/vulnerabilities

    Upsert a Qualys/Tenable finding; auto-opens an incident for high/critical severity (Bearer ingest token).

    Auth: Bearer ingest token

    Same token as alert ingest. Optional X-Zentro-Vuln-Source header. Supports Qualys (QID/HOST), Tenable (plugin/asset), or generic finding_id payloads.

  • GET /api/health/db

    Postgres readiness via the zentro_db_health() RPC (requires migration #15).

    Auth: None

  • GET /api/connectors/status

    Probe the configured reasoning/automation connector URLs.

    Auth: Session cookie when Supabase auth is enabled

  • POST /api/integrations/slack/approvals

    Receive signed Slack action payloads and decide pending approvals.

    Auth: Slack request signature (X-Slack-Signature over X-Slack-Request-Timestamp and the raw body)
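
Both inbound endpoints above authenticate the sender before anything is parsed. The block below is an added example, not Zentro's route code, showing the checks a practitioner would expect: a constant-time Bearer comparison for the ingest token (the same shape the /scheduled cron routes need for their cron secrets), an optional hex HMAC-SHA256 over the raw request body, and Slack's documented v0 signing scheme with its replay window. The X-Zentro-Signature header name, the INGEST_TOKEN value, the secrets and all traffic are assumptions constructed for the example; the page does not specify the ingest signature format.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secrets and header names for the example; the page does not give
# the ingest signature header, so X-Zentro-Signature is an assumption.
INGEST_TOKEN = "zit_example_ingest_token_do_not_use"
ALERT_SIGNING_SECRET = b"example-ZENTRO_ALERT_WEBHOOK_SIGNING_SECRET"
SLACK_SIGNING_SECRET = b"example-slack-signing-secret"
SLACK_REPLAY_WINDOW_S = 300  # Slack's guidance: refuse requests older than five minutes


def check_bearer(authorization: Optional[str], expected: str) -> bool:
    """Constant-time check of `Authorization: Bearer <token>`.

    The /scheduled cron routes guard their ZENTRO_*_CRON_SECRET the same way;
    only the expected value differs.
    """
    if not authorization:
        return False
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected.encode())


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_body_signature(secret: bytes, raw_body: bytes, presented: Optional[str]) -> bool:
    if not presented:
        return False
    return hmac.compare_digest(sign_body(secret, raw_body), presented.strip().lower())


def accept_alert(headers: dict, raw_body: bytes, require_signature: bool) -> tuple:
    """Server-side decision for POST /api/integrations/alerts.

    Token first, then the optional HMAC, and only then JSON parsing, so an
    unauthenticated caller never reaches the parser or the dedupe logic.
    """
    if not check_bearer(headers.get("Authorization"), INGEST_TOKEN):
        return 401, "bad ingest token"
    if require_signature and not verify_body_signature(
        ALERT_SIGNING_SECRET, raw_body, headers.get("X-Zentro-Signature")
    ):
        return 401, "bad body signature"
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, "body is not JSON"
    if not isinstance(payload, dict) or "title" not in payload:
        return 422, "missing title"
    return 202, "accepted"


def build_alert_request(payload: dict) -> tuple:
    """Client side: serialise once, sign those bytes, send those same bytes."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    headers = {
        "Authorization": f"Bearer {INGEST_TOKEN}",
        "Content-Type": "application/json",
        "X-Zentro-Signature": sign_body(ALERT_SIGNING_SECRET, raw),
    }
    return headers, raw


def verify_slack_request(headers: dict, raw_body: bytes, now: Optional[float] = None) -> bool:
    """Slack's documented v0 scheme: v0=HMAC-SHA256(secret, "v0:<timestamp>:<raw body>")."""
    ts = headers.get("X-Slack-Request-Timestamp", "")
    sig = headers.get("X-Slack-Signature", "")
    if not ts.isdigit() or not sig.startswith("v0="):
        return False
    current = time.time() if now is None else now
    if abs(current - int(ts)) > SLACK_REPLAY_WINDOW_S:
        return False  # stale or replayed
    base = b"v0:" + ts.encode() + b":" + raw_body
    expected = "v0=" + hmac.new(SLACK_SIGNING_SECRET, base, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def sign_slack_request(raw_body: bytes, timestamp: int) -> dict:
    """Produce the two Slack headers for constructed test traffic."""
    base = b"v0:" + str(timestamp).encode() + b":" + raw_body
    return {
        "X-Slack-Request-Timestamp": str(timestamp),
        "X-Slack-Signature": "v0=" + hmac.new(SLACK_SIGNING_SECRET, base, hashlib.sha256).hexdigest(),
    }
```

Sign and verify the exact bytes on the wire; re-serialising the JSON before verifying is the usual way these checks end up silently rejecting valid vendor payloads. The Lemon Squeezy billing webhook listed further down carries the same hex HMAC-SHA256 of the raw body in its X-Signature header, so verify_body_signature applies to it unchanged with that secret.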

  • POST /api/approvals/policy-suggestions/promote

    Promote a decision-intelligence policy suggestion into policy review and log audit evidence.

    Auth: Session cookie (or session mode fallback)

  • GET /api/deployment/profile

    Active organization deployment tier, data region, and boundary (FedRAMP-oriented).

    Auth: Session cookie

  • GET /api/deployment/retention

    Effective org retention policy for audit_log and closed incidents (tier defaults + overrides).

    Auth: Session cookie

  • GET /api/governance/compliance/summary

    SOC 2 / ISO 27001 control coverage from audit_log and accepted policies (30d window).

    Auth: Session cookie

  • GET /api/governance/compliance/program

    Compliance program dashboard — weighted readiness, SOC 2 / ISO gaps, attestation and vendor rollups.

    Auth: Session cookie

  • GET /api/governance/compliance/gap-remediations

    Gap-to-runbook remediation queue from live assessment exceptions plus org tracking rows.

    Auth: Session cookie

  • GET /api/governance/compliance/risk-heatmap

    Compliance risk heatmap — framework concentration, vendor tier matrix, and top hotspots from live org data.

    Auth: Session cookie

  • GET /api/governance/compliance/executive-summary

    Board-ready GRC executive summary — program readiness, frameworks, hotspots, and leadership actions (JSON, Markdown, HTML, CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/calendar

    GRC compliance calendar — attestations, vendor reviews, bundles, audit season checkpoints (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/benchmarking

    Control benchmarking — org readiness percentiles vs industry reference cohorts (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/policy-drift

    Policy drift — accepted automation guardrails vs live assessment gaps (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/control-graph

    Control dependency graph — crosswalk, thematic, shared audit, and shared policy edges (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/regulatory-impact

    Regulatory change impact — scenario readiness deltas vs live baseline (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/evidence-lineage

    Evidence lineage — audit and policy sources through bundles to assessor workbook (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/testing-evidence-linker

    Control testing evidence linker — dry-run outputs mapped to controls and evidence bundles (JSON or CSV).

    Auth: Session cookie

  • POST /api/governance/compliance/testing-evidence-linker

    Record test-to-bundle links in the audit log for the assessor export trail.

    Auth: Session cookie

  • GET /api/governance/compliance/testing-schedules

    Control testing schedules — recurring evidence windows from attestations, checkpoints, and freshness (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/scope-boundary

    Scope boundary mapper — in-scope systems, data flows, and framework control mappings (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/kpi-trends

    Compliance KPI trends — weekly remediation velocity, attestation closure, framework readiness (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/posture-score

    Unified compliance posture score — blended readiness, attestations, vendors, gaps, risk (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/control-ownership

    GRC control ownership matrix — RACI per control linked to scope and attestations (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/exception-register

    Compliance exception register — assessment gaps, policy drift, compensating remediations (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/evidence-requests

    Assessor evidence request workflow — open document requests with due dates and control linkage (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/evidence-request-sla

    Evidence request SLA dashboard — overdue queue, at-risk window, fulfillment metrics (JSON or CSV).

    Auth: Session cookie

  • POST /api/governance/compliance/evidence-request-sla

    Deliver the auditor evidence request SLA digest (email + optional webhook).

    Auth: Session cookie

  • POST /api/governance/compliance/evidence-request-sla/scheduled

    Cron SLA digest delivery (Bearer ZENTRO_EVIDENCE_REQUEST_SLA_CRON_SECRET).

    Auth: Bearer cron secret

  • GET /api/governance/compliance/obligation-ics

    Compliance obligation ICS — iCalendar feed of attestations, vendors, bundles, checkpoints (text/calendar).

    Auth: Session cookie

  • GET /api/governance/compliance/mapping-digest

    Preview the regulatory mapping change digest vs the last org snapshot.

    Auth: Session cookie

  • POST /api/governance/compliance/mapping-digest

    Run the mapping change digest — webhook/email when the catalog or crosswalk changes.

    Auth: Session cookie

  • POST /api/governance/compliance/mapping-digest/scheduled

    Cron mapping digest (Bearer ZENTRO_MAPPING_DIGEST_CRON_SECRET).

    Auth: Bearer cron secret

  • GET /api/governance/compliance/inherited-control-gaps

    Inherited control coverage gaps — vendors missing evidence on tier-inherited controls (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/control-health-scorecard

    Leadership control health scorecard — posture, vendor inherited controls, and gap closure (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/obligation-heatmap

    Regulatory obligation heatmap — open obligations by framework, vendor tier, and testing schedule (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/obligation-crossover

    Multi-framework obligation crossover — shared due windows and crosswalk-linked evidence reuse clusters (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/obligation-consolidation

    Obligation consolidation playbook — six-step workflows per crossover cluster with tracked play status (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/obligation-forecast

    Board obligation forecast — weekly forward-looking obligation density and committee milestones (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/obligation-whatif

    Board obligation what-if — stress-test forecast density with week shifts or framework descope (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/committee-capacity-budget

    Committee obligation capacity budget — weekly owner-hours vs forecast peaks with shortfall flags (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/obligation-load-balancing

    Obligation owner load balancing — peak-week RACI load slices and rebalance suggestions (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/peak-week-staffing-digest

    Peak-week staffing digest — capacity shortfall + load imbalance coincidence preview (JSON or CSV).

    Auth: Session cookie

  • POST /api/governance/compliance/peak-week-staffing-digest

    Deliver the peak-week staffing digest (email, Slack, optional webhook).

    Auth: Session cookie (owner/admin)

  • POST /api/governance/compliance/peak-week-staffing-digest/scheduled

    Cron peak-week staffing digest (Bearer ZENTRO_PEAK_WEEK_STAFFING_DIGEST_CRON_SECRET).

    Auth: Bearer cron secret

  • GET /api/governance/compliance/staffing-actions

    Obligation staffing action tracker — proposed and tracked load-balance and capacity relief actions (JSON, CSV, or HTML completion report).

    Auth: Session cookie

  • GET /api/governance/compliance/staffing-action-reminders

    Staffing action overdue reminders — open actions past peak week preview (JSON or CSV).

    Auth: Session cookie

  • POST /api/governance/compliance/staffing-action-reminders

    Send staffing action overdue reminders (email and Slack).

    Auth: Session cookie (owner/admin)

  • POST /api/governance/compliance/staffing-action-reminders/scheduled

    Cron staffing overdue reminders (Bearer ZENTRO_STAFFING_OVERDUE_REMINDER_CRON_SECRET).

    Auth: Bearer cron secret

  • GET /api/governance/compliance/staffing-completion-rollup

    Staffing completion rollup — tracked vs open vs completed archive (JSON, CSV, or printable HTML).

    Auth: Session cookie

  • POST /api/governance/compliance/staffing-completion-rollup

    Email the weekly staffing completion rollup to owners and admins.

    Auth: Session cookie (owner/admin)

  • POST /api/governance/compliance/staffing-completion-rollup/scheduled

    Cron staffing completion rollup (Bearer ZENTRO_STAFFING_COMPLETION_ROLLUP_CRON_SECRET).

    Auth: Bearer cron secret

  • GET /api/governance/compliance/staffing-sla-breach-digest

    Staffing SLA breach digest — open actions past committee completion SLA after peak week (JSON or CSV).

    Auth: Session cookie

  • POST /api/governance/compliance/staffing-sla-breach-digest

    Deliver the staffing SLA breach digest (email and Slack).

    Auth: Session cookie (owner/admin)

  • POST /api/governance/compliance/staffing-sla-breach-digest/scheduled

    Cron staffing SLA breach digest (Bearer ZENTRO_STAFFING_SLA_BREACH_DIGEST_CRON_SECRET).

    Auth: Bearer cron secret

  • GET /api/governance/compliance/cross-staffing-committee-escalation

    Cross-staffing committee escalation — SLA breaches still open after the completion rollup email (JSON or CSV).

    Auth: Session cookie

  • POST /api/governance/compliance/cross-staffing-committee-escalation

    Deliver the cross-staffing committee escalation (email and Slack).

    Auth: Session cookie (owner/admin)

  • POST /api/governance/compliance/cross-staffing-committee-escalation/scheduled

    Cron cross-staffing committee escalation (Bearer ZENTRO_CROSS_STAFFING_COMMITTEE_ESCALATION_CRON_SECRET).

    Auth: Bearer cron secret

  • POST /api/governance/compliance/staffing-digest-auto-chain/scheduled

    Cron staffing digest auto-chain — rollup, SLA digest, and escalation in one run (Bearer ZENTRO_STAFFING_DIGEST_AUTO_CHAIN_CRON_SECRET).

    Auth: Bearer cron secret

  • GET /api/governance/compliance/committee-digest

    Quarterly obligation committee digest — forecast, crossover, and SLA rollup preview (JSON or CSV).

    Auth: Session cookie

  • POST /api/governance/compliance/committee-digest

    Deliver the quarterly obligation committee digest (email + optional webhook).

    Auth: Session cookie (owner/admin)

  • POST /api/governance/compliance/committee-digest/scheduled

    Cron quarterly digest delivery (Bearer ZENTRO_OBLIGATION_COMMITTEE_DIGEST_CRON_SECRET).

    Auth: Bearer cron secret

  • GET /api/governance/compliance/obligation-rollup

    Obligation executive rollup — printable HTML (print to PDF), JSON, or CSV for board packets.

    Auth: Session cookie

  • GET /api/governance/compliance/obligation-density-alerts

    Obligation density alerting — forecast breach preview against org thresholds (JSON or CSV).

    Auth: Session cookie

  • POST /api/governance/compliance/obligation-density-alerts

    Send obligation density Slack and email alerts for active breaches.

    Auth: Session cookie (owner/admin)

  • POST /api/governance/compliance/obligation-density-alerts/scheduled

    Cron obligation density alerts (Bearer ZENTRO_OBLIGATION_DENSITY_ALERT_CRON_SECRET).

    Auth: Bearer cron secret

  • GET /api/governance/compliance/obligation-density-trend-history

    Obligation density trend history — trailing-quarter weekly density and alert deliveries (JSON or CSV).

    Auth: Session cookie

  • GET /api/governance/compliance/committee-meeting-pack

    Committee meeting pack ZIP — printable HTML summary, scorecard, posture, exceptions, and open gaps.

    Auth: Session cookie

  • GET /api/governance/compliance/attestation-renewal

    Attestation renewal calendar — renewal waves by due window with framework rollup (JSON or CSV).

    Auth: Session cookie

  • POST /api/governance/compliance/attestation-renewal

    Email control owners for the current renewal waves (org admins).

    Auth: Session cookie (org admins)

  • POST /api/governance/compliance/attestation-renewal/scheduled

    Cron owner renewal nudges (Bearer ZENTRO_ATTESTATION_RENEWAL_CRON_SECRET).

    Auth: Bearer cron secret

  • GET /api/governance/legal-holds

    Active legal holds on incidents and the count of audit rows flagged (org-scoped).

    Auth: Session cookie

  • GET /api/governance/compliance/bundles

    List persisted assessor evidence bundles for the active organization.

    Auth: Session cookie

  • POST /api/governance/compliance/bundles

    Create a tamper-evident evidence bundle; optional webhook delivery to the org URL.

    Auth: Session cookie (owner/admin)

  • POST /api/governance/compliance/bundles/scheduled

    Cron entrypoint to generate a bundle (Bearer ZENTRO_BUNDLE_CRON_SECRET; body: orgId, window).

    Auth: Bearer cron secret

  • GET /api/governance/compliance/bundles/{id}

    Fetch persisted evidence bundle metadata and manifest verification for the active org.

    Auth: Session cookie

  • GET /api/governance/compliance/bundles/{id}/download

    Download the evidence bundle ZIP archive by bundle id.

    Auth: Session cookie

  • GET /api/governance/compliance/crosswalk

    SOC 2 / ISO 27001 crosswalk — mapping matrix with optional periodDays and format=csv|json; evidence overlay per control.

    Auth: Session cookie

  • GET /api/governance/compliance/workbook

    Unified assessor workbook ZIP — evidence pack, crosswalk, framework assessments, README, and tamper-evident manifest.

    Auth: Session cookie
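
The bundle and workbook endpoints above ship a tamper-evident manifest, and GET /api/governance/compliance/bundles/{id} reports its verification; the page does not say how the manifest is keyed or laid out. As an added example, not Zentro's code, here is one construction that gives an assessor the guarantees the term implies: every archive entry is listed with its SHA-256, and the manifest carries an HMAC over the canonical entry list, so an edited file, a dropped file, a smuggled-in file and an edited manifest each fail verification with a distinct finding. The manifest layout, MANIFEST_KEY and the sample evidence files are assumptions constructed for the example.

```python
import hashlib
import hmac
import io
import json
import zipfile
from typing import Optional

# Constructed key; a deployment keeps this server-side so a bundle edited
# outside the platform cannot be re-signed. Layout is an assumption.
MANIFEST_KEY = b"example-bundle-manifest-key"
MANIFEST_NAME = "manifest.json"


def _canonical(bundle_id, entries: dict) -> bytes:
    """Deterministic bytes for the MAC: sorted keys, no whitespace."""
    return json.dumps({"bundle_id": bundle_id, "entries": entries},
                      sort_keys=True, separators=(",", ":")).encode()


def build_bundle(files: dict, bundle_id: str) -> bytes:
    """Pack evidence files into a ZIP whose manifest binds every entry.

    Each entry is listed with its SHA-256 and the manifest carries an HMAC over
    the canonical entry list, so neither a file nor the manifest can be edited
    or dropped without breaking verification.
    """
    entries = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}
    manifest = {
        "bundle_id": bundle_id,
        "entries": entries,
        "mac": hmac.new(MANIFEST_KEY, _canonical(bundle_id, entries), hashlib.sha256).hexdigest(),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(files.items()):
            zf.writestr(name, data)
        zf.writestr(MANIFEST_NAME, json.dumps(manifest, sort_keys=True, indent=2))
    return buf.getvalue()


def verify_bundle(archive: bytes) -> tuple:
    """Return (ok, problems). Every check runs so the assessor sees all findings at once."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = set(zf.namelist())
        if MANIFEST_NAME not in names:
            return False, ["manifest missing"]
        manifest = json.loads(zf.read(MANIFEST_NAME))
        entries = manifest.get("entries", {})
        expected_mac = hmac.new(MANIFEST_KEY, _canonical(manifest.get("bundle_id"), entries),
                                hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, str(manifest.get("mac", ""))):
            problems.append("manifest MAC mismatch (manifest edited or wrong key)")
        for name, digest in entries.items():
            if name not in names:
                problems.append(f"{name}: listed in manifest but absent from archive")
            elif hashlib.sha256(zf.read(name)).hexdigest() != digest:
                problems.append(f"{name}: content digest mismatch")
        for name in sorted(names - set(entries) - {MANIFEST_NAME}):
            problems.append(f"{name}: present in archive but not in manifest")
    return not problems, problems


def tamper(archive: bytes, name: str, new_data: Optional[bytes]) -> bytes:
    """Rewrite one entry (or drop it when new_data is None) to produce a bad bundle for testing."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if item.filename == name:
                if new_data is not None:
                    dst.writestr(name, new_data)
                continue
            dst.writestr(item, src.read(item.filename))
    return out.getvalue()
```

The MAC covers the entry list rather than the whole ZIP so that verification can name the specific file that changed; a per-file hash alone would let someone replace a file and its manifest line together, which is exactly what the keyed MAC over the list prevents.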

  • POST /api/governance/compliance/digest

    Compliance program digest — readiness deltas vs the prior snapshot, overdue attestations; optional HTTPS webhook delivery.

    Auth: Session cookie (owner/admin)

  • POST /api/governance/compliance/digest/scheduled

    Cron digest delivery (Bearer ZENTRO_DIGEST_CRON_SECRET; body { orgId, periodDays? }).

    Auth: Bearer cron secret

  • GET /api/governance/compliance/sla-reminders

    Preview SLA reminder candidates (due soon, overdue, regressed) and org settings.

    Auth: Session cookie

  • POST /api/governance/compliance/sla-reminders

    Send compliance SLA reminders via Slack and optional Resend email (owner/admin).

    Auth: Session cookie (owner/admin)

  • POST /api/governance/compliance/sla-reminders/scheduled

    Cron SLA reminders (Bearer ZENTRO_SLA_CRON_SECRET; body { orgId }).

    Auth: Bearer cron secret

  • GET /api/governance/compliance/fedramp-poam

    FedRAMP POA&M export — NIST 800-53 rows from continuous assessment gaps; periodDays and format=csv|json.

    Auth: Session cookie

  • GET /api/governance/compliance/evidence-freshness

    Evidence freshness dashboard — per-control last evidence timestamps, stale queue; format=csv|json.

    Auth: Session cookie

  • GET /api/governance/compliance/baseline-comparison

    Multi-framework baseline comparison — live readiness and prior-period deltas for all framework packs; format=csv|json.

    Auth: Session cookie

  • GET /api/governance/compliance/assessor-tokens

    List org assessor API tokens and their allowed export resource paths.

    Auth: Session cookie

  • POST /api/governance/compliance/assessor-tokens

    Create an org assessor API token (zentro_ca_*); returns the plaintext key once.

    Auth: Session cookie (owner/admin)

  • DELETE /api/governance/compliance/assessor-tokens/{id}

    Revoke an assessor API token.

    Auth: Session cookie (owner/admin)

  • GET /api/governance/compliance/assessor/{id}

    Assessor read-only export — evidence-export, workbook, crosswalk, obligation-ics, baseline-comparison, risk-heatmap, executive-summary, framework reports; Bearer zentro_ca_* token.

    Auth: Bearer assessor token

  • GET /api/governance/compliance/export

    Compliance evidence pack — audit events + accepted policies with control tags (CSV or JSON).

    Auth: Session cookie

  • GET /api/governance/compliance/type-ii

    SOC 2 Type II continuous monitoring report — control trends, exceptions, evidence bundle and legal-hold counts.

    Auth: Session cookie

  • GET /api/governance/compliance/iso-assessment

    ISO 27001 Annex A continuous assessment — domain readiness, control trends, and gap analysis.

    Auth: Session cookie

  • GET /api/governance/compliance/pci-dss

    PCI DSS v4 control pack — requirement readiness, trends, and gap analysis from shared audit evidence.

    Auth: Session cookie

  • GET /api/governance/compliance/hipaa

    HIPAA Security Rule safeguards — readiness, trends, gap analysis, and BAA vendor control inheritance.

    Auth: Session cookie

  • GET /api/governance/compliance/nist-csf

    NIST CSF 2.0 alignment — function maturity tiers, control trends, and gap analysis from shared audit evidence.

    Auth: Session cookie

  • GET /api/governance/compliance/cis-v8

    CIS Controls v8 safeguard pack — Implementation Group readiness, control trends, and gap analysis.

    Auth: Session cookie

  • GET /api/governance/compliance/cmmc-l2

    CMMC 2.0 Level 2 overlay — 800-171 practice readiness, SPRS-style score, and gap analysis.

    Auth: Session cookie

  • GET /api/governance/compliance/gdpr-art32

    GDPR Article 32 technical measures — domain readiness, DPA bands, and gap analysis.

    Auth: Session cookie

  • GET /api/governance/compliance/attestations

    Control attestation board — owners, due dates, status, linked audit evidence counts per SOC 2 / ISO control.

    Auth: Session cookie

  • GET /api/governance/third-party/vendors

    Third-party risk register — vendors with inherited controls, attestation status, and reused audit evidence counts.

    Auth: Session cookie

  • POST /api/governance/third-party/vendors

    Add a vendor; inherits SOC 2 / ISO controls from risk tier and category (owner/admin).

    Auth: Session cookie (owner/admin)

  • GET /api/governance/policy-blocks/summary

    Policy-block analytics summary for the current user (window=7d|30d; includes prior-window delta and reason distribution).

    Auth: Session cookie

Automations

  • POST /api/automations/dry-run

    Run a playbook dry-run; may persist and append audit when configured.

    Auth: Session cookie

  • POST /api/automations/execute

    Record a guarded execution after a successful dry-run, with approval note and rollback plan.

    Auth: Session cookie

  • POST /api/automations/remediate

    Run guarded remediation with dry-run freshness and accepted policy checks.

    Auth: Session cookie

  • GET /api/attack-paths/simulate

    Simulate ranked attack paths from vulnerability entry points through the dependency graph to production targets.

    Auth: Session cookie

    Optional query: targetServiceId, maxDepth.

  • GET /api/services/dependency-graph

    Fetch the service dependency graph (nodes and directed edges).

    Auth: Session cookie
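
GET /api/attack-paths/simulate ranks routes from services with open findings through the dependency graph to production targets, bounded by maxDepth and optionally pinned to targetServiceId. The block below is an added example, not Zentro's implementation, of that walk over a constructed graph: a depth-bounded DFS over simple paths, scored by the entry point's worst finding severity divided by path length so that a critical finding on a service that is itself production outranks a long chain. The node and edge field names, the sample graph and the scoring rule are assumptions.

```python
# Constructed dependency graph. Field names (env, max_severity) and the
# scoring rule are assumptions for the example, not Zentro's schema.
SERVICES = {
    "edge-proxy": {"env": "production", "max_severity": "high"},
    "auth-api": {"env": "production", "max_severity": None},
    "billing-db": {"env": "production", "max_severity": None},
    "build-runner": {"env": "staging", "max_severity": "critical"},
    "artifact-store": {"env": "staging", "max_severity": None},
}
EDGES = [  # (caller, callee): caller has a network path to callee
    ("edge-proxy", "auth-api"),
    ("auth-api", "billing-db"),
    ("build-runner", "artifact-store"),
    ("artifact-store", "billing-db"),
    ("build-runner", "auth-api"),
]
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def simulate_attack_paths(services, edges, target_service_id=None, max_depth=4):
    """Rank simple paths from services with open findings to production services.

    max_depth bounds the DFS (edges per path) so a dense graph cannot explode;
    target_service_id narrows the target set to one service. Score is the
    entry point's severity weight divided by (hops + 1), so a critical finding
    on a service that is itself production (zero hops) outranks any chain.
    """
    adjacency = {}
    for src, dst in edges:
        adjacency.setdefault(src, []).append(dst)
    entries = [s for s, meta in services.items() if meta["max_severity"]]
    targets = {s for s, meta in services.items() if meta["env"] == "production"}
    if target_service_id is not None:
        targets &= {target_service_id}

    found = []

    def walk(path):
        node = path[-1]
        if node in targets:
            severity = services[path[0]]["max_severity"]
            hops = len(path) - 1
            found.append({
                "path": list(path),
                "hops": hops,
                "severity": severity,
                "score": SEVERITY_WEIGHT[severity] / (hops + 1),
            })
        if len(path) - 1 >= max_depth:
            return
        for nxt in adjacency.get(node, []):
            if nxt not in path:  # simple paths only: never revisit a node
                walk(path + [nxt])

    for entry in entries:
        walk([entry])
    return sorted(found, key=lambda p: (-p["score"], p["path"]))


if __name__ == "__main__":
    for ranked in simulate_attack_paths(SERVICES, EDGES):
        print(f'{ranked["score"]:.2f}  {ranked["severity"]:<8} {" -> ".join(ranked["path"])}')
```

On the constructed graph the top result is the vulnerable production edge service itself (zero hops), followed by the staging build runner's one-hop route into the production auth API, which is the kind of non-obvious lateral path the endpoint exists to surface.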

Copilot

  • POST /api/copilot/chat

    Streaming or JSON chat completion; falls back from OpenAI to the configured reasoning URL, then to guided offline mode.

    Auth: Session cookie when OPENAI_API_KEY and Supabase auth are set; otherwise IP rate limit

  • GET /api/copilot/threads

    List conversation threads.

    Auth: Session cookie

  • POST /api/copilot/threads

    Create a thread.

    Auth: Session cookie

  • GET /api/copilot/threads/{id}/messages

    List messages in a thread.

    Auth: Session cookie

  • POST /api/copilot/threads/{id}/messages

    Append a user message and run an assistant turn.

    Auth: Session cookie

User-scoped keys

  • GET /api/user/api-keys

    List API keys (metadata only).

    Auth: Session cookie

  • POST /api/user/api-keys

    Create an API key (returns the plaintext once).

    Auth: Session cookie

  • DELETE /api/user/api-keys/{id}

    Revoke a key.

    Auth: Session cookie

  • GET /api/user/alert-ingest-tokens

    List alert ingest tokens.

    Auth: Session cookie

  • POST /api/user/alert-ingest-tokens

    Create an ingest token (returns the secret once).

    Auth: Session cookie

  • DELETE /api/user/alert-ingest-tokens/{id}

    Revoke an ingest token.

    Auth: Session cookie
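
The assessor tokens under Integrations (/api/governance/compliance/assessor-tokens) and the user-scoped keys and ingest tokens above share one property: the plaintext is returned exactly once at creation, and listing returns only metadata. Below is an added example, not Zentro's code, of the lifecycle that makes that work: the server keeps a SHA-256 of the key, resolves each request by looking up that hash, and for assessor tokens also enforces the org scope and the allowed export resource paths before the route runs. The zentro_ca_ prefix is from the page; the storage layout, default allowed paths and org model are assumptions constructed for the example.

```python
import hashlib
import posixpath
import secrets
from dataclasses import dataclass
from typing import Optional

# The zentro_ca_ prefix is from the page; everything else here (storage layout,
# org model, default allowed paths) is an assumption for the example.
PREFIX = "zentro_ca_"
DEFAULT_ALLOWED = (
    "/api/governance/compliance/export",
    "/api/governance/compliance/workbook",
)


def _digest(plaintext: str) -> str:
    return hashlib.sha256(plaintext.encode()).hexdigest()


def path_allowed(path: str, allowed: tuple) -> bool:
    """Exact match or child of an allowed path, after dropping the query string
    and collapsing dot segments so /export/../assessor-tokens cannot slip through."""
    clean = posixpath.normpath(path.split("?", 1)[0])
    return any(clean == a or clean.startswith(a.rstrip("/") + "/") for a in allowed)


@dataclass
class TokenRecord:
    token_id: str
    org_id: str
    key_hash: str          # SHA-256 of the plaintext; the plaintext is never stored
    allowed_paths: tuple
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for the table behind the token endpoints."""

    def __init__(self) -> None:
        self.by_hash: dict = {}

    def create(self, org_id: str, allowed_paths: tuple = DEFAULT_ALLOWED) -> tuple:
        """Mint a token; the plaintext is returned here and nowhere else."""
        plaintext = PREFIX + secrets.token_urlsafe(32)
        rec = TokenRecord(
            token_id=secrets.token_hex(8),
            org_id=org_id,
            key_hash=_digest(plaintext),
            allowed_paths=tuple(allowed_paths),
        )
        self.by_hash[rec.key_hash] = rec
        return plaintext, rec

    def list_metadata(self, org_id: str) -> list:
        """What GET returns: ids, scopes and status, never hashes or plaintext."""
        return [
            {"token_id": r.token_id, "allowed_paths": list(r.allowed_paths), "revoked": r.revoked}
            for r in self.by_hash.values() if r.org_id == org_id
        ]

    def authenticate(self, authorization: Optional[str], org_id: str, path: str) -> Optional[TokenRecord]:
        """Resolve a Bearer token for an org-scoped export request, or None.

        The token is high-entropy, so a lookup by its hash is the whole check;
        there is no stored secret to compare against, which is why a leaked
        table row does not yield a usable credential.
        """
        if not authorization or not authorization.startswith("Bearer "):
            return None
        plaintext = authorization[len("Bearer "):].strip()
        if not plaintext.startswith(PREFIX):
            return None
        rec = self.by_hash.get(_digest(plaintext))
        if rec is None or rec.revoked or rec.org_id != org_id:
            return None
        if not path_allowed(path, rec.allowed_paths):
            return None
        return rec

    def revoke(self, org_id: str, token_id: str) -> bool:
        """DELETE semantics: mark in place so the id still lists as revoked."""
        for rec in self.by_hash.values():
            if rec.org_id == org_id and rec.token_id == token_id and not rec.revoked:
                rec.revoked = True
                return True
        return False
```

Revocation is scoped by org as well as token id, so an owner of one org cannot revoke another org's assessor access by guessing ids; the same org check in authenticate is what keeps a token minted for one organization from reading another's exports.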

Connector proxies

Requests are forwarded to ZENTRO_REASONING_API_URL and ZENTRO_ROBOT_API_URL respectively when those variables are set.

  • GET|POST|PUT|PATCH|DELETE /api/reasoning/*

    Proxy to the reasoning backend.

    Auth: Session cookie

  • GET|POST|PUT|PATCH|DELETE /api/robot/*

    Proxy to the automation robot backend.

    Auth: Session cookie
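
The wildcard proxies above splice a caller-controlled remainder onto ZENTRO_REASONING_API_URL or ZENTRO_ROBOT_API_URL. Two things a reviewer would want to see in such a handler, shown here as an added example rather than Zentro's code: the remainder can only address paths under the configured base (no dot segments, no smuggled host), and the Supabase session cookie that authorised the caller is not replayed to the connector backend. The base URLs, header policy and sample requests are constructed for the example.

```python
from typing import Optional
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Constructed policy; the header set and base URLs are assumptions for the example.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}
NEVER_FORWARD = HOP_BY_HOP | {"cookie", "authorization", "host"}


def build_upstream_url(base_url: str, subpath: str, query: str = "") -> Optional[str]:
    """Map the /api/reasoning/* remainder onto the configured base URL.

    Returns None when the remainder cannot be expressed as a path strictly
    under the base: dot segments, backslashes and NULs are refused rather than
    normalised, and each segment is re-encoded so a decoded '%2e%2e' cannot
    survive as '..'. A leading '//' becomes an ordinary path segment, never a
    new authority.
    """
    base = urlsplit(base_url)
    if base.scheme not in ("http", "https") or not base.netloc:
        return None
    decoded = unquote(subpath)
    if "\\" in decoded or "\x00" in decoded:
        return None
    segments = [s for s in decoded.split("/") if s]
    if any(s in (".", "..") for s in segments):
        return None
    path = base.path.rstrip("/") + "/" + "/".join(quote(s, safe="") for s in segments)
    return urlunsplit((base.scheme, base.netloc, path, query, ""))


def forward_headers(inbound: dict, client_ip: str) -> dict:
    """Strip hop-by-hop headers and, above all, the caller's session cookie and
    Authorization header: they proved the caller to Zentro and must not be
    replayed to a connector that was never meant to see them."""
    out = {k: v for k, v in inbound.items() if k.lower() not in NEVER_FORWARD}
    out["X-Forwarded-For"] = client_ip
    return out
```

Whatever credential the connector backend itself expects should be added by the proxy from server-side configuration after this filtering, not passed through from the browser.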

Audit

  • GET /api/audit/export

    Download all audit_log rows for the signed-in user as CSV (optional window=24h|7d|30d|all).

    Auth: Session cookie

  • GET /api/audit/slack-events/export

    Download Slack delivery audit rows as CSV (optional window=24h|7d|30d|all).

    Auth: Session cookie

Billing

  • POST /api/webhooks/lemonsqueezy

    Lemon Squeezy subscription webhook.

    Auth: Lemon Squeezy webhook signature

OpenAPI sketch

Partial YAML for tooling. Operations are abbreviated (no responses or request schemas), so expand it in-repo before validating or publishing a full spec.

openapi: 3.0.3
info:
  title: Zentro API
  version: "0.1.0"
servers:
  - url: https://zentro.run
components:
  securitySchemes:
    sessionCookie:
      type: apiKey
      in: cookie
      name: session # placeholder; substitute the deployment's Supabase auth cookie name
    ingestToken:
      type: http
      scheme: bearer
paths:
  /api/health:
    get:
      summary: Liveness and uptime
      security: []
    head:
      summary: Liveness without body
      security: []
  /api/integrations/alerts:
    post:
      summary: Alert ingest (Bearer token)
      security:
        - ingestToken: []
  /api/automations/dry-run:
    post:
      summary: Playbook dry-run
      security:
        - sessionCookie: []
  /api/copilot/chat:
    post:
      summary: Copilot chat
      security:
        - sessionCookie: []
  /api/user/api-keys:
    get:
      summary: List API keys (metadata only)
      security:
        - sessionCookie: []
    post:
      summary: Create API key (plaintext returned once)
      security:
        - sessionCookie: []
