API Reference

The TeamSentry REST API lets you programmatically access security data, manage incidents, and integrate with AI agents. Every response includes a machine-readable summary field optimized for LLM consumption.

Authentication

All API requests require a valid API key sent as a Bearer token in the Authorization header. API keys are scoped to an organization and can be created from the TeamSentry dashboard under Settings > Agent API.

Creating an API Key

Navigate to Settings > Agent API in your dashboard
Click Create API Key
Give it a descriptive name (e.g., "Claude Desktop", "Security Bot")
Copy the key immediately -- it will not be shown again

API keys follow the format tsk_live_xxxxxxxxxxxx for production keys and tsk_test_xxxxxxxxxxxx for test keys.

Using Your API Key

HTTP Header

Authorization: Bearer tsk_live_your_api_key_here

curl example

curl https://api.teamsentry.ai/v1/overview \
  -H "Authorization: Bearer tsk_live_your_api_key_here" \
  -H "Content-Type: application/json"

Security: Never expose API keys in client-side code, public repositories, or logs. Rotate keys immediately if compromised.

Base URL

All API endpoints are relative to:

Base URL

https://api.teamsentry.ai/v1

Response Format

All responses are JSON. Every successful response includes a top-level summary field containing a natural-language description of the data, optimized for AI agent consumption.

Standard Response Shape

{
  "summary": "Human-readable summary of the response data.",
  "data": { ... },
  "meta": {
    "request_id": "req_abc123",
    "timestamp": "2025-01-15T10:30:00Z"
  }
}

Overview

GET /v1/overview

Returns a high-level security summary for your organization, including risk distribution, active incidents, and AI usage stats.

Parameter	Type		Description
include_ai_usage	boolean	optional	Include AI tool usage statistics
include_incidents	boolean	optional	Include open incident summary

Response

{
  "summary": "142 monitored users. 3 high-risk users. 2 open incidents.",
  "organization": {
    "total_users": 142,
    "monitored_users": 142
  },
  "risk_distribution": {
    "critical": 1,
    "high": 2,
    "medium": 8,
    "low": 47,
    "minimal": 84
  },
  "open_incidents": 2
}

Users

GET /v1/users

List all monitored users in the organization with basic risk info.

Parameter	Type		Description
limit	integer	optional	Max results (default: 50, max: 200)
offset	integer	optional	Pagination offset
risk_level	string	optional	Filter: critical, high, medium, low, minimal

GET /v1/users/:email/risk

Get detailed risk profile for a specific user including active rules, behavioral anomalies, and MITRE ATT&CK mappings.

Parameter	Type		Description
include_timeline	boolean	optional	Include risk score timeline (7d)

Response

{
  "summary": "[email protected] has HIGH risk (82). 4 active rules.",
  "user": {
    "email": "[email protected]",
    "name": "John Smith",
    "risk_score": 82,
    "risk_level": "high"
  },
  "active_rules": [
    {
      "rule_id": "impossible_travel",
      "severity": "high",
      "mitre_tactic": "TA0001",
      "triggered_at": "2025-01-15T08:22:00Z"
    }
  ]
}

GET /v1/users/high-risk

List users above a specified risk threshold, sorted by risk score descending.

Parameter	Type		Description
min_risk_score	integer	optional	Minimum risk score (default: 70)
limit	integer	optional	Max results (default: 20)

GET /v1/users/search

Search users by name, email, or department.

Parameter	Type		Description
query	string	required	Search term
risk_level	string	optional	Filter by risk level
limit	integer	optional	Max results (default: 20)

Incidents

GET /v1/incidents

List security incidents with filtering by status, severity, and date range.

Parameter	Type		Description
status	string	optional	open, closed, or all (default: open)
severity	string	optional	critical, high, medium, low
limit	integer	optional	Max results (default: 20)

GET /v1/incidents/:id

Get full incident details including timeline, affected users, triggered rules, and recommended actions.

PUT /v1/incidents/:id/status

Update incident status. Allows programmatic triage and closure.

Parameter	Type		Description
status	string	required	New status: investigating, resolved, false_positive
notes	string	optional	Resolution notes

AI Usage

GET /v1/ai-usage

Get AI tool usage analytics across the organization. Tracks Gemini, ChatGPT, Claude, and other AI tools.

Parameter	Type		Description
days	integer	optional	Lookback period in days (default: 7)
group_by	string	optional	Group by: user, tool, or day

Apps

GET /v1/apps

List all third-party apps connected to the workspace with risk assessments and OAuth scopes.

Parameter	Type		Description
status	string	optional	Filter: trusted, untrusted, or all

Agent-Specific

These endpoints are specifically designed for AI agent consumption with enriched summaries and structured context.

GET /v1/agent/summary

Returns a comprehensive, LLM-optimized security summary with actionable insights and recommended next steps.

POST /v1/agent/query

Execute a natural language security query. The API interprets the query and returns relevant security data.

Parameter	Type		Description
query	string	required	Natural language query (e.g., "Who has the highest risk?")

GET /v1/agent/tools

Lists all available MCP tools with their schemas, parameter definitions, and example invocations.

Error Codes

The API uses standard HTTP status codes. Error responses include a structured JSON body with error details.

Error Response Format

{
  "error": {
    "code": "invalid_api_key",
    "message": "The API key provided is invalid or expired.",
    "status": 401
  },
  "request_id": "req_abc123"
}

Status	Code	Description
400	bad_request	Invalid request parameters or body
401	invalid_api_key	Missing, invalid, or expired API key
403	forbidden	API key lacks required permissions
404	not_found	Requested resource does not exist
409	conflict	Resource state conflict (e.g., incident already resolved)
429	rate_limited	Too many requests, retry after specified delay
500	internal_error	Unexpected server error

Rate Limits

API requests are rate limited to ensure fair usage and platform stability.

Tier	Limit	Window
Standard	1,000 requests	Per minute, per API key
Enterprise	10,000 requests	Per minute, per API key

Rate limit headers are included in every response:

Rate Limit Headers

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 997
X-RateLimit-Reset: 1705312800

When rate limited, the API returns a 429 status with a Retry-After header indicating the number of seconds to wait before retrying.

Webhooks

Webhooks deliver real-time event notifications to your endpoint via HTTP POST. Configure webhook endpoints in your dashboard under Settings > Webhooks.

Event Format

All webhook payloads follow a standard envelope format:

Webhook Payload

{
  "id": "evt_abc123",
  "event": "incident.created",
  "timestamp": "2025-01-15T10:30:00Z",
  "data": {
    "incident_id": "inc_8f3k2j",
    "severity": "high",
    "title": "Possible account takeover detected",
    "affected_user": "[email protected]"
  }
}

HMAC Verification

Every webhook request includes an X-TeamSentry-Signature header containing an HMAC-SHA256 signature of the raw request body, using your webhook secret as the key.

Python - Verify Signature

import hmac
import hashlib

def verify_signature(payload_body, signature, secret):
    expected = hmac.new(
        secret.encode("utf-8"),
        payload_body,
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(
        f"sha256={expected}",
        signature
    )

Retry Policy

If your endpoint does not respond with a 2xx status within 10 seconds, TeamSentry retries delivery with exponential backoff:

Retry 1: after 30 seconds
Retry 2: after 2 minutes
Retry 3: after 10 minutes
Retry 4: after 1 hour
Retry 5: after 6 hours (final attempt)

After 5 failed retries, the event is marked as failed and logged in your dashboard. You can manually replay failed events from the webhook settings page.