# API Reference
Complete REST API reference.
## Base URL

```bash
https://api.solongate.com/api/v1
```
## Authentication

All API requests (except `/setup`, `/auth`, and `/health`) require an API key. Pass it via the `Authorization` header or the `X-API-Key` header.

```bash
# Authorization header
curl -H "Authorization: Bearer sg_live_..." https://api.solongate.com/api/v1/validate

# X-API-Key header
curl -H "X-API-Key: sg_live_..." https://api.solongate.com/api/v1/validate
```
## Rate Limiting

All endpoints are rate limited. Limits vary by endpoint type.

| Endpoint | Limit | Scope |
|---|---|---|
| /validate | 200 req/min | Per API key |
| All authenticated | 100 req/min | Per API key |
| /setup | 5 req/min | Per IP |
| /auth | 10 req/min | Per IP |

Rate limit info is included in response headers: `X-RateLimit-Remaining` and `Retry-After` (on 429).
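## Endpoints

| Group | Method | Endpoint | Description |
|---|---|---|---|
| Core | POST | /validate | Validate tool call |
| Core | POST | /tokens/verify | Verify token |
| Authentication | POST | /setup | Create project + keys |
| Authentication | POST | /auth | Login / Register |
| Authentication | GET | /auth/me | User profile |
| Policies | GET | /policies | List policies |
| Policies | POST | /policies | Create policy |
| Policies | GET | /policies/:id | Get policy |
| Policies | PUT | /policies/:id | Update policy |
| Policies | GET | /policies/:id/versions | Version history |
| Resources | GET | /tools | List tools |
| Resources | GET | /keys | List API keys |
| Resources | GET | /audit-logs | Query audit logs |
| Resources | GET | /stats | Dashboard stats |
| Resources | GET | /health | Health check |

## POST /validate
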
Validate a tool call against security policies.

### Request Body

```json
{
  "tool": "file_read",
  "arguments": {
    "path": "/data/document.txt"
  },
  "context": {
    "trustLevel": "VERIFIED",
    "permission": "READ",
    "serverName": "my-mcp-server"
  }
}
```

### Response

```json
{
  "allowed": true,
  "decision": {
    "effect": "ALLOW",
    "matchedRule": {
      "id": "allow-file-read",
      "description": "Allow file reads in /data"
    },
    "reason": "Matched rule: allow-file-read",
    "evaluatedAt": "2024-01-15T10:30:00.000Z"
  },
  "token": "eyJhbGciOiJIUzI1NiJ9...",
  "requestId": "req_abc123xyz",
  "latencyMs": 12.5
}
```
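
A client-side gate for the `/validate` call and the rate-limit headers described above, as an added example that is not SolonGate's own code: it treats anything other than an explicit ALLOW as a deny and backs off on 429. The `transport` hook, `scripted_transport`, the 30-second cap, and reading `Retry-After` as a number of seconds are assumptions made for this example.

```python
import json
import time

BASE_URL = "https://api.solongate.com/api/v1"  # base URL from this page

def check_tool_call(transport, api_key, tool, arguments, context,
                    max_retries=2, sleep=time.sleep):
    """Return (allowed, info); anything but an explicit ALLOW is a deny.

    transport(url, headers, body) -> (status, response_headers, raw_body) is a
    hypothetical hook so any HTTP client (or a test double) can be plugged in.
    """
    body = json.dumps({"tool": tool, "arguments": arguments,
                       "context": context}).encode()
    headers = {"Authorization": f"Bearer {api_key}",
               "Content-Type": "application/json"}
    for attempt in range(max_retries + 1):
        try:
            status, resp_headers, raw = transport(f"{BASE_URL}/validate", headers, body)
        except OSError as exc:  # network failure: deny, never default-allow
            return False, {"reason": f"transport error: {exc}"}
        if status == 429 and attempt < max_retries:
            # Assumption: Retry-After is a number of seconds; cap the wait at 30 s.
            try:
                wait = min(float(resp_headers.get("Retry-After", "1")), 30.0)
            except ValueError:
                wait = 1.0
            sleep(max(wait, 0.0))
            continue
        if status != 200:
            return False, {"reason": f"HTTP {status}"}
        try:
            data = json.loads(raw)
            decision = data["decision"]
            effect = decision["effect"]
        except (ValueError, KeyError, TypeError):
            return False, {"reason": "malformed response"}
        # Both fields must agree; the string "true" is not the boolean True.
        allowed = data.get("allowed") is True and effect == "ALLOW"
        return allowed, {"reason": decision.get("reason"),
                         "requestId": data.get("requestId"),
                         "token": data.get("token") if allowed else None}
    return False, {"reason": "no attempt made"}

def scripted_transport(responses):
    """Constructed test double: replays canned (status, headers, body) tuples."""
    queue = iter(responses)
    return lambda url, headers, body: next(queue)
```

Logging the returned `requestId` alongside each local allow or deny lets a decision be matched against the service's audit logs.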
## POST /tokens/verify

Verify a capability token. Tokens are single-use.

### Request Body

```json
{
  "token": "eyJhbGciOiJIUzI1NiJ9..."
}
```

### Response (Valid)

```json
{
  "valid": true,
  "tool": "file_read",
  "scope": ["read"],
  "expiresAt": "2024-01-15T10:30:30.000Z"
}
```

### Response (Invalid)

```json
{
  "valid": false,
  "error": "Token expired"
}
```
## POST /auth

Register a new account or sign in. No API key required.

### Register

```json
{
  "action": "register",
  "email": "user@example.com",
  "password": "SecureP@ss123",
  "name": "John Doe"
}
```

### Login

```json
{
  "action": "login",
  "email": "user@example.com",
  "password": "SecureP@ss123"
}
```

### Login Response

```json
{
  "user": {
    "id": "uuid",
    "email": "user@example.com",
    "name": "John Doe"
  },
  "projects": [
    { "id": "uuid", "name": "My Project", "slug": "my-project-abc12345" }
  ]
}
```
## GET /auth/me

Get the current user profile and project info. Requires API key.

### Response

```json
{
  "user": {
    "id": "uuid",
    "email": "user@example.com",
    "name": "John Doe"
  },
  "project": {
    "id": "uuid",
    "name": "My Project",
    "slug": "my-project-abc12345"
  },
  "api_key": {
    "prefix": "sg_live_abc12345",
    "is_live": true
  }
}
```
## GET /policies

List all policies for your project.

### Response

```json
{
  "policies": [
    {
      "id": "production-policy",
      "name": "Production Security Policy",
      "_version": 3,
      "_hash": "sha256:abc123...",
      "_created_at": "2024-01-15T10:00:00.000Z",
      "rules": [...]
    }
  ],
  "total": 1
}
```
## GET /health

Health check endpoint for monitoring.

### Response

```json
{
  "status": "healthy",
  "version": "0.2.0",
  "timestamp": "2024-01-15T10:30:00.000Z"
}
```