The SoCMate API provides programmatic access to investigations, incidents, the knowledge graph, search, and platform administration. All endpoints return JSON and follow REST conventions.

Base URL

All API requests are made against your organization’s SoCMate API endpoint: 
https://api.socmate.yourcompany.com

Authentication

SoCMate supports two authentication methods:
For machine-to-machine integrations, use an API key in the X-API-Key header. API keys are created by admins in the Admin panel.
curl -X GET https://api.socmate.yourcompany.com/api/v1/search?q=phishing \
  -H "X-API-Key: sk_live_abc123..."
API keys are scoped to specific permissions (e.g., investigations:read, incidents:read). See API Keys for details.

Rate Limits

Authentication MethodRate Limit
API KeyPer-key limits configured at creation
OAuth2 JWT (user)100 requests/minute per user
OAuth2 Client Credentials200 requests/minute per client
Concurrent investigationsConfigurable per deployment (default: 5 per user)
When a rate limit is exceeded, the API returns 429 Too Many Requests with a Retry-After header.

Error Format

All error responses follow a consistent format: 
{
  "detail": "Human-readable error message describing what went wrong"
}
For validation errors (422), the response includes field-level details: 
{
  "detail": [
    {
      "loc": ["body", "query"],
      "msg": "field required",
      "type": "value_error.missing"
    }
  ]
}

Status Codes

CodeMeaning
200Success
201Resource created
204Success (no content)
400Bad request — invalid parameters
401Unauthorized — missing or invalid token
403Forbidden — insufficient permissions or role
404Resource not found
409Conflict — duplicate resource or invalid state transition
422Validation error — request body failed validation
429Too many requests — rate limit or concurrent session limit exceeded
500Internal server error
502Bad gateway — upstream service error
503Service unavailable — dependency down (e.g., Sentinel)

Pagination

List endpoints support cursor-based pagination with offset and limit parameters: 
curl -X GET "https://api.socmate.yourcompany.com/api/v1/sessions/?limit=20&offset=40" \
  -H "X-API-Key: sk_live_abc123..."
Paginated responses include total count: 
{
  "sessions": [...],
  "total": 142,
  "limit": 20,
  "offset": 40
}
ParameterTypeDefaultDescription
limitinteger20Maximum number of items to return (max 100)
offsetinteger0Number of items to skip

Common Headers

HeaderRequiredDescription
AuthorizationYes (if not using API key)Bearer <jwt_token>
X-API-KeyYes (if not using JWT)API key value
Content-TypeYes (for POST/PATCH/PUT)application/json
AcceptOptionalapplication/json (default) or text/event-stream (for SSE)

API Sections

Authentication

OAuth2 flow, API key usage, token refresh, and JWT structure.

Investigations

Start investigations, send follow-ups, stream results, and query sessions.

Incidents

List, enrich, and manage Sentinel incidents.

Knowledge Graph

Query entity neighborhoods, investigation subgraphs, and entity search.