Skip to main content

A REST API for your whole stack

Run your saved queries from your own applications over HTTP. Scoped API keys, JSON responses, read-only — the same engine behind the dashboard, Slack, and AI chat.

What you can build

One HTTP call runs a saved query and hands you JSON. The rest is up to you.

Scheduled audits

Run your saved access and compliance queries on a cron — nightly SOC 2 evidence, weekly MFA gaps, monthly cost reviews — and pipe the JSON wherever you keep records.

CI guardrails

Fail a pipeline when a query comes back non-empty: a public bucket, an over-privileged role, a stale offboarded user. One HTTP call, exit non-zero on rows.

Embed in your own tools

Feed live Configview results into an internal portal, a Grafana panel, or a spreadsheet. Same data as the dashboard, on your own surface.

Scoped API keys

Each key is minted by an admin and locked to an explicit allowlist of queries. Deny-by-default: a key runs only what you granted it, with a per-minute rate limit and optional expiry.

Read-only by design

The API runs your saved queries and returns rows. It never writes to your systems and can't run arbitrary SQL — the same guarantee as the AI connector.

Fully audited

Every call is recorded in the activity log, attributed to the key that made it. Rotate a key by revoke-and-reissue without disrupting your other consumers.

Up and running in one call

Every customer has a dedicated API at https://<your-subdomain>.configview.com/api/v1. Mint a scoped key in the dashboard, send it as a Bearer token, and run any query on the key's allowlist.

Responses are plain JSON: column names, rows, a row count, and whether the result came from cache. Turn the positional rows into records in a couple of lines, in whatever language you already use.

# Run a saved query
curl -X POST \
  https://acme.configview.com/api/v1/queries/okta.users_without_mfa/run \
  -H "Authorization: Bearer $CONFIGVIEW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"params": {"days": 90}}'

# → JSON response
{
  "seed_key": "okta.users_without_mfa",
  "columns": ["email", "status"],
  "rows": [["[email protected]", "ACTIVE"]],
  "row_count": 1,
  "from_cache": true
}

API questions

How keys, scope, and caching work.

How is this different from the AI connector?
The AI connector (MCP) is for people asking questions in Claude, ChatGPT, or Gemini, authenticated per user over OAuth. The REST API is for your applications — scripts, CI, scheduled jobs — authenticated with a long-lived API key scoped to specific queries. Both are read-only and run the same saved queries.
What can a key actually run?
Only the saved queries on its allowlist. Keys are deny-by-default — a key with an empty allowlist can run nothing. An admin chooses exactly which queries each key may call when minting it.
Where do API keys come from?
An admin mints them from Admin → API Keys in the dashboard, setting a name, the allowed queries, a per-minute rate limit, and an optional expiry. The full key is shown once at creation and stored only as a hash — revoke and reissue to rotate.
Do results come from a cache?
By default you get the most recent cached result if it is still within the query's freshness window — fast and easy on your integrations. Pass force_live to run against live data when you need it.
Is it available on self-hosted instances?
Yes. The API lives at /api/v1 on your own Configview subdomain, so requests and data stay within your network on self-hosted deployments.

Build on your live infrastructure data

Self-hosted or cloud-managed. Mint a scoped key and make your first call in minutes.