Integration surfaces
What is not public API
The following are not public API contracts:- browser network calls from the web application
- undocumented platform endpoints or private application routes
- locally generated API explorers or broad development references
- generated clients used by Living Security web applications
- MCP or Livvy tool responses
- database tables, private DTOs, or page-shaped response models
Base URL and versioning
Use the API base URL provided by Living Security for your environment. Public REST endpoints are versioned under/api/v1.
The v1 public API evolves additively by default. New response fields may appear
without a version change, so clients should ignore unknown fields. Removing or
renaming endpoints or fields, changing field types, narrowing accepted values,
or changing authentication, authorization, tenant, or pagination semantics
requires a documented migration path.
Deprecated operations remain in the API reference during their migration
window. A deprecated operation includes a sunset date, a deprecation reason, and
a migration guide. When a direct replacement exists, the reference also names
the replacement operation.
Current v1 resources
The current public API catalog is intentionally small and resource-oriented. Endpoints are promoted when they have a stable customer use case, documented authorization behavior, and a supportable compatibility path.
See the Public API Reference section in the Developers tab for the current
endpoint list generated from the curated public API contract.
Promotion standard
An endpoint becomes public API only after it has:- a concrete customer-facing entity or resource model
- stable request and response DTOs that do not expose database or page models
- documented authentication, tenant, error, pagination, filter, and sort behavior where applicable
- permission and tenant-isolation coverage
- compatibility review, SDK generation, and this documentation updated
Authentication
Public API integrations use Living Security API access keys created in the Living Security platform. Create and manage keys in Settings -> Access Keys. Exchange the secret access key value for a bearer access token, then call the public API with both headers:Authorization: Bearer <bearer-token>x-organization-id: <organization-id>
Request patterns
Use documented resource identifiers, filters, sorting options, and pagination parameters only. Undocumented fields, web application URLs, and page-specific payloads are not public API contract. When a list endpoint is paginated, treat page boundaries and total counts as owned by that endpoint. Do not combine separately paginated requests and then sort the partial rows client-side.Errors, rate limits, and retries
Errors use standard HTTP status codes and documented response bodies in the API reference. Treat401 as an expired or invalid bearer access token, 403 as
missing permission or tenant access, 404 as a missing resource, and 400 as
invalid input.
Clients should handle transient 408, 429, and 5xx responses with bounded
exponential backoff. If a response includes Retry-After, wait at least that
long before retrying.
Do not assume a write endpoint is idempotent unless the endpoint reference says
so. If a network failure happens after a create, rotate, or revoke request,
check resource state before retrying.
MCP
MCP is available for agentic workflows that need tool-style interactions rather than REST resources. MCP tools share the same tenant and permission expectations as the rest of the platform, but they are not the public REST API and they are not web application endpoints. MCP tools are designed around permissioned actions and compact structured outputs for AI clients. They may use the same backend use cases as public REST resources, but tool responses should not be treated as REST DTOs and REST resources should not be created by copying tool output. See MCP Integration for setup.Related
API Access Keys
Create and manage credentials for API access.
MCP Integration
Connect AI tools through the Model Context Protocol.

