API Endpoints
Overview
Vulcan provides JSON API endpoints for programmatic access to projects, components, STIGs, and SRGs. Most endpoints require authentication. Public endpoints (/api/version, /health_check) are noted below.
Authentication
See Authentication for details on API authentication methods.
Base URL
https://your-vulcan-instance.comEndpoints
Version
Get Application Version
GET /api/versionReturns application metadata. No authentication required — used by monitoring tools, deployment verification, and the frontend.
Response:
{
"name": "Vulcan",
"version": "2.3.1",
"rails": "8.0.4",
"ruby": "3.4.9",
"environment": "production"
}Health Check
Readiness Probe
GET /health_checkReturns ok (vulcan 2.3.1) when database is connected. No authentication required.
Database Check
GET /health_check/databaseReturns ok (vulcan 2.3.1) when database is reachable.
Liveness Probe
GET /upRails 8 built-in liveness probe. Returns 200 with no body. No authentication required.
Projects
List Projects
GET /projects.jsonReturns a list of projects accessible to the authenticated user.
Get Project
GET /projects/:id.jsonReturns details for a specific project.
Create Project
POST /projects.jsonCreates a new project.
Update Project
PUT /projects/:id.jsonUpdates an existing project.
Delete Project
DELETE /projects/:id.jsonDeletes a project (admin only).
Components
List Components
GET /components.json
GET /projects/:project_id/components.jsonReturns components, optionally filtered by project.
Get Component
GET /components/:id.jsonReturns details for a specific component.
Create Component
POST /projects/:project_id/components.jsonCreates a new component within a project.
Update Component
PUT /components/:id.jsonUpdates an existing component.
Export Component
GET /components/:id/export.jsonExports component as InSpec profile or XCCDF.
Rules
List Rules
GET /components/:component_id/rules.jsonReturns rules for a component.
Get Rule
GET /rules/:id.jsonReturns details for a specific rule.
Update Rule
PUT /rules/:id.jsonUpdates a rule's content.
STIGs
List STIGs
GET /stigs.jsonReturns available STIGs.
Get STIG
GET /stigs/:id.jsonReturns details for a specific STIG.
Upload STIG
POST /stigs.jsonUploads a new STIG file (admin only).
Security Requirements Guides (SRGs)
List SRGs
GET /security_requirements_guides.jsonReturns available SRGs.
Get SRG
GET /security_requirements_guides/:id.jsonReturns details for a specific SRG.
Upload SRG
POST /security_requirements_guides.jsonUploads a new SRG file (admin only).
Response Format
JSON responses use flat structures (no wrapper object):
Success Response
{
"id": 1,
"name": "Example Project",
"description": "..."
}Error Response
{
"error": "Not found"
}Toast Response (from mutation actions)
{
"toast": {
"title": "Error",
"message": "Validation failed",
"variant": "danger"
}
}Pagination
List endpoints support pagination:
GET /projects.json?page=2&per_page=25Filtering
Some endpoints support filtering:
GET /components.json?project_id=123
GET /rules.json?status=openRate Limiting
Rate limiting is enforced via rack-attack:
- Login attempts: 5 per minute per IP, 5 per minute per email
- File uploads: 10 per minute per IP
Examples
cURL Example
curl -H "Authorization: Bearer YOUR_TOKEN" \
-H "Accept: application/json" \
https://vulcan.example.com/projects.jsonRuby Example
require 'net/http'
require 'json'
uri = URI('https://vulcan.example.com/projects.json')
req = Net::HTTP::Get.new(uri)
req['Authorization'] = 'Bearer YOUR_TOKEN'
req['Accept'] = 'application/json'
res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
http.request(req)
end
projects = JSON.parse(res.body)Status Codes
200 OK- Request successful201 Created- Resource created204 No Content- Resource deleted400 Bad Request- Invalid request401 Unauthorized- Authentication required403 Forbidden- Access denied404 Not Found- Resource not found422 Unprocessable Entity- Validation errors500 Internal Server Error- Server error
Support
For API support, contact: saf@mitre.org