Content Catalog
The catalog is the source of truth for the category, module, and topic identifiers used everywhere else in the public API. Look up identifiers here before you call POST /assignments, build custom course items, or interpret compliance responses. Required scope: content:read.
Endpoints
| Method | Path | Scope | Purpose |
|---|---|---|---|
GET | /api/public/v1/content/categories | content:read | All top-level categories. |
GET | /api/public/v1/content/categories/{categoryId}/topics | content:read | All topics inside a category, with module and CWE info. |
GET | /api/public/v1/content/cwes/{cweId}/topics | content:read | Resolve a CWE id to the list of topics that cover it. |
List categories
Returns every visible category for your organization. Categories mirror the four OWASP families used in the compliance endpoints — web, api, mobile, client.
GET /api/public/v1/content/categories
Authorization: Bearer scs_live_…Response
{
"count": 4,
"categories": [
{ "categoryId": "web", "title": "OWASP Top 10 (Web)" },
{ "categoryId": "api", "title": "OWASP API Security Top 10" },
{ "categoryId": "mobile", "title": "OWASP Mobile Top 10" },
{ "categoryId": "client", "title": "OWASP Client-Side Top 10" }
]
}Example
curl -sS \
-H "Authorization: Bearer $SCH_API_KEY" \
https://api.limeplate.com/api/public/v1/content/categoriesList topics in a category
Returns every topic that rolls up to the given category, each annotated with its parent module and the CWE set used for SARIF mapping. Returns 404 category_not_found if the categoryId is not one of the four above.
GET /api/public/v1/content/categories/web/topics
Authorization: Bearer scs_live_…Response
{
"categoryId": "web",
"categoryTitle": "OWASP Top 10 (Web)",
"count": 2,
"topics": [
{
"topicId": "sql-injection",
"title": "SQL Injection",
"moduleId": "a03-injection",
"moduleTitle": "A03: Injection",
"cwes": ["CWE-89"]
},
{
"topicId": "xss-reflected",
"title": "Reflected Cross-Site Scripting",
"moduleId": "a03-injection",
"moduleTitle": "A03: Injection",
"cwes": ["CWE-79", "CWE-80"]
}
]
}topicIdis the value you pass toPOST /assignmentsand to custom course items.moduleIdmatches themoduleIdused in the compliance framework detail responses, so you can join the two endpoints client-side.moduleTitlemay benullfor topics that are not grouped under an OWASP module (rare; reserved for ad-hoc content).
Example
curl -sS \
-H "Authorization: Bearer $SCH_API_KEY" \
https://api.limeplate.com/api/public/v1/content/categories/api/topicsResolve a CWE to topics
Given a CWE identifier, returns every topic that covers it. This is the same lookup the SARIF ingestion uses internally — call it directly when you want to map a finding to training without ingesting a full report.
GET /api/public/v1/content/cwes/CWE-89/topics
Authorization: Bearer scs_live_…Accepted CWE formats
The {cweId} path segment is normalized server-side. All of the following resolve identically:
89cwe-89CWE-89external/cwe/cwe-89
The response's cwe field always echoes the normalized canonical form (CWE-89). Unknown CWEs return 200 with count: 0 and an empty topics array — not a 404 — so the client does not need to special-case unmapped IDs.
Response
{
"cwe": "CWE-89",
"count": 1,
"topics": [
{
"topicId": "sql-injection",
"title": "SQL Injection",
"moduleId": "a03-injection",
"moduleTitle": "A03: Injection",
"categoryId": "web",
"categoryTitle": "OWASP Top 10 (Web)"
}
]
}Example
curl -sS \
-H "Authorization: Bearer $SCH_API_KEY" \
https://api.limeplate.com/api/public/v1/content/cwes/external/cwe/cwe-79/topicsIdentifier stability
Category, module, and topic identifiers are stable strings — they will not change once published. New topics may be added under existing modules, and new modules under existing categories, but renames are avoided to keep integrations resilient. If a topic is ever retired, the identifier is preserved and the topic is hidden from the catalog rather than recycled.