API Overview

The SecureCodingHub public REST API lets you provision users, create assignments, ingest scanner findings, and subscribe to events from your own systems — without scraping the admin UI.

When you should use the API

Use the public API when you want SecureCodingHub to behave like a piece of your infrastructure rather than a separate dashboard. Typical integrations:

  • CI/CD pipelines — feed SARIF output from CodeQL, Snyk, Semgrep, or any SAST tool to auto-create targeted training assignments for the commit author.
  • HR / IdP sync — provision users on hire and deactivate on departure, alongside SCIM.
  • Ticketing & SOAR — open a Jira ticket whenever a developer fails a required assignment, or call a PagerDuty incident when a certificate is overdue.
  • Custom reporting — pull progress and audit data into your own BI tool (Looker, Metabase, Tableau).
  • White-label dashboards — embed completion stats inside your internal portal.

Base URL & versioning

Every public endpoint is reached through a single base URL with the version pinned in the path:

https://api.limeplate.com/api/public/v1

The v1 contract is stable. Breaking changes will ship as v2 on a new path; v1 stays available for at least 12 months after a new major version becomes generally available.

Two surfaces, one platform

The admin web app under app.securecodinghub.com and the public API under api.limeplate.com/api/public/v1 are intentionally separate. They use different authentication schemes, different rate-limit policies, and different identifier conventions. Internal endpoints (/api/sch/...) are subject to change without notice; only endpoints documented in this section are guaranteed.

A 30-second tour

The flow for a new integration almost always looks like this:

1. Create an API key in the admin console under Organization → API Keys. Grant only the scopes you need (users:read, assignments:write, etc.).
2. Copy the scs_live_… token. The token is shown once on creation — store it in your secrets manager immediately.
3. Make your first call by sending Authorization: Bearer scs_live_… on any endpoint.
4. For events that originate inside SecureCodingHub (an assignment was completed, a SARIF run was ingested), subscribe a webhook endpoint and verify the HMAC signature on each delivery.
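
The signature check from step 4, as an added example that is not SecureCodingHub's own code. It assumes HMAC-SHA256 over the raw body, hex-encoded with a `sha256=` prefix, and uses a constructed secret and payload; this page does not state the header name, algorithm or encoding, so take those from the webhook reference.

```python
import hashlib
import hmac
import json

# Assumptions (not from the page): HMAC-SHA256 over the raw request body,
# hex-encoded with a "sha256=" prefix. Take the real header name, algorithm
# and encoding from the webhook reference.
ASSUMED_PREFIX = "sha256="

# Constructed sample secret and delivery; the event shape is hypothetical.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = b'{"event":"assignment.completed","userId":"00000000-0000-4000-8000-000000000000"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Compute the signature the sender is assumed to attach."""
    return ASSUMED_PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, raw_body: bytes, signature_header):
    """Return the parsed payload if the signature is valid, else None."""
    if not signature_header:
        return None
    received = signature_header.strip()
    if not received.startswith(ASSUMED_PREFIX):
        return None
    # MAC the bytes exactly as received: re-serialising parsed JSON changes
    # whitespace and key order, so the digest would no longer match.
    expected = sign(secret, raw_body)
    # compare_digest is constant-time, so response timing does not reveal
    # how many leading characters of a forged signature were correct.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    try:
        return json.loads(raw_body)  # parse only after authentication
    except ValueError:
        return None


if __name__ == "__main__":
    header = sign(SAMPLE_SECRET, SAMPLE_BODY)
    print("valid:", verify_delivery(SAMPLE_SECRET, SAMPLE_BODY, header))
    print("tampered:", verify_delivery(SAMPLE_SECRET, SAMPLE_BODY + b" ", header))
    print("unsigned:", verify_delivery(SAMPLE_SECRET, SAMPLE_BODY, None))
```

Reject the delivery with a 4xx status whenever `verify_delivery` returns None, and keep the webhook secret in the same secrets manager as the API key.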

Your first request

This call returns the metadata for the organization that owns the API key. It's the recommended health check after issuing a new token:

curl https://api.limeplate.com/api/public/v1/org \
  -H "Authorization: Bearer scs_live_yourkeyhere"

A successful response looks like:

{
  "id": "e188fc87-1334-48bd-84d7-5e3e64cecb52",
  "name": "Acme Corp",
  "slug": "acme",
  "domain": "acme.com",
  "plan": "growth",
  "maxSeats": 500,
  "trialExpiresAt": null,
  "isActive": true,
  "createdAt": "2026-01-12T08:42:11Z"
}

Conventions

| Topic | Convention |
| --- | --- |
| Transport | HTTPS only. Plain HTTP requests are refused at the edge. |
| Encoding | JSON request and response bodies. Content-Type: application/json on every POST, PATCH. |
| Casing | All field names use camelCase in both requests and responses (and webhook payloads). |
| Timestamps | ISO 8601 UTC strings (2026-05-29T13:45:12Z). |
| Identifiers | All resource IDs are RFC 4122 v4 UUIDs. |
| Empty bodies | Endpoints that just acknowledge an operation return 200 OK with { "message": "..." }. |
| Idempotency | Where it matters (e.g. SARIF ingestion), idempotency is keyed off natural identifiers in the request, not a separate header. |

OpenAPI specification

An OpenAPI 3.0 document describing every public endpoint is served from the same host:

https://api.limeplate.com/openapi/v1.json

You can paste that URL directly into Postman, Insomnia, Stoplight, or any code-generation tool (openapi-generator, @hey-api/openapi-ts, NSwag) to scaffold a typed client.

Support & status

Operational issues, breaking changes, and deprecation notices are sent to the email address registered with your organization. For integration questions and bug reports, write to support@securecodinghub.com and include the X-Request-Id header from the failed call if you can capture it; it dramatically speeds up triage.