API
Bastion Platform API
Read-only, programmatic access to your Microsoft 365 / Entra security posture — findings plus the correlated inventory (users, devices, apps, domains). REST, JSON, bearer-token auth.
Machine-readable spec: OpenAPI 3.1
Base URL
https://api.bastionsecurity.dev/api/v1All endpoints are under /api/v1 on the api. subdomain. GET /api/v1 lists what's available (authenticated, like every endpoint); the full contract is at /api/v1/openapi.json.
Authentication
Every request carries an API key as a bearer token. Create and revoke keys in the console under Settings — the raw key is shown once. Keys are read-only by default; a write-scoped key is required for POST /findings/status. Your plan must include API access — any Monitor plan or an Assessment (Self-Serve / Discovery).
curl https://api.bastionsecurity.dev/api/v1/findings \
-H "Authorization: Bearer bstn_YOUR_KEY"Endpoints
| Findings | ||
| GET | /findings | Findings, prioritized. Filters: ?severity=Critical,High ?status=open,fixed ?format=ocsf |
| POST | /findings/status | Write-back — set a finding's status / disposition / assignee. Requires a write-scoped key. |
| Inventory | ||
| GET | /users | Identity inventory (Entra users) — global_admin / mfa_gap / risky flags + device_count. |
| GET | /users/{id}/devices | Devices a user is the primary user of / signs into. |
| GET | /devices | Device inventory (Intune / Defender / Entra) — OS, sources, risk, primary_user, per-device CVE rollup. |
| GET | /apps | Applications — Entra app registrations + enterprise apps. |
| GET | /domains | Email / DNS domains (SPF / DMARC / DKIM posture). |
| Vulnerabilities | ||
| GET | /vulnerabilities | Vulnerability catalog (CVE + Defender TVM). Paged; ?severity= ?min_cvss= ?exploit_available= ?type= |
| GET | /vulnerabilities/{id} | One vulnerability + every impacted device. |
| GET | /devices/{id}/cves | A single device's vulnerabilities. |
| GET | /device-vulnerabilities | Flat fleet-wide device↔CVE edge feed. Keyset cursor (HMAC-signed, snapshot-bound). |
| GET | /vuln-changes | ?since_scan=N — added/removed delta; the honest source of REMOVALS (auto-close tickets). |
| Compliance | ||
| GET | /compliance | CIS M365 scorecard + SOC 2 / ISO 27001 / NIST CSF crosswalk. |
| Discovery | ||
| GET | / | Lists the endpoints + your base URL. Requires a key, like every endpoint. |
Inventory endpoints return active items by default; add ?include_archived=true to include soft-archived ones.
Example: high-severity findings
curl -G https://api.bastionsecurity.dev/api/v1/findings \
-H "Authorization: Bearer bstn_YOUR_KEY" \
--data-urlencode "severity=Critical,High"Response:
{
"workspace": "Contoso",
"generated_at": "2026-07-04T18:20:00.000Z",
"count": 2,
"findings": [
{
"id": "…",
"control": "ROLE-GA-MANY",
"severity": "High",
"priority": 88,
"status": "open",
"title": "7 standing Global Administrators",
"affected_count": 7,
"exploitability": 6,
"remediation": "Microsoft Entra admin center → Roles → …",
"remediation_source": "canonical"
}
]
}remediation_source is canonical (tenant-exact), catalog (vetted), or ai (AI-suggested — verify first).
Vulnerability change-feed
/device-vulnerabilities streams every device↔CVE edge with a keyset cursor (HMAC-signed + bound to the scan snapshot) — page forward with no skips or dupes; a 409 means the snapshot advanced (re-fetch from the top). /vuln-changes?since_scan=N returns the added/removed delta since scan N — the only honest source of removals, so a SIEM can auto-close a ticket the moment Bastion confirms a CVE is gone.
curl -G https://api.bastionsecurity.dev/api/v1/vuln-changes \
-H "Authorization: Bearer bstn_YOUR_KEY" \
--data-urlencode "since_scan=41"Rate limits & errors
120 requests / minute per key (429 when exceeded). Errors are standard HTTP codes with a JSON body:
401 { "error": "Invalid or revoked API key." }
403 { "error": "This workspace's plan does not include API access." }
429 { "error": "Rate limit exceeded (120/min)." }Webhooks
After each scan, Bastion POSTs any new Critical/High findings to your endpoint, HMAC-signed (X-Bastion-Signature: sha256=…). Configure the URL and view the payload in the console under Settings → Webhook.
Threat Intelligence Feeds API planned
A separate feeds product (threat intel, IOCs, advisories) is on the roadmap and not yet generally available. The shipped API above covers your assessment findings + inventory. Ask us about early access.