Developer preview

Complair API

Programmatic access for product teams shipping into the EU. Currently scoped to SBOM upload for CRA workflows; further surfaces (vulnerability matches, incident events) are planned and will land behind explicit scopes.

Base URL

https://complair.eu/api/v1

Authentication

Every request must carry an Authorization: Bearer <token> header. Tokens are per-product: mint them from the product's API tokens tab inside the workspace. The bearer identifies the company, the product, and the scopes the token may use; tenant scoping is applied automatically.

curl https://complair.eu/api/v1/sboms \
  -H "Authorization: Bearer cplr_live_…" \
  ...

Each call stamps last_used_at and the request IP on the token row for audit. Tokens can be rotated or revoked at any time without re-deploying CI.

Scopes

Scope         Endpoints            Notes
sboms:write   POST /api/v1/sboms   Granted by default to product tokens. The only scope currently enforced.

Endpoints

POST /api/v1/sboms

Upload a CycloneDX, SPDX, package-lock.json, or Gemfile.lock SBOM to the product the token belongs to.

Full SBOM upload reference →

Token management

Tokens are issued and rotated from the workspace UI:

  • Issue · POST /app/products/<product_id>/api_tokens (workspace UI)
  • Rotate · POST /app/products/<product_id>/api_tokens/<id>/rotate — issues a new token; old token is revoked after the configured grace window.
  • Revoke · DELETE /app/products/<product_id>/api_tokens/<id>

Treat tokens like secrets. Store them in your CI provider's secret manager (GitHub Actions secrets.*, GitLab masked variables, etc.).

Error format

All non-2xx responses use the same shape:

{
  "error": {
    "code": "missing_scope",
    "message": "Token lacks required scope: sboms:write"
  }
}
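The following is an added example, not Complair's own client, showing how a CI job would send the bearer token described under Authentication and handle the error envelope above. It assumes the SBOM is posted as the raw request body with a Content-Type header and that the token arrives in an environment variable named COMPLAIR_API_TOKEN (a constructed name for the CI secret); neither detail is stated on this page. The transport is injectable so the error handling can be exercised offline with a constructed response.

```python
"""Added example (not Complair's own code): upload an SBOM with a per-product
bearer token and turn the documented error shape into a typed exception.

Assumptions not stated on the page: the SBOM goes in the raw request body with
a Content-Type header, and the token is read from COMPLAIR_API_TOKEN (a
constructed secret name)."""
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

BASE_URL = "https://complair.eu/api/v1"

# A transport takes (url, headers, body) and returns (status, response body).
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]


class ApiError(Exception):
    """One non-2xx response, carrying the documented error.code / error.message."""

    def __init__(self, status: int, code: str, message: str):
        super().__init__(f"{status} {code}: {message}")
        self.status = status
        self.code = code
        self.message = message


def build_headers(token: str, content_type: str = "application/json") -> Dict[str, str]:
    """Every request carries the product token as a bearer."""
    token = (token or "").strip()  # CI secrets often pick up a trailing newline
    if not token:
        raise ValueError("bearer token is empty; check the CI secret")
    return {"Authorization": f"Bearer {token}", "Content-Type": content_type}


def parse_error(status: int, body: bytes) -> ApiError:
    """All non-2xx responses share {"error": {"code": ..., "message": ...}};
    anything else (a proxy error page, for instance) becomes code "unknown"."""
    try:
        err = json.loads(body)["error"]
        return ApiError(status, str(err["code"]), str(err["message"]))
    except (ValueError, KeyError, TypeError):
        return ApiError(status, "unknown", body.decode("utf-8", "replace")[:200])


def http_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Real transport: POST over HTTPS, returning non-2xx bodies instead of raising."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def upload_sbom(token: str, sbom: bytes, content_type: str = "application/json",
                transport: Transport = http_transport) -> dict:
    """POST the SBOM to the product the token belongs to (needs sboms:write)."""
    status, body = transport(f"{BASE_URL}/sboms", build_headers(token, content_type), sbom)
    if status // 100 != 2:
        raise parse_error(status, body)
    return json.loads(body) if body else {}


def fake_transport(status: int, body: bytes) -> Transport:
    """Offline transport that records calls and replays one constructed response."""
    def send(url: str, headers: Dict[str, str], data: bytes) -> Tuple[int, bytes]:
        send.calls.append((url, headers, data))
        return status, body
    send.calls = []  # type: ignore[attr-defined]
    return send


if __name__ == "__main__":
    # Usage: COMPLAIR_API_TOKEN=... python upload.py bom.cdx.json
    path = sys.argv[1]
    with open(path, "rb") as fh:
        payload = fh.read()
    try:
        result = upload_sbom(os.environ.get("COMPLAIR_API_TOKEN", ""), payload)
        print("uploaded:", result)
    except ApiError as e:
        # Never echo the token; the code/message pair is enough for CI logs.
        print(f"upload failed: {e}", file=sys.stderr)
        sys.exit(1)
```

Because `upload_sbom` raises `ApiError` with `code` populated, a pipeline can distinguish a `missing_scope` rejection (the token was minted without `sboms:write`, fix it in the workspace) from transport or proxy failures (`code == "unknown"`) without parsing log text.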

Workspace-only features (no public API yet)

These features ship in the authenticated workspace today and are not exposed over the public API. CI / data-pipeline access is on the roadmap below.

  • Workspace  Buyer-facing CRA Evidence Pack · POST /app/products/<product_id>/cra_evidence_pack — generates a PDF + XLSX + README ZIP for the signed-in user. Plan-gated on :cra_compliance (Scale, Business, CRA Full add-on).
  • Workspace  NIS2 supplier security questionnaire · Templated as a buyer questionnaire; answered through the in-app editor. Reads / writes only via the workspace (no /api/v1/questionnaires surface yet).
  • Workspace  Cross-module readiness snapshots · Computed nightly per tenant by Compliance::ReadinessRecomputeJob. Surfaced on the dashboard, Trust Center, and admin inspector — no external read endpoint yet.

Roadmap

  • Planned  Vulnerability match read API (vulnerabilities:read).
  • Planned  Incident event ingest (incidents:write).
  • Planned  CRA Evidence Pack generate API (products:write with evidence_pack action) — programmatic buyer-facing bundles.
  • Planned  Readiness snapshot read API (readiness:read) — pull daily module scores into BI tools.
  • Planned  Webhook delivery for vulnerability + incident state transitions.