> ## Documentation Index
> Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Mint a new API key

> Generates a new API key. **The full secret is returned exactly once** — save it immediately; subsequent reads only return the prefix.

## Key naming convention

Use descriptive, deployment-aware names. Good examples:

- `prod-splunk-2026q2`
- `staging-sentinel`
- `tom-laptop-dev`

Bad examples that make audit trails useless:

- `key1`, `my key`, `test`

## Expiration

Pass `expires_in_days` for time-bounded keys (recommended for any key handed to a partner or CI system). Omit for keys that never expire. You can revoke at any time via DELETE.

## Tier and scopes

Tier inherits from your account subscription (free or pro). Scopes default to your tier's full set; the response includes them so you know what the key can do.



## OpenAPI

````yaml https://socdefenders.ai/api/openapi.json post /api/v1/keys
openapi: 3.0.3
info:
  title: SOC Defenders Threat Intelligence API
  description: >-
    # Overview


    The SOC Defenders Threat Intelligence API provides programmatic access to
    aggregated threat intelligence from 30+ cybersecurity sources. Export IOCs
    (Indicators of Compromise) in various formats including JSON, CSV, STIX 2.1,
    MISP, CEF, and OpenIOC.


    ## Authentication


    All API endpoints require authentication using an API key. Include your key
    in one of these ways:


    - **Authorization Header** (recommended): `Authorization: Bearer
    sk_live_xxx`

    - **X-API-Key Header**: `X-API-Key: sk_live_xxx`

    - **Query Parameter**: `?api_key=sk_live_xxx`


    ## Rate Limiting


    Rate limits vary by tier. When limits are exceeded, the API returns a 429
    status code.


    | Tier | Requests/min | Requests/day | Lookback | Formats |

    |------|-------------|--------------|----------|---------|

    | Free | 10 | 1,000 | 1 day | JSON / CSV |

    | Pro ($299/mo) | 1,000 | 1,000,000 | 365 days | All (STIX, TAXII, MISP,
    CEF, OpenIOC, Sigma) |


    Rate limit headers are included in all responses:

    - `X-RateLimit-Limit`: Maximum requests per minute

    - `X-RateLimit-Remaining`: Requests remaining in current window

    - `X-RateLimit-Reset`: Unix timestamp when the limit resets


    ## Error Handling


    All errors follow a consistent format:


    ```json

    {
      "error": {
        "code": "error_code",
        "message": "Human readable message",
        "details": {},
        "request_id": "req_abc123"
      }
    }

    ```


    ## STIX/TAXII Support


    For STIX 2.1 and TAXII 2.1 integration, see the TAXII endpoints section.
    TAXII endpoints are available at `/api/taxii2/`.
  version: 1.0.0
  contact:
    name: SOC Defenders Support
    url: https://socdefenders.ai/contact
    email: support@socdefenders.ai
  license:
    name: Proprietary
    url: https://socdefenders.ai/terms
servers:
  - url: https://socdefenders.ai
    description: Production server
security: []
tags:
  - name: IOCs
    description: Indicators of Compromise endpoints
  - name: Statistics
    description: Feed and IOC statistics
  - name: API Keys
    description: API key management (requires session auth)
  - name: TAXII
    description: TAXII 2.1 threat intelligence sharing endpoints
  - name: Export Formats
    description: Specialized export format endpoints (MISP, CEF, OpenIOC)
  - name: Articles
    description: >-
      Aggregated news articles from 30+ cybersecurity sources, with rich
      filtering and bulk-export support
  - name: Lookup
    description: >-
      Single-IOC enrichment lookup. Auto-detects type, aggregates reporting
      sources, returns AI risk + MITRE techniques + hunting queries. Free-tier
      friendly.
  - name: Detection Rules
    description: >-
      Generate ready-to-deploy SIEM detection rules from recent IOCs. Sigma
      rules ship as multi-document YAML covering network / DNS / proxy /
      process_creation logsources.
paths:
  /api/v1/keys:
    post:
      tags:
        - API Keys
      summary: Mint a new API key
      description: >-
        Generates a new API key. **The full secret is returned exactly once** —
        save it immediately; subsequent reads only return the prefix.


        ## Key naming convention


        Use descriptive, deployment-aware names. Good examples:


        - `prod-splunk-2026q2`

        - `staging-sentinel`

        - `tom-laptop-dev`


        Bad examples that make audit trails useless:


        - `key1`, `my key`, `test`


        ## Expiration


        Pass `expires_in_days` for time-bounded keys (recommended for any key
        handed to a partner or CI system). Omit for keys that never expire. You
        can revoke at any time via DELETE.


        ## Tier and scopes


        Tier inherits from your account subscription (free or pro). Scopes
        default to your tier's full set; the response includes them so you know
        what the key can do.
      operationId: createAPIKey
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - name
              properties:
                name:
                  type: string
                  maxLength: 100
                  description: A friendly name for this key
                  example: Production SIEM Integration
                expires_in_days:
                  type: integer
                  minimum: 1
                  maximum: 365
                  description: Number of days until key expires (optional)
                  example: 90
      responses:
        '201':
          description: API key created successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    $ref: '#/components/schemas/APIKeyCreated'
                  meta:
                    type: object
                    properties:
                      warning:
                        type: string
                        example: >-
                          Store this API key securely. It will not be shown
                          again.
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
      security:
        - CookieAuth: []
      x-codeSamples:
        - lang: JavaScript
          label: Create a 90-day key
          source: |-
            const r = await fetch('/api/v1/keys', {
              method: 'POST',
              credentials: 'include',
              headers: { 'Content-Type': 'application/json' },
              body: JSON.stringify({ name: 'prod-splunk-2026q2', expires_in_days: 90 }),
            });
            const { data, meta } = await r.json();
            console.log(meta.warning);  // "Store this API key securely..."
            console.log(`Save: ${data.full_key}`);  // sk_live_... (shown ONCE)
components:
  schemas:
    APIKeyCreated:
      allOf:
        - $ref: '#/components/schemas/APIKeyInfo'
        - type: object
          properties:
            key:
              type: string
              description: The full API key. Only shown once!
              example: sk_live_abc123def456...
    APIKeyInfo:
      type: object
      properties:
        id:
          type: string
          format: uuid
        name:
          type: string
        key_preview:
          type: string
          example: sk_live_••••••••
        tier:
          type: string
          enum:
            - free
            - pro
        scopes:
          type: array
          items:
            type: string
        rate_limit_per_minute:
          type: integer
        rate_limit_per_day:
          type: integer
        total_requests:
          type: integer
        last_used_at:
          type: string
          format: date-time
          nullable: true
        created_at:
          type: string
          format: date-time
        expires_at:
          type: string
          format: date-time
          nullable: true
    Error:
      type: object
      required:
        - error
      properties:
        error:
          type: object
          required:
            - code
            - message
            - request_id
          properties:
            code:
              type: string
              description: Error code for programmatic handling
            message:
              type: string
              description: Human-readable error message
            details:
              type: object
              description: Additional error details
            request_id:
              type: string
              description: Unique request identifier for support
  responses:
    BadRequest:
      description: Invalid request parameters
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            error:
              code: invalid_parameter
              message: 'Invalid IOC type: invalid'
              details:
                valid_types:
                  - ipv4
                  - ipv6
                  - domain
                  - url
                  - md5
                  - sha1
                  - sha256
              request_id: req_abc123
    Unauthorized:
      description: Authentication required or invalid
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            error:
              code: missing_api_key
              message: >-
                API key is required. Include it in the Authorization header as
                "Bearer sk_live_..."
              request_id: req_abc123
  securitySchemes:
    CookieAuth:
      type: apiKey
      in: cookie
      name: sb-access-token
      description: Session cookie (for API key management endpoints)

````