VaultGuard360 exposes a REST API from the Function App. All endpoints are under the /api/ path prefix.
Authentication
All API endpoints (except /api/health) require authentication via an EasyAuth session cookie. Obtain a session by signing in through the dashboard in a browser.
For programmatic access, include the Cookie header with your EasyAuth session token:
curl https://<function-app>.azurewebsites.net/api/stats \
-H "Cookie: AppServiceAuthSession=<your-session-token>"
Unauthenticated requests to protected endpoints return 401 Unauthorized.
Endpoint Reference
System & Health
GET /api/health
Health check. The only endpoint accessible without authentication.
Response:
{
"status": "healthy",
"tier": "professional",
"identity": "configured",
"version": "1.0.0"
}
GET /api/license
Returns the current tier, feature availability, and trial status. Exempt from the trial expiry hard lock.
Response:
{
"tier": "trial",
"trialActive": true,
"trialExpiresAt": "2026-04-12T00:00:00Z",
"daysRemaining": 13,
"subscriptionLimit": 15,
"itemLimit": 200,
"webhookEnabled": true
}
GET /api/me
Returns the currently authenticated user. Exempt from the trial expiry hard lock.
Response:
{
"userId": "user-object-id",
"userEmail": "jane@contoso.com",
"userName": "Jane Smith"
}
GET /api/permission-status
Returns RBAC permission status per subscription. Use this to diagnose missing role assignments.
Response:
{
"subscriptions": [
{
"subscriptionId": "b6c588f1-...",
"subscriptionName": "Production",
"hasKeyVaultAccess": true,
"vaultCount": 12
}
],
"totalAccessible": 1,
"totalSubscriptions": 1
}
Scanning & Results
POST /api/trigger
Trigger a manual scan immediately.
Request: No body required.
Response:
{
"message": "Scan triggered",
"correlationId": "abc123"
}
GET /api/stats
Returns dashboard summary statistics from the most recent scan.
Response:
{
"totalItems": 87,
"warning": 12,
"severe": 5,
"critical": 2,
"expired": 1,
"lastScanAt": "2026-03-30T08:00:00Z",
"vaultCount": 12,
"subscriptionCount": 3
}
GET /api/scans
Returns recent scan history entries.
Response:
{
"scans": [
{
"scanId": "scan-20260330-080000",
"timestamp": "2026-03-30T08:00:00Z",
"subscriptionsScanned": 3,
"vaultsFound": 12,
"itemsScanned": 87,
"warning": 12,
"severe": 5,
"critical": 2,
"expired": 1,
"durationSeconds": 18
}
]
}
GET /api/expiring-items
Returns all currently expiring items with severity levels from the most recent scan.
Response:
{
"items": [
{
"itemName": "db-password",
"vaultName": "kv-production",
"subscriptionName": "Production",
"itemType": "secret",
"expiresAt": "2026-04-02T00:00:00Z",
"daysRemaining": 3,
"severity": "critical"
}
]
}
GET /api/subscriptions
Returns all Azure subscriptions accessible to the managed identity.
Response:
{
"subscriptions": [
{
"subscriptionId": "b6c588f1-...",
"subscriptionName": "Production",
"tenantId": "tenant-guid"
}
]
}
Settings & Thresholds
GET /api/thresholds
Returns current alert threshold configuration.
POST /api/thresholds
Updates alert threshold configuration.
Request body:
{
"warningDays": 30,
"severeDays": 14,
"criticalDays": 5
}
GET /api/settings
Returns general settings (default notification email, per-threshold enable flags).
POST /api/settings
Updates general settings.
Request body:
{
"notificationEmail": "security@contoso.com",
"days30Enabled": true,
"days14Enabled": true,
"days7Enabled": true
}
GET /api/reminder-mode
Returns the reminder frequency setting per threshold level.
POST /api/reminder-mode
Updates reminder frequency settings.
Request body:
{
"warning": "daily",
"severe": "every_scan",
"critical": "every_scan"
}
Valid values: every_scan, daily, weekly, once
Team Routing
GET /api/routes
Returns all team routing rules.
POST /api/routes
Creates or updates a routing rule.
Request body:
{
"subscriptionId": "b6c588f1-...",
"subscriptionName": "Production",
"teamName": "Infrastructure Team",
"notificationEmail": "infra@contoso.com",
"webhookUrl": ""
}
DELETE /api/routes/{id}
Deletes the routing rule with the specified ID.
Email & Notifications
GET /api/smtp-config
Returns current email configuration (credentials are excluded from the response).
POST /api/smtp-config
Updates email configuration.
POST /api/smtp/test
Tests the configured email provider by sending a test message.
Request body:
{
"testEmail": "test@contoso.com"
}
GET /api/webhook-config
Returns webhook channel configuration (URLs and secrets are excluded from the response).
POST /api/webhook-config
Updates webhook channel configuration.
POST /api/webhook-config/test
Tests webhook delivery for a specified channel.
Request body:
{
"channelType": "slack"
}
POST /api/test-notification
Sends a test notification through all configured channels.
Custom Email Domain
GET /api/email-domain
Returns the current custom email sender domain configuration.
POST /api/email-domain
Configures a custom ACS email sender domain.
Request body:
{
"domainName": "alerts.contoso.com"
}
DELETE /api/email-domain
Removes the custom email sender domain.
POST /api/email-domain/verify
Initiates DNS verification for the configured custom domain.
GET /api/email-domain/status
Polls the DNS record verification status.
Export & Import
GET /api/export
Exports the current configuration as a JSON document. Works even after trial expiry.
Response: JSON configuration file (see Data Export & Import for schema).
POST /api/import
Imports a configuration JSON document.
Request body: Configuration JSON (see Data Export & Import for schema).
Error Codes
| HTTP Status | Meaning | Common Cause |
|---|---|---|
400 Bad Request | Invalid request body or parameters | Malformed JSON, missing required fields, invalid values |
401 Unauthorized | Not authenticated | Missing or expired EasyAuth session cookie |
402 Payment Required | Trial expired | Trial has passed 14 days; upgrade to a paid plan |
403 Forbidden | Not authorized | User not assigned to the Enterprise Application (if assignment required) |
404 Not Found | Route not found | Incorrect endpoint path |
429 Too Many Requests | Rate limited | Exceeded request rate; back off and retry |
500 Internal Server Error | Unexpected error | Check Application Insights for details |
402 Trial Expired
When a Trial deployment expires, all API endpoints (except /api/health, /api/license, and /api/me) return 402 Payment Required. The /api/export endpoint remains accessible to allow configuration backup before upgrading.
{
"error": "trial_expired",
"message": "Your 14-day trial has expired. Subscribe to a paid plan to continue.",
"licenseUrl": "https://marketplace.microsoft.com/en-us/product/azure-application/sentinelvaultsystems.vaultguard360?tab=Overview"
}
Rate Limiting
API endpoints are subject to Azure Functions platform rate limits. If you receive 429 Too Many Requests, implement exponential backoff before retrying. The retry-after interval is included in the Retry-After response header when present.