Enterprise REST API · OpenAPI Reference
ClawGuru API v1
Integrate ClawGuru Security-Intel directly into your SIEM, SOAR, or CI/CD pipeline. Authenticated with API keys. Usage-based billing via Stripe Metered.
Base URL
https://clawguru.org/api/v1Authentication
All endpoints require an Enterprise API key. Pass it in the X-Api-Key header or as a Bearer token.
# Option A – X-Api-Key header (recommended)
curl -H "X-Api-Key: cg_live_your_key_here" \
https://clawguru.org/api/v1/intel-feed/latest
# Option B – Bearer token
curl -H "Authorization: Bearer cg_live_your_key_here" \
https://clawguru.org/api/v1/intel-feed/latestUsage-Based Billing
ClawGuru API uses Stripe Metered Billing. Each successful API call is automatically reported as one unit of usage to your Stripe subscription. You are only billed for what you use — no seat licenses, no flat-fee waste.
Billing Architecture
- →Each API call reports 1 unit to your
SubscriptionItemviastripe.subscriptionItems.createUsageRecord() - →Stripe aggregates usage and bills at the end of each billing period
- →Price per call is defined in your Stripe Price object (
billing_scheme: per_unit, usage_type: metered) - →Overage alerts and spend caps are configurable in the Stripe dashboard
// Stripe Metered Billing setup (server-side)
const price = await stripe.prices.create({
currency: "usd",
unit_amount: 5, // $0.05 per API call (in cents)
billing_scheme: "per_unit",
recurring: {
interval: "month",
usage_type: "metered", // aggregated per billing period
aggregate_usage: "sum",
},
product: "prod_ClawGuruEnterpriseAPI",
})
// Each API call increments usage by 1 unit:
await stripe.subscriptionItems.createUsageRecord(subscriptionItemId, {
quantity: 1,
timestamp: Math.floor(Date.now() / 1000),
action: "increment",
})Rate Limits
| Plan | Requests / minute | Monthly cap (default) |
|---|---|---|
| Starter | 60 req/min | 10,000 calls |
| Growth | 300 req/min | 100,000 calls |
| Enterprise | Unlimited | Custom SLA |
Endpoints
POST/v1/check-indicator
Check Security Indicator
Assess the risk level of a security indicator (IP address, domain, file hash, or URL) against ClawGuru threat intelligence. Returns a risk score, tags, and recommended actions.
Headers
| X-Api-Key* | string | Your Enterprise API key |
Request Body Fields
| indicator* | string | The indicator to assess (IP, domain, hash, or URL) |
| type | "ip" | "domain" | "hash" | "url" | Indicator type. Defaults to "domain" |
Example Request Body
{
"indicator": "192.0.2.1",
"type": "ip"
}Responses
200Risk assessment returned
{
"indicator": "192.0.2.1",
"type": "ip",
"risk": "high",
"score": 82,
"tags": ["threat-intel", "active-ioc", "immediate-action"],
"summary": "Indicator \"192.0.2.1\" matches known threat-intel patterns. Immediate containment recommended.",
"actions": [
"Block indicator in firewall / SIEM rule immediately",
"Scan internal logs for historic matches",
"Rotate credentials if indicator interacted with auth systems",
"Open incident ticket and notify SOC"
],
"timestamp": "2026-03-01T22:00:00.000Z"
}400Missing or invalid input
{ "error": "Missing required field: indicator" }401Missing API key
{ "error": "Missing API key. Provide X-Api-Key header or Authorization: Bearer <key>." }403Invalid API key
{ "error": "Invalid API key." }GET/v1/intel-feed/latest
Latest Intel Feed
Returns the latest curated security intelligence items from ClawGuru's threat analysts. Optionally filtered by severity and category. Ideal for feeding IOC data directly into SIEM detection rules.
Headers
| X-Api-Key* | string | Your Enterprise API key |
Query Parameters
| severity | "high" | "medium" | "low" | Filter by severity level |
| category | "exposure" | "websocket" | "secrets" | "supply-chain" | "ops" | Filter by threat category |
| limit | integer (1–50) | Maximum number of items to return (default: 20) |
Responses
200Intel feed returned
{
"items": [
{
"id": "ioc-001",
"title": "Exposed Gateway (public) → Token Leakage",
"severity": "high",
"category": "exposure",
"when": "2026-02-25T12:00:00Z",
"summary": "Public gateway endpoints without private networking + weak auth repeatedly lead to key/token leaks.",
"actions": ["Enforce private subnet/VPN", "Firewall deny-by-default", "Rotate all keys", "Enable auth-fail alerts"],
"tags": ["gateway", "token", "exposure", "critical-infrastructure"]
}
],
"total": 1,
"updatedAt": "2026-03-01T22:00:00.000Z"
}401Missing API key
{ "error": "Missing API key. Provide X-Api-Key header or Authorization: Bearer <key>." }403Invalid API key
{ "error": "Invalid API key." }GET/v1/runbook/{id}
Get Runbook by ID
Returns the full content of a ClawGuru runbook by its slug identifier. Runbooks contain step-by-step remediation guides, FAQ entries, and related playbooks — ready to be ingested by SOAR automation engines.
Headers
| X-Api-Key* | string | Your Enterprise API key |
Path Parameters
| id* | string | Runbook slug (e.g. ssh-hardening-ubuntu, docker-firewall-setup) |
Responses
200Runbook returned
{
"id": "ssh-hardening-ubuntu",
"title": "SSH Hardening: Ubuntu 22.04",
"summary": "Step-by-step SSH lockdown for Ubuntu: keys-only auth, fail2ban, port change.",
"tags": ["ssh", "hardening", "ubuntu", "security"],
"clawScore": 94,
"steps": [
"Disable password authentication in /etc/ssh/sshd_config",
"Generate and deploy SSH key pairs",
"Change SSH port from 22 to a non-standard port",
"Install and configure fail2ban",
"Restrict SSH to specific IP ranges via UFW"
],
"faq": [
{
"q": "Should I always disable root SSH login?",
"a": "Yes. Disable PermitRootLogin in sshd_config and use sudo for privileged operations."
}
],
"relatedIds": ["firewall-ufw-ubuntu", "fail2ban-setup"],
"updatedAt": "2026-02-25"
}404Runbook not found
{ "error": "Runbook not found" }401Missing API key
{ "error": "Missing API key. Provide X-Api-Key header or Authorization: Bearer <key>." }403Invalid API key
{ "error": "Invalid API key." }Error Codes
| Status | Code | Description |
|---|---|---|
| 400 | BAD_REQUEST | Invalid input — check required fields and types |
| 401 | UNAUTHORIZED | Missing API key in request headers |
| 403 | FORBIDDEN | Invalid or revoked API key |
| 404 | NOT_FOUND | Resource does not exist (e.g. unknown runbook ID) |
| 429 | RATE_LIMITED | Too many requests — retry after the Retry-After header value |
| 500 | INTERNAL_ERROR | Unexpected server error — contact support if persistent |
Ready to integrate?
Get your Enterprise API key and start querying threat intel in minutes.
Enterprise API Overview →