Skip to main content
The ContraForce Partner API enables programmatic access to your security data. Build custom integrations, sync incidents with your ITSM, or create automated workflows with your existing tools.
Full API documentation, including detailed request/response schemas, is available on GitHub: ContraForce API Documentation

Why Use the Partner API?

ITSM Integration

Sync incidents with ServiceNow, Jira, Autotask, and more

Custom Dashboards

Build internal reporting within your custom dashboard

SOAR Automation

Trigger workflows in your existing SOAR platform

Common Use Cases

Use CaseDescription
Ticket CreationAutomatically create tickets in your PSA when incidents are detected
Bi-directional SyncKeep incident status synchronized between ContraForce and your ITSM
Executive ReportingPull incident data into custom reports and dashboards
Alert RoutingSend incident notifications to custom channels (Slack, Teams, PagerDuty)
Data WarehouseExport incident data to your data lake for long-term analysis

Getting Started

Prerequisites

Before using the API, you’ll need:
1

ContraForce Account

An active ContraForce account with API access enabled
2

API Credentials

Client ID and Client Secret from your ContraForce administrator
3

Workspace Access

Appropriate permissions to the workspaces you want to query

Obtaining API Credentials

1

Contact Your Administrator

Request API credentials from your ContraForce account administrator
2

Receive Credentials

You’ll receive a Client ID and Client Secret
3

Store Securely

Store credentials securely—never commit them to source control
Treat your API credentials like passwords. Never expose them in client-side code, public repositories, or logs.

Authentication

The ContraForce API uses OAuth 2.0 client credentials flow for authentication.

Getting an Access Token

curl -X POST https://api.contraforce.com/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"

Response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Using the Token

Include the access token in the Authorization header for all API requests: 
curl -X GET https://api.contraforce.com/v1/incidents \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Access tokens expire after 1 hour. Implement token refresh logic in your integration to handle expiration gracefully.

API Endpoints

The Partner API provides access to incidents and their associated data.

Base URL

https://api.contraforce.com/v1

Available Endpoints

EndpointMethodDescription
/incidentsGETList all incidents
/incidents/{id}GETGet incident details
/incidents/{id}/entitiesGETList entities for an incident
/incidents/{id}/evidenceGETList evidence for an incident

API Components

The core data structure representing a security incident.Key Fields:
FieldTypeDescription
idstringUnique incident identifier
titlestringIncident title/name
severitystringHigh, Medium, Low, Informational
statusstringNew, Active, Closed
workspaceIdstringAssociated workspace
createdAtdatetimeWhen incident was created
updatedAtdatetimeLast modification time
Full Schema →

Example Requests

List High Severity Incidents

curl -X GET "https://api.contraforce.com/v1/incidents?severity=High&status=Active" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Get Incident Details

curl -X GET "https://api.contraforce.com/v1/incidents/INC-12345" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

List Incident Entities

curl -X GET "https://api.contraforce.com/v1/incidents/INC-12345/entities" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Example Response: List Incidents

{
  "data": [
    {
      "id": "INC-12345",
      "title": "Suspicious login activity detected",
      "severity": "High",
      "status": "Active",
      "workspaceId": "ws-abc123",
      "createdAt": "2024-01-15T10:30:00Z",
      "updatedAt": "2024-01-15T14:22:00Z"
    },
    {
      "id": "INC-12346",
      "title": "Malware detected on endpoint",
      "severity": "High",
      "status": "Active",
      "workspaceId": "ws-abc123",
      "createdAt": "2024-01-15T11:45:00Z",
      "updatedAt": "2024-01-15T11:45:00Z"
    }
  ],
  "pagination": {
    "total": 47,
    "limit": 100,
    "offset": 0
  }
}

Rate Limits

The API implements rate limiting to ensure fair usage and platform stability.
Limit TypeValue
Requests per minute60
Requests per hour1,000
Max results per request100

Rate Limit Headers

Each response includes rate limit information: 
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1705320000
If you exceed rate limits, you’ll receive a 429 Too Many Requests response. Implement exponential backoff in your integration.

Error Handling

The API uses standard HTTP status codes and returns detailed error messages.

HTTP Status Codes

CodeMeaningAction
200SuccessRequest completed successfully
400Bad RequestCheck request parameters
401UnauthorizedVerify credentials/token
403ForbiddenCheck workspace permissions
404Not FoundVerify resource ID exists
429Rate LimitedImplement backoff and retry
500Server ErrorRetry after delay; contact support if persistent

Error Response Format

{
  "error": {
    "code": "INVALID_PARAMETER",
    "message": "The 'severity' parameter must be one of: High, Medium, Low, Informational",
    "details": {
      "parameter": "severity",
      "provided": "Critical",
      "allowed": ["High", "Medium", "Low", "Informational"]
    }
  }
}

Best Practices

Always use pagination for list endpoints. Don’t assume you’ll receive all results in one request. Use limit and offset parameters to iterate through large result sets.
Monitor X-RateLimit-Remaining headers and implement exponential backoff when approaching limits. Don’t retry immediately on 429 responses.
Cache incident details that don’t change frequently. Use updatedAt timestamps to invalidate cache entries when data changes.
Instead of polling the API frequently, consider using webhooks (if available) or longer polling intervals with status filters.
Store API credentials in environment variables or a secrets manager. Never hardcode credentials or commit them to source control.
Maintain logs of API requests and responses for debugging. Mask sensitive data like tokens in logs.

SDK & Libraries

While the API can be called directly with HTTP requests, you may find these helpful:
LanguageOption
PythonUse requests library with OAuth2 session
JavaScriptUse axios or fetch with token management
PowerShellUse Invoke-RestMethod cmdlet
C#Use HttpClient with System.Net.Http
Check the GitHub repository for example code and community-contributed libraries.

Troubleshooting

Common Issues

IssuePossible CauseSolution
401 UnauthorizedExpired or invalid tokenRefresh your access token
403 ForbiddenMissing workspace accessVerify API credentials have access to the workspace
Empty resultsFilter too restrictiveBroaden filter criteria or check workspace ID
Timeout errorsLarge result setUse pagination with smaller limit values

API Documentation

GitHub: ContraForce API

Complete API documentation including schemas, examples, and changelog

ServiceNow Integration

Built-in ServiceNow ticketing integration

Jira Integration

Connect Jira Service Desk

API Enterprise Application

API permissions and authentication setup

Capabilities Matrix

Full integration capabilities
Questions about the Partner API? Contact us at [email protected].