-
Notifications
You must be signed in to change notification settings - Fork 0
REST API Reference
Eric Fitzgerald edited this page Nov 21, 2025
·
2 revisions
This page provides a comprehensive reference to TMI's REST API endpoints organized by resource category.
The complete API specification is available in OpenAPI 3.0.3 format:
Source Specification:
- File: tmi-openapi.json
- Version: 1.0.0
- Format: JSON with $ref references
Processed Specifications (all references resolved):
Interactive Documentation:
- HTML Documentation
- Swagger Editor - Import tmi-openapi.json
Development: http://localhost:8080
Production: https://api.tmi.dev
API Prefix: /api/v1 (coming soon, currently endpoints at root)
All API endpoints are subject to rate limiting to ensure fair usage and system stability. TMI implements a four-tier rate limiting strategy:
- Public Discovery: 10 requests/minute (IP-based)
- Auth Flows: Multi-scope limits (session, IP, user identifier)
- Resource Operations: 100 requests/minute per user (configurable)
- Webhooks: Multiple limits including subscriptions and events (configurable)
When rate limited, the API returns 429 Too Many Requests with X-RateLimit-* and Retry-After headers.
See: API-Rate-Limiting for complete rate limiting documentation including client integration examples.
- Threat Models - Threat modeling workspaces
- Diagrams - Data flow diagrams
- Threats - Security threats
- Assets - System assets
- Documents - Reference documents
- Notes - Markdown notes
- Repositories - Source code repositories
- Metadata - Custom metadata
- Webhooks - Webhook subscriptions and deliveries
- Addons - Addon registrations and invocations
- Authorization - Access control
- Users - User management
- Health - System health and readiness
- Authentication - OAuth endpoints
Threat models are the primary workspace for security analysis.
GET /threat_models
Authorization: Bearer {token}Query Parameters:
-
limit(integer): Number of results (default: 50, max: 500) -
offset(integer): Pagination offset (default: 0) -
owner(string): Filter by owner email -
created_after(RFC3339): Filter by creation date -
sort(string): Sort field (e.g.,-created_at)
Response (200 OK):
{
"items": [
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"name": "Production API Security",
"description": "Threat model for production API",
"owner": "[email protected]",
"created_at": "2025-01-15T10:00:00Z",
"modified_at": "2025-01-15T15:30:00Z",
"diagram_count": 3,
"threat_count": 12,
"document_count": 2
}
],
"total": 25,
"limit": 50,
"offset": 0
}GET /threat_models/{id}
Authorization: Bearer {token}Response (200 OK):
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"name": "Production API Security",
"description": "Comprehensive threat model for production API services",
"owner": "[email protected]",
"created_by": "[email protected]",
"created_at": "2025-01-15T10:00:00Z",
"modified_at": "2025-01-15T15:30:00Z",
"authorization": [
{
"subject": "security-team",
"subject_type": "group",
"role": "writer"
}
],
"metadata": {
"project": "API-Gateway",
"compliance": "GDPR"
}
}POST /threat_models
Authorization: Bearer {token}
Content-Type: application/json
{
"name": "My Threat Model",
"description": "Security analysis for new feature",
"authorization": [
{
"subject": "security-team",
"subject_type": "group",
"role": "writer"
}
],
"metadata": {
"project": "MyProject"
}
}Response (201 Created):
{
"id": "7d8f6e5c-4b3a-2190-8765-fedcba987654",
"name": "My Threat Model",
"owner": "[email protected]",
"created_at": "2025-01-15T16:00:00Z"
}Important: Do NOT include server-generated fields:
-
id- Server generates UUID -
owner- Extracted from JWT token -
created_at,modified_at- Set by server - Calculated counts (
diagram_count, etc.)
Full Update (PUT):
PUT /threat_models/{id}
Authorization: Bearer {token}
Content-Type: application/json
{
"name": "Updated Name",
"description": "Updated description",
"authorization": [...]
}Partial Update (PATCH):
PATCH /threat_models/{id}
Authorization: Bearer {token}
Content-Type: application/json
{
"name": "New Name Only"
}Response (200 OK): Returns updated resource
DELETE /threat_models/{id}
Authorization: Bearer {token}Response (204 No Content)
Note: Requires owner role. Cascades to all related resources.
Data flow diagrams visualize system architecture.
GET /threat_models/{threat_model_id}/diagrams
Authorization: Bearer {token}Query Parameters: Same as threat models (limit, offset, sort)
Response (200 OK):
{
"items": [
{
"id": "diagram-uuid",
"threat_model_id": "tm-uuid",
"title": "System Architecture",
"diagram_type": "data_flow",
"version": 3,
"created_at": "2025-01-15T10:00:00Z"
}
]
}GET /diagrams/{id}
Authorization: Bearer {token}Response (200 OK):
{
"id": "diagram-uuid",
"threat_model_id": "tm-uuid",
"title": "System Architecture",
"diagram_type": "data_flow",
"diagram_json": {
"cells": [...],
"assets": [...]
},
"version": 3,
"created_at": "2025-01-15T10:00:00Z",
"modified_at": "2025-01-15T14:30:00Z"
}POST /threat_models/{threat_model_id}/diagrams
Authorization: Bearer {token}
Content-Type: application/json
{
"title": "System Architecture",
"diagram_type": "data_flow",
"diagram_json": {
"cells": [],
"assets": []
}
}Similar patterns to threat models.
Real-time editing: Use WebSocket API for collaborative diagram editing (see WebSocket-API-Reference).
Security threats identified in threat models.
GET /threats
Authorization: Bearer {token}Query Parameters:
-
threat_model_id(UUID): Filter by threat model -
severity(string): Filter by severity (critical, high, medium, low) -
status(string): Filter by status -
category(string): Filter by category
Response (200 OK):
{
"items": [
{
"id": "threat-uuid",
"threat_model_id": "tm-uuid",
"title": "SQL Injection Vulnerability",
"description": "User input not sanitized",
"category": "injection",
"severity": "high",
"likelihood": "medium",
"status": "open",
"mitigation": "Use parameterized queries",
"created_at": "2025-01-15T11:00:00Z"
}
]
}POST /threats
Authorization: Bearer {token}
Content-Type: application/json
{
"threat_model_id": "tm-uuid",
"title": "SQL Injection Vulnerability",
"description": "Detailed description",
"category": "injection",
"severity": "high",
"likelihood": "medium",
"mitigation": "Use parameterized queries"
}Webhook subscriptions for real-time event notifications.
POST /webhook/subscriptions
Authorization: Bearer {token}
Content-Type: application/json
{
"name": "My Integration",
"url": "https://your-domain.com/webhooks/tmi",
"events": ["threat_model.created", "threat_model.updated"],
"secret": "your-hmac-secret",
"threat_model_id": "tm-uuid"
}Response (201 Created):
{
"id": "webhook-uuid",
"status": "pending_verification",
"name": "My Integration",
"url": "https://your-domain.com/webhooks/tmi",
"events": ["threat_model.created", "threat_model.updated"],
"created_at": "2025-01-15T10:00:00Z"
}Challenge-Response: TMI sends challenge to verify endpoint before activating subscription.
GET /webhook/subscriptions
Authorization: Bearer {token}GET /webhook/subscriptions/{id}
Authorization: Bearer {token}DELETE /webhook/subscriptions/{id}
Authorization: Bearer {token}GET /webhook/deliveries
Authorization: Bearer {token}Query Parameters:
-
subscription_id(UUID): Filter by subscription -
status(string): Filter by status (pending, delivered, failed)
Response (200 OK):
{
"items": [
{
"id": "delivery-uuid",
"subscription_id": "webhook-uuid",
"event_type": "threat_model.created",
"status": "delivered",
"attempts": 1,
"created_at": "2025-01-15T12:00:00Z",
"delivered_at": "2025-01-15T12:00:01Z"
}
]
}See Webhook-Integration for complete webhook documentation.
Addon registrations and invocations.
GET /addons
Authorization: Bearer {token}Query Parameters:
-
threat_model_id(UUID): Filter by threat model
Response (200 OK):
{
"addons": [
{
"id": "addon-uuid",
"name": "STRIDE Analysis",
"description": "Automated STRIDE analysis",
"icon": "material-symbols:security",
"objects": ["threat_model", "asset"],
"created_at": "2025-01-15T10:00:00Z"
}
]
}POST /addons
Authorization: Bearer {admin-token}
Content-Type: application/json
{
"name": "STRIDE Analysis",
"webhook_id": "webhook-uuid",
"description": "Automated STRIDE analysis",
"icon": "material-symbols:security",
"objects": ["threat_model", "asset"]
}POST /addons/{addon_id}/invoke
Authorization: Bearer {token}
Content-Type: application/json
{
"threat_model_id": "tm-uuid",
"object_type": "asset",
"object_id": "asset-uuid",
"payload": {
"analysis_type": "full"
}
}Response (202 Accepted):
{
"invocation_id": "invocation-uuid",
"status": "pending",
"created_at": "2025-01-15T12:00:00Z"
}GET /invocations/{invocation_id}
Authorization: Bearer {token}Response (200 OK):
{
"id": "invocation-uuid",
"addon_id": "addon-uuid",
"status": "in_progress",
"status_percent": 75,
"status_message": "Analyzing assets...",
"created_at": "2025-01-15T12:00:00Z",
"status_updated_at": "2025-01-15T12:02:30Z"
}See Addon-System for complete addon documentation.
Manage access control for resources.
GET /threat_models/{id}/authorization
Authorization: Bearer {token}Response (200 OK):
{
"owner": "[email protected]",
"authorization": [
{
"subject": "security-team",
"subject_type": "group",
"role": "writer"
},
{
"subject": "[email protected]",
"subject_type": "user",
"role": "reader"
}
]
}PUT /threat_models/{id}/authorization
Authorization: Bearer {token}
Content-Type: application/json
{
"authorization": [
{
"subject": "security-team",
"subject_type": "group",
"role": "writer"
}
]
}Roles:
-
owner- Full permissions (set via owner field, not authorization array) -
writer- Read and write, cannot delete or change permissions -
reader- Read-only access
Subject Types:
-
user- Individual user (by email) -
group- Group of users
Special Groups:
-
everyone- All authenticated users
User management and profile information.
GET /users/me
Authorization: Bearer {token}Response (200 OK):
{
"id": "user-uuid",
"email": "[email protected]",
"name": "Alice Smith",
"created_at": "2025-01-01T00:00:00Z"
}GET /users
Authorization: Bearer {admin-token}System health and readiness endpoints.
GET /healthResponse (200 OK):
{
"status": "healthy",
"version": "1.0.0",
"timestamp": "2025-01-15T12:00:00Z"
}GET /readyResponse:
- 200 OK: System ready (database and Redis connected)
- 503 Service Unavailable: System not ready
OAuth authentication endpoints.
GET /auth/{provider}/loginProviders: github, google, microsoft, saml
Response: Redirects to OAuth provider
GET /auth/{provider}/callback?code={code}Response: Returns JWT token or redirects to application
All errors follow standard format:
{
"error": "error_code",
"message": "Human-readable error message",
"details": {
"field": "Additional context"
}
}Example Usage:
try {
const response = await fetch('/api/v1/threat-models', {
headers: { 'Authorization': `Bearer ${token}` }
});
if (!response.ok) {
const error = await response.json();
console.error(`Error: ${error.message}`);
// Handle specific error codes
if (error.error === 'unauthorized') {
// Re-authenticate
}
}
const data = await response.json();
// Process data
} catch (e) {
console.error('Network error:', e);
}async function fetchAllThreatModels() {
const allModels = [];
let offset = 0;
const limit = 50;
while (true) {
const response = await fetch(
`/api/v1/threat-models?limit=${limit}&offset=${offset}`,
{ headers: { 'Authorization': `Bearer ${token}` }}
);
const data = await response.json();
allModels.push(...data.items);
if (allModels.length >= data.total) {
break;
}
offset += limit;
}
return allModels;
}# Combine filters and sorting
GET /api/v1/threat-models?[email protected]&created_after=2025-01-01&sort=-created_at&limit=20from tmi_client import TMIClient
client = TMIClient(
base_url='https://api.tmi.dev',
token='your-jwt-token'
)
# List threat models
threat_models = client.threat_models.list(
owner='[email protected]',
limit=10
)
# Create threat model
new_tm = client.threat_models.create({
'name': 'My Threat Model',
'description': 'Security analysis'
})
# Get threat model
tm = client.threat_models.get(new_tm['id'])
# Update threat model
client.threat_models.update(tm['id'], {
'description': 'Updated description'
})import { TMIClient } from '@tmi/client';
const client = new TMIClient({
baseUrl: 'https://api.tmi.dev',
token: 'your-jwt-token'
});
// List threat models
const threatModels = await client.threatModels.list({
owner: '[email protected]',
limit: 10
});
// Create threat model
const newTm = await client.threatModels.create({
name: 'My Threat Model',
description: 'Security analysis'
});- API-Overview - API design and authentication
- WebSocket-API-Reference - WebSocket API details
- API-Workflows - Common usage patterns
- API-Integration - Integration guide
- API-Specifications - Complete OpenAPI spec
- Webhook-Integration - Webhook documentation
- Addon-System - Addon documentation
- Using TMI for Threat Modeling
- Accessing TMI
- Creating Your First Threat Model
- Understanding the User Interface
- Working with Data Flow Diagrams
- Managing Threats
- Collaborative Threat Modeling
- Using Notes and Documentation
- Metadata and Extensions
- Planning Your Deployment
- Deploying TMI Server
- Deploying TMI Web Application
- Setting Up Authentication
- Database Setup
- Component Integration
- Post-Deployment
- Monitoring and Health
- Database Operations
- Security Operations
- Performance and Scaling
- Maintenance Tasks