Pangea AuthN API
Hosted user authentication and identity - sign-up/sign-in flows, user lifecycle, session and client-token management, and JWKS - exposed as REST and secured with a Bearer service token.
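# OpenAPI 3.0.1 description of a representative subset of Pangea services.
# Nesting restored: the flattened listing put every key at column 0.
openapi: 3.0.1
info:
  title: Pangea Security Services API
  # Per this description every call is a POST with a JSON body and a Bearer
  # token in the Authorization header (see components.securitySchemes).
  description: >-
    Specification of representative Pangea security service APIs. Pangea exposes
    each security capability as its own REST service reachable at
    https://{service}.{csp}.{geo}.pangea.cloud (for example
    https://redact.aws.us.pangea.cloud). All requests are POST with a JSON body
    and are authenticated with a Bearer service token (or OAuth 2 access token)
    in the Authorization header. This document models several representative
    services - AuthN, Secure Audit Log, Redact, Vault, File Scan, IP Intel,
    Domain Intel, and AI Guard - and is not exhaustive of every endpoint or
    field.
  termsOfService: https://pangea.cloud/legal/terms-of-service/
  contact:
    name: Pangea Support
    url: https://pangea.cloud/contact/
  # Quoted so the version stays a string rather than the float 1.0.
  version: '1.0'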
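# Root server template. Every path in this document declares its own
# `servers` override, so this entry only applies to paths that lack one.
servers:
  - url: https://{service}.{csp}.{geo}.pangea.cloud
    description: Per-service Pangea host. Each service is reached at its own subdomain.
    # None of the variables declares an `enum`, so tooling will accept any
    # substitution; the values named in the descriptions are documentation
    # only. Clients that build the host from configuration should check it
    # against the expected set before attaching a token to the request.
    variables:
      service:
        default: redact
        description: Service name (authn, audit, redact, vault, file-scan, ip-intel, domain-intel, ai-guard).
      csp:
        default: aws
        description: Cloud service provider hosting the service.
      geo:
        default: us
        description: Geographic region (us, eu).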
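# Global requirement: no operation in this document overrides `security`,
# so every endpoint below expects the bearer token.
security:
  - bearerAuth: []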
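# One tag per modelled service; operations refer to these names.
tags:
  - name: AuthN
    description: Hosted authentication, user lifecycle, and session management.
  - name: Secure Audit Log
    description: Tamper-proof, cryptographically verifiable audit logging.
  - name: Redact
    description: Detect and remove sensitive information from text and structured data.
  - name: Vault
    description: Secrets and cryptographic key management.
  - name: File Scan
    description: Scan files for malicious content.
  - name: IP Intel
    description: IP reputation, geolocation, and VPN/proxy enrichment.
  - name: Domain Intel
    description: Domain and URL reputation lookups.
  - name: AI Guard
    description: Detect and redact malicious content in LLM inputs and outputs.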
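# Paths from all services share this one map; the per-path `servers` entry is
# what routes each operation to its service host.
# Only 200 and 401 are modelled (plus 202 on /v1/scan), so any other status a
# service returns falls outside this contract and needs generic handling.
paths:
  # --- AuthN ---------------------------------------------------------------
  /v2/user/create:
    servers:
      - url: https://authn.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: authnUserCreate
      tags:
        - AuthN
      summary: Create a user.
      description: Create a new user account in the project's AuthN instance.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UserCreateRequest'
      responses:
        '200':
          description: User created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UserResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v2/user/list:
    servers:
      - url: https://authn.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: authnUserList
      tags:
        - AuthN
      summary: List users.
      description: Look up users by scope and return a paginated list.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UserListRequest'
      responses:
        '200':
          description: A page of users.
          content:
            application/json:
              schema:
                # Bare envelope: the shape of the returned user page is not
                # described here.
                $ref: '#/components/schemas/PangeaResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v2/flow/start:
    servers:
      - url: https://authn.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: authnFlowStart
      tags:
        - AuthN
      summary: Start a sign-up / sign-in flow.
      description: Initiate a new authentication flow and return the available flow choices.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              # No `required` list, so `{}` passes schema validation.
              type: object
              properties:
                # NOTE(review): redirect target supplied by the caller;
                # confirm it is checked against an allow-list configured
                # for the project.
                cb_uri:
                  type: string
                  description: Callback URI for the redirect-based flow.
                email:
                  type: string
                flow_types:
                  type: array
                  items:
                    type: string
                    enum: [signin, signup]
      responses:
        '200':
          description: Flow started.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PangeaResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v2/client/session/refresh:
    servers:
      - url: https://authn.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: authnClientSessionRefresh
      tags:
        - AuthN
      summary: Refresh a session.
      description: Refresh a session token using a refresh token.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [refresh_token]
              # Both fields carry credentials; keep request bodies for this
              # call out of application and proxy logs.
              properties:
                refresh_token:
                  type: string
                user_token:
                  type: string
      responses:
        '200':
          description: Session refreshed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PangeaResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  # --- Secure Audit Log ----------------------------------------------------
  /v1/log:
    servers:
      - url: https://audit.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: auditLog
      tags:
        - Secure Audit Log
      summary: Log an entry.
      description: Create a log entry in the Secure Audit Log.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuditLogRequest'
      responses:
        '200':
          description: Entry logged with cryptographic proof material.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuditLogResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v2/log:
    servers:
      - url: https://audit.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: auditLogBulk
      tags:
        - Secure Audit Log
      summary: Log multiple entries.
      description: Create up to 1000 log entries in a single request.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [events]
              properties:
                # minItems/maxItems encode the 1..1000 batch limit stated in
                # the operation description.
                events:
                  type: array
                  minItems: 1
                  maxItems: 1000
                  items:
                    $ref: '#/components/schemas/AuditEvent'
                verbose:
                  type: boolean
                config_id:
                  type: string
      responses:
        '200':
          description: Entries logged.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PangeaResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v1/search:
    servers:
      - url: https://audit.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: auditSearch
      tags:
        - Secure Audit Log
      summary: Search the audit log.
      description: Search the Secure Audit Log and return matching, verifiable events.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuditSearchRequest'
      responses:
        '200':
          description: Search results.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PangeaResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v1/root:
    servers:
      - url: https://audit.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: auditRoot
      tags:
        - Secure Audit Log
      summary: Get the Merkle tree root.
      description: Return the current root hash and consistency proof for verification.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              # Both fields are optional as far as this schema is concerned.
              type: object
              properties:
                tree_size:
                  type: integer
                config_id:
                  type: string
      responses:
        '200':
          description: Root hash and proof.
          content:
            application/json:
              schema:
                # Bare envelope: the root hash and proof fields are not
                # typed here, so verifiers must parse `result` themselves.
                $ref: '#/components/schemas/PangeaResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  # --- Redact --------------------------------------------------------------
  /v1/redact:
    servers:
      - url: https://redact.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: redactText
      tags:
        - Redact
      summary: Redact text.
      description: Redact sensitive information from provided text.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RedactRequest'
      responses:
        '200':
          description: Redacted text and report.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RedactResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v1/redact_structured:
    servers:
      - url: https://redact.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: redactStructured
      tags:
        - Redact
      summary: Redact structured data.
      description: Redact sensitive information from structured data such as JSON.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [data]
              properties:
                data:
                  type: object
                  description: Structured content to redact.
                # JSON paths (not a JSONP callback), per the description.
                jsonp:
                  type: array
                  items:
                    type: string
                  description: JSON paths to fields to redact.
                format:
                  type: string
                rulesets:
                  type: array
                  items:
                    type: string
      responses:
        '200':
          description: Redacted structured data.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PangeaResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  # --- Vault ---------------------------------------------------------------
  /v2/encrypt:
    servers:
      - url: https://vault.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: vaultEncrypt
      tags:
        - Vault
      summary: Encrypt data.
      description: Encrypt a message using a key stored in Vault.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/VaultEncryptRequest'
      responses:
        '200':
          description: Cipher text.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PangeaResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v2/decrypt:
    servers:
      - url: https://vault.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: vaultDecrypt
      tags:
        - Vault
      summary: Decrypt data.
      description: Decrypt cipher text using a key stored in Vault.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [id, cipher_text]
              properties:
                id:
                  type: string
                cipher_text:
                  type: string
                version:
                  type: integer
      responses:
        '200':
          # The body is the generic envelope; per this description its
          # `result` carries plain text, so treat the response as sensitive
          # and keep it out of logs and caches.
          description: Plain text.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PangeaResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v2/secret/store:
    servers:
      - url: https://vault.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: vaultSecretStore
      tags:
        - Vault
      summary: Store a secret.
      description: Store a secret value in Vault.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [secret]
              properties:
                # Sent as a plain string in the JSON body; avoid logging
                # request bodies for this call.
                secret:
                  type: string
                name:
                  type: string
                folder:
                  type: string
      responses:
        '200':
          description: Secret stored.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PangeaResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  # --- File Scan -----------------------------------------------------------
  /v1/scan:
    servers:
      - url: https://file-scan.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: fileScan
      tags:
        - File Scan
      summary: Scan a file.
      description: Scan a file for malicious content using the configured provider.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/FileScanRequest'
      responses:
        '200':
          description: Scan verdict.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IntelResponse'
        # No body schema: the asynchronous-result shape is not described
        # here. A 202 is not a verdict, so callers gating on scan results
        # should not treat it as "clean".
        '202':
          description: Accepted - scan running asynchronously.
        '401':
          $ref: '#/components/responses/Unauthorized'
  # --- IP Intel ------------------------------------------------------------
  /v2/reputation:
    servers:
      - url: https://ip-intel.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: ipReputation
      tags:
        - IP Intel
      summary: Get IP reputation.
      description: Retrieve a reputation score and verdict for one or more IP addresses.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/IpIntelRequest'
      responses:
        '200':
          description: Reputation result.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IntelResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v2/geolocate:
    servers:
      - url: https://ip-intel.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: ipGeolocate
      tags:
        - IP Intel
      summary: Geolocate an IP.
      description: Retrieve geographic location information for one or more IP addresses.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/IpIntelRequest'
      responses:
        '200':
          description: Geolocation result.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IntelResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  # --- Domain Intel --------------------------------------------------------
  /v1/reputation:
    servers:
      - url: https://domain-intel.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: domainReputation
      tags:
        - Domain Intel
      summary: Get domain reputation.
      description: Retrieve a reputation score and verdict for a domain.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              # No `required` list: `domain` is optional as far as this
              # schema is concerned.
              type: object
              properties:
                domain:
                  type: string
                provider:
                  type: string
                verbose:
                  type: boolean
                raw:
                  type: boolean
      responses:
        '200':
          description: Domain reputation result.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IntelResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  # --- AI Guard ------------------------------------------------------------
  /v1/text/guard:
    servers:
      - url: https://ai-guard.{csp}.{geo}.pangea.cloud
        variables:
          csp:
            default: aws
          geo:
            default: us
    post:
      operationId: aiGuardText
      tags:
        - AI Guard
      summary: Guard LLM text.
      description: >-
        Detect, remove, or block malicious content and intent in LLM inputs and
        outputs to prevent model manipulation and data leakage.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AiGuardRequest'
      responses:
        '200':
          description: Guard result.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AiGuardResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'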
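# Shared security scheme, error response and request/response schemas.
components:
  securitySchemes:
    # HTTP bearer scheme with no `bearerFormat`. The token is a credential:
    # supply it from a secret store or the environment, never from source
    # control, and keep the Authorization header out of logs.
    bearerAuth:
      type: http
      scheme: bearer
      description: Pangea service token or OAuth 2 access token passed as a Bearer token.
  responses:
    # The only error response modelled; it reuses the standard envelope.
    Unauthorized:
      description: Missing or invalid authentication token.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/PangeaResponse'
  schemas:
    PangeaResponse:
      type: object
      description: Standard Pangea response envelope wrapping every service result.
      properties:
        request_id:
          type: string
        request_time:
          type: string
          format: date-time
        response_time:
          type: string
          format: date-time
        status:
          type: string
          example: Success
        summary:
          type: string
        # Untyped here. Operations that return the bare envelope leave the
        # payload undescribed, so clients must validate `result` themselves.
        result:
          type: object
    UserCreateRequest:
      type: object
      required: [email]
      properties:
        # Plain string with no `format`, so schema validation accepts any
        # value.
        email:
          type: string
        profile:
          type: object
          additionalProperties:
            type: string
        username:
          type: string
    UserListRequest:
      # No `required` list: every field is optional.
      type: object
      properties:
        filter:
          type: object
        last:
          type: string
        order:
          type: string
          enum: [asc, desc]
        size:
          type: integer
    UserResponse:
      # Envelope plus a typed `result` describing the user record.
      allOf:
        - $ref: '#/components/schemas/PangeaResponse'
        - type: object
          properties:
            result:
              type: object
              properties:
                id:
                  type: string
                email:
                  type: string
                profile:
                  type: object
                verified:
                  type: boolean
                disabled:
                  type: boolean
    AuditEvent:
      # All fields are free-form strings apart from the timestamp.
      type: object
      properties:
        message:
          type: string
          description: Main log message.
        actor:
          type: string
        action:
          type: string
        target:
          type: string
        status:
          type: string
        source:
          type: string
        timestamp:
          type: string
          format: date-time
    AuditLogRequest:
      # No `required` list: a request without `event` passes schema
      # validation. NOTE(review): confirm whether the service rejects it.
      type: object
      properties:
        event:
          $ref: '#/components/schemas/AuditEvent'
        verbose:
          type: boolean
        # NOTE(review): presumably a client-side signature over the event
        # and the key to verify it - confirm the signed payload and the
        # expected encoding before relying on these fields.
        signature:
          type: string
        public_key:
          type: string
        config_id:
          type: string
    AuditLogResponse:
      # Envelope plus the proof material returned for a logged entry.
      allOf:
        - $ref: '#/components/schemas/PangeaResponse'
        - type: object
          properties:
            result:
              type: object
              properties:
                hash:
                  type: string
                unpublished_root:
                  type: string
                membership_proof:
                  type: string
                consistency_proof:
                  type: array
                  items:
                    type: string
    AuditSearchRequest:
      type: object
      required: [query]
      properties:
        query:
          type: string
        start:
          type: string
          format: date-time
        end:
          type: string
          format: date-time
        # No upper bound is declared for the result count.
        max_results:
          type: integer
        order:
          type: string
          enum: [asc, desc]
        config_id:
          type: string
    RedactRequest:
      type: object
      required: [text]
      properties:
        text:
          type: string
          description: The content to redact.
        config_id:
          type: string
        rules:
          type: array
          items:
            type: string
        rulesets:
          type: array
          items:
            type: string
        return_result:
          type: boolean
        # NOTE(review): confirm what the response contains with `debug`
        # enabled before using it on production data.
        debug:
          type: boolean
    RedactResponse:
      allOf:
        - $ref: '#/components/schemas/PangeaResponse'
        - type: object
          properties:
            result:
              type: object
              properties:
                redacted_text:
                  type: string
                count:
                  type: integer
                report:
                  type: object
    VaultEncryptRequest:
      type: object
      required: [id, plain_text]
      properties:
        id:
          type: string
          description: The ID of the key to use.
        # Base64 is an encoding, not protection: the message is readable to
        # anything that sees the request body.
        plain_text:
          type: string
          description: Base64-encoded message to encrypt.
        version:
          type: integer
        # NOTE(review): purpose and encoding not documented here - confirm.
        additional_data:
          type: string
    FileScanRequest:
      # No `required` list: every field is optional in this schema.
      type: object
      properties:
        provider:
          type: string
        verbose:
          type: boolean
        raw:
          type: boolean
        transfer_method:
          type: string
          enum: [direct, multipart, post-url, source-url]
        # No `pattern` or length constraint, so a malformed digest passes
        # schema validation; callers should check for 64 hex digits.
        sha256:
          type: string
        size:
          type: integer
        # NOTE(review): with `source-url` the service presumably fetches
        # this URL itself - confirm which schemes and hosts it accepts and
        # only pass URLs the caller has already vetted.
        source_url:
          type: string
    IpIntelRequest:
      type: object
      required: [ips]
      properties:
        # Batch lookups are bounded to 1..100 addresses; the items are plain
        # strings with no IP `format`.
        ips:
          type: array
          minItems: 1
          maxItems: 100
          items:
            type: string
        provider:
          type: string
        verbose:
          type: boolean
        raw:
          type: boolean
    IntelResponse:
      # Shared by File Scan, IP Intel and Domain Intel operations.
      allOf:
        - $ref: '#/components/schemas/PangeaResponse'
        - type: object
          properties:
            result:
              type: object
              properties:
                data:
                  type: object
                  properties:
                    # Free-form string: no `enum` of verdict values, so
                    # compare against the values the provider documents
                    # rather than assuming a fixed set.
                    verdict:
                      type: string
                      example: malicious
                    score:
                      type: integer
                    category:
                      type: array
                      items:
                        type: string
                raw_data:
                  type: object
    AiGuardRequest:
      # No `required` list: neither `text` nor `messages` is mandatory in
      # this schema.
      type: object
      properties:
        # The 20 KiB limit is prose only; `maxLength` counts characters,
        # not bytes, so enforce the size in the client.
        text:
          type: string
          description: Plain text input (up to 20 KiB).
        messages:
          type: array
          items:
            type: object
            properties:
              role:
                type: string
              content:
                type: string
        recipe:
          type: string
          default: pangea_prompt_guard
        # NOTE(review): confirm what extra detail the response carries when
        # enabled before turning it on in production.
        debug:
          type: boolean
          default: false
    AiGuardResponse:
      allOf:
        - $ref: '#/components/schemas/PangeaResponse'
        - type: object
          properties:
            result:
              type: object
              properties:
                # `blocked` and `transformed` are separate flags; callers
                # enforcing policy should check both rather than only one.
                blocked:
                  type: boolean
                transformed:
                  type: boolean
                recipe:
                  type: string
                detectors:
                  type: object
                  description: Per-detector analysis (prompt_injection, pii, secrets, malicious_entity).
                prompt_text:
                  type: string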