Security endpoints are restricted to Staff users unless noted. All state-changing requests require a CSRF token.

CSRF tokens

Get a CSRF token

GET /api/security/csrf-token

Issues a new CSRF token scoped to the current session. Include this token in every POST, PUT, and DELETE request.

Permission: All authenticated users

curl -X GET "https://propops.yourcompany.com/api/security/csrf-token" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": {
    "token": "abc123def456abc123def456abc123def456abc123def456abc123def456abc123de"
  },
  "message": "CSRF token issued"
}
CSRF tokens are single-use and session-scoped. Fetch a fresh token before each state-changing operation, or once at session start and reuse it until the session expires.

Session management

List active sessions

GET /api/security/sessions?action=list

Returns all active sessions for all users. Each entry includes device info, IP address, and last-seen timestamp.

Required permission: api.security.sessions.list
Account types: Staff only

curl -X GET "https://propops.yourcompany.com/api/security/sessions?action=list" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": [
    {
      "session_id": "sess_abc123",
      "user_id": 42,
      "user_name": "Jane Smith",
      "ip_address": "203.0.113.10",
      "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
      "location": "London, GB",
      "last_active": "2024-06-14T10:05:00Z",
      "is_current": false
    }
  ],
  "count": 14
}

Terminate a session

POST /api/security/sessions

Terminates (force-logs-out) a specific session. You can terminate any other user's session if you have the api.security.sessions.terminate permission. To end your own current session, use the standard logout endpoint (GET /logout); you cannot terminate your own active session via this endpoint.

Required permission: api.security.sessions.terminate (for terminating other users' sessions)
Requires CSRF token.

Body parameters:
  action (string, required): Must be terminate.
  session_id (string, required): The session ID to terminate. Cannot be the caller's own current session.
  csrf_token (string, required): CSRF token from GET /api/security/csrf-token.
curl -X POST "https://propops.yourcompany.com/api/security/sessions" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "terminate",
    "session_id": "sess_abc123",
    "csrf_token": "<csrf-token>"
  }'
{
  "success": true,
  "message": "Session terminated"
}
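The two calls above form one workflow: fetch a CSRF token, then spend it on a state-changing POST. The script below, an added example rather than code from the PropOps documentation, reviews the session list, flags sessions from outside a trusted network range or idle past a threshold, and terminates each one with a freshly issued token (the page states tokens are single-use). The endpoint paths, JSON shapes and the csrf_token body field follow the documentation above; the FakeTransport class, the trusted network, the fixed clock and the sample session list are constructed so the script runs offline, and a real client would replace FakeTransport with an HTTP client that sends the Authorization header.

```python
"""Session review against the PropOps security API (added example, offline via a fake transport)."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for GET /api/security/sessions?action=list.
SAMPLE_SESSIONS = [
    {"session_id": "sess_current", "user_id": 7, "user_name": "Ops Admin",
     "ip_address": "198.51.100.5", "last_active": "2024-06-14T10:00:00Z", "is_current": True},
    {"session_id": "sess_abc123", "user_id": 42, "user_name": "Jane Smith",
     "ip_address": "203.0.113.10", "last_active": "2024-06-14T10:05:00Z", "is_current": False},
    {"session_id": "sess_stale", "user_id": 42, "user_name": "Jane Smith",
     "ip_address": "198.51.100.9", "last_active": "2024-05-01T08:00:00Z", "is_current": False},
]
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed office range
STALE_AFTER = timedelta(days=30)
NOW = datetime(2024, 6, 14, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducible results


class FakeTransport:
    """Constructed stand-in for an HTTP client. It mirrors the documented CSRF rule:
    a POST whose csrf_token was not issued by GET /api/security/csrf-token, or was
    already used once, is rejected."""

    def __init__(self, sessions):
        self.sessions = {s["session_id"]: dict(s) for s in sessions}
        self.issued_tokens = set()
        self.terminated = []
        self._counter = 0

    def get(self, path, params=None):
        if path == "/api/security/csrf-token":
            self._counter += 1
            token = f"csrf_{self._counter:04d}"  # constructed token value
            self.issued_tokens.add(token)
            return {"success": True, "data": {"token": token}, "message": "CSRF token issued"}
        if path == "/api/security/sessions" and params == {"action": "list"}:
            return {"success": True, "data": list(self.sessions.values()),
                    "count": len(self.sessions)}
        raise ValueError(f"unexpected GET {path}")

    def post(self, path, body):
        if body.get("csrf_token") not in self.issued_tokens:
            return {"success": False, "message": "Invalid or missing CSRF token"}
        self.issued_tokens.discard(body["csrf_token"])  # single-use, as documented
        if path == "/api/security/sessions" and body.get("action") == "terminate":
            sess = self.sessions.get(body["session_id"])
            if sess is None or sess["is_current"]:
                return {"success": False, "message": "Cannot terminate this session"}
            del self.sessions[body["session_id"]]
            self.terminated.append(body["session_id"])
            return {"success": True, "message": "Session terminated"}
        raise ValueError(f"unexpected POST {path}")


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_sessions(sessions, now=NOW):
    """Return session IDs worth revoking: never the caller's current session; otherwise
    any session from outside TRUSTED_NETWORKS or idle longer than STALE_AFTER."""
    flagged = []
    for s in sessions:
        if s["is_current"]:
            continue
        ip = ipaddress.ip_address(s["ip_address"])
        off_network = not any(ip in net for net in TRUSTED_NETWORKS)
        stale = now - _parse_ts(s["last_active"]) > STALE_AFTER
        if off_network or stale:
            flagged.append(s["session_id"])
    return flagged


def terminate_sessions(client, session_ids):
    """Fetch a fresh CSRF token per termination (tokens are single-use) and POST it."""
    results = {}
    for sid in session_ids:
        token = client.get("/api/security/csrf-token")["data"]["token"]
        resp = client.post("/api/security/sessions",
                           {"action": "terminate", "session_id": sid, "csrf_token": token})
        results[sid] = resp["success"]
    return results


def review_and_revoke(client):
    """List sessions, pick the suspicious ones, terminate them; returns {session_id: ok}."""
    listing = client.get("/api/security/sessions", {"action": "list"})
    return terminate_sessions(client, suspicious_sessions(listing["data"]))


if __name__ == "__main__":
    fake = FakeTransport(SAMPLE_SESSIONS)
    print(review_and_revoke(fake))
    print("remaining:", sorted(fake.sessions))
```

Fetching a token per POST is the conservative reading of the page's note on single-use tokens; if a deployment reuses one token for the whole session, only terminate_sessions needs to change.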

Blacklist a user

POST /api/security/sessions

Adds a user to the session blacklist, immediately revoking all their active sessions and preventing new logins until removed.

Required permission: api.security.sessions.manage
Requires CSRF token.

Body parameters:
  action (string, required): Must be blacklist_add.
  user_id (integer, required): ID of the user to blacklist.
  reason (string, required): Human-readable reason for the blacklist (recorded in the audit log).
  csrf_token (string, required): CSRF token.
curl -X POST "https://propops.yourcompany.com/api/security/sessions" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "blacklist_add",
    "user_id": 55,
    "reason": "Suspicious login activity detected",
    "csrf_token": "<csrf-token>"
  }'
{
  "success": true,
  "message": "User blacklisted and all sessions terminated"
}

Remove a user from the blacklist

POST /api/security/sessions

Removes a user from the session blacklist, restoring their ability to log in.

Required permission: api.security.sessions.manage
Requires CSRF token.

Body parameters:
  action (string, required): Must be blacklist_remove.
  user_id (integer, required): ID of the user to remove from the blacklist.
  csrf_token (string, required): CSRF token.

List blacklisted users

GET /api/security/sessions?action=blacklist_list

Returns all users currently on the session blacklist.

Required permission: api.security.sessions.manage

curl -X GET "https://propops.yourcompany.com/api/security/sessions?action=blacklist_list" \
  -H "Authorization: Bearer <token>"

File integrity monitoring

List file integrity alerts

GET /api/security/file-integrity-alerts

Returns paginated file-integrity violation alerts. Alerts are raised when a monitored file is modified, added, or deleted outside of a planned deployment.

Required permission: api.security.file_integrity_alerts.manage
Account types: Staff only

Query parameters:
  status (integer): Filter by status: 0 = new, 1 = resolved, 2 = ignored.
  severity (string): Filter by severity: critical, high, medium, low.
  sortBy (string, default "created_at_desc"): Sort order: created_at_desc, created_at_asc, severity_desc.
  page (integer, default 1): Page number.
  limit (integer, default 25): Results per page (max 100).

curl -X GET "https://propops.yourcompany.com/api/security/file-integrity-alerts?status=0&severity=critical" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": [
    {
      "id": 12,
      "file_path": "/var/www/html/index.php",
      "alert_type": "file_integrity_violation",
      "severity": "critical",
      "status": 0,
      "details": "File hash mismatch — expected: abc123, got: def456",
      "created_at": "2024-06-14T03:12:00Z"
    }
  ],
  "total": 3,
  "page": 1
}

Resolve a file integrity alert

POST /api/security/resolve-alert

Marks a single file-integrity alert as resolved.

Required permission: api.security.file_integrity_alerts.manage
Requires CSRF token.

Body parameters:
  alert_id (integer, required): ID of the alert to resolve.
  csrf_token (string, required): CSRF token.
curl -X POST "https://propops.yourcompany.com/api/security/resolve-alert" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"alert_id": 12, "csrf_token": "<csrf-token>"}'
{
  "success": true,
  "message": "Alert resolved"
}

Bulk resolve alerts

POST /api/security/bulk-resolve-alerts

Resolves multiple file-integrity alerts in one request.

Required permission: api.security.file_integrity_alerts.manage
Requires CSRF token.

Body parameters:
  alert_ids (array, required): Array of alert IDs to resolve.
  csrf_token (string, required): CSRF token.
curl -X POST "https://propops.yourcompany.com/api/security/bulk-resolve-alerts" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"alert_ids": [12, 13, 14], "csrf_token": "<csrf-token>"}'
{
  "success": true,
  "message": "3 alert(s) resolved"
}

Bulk delete alerts

POST /api/security/bulk-delete-alerts

Permanently deletes multiple file-integrity alerts.

Required permission: api.security.file_integrity_alerts.manage
Requires CSRF token.

Body parameters:
  alert_ids (array, required): Array of alert IDs to delete.
  csrf_token (string, required): CSRF token.

Run a file integrity check

POST /api/security/run-integrity-check

Triggers an on-demand file integrity scan. Returns a job ID that can be polled for progress.

Required permission: api.security.file_integrity_alerts.manage
Account types: Staff only
Requires CSRF token.
curl -X POST "https://propops.yourcompany.com/api/security/run-integrity-check" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"csrf_token": "<csrf-token>"}'
{
  "success": true,
  "data": {
    "check_id": "chk_a1b2c3",
    "status": "running"
  },
  "message": "File integrity check started"
}

Get file integrity scan progress

GET /api/security/file-integrity-progress

Polls the progress of an in-progress file integrity scan.

Required permission: api.security.file_integrity_alerts.manage

Query parameters:
  check_id (string, required): ID returned by POST /api/security/run-integrity-check.
curl -X GET "https://propops.yourcompany.com/api/security/file-integrity-progress?check_id=chk_a1b2c3" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": {
    "check_id": "chk_a1b2c3",
    "status": "complete",
    "files_scanned": 1842,
    "violations_found": 1,
    "duration_ms": 4200
  }
}

View a file diff

GET /api/security/file-diff

Returns the line-by-line diff between the current version of a monitored file and the known-good baseline.

Required permission: api.security.file_integrity_alerts.manage
Account types: Staff only

Query parameters:
  alert_id (integer, required): ID of the file-integrity alert to diff.
curl -X GET "https://propops.yourcompany.com/api/security/file-diff?alert_id=12" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": {
    "file_path": "/var/www/html/index.php",
    "diff": "--- a/index.php\n+++ b/index.php\n@@ -1,5 +1,6 @@\n ...",
    "lines_added": 3,
    "lines_removed": 1
  }
}
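The four file-integrity endpoints (run check, poll progress, list alerts, view diff) chain into one triage pass. The script below is an added example, not code from the PropOps documentation: it starts a scan, polls until the status is terminal with a bounded number of attempts, pulls the new critical alerts, and for each one checks that the diff payload is internally consistent (the counted +/- lines match lines_added and lines_removed) and whether the alert time falls inside a known deployment window, since the page defines a violation as a change outside a planned deployment. The endpoint paths and response shapes follow the documentation; FakeSecurityApi, the deployment windows, the sample alert and the sample diff are constructed so it runs offline.

```python
"""File-integrity scan orchestration and alert triage (added example, offline via a fake API)."""
import time
from datetime import datetime, timezone

# Constructed planned-deployment windows (ISO 8601, UTC). Changes inside these are expected.
DEPLOY_WINDOWS = [("2024-06-13T22:00:00Z", "2024-06-13T23:00:00Z")]

# Constructed sample alert and diff payload, shaped like the documented responses.
SAMPLE_ALERT = {"id": 12, "file_path": "/var/www/html/index.php", "alert_type": "file_integrity_violation",
                "severity": "critical", "status": 0, "created_at": "2024-06-14T03:12:00Z"}
SAMPLE_DIFF = {
    "file_path": "/var/www/html/index.php",
    "diff": ("--- a/index.php\n+++ b/index.php\n@@ -1,5 +1,6 @@\n <?php\n"
             "-require 'config.php';\n+require 'config.php';\n"
             "+// constructed added line 1\n+// constructed added line 2\n echo 'hello';\n"),
    "lines_added": 3,
    "lines_removed": 1,
}


class FakeSecurityApi:
    """Constructed stand-in for an HTTP client returning canned, documented-shape responses."""

    def __init__(self):
        self.polls = 0

    def post(self, path, body):
        if "csrf_token" not in body:
            return {"success": False, "message": "CSRF token required"}
        if path == "/api/security/run-integrity-check":
            return {"success": True, "data": {"check_id": "chk_a1b2c3", "status": "running"},
                    "message": "File integrity check started"}
        raise ValueError(f"unexpected POST {path}")

    def get(self, path, params=None):
        params = params or {}
        if path == "/api/security/file-integrity-progress":
            self.polls += 1
            if self.polls < 3:  # two "running" responses, then complete
                return {"success": True, "data": {"check_id": params["check_id"], "status": "running",
                                                  "files_scanned": 600 * self.polls}}
            return {"success": True, "data": {"check_id": params["check_id"], "status": "complete",
                                              "files_scanned": 1842, "violations_found": 1, "duration_ms": 4200}}
        if path == "/api/security/file-integrity-alerts":
            return {"success": True, "data": [SAMPLE_ALERT], "total": 1, "page": 1}
        if path == "/api/security/file-diff":
            return {"success": True, "data": SAMPLE_DIFF}
        raise ValueError(f"unexpected GET {path}")


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def poll_until_complete(api, check_id, interval_s=0.0, max_polls=60):
    """Poll the progress endpoint until the scan reaches a terminal status; bounded so a
    stuck job cannot hang the caller."""
    for _ in range(max_polls):
        data = api.get("/api/security/file-integrity-progress", {"check_id": check_id})["data"]
        if data["status"] in ("complete", "failed"):
            return data
        time.sleep(interval_s)
    raise TimeoutError(f"integrity check {check_id} did not finish after {max_polls} polls")


def parse_unified_diff(diff_text):
    """Return (added_lines, removed_lines), skipping file headers, hunk headers and context."""
    added, removed = [], []
    for line in diff_text.splitlines():
        if line.startswith(("+++", "---", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def in_deployment_window(timestamp, windows=DEPLOY_WINDOWS):
    ts = _parse_ts(timestamp)
    return any(_parse_ts(start) <= ts <= _parse_ts(end) for start, end in windows)


def triage_alert(alert, diff_payload, windows=DEPLOY_WINDOWS):
    """Escalate unless the change happened in a planned window and the diff is self-consistent."""
    added, removed = parse_unified_diff(diff_payload["diff"])
    counts_match = (len(added) == diff_payload["lines_added"]
                    and len(removed) == diff_payload["lines_removed"])
    planned = in_deployment_window(alert["created_at"], windows)
    return {"alert_id": alert["id"], "file_path": alert["file_path"], "counts_match": counts_match,
            "planned": planned, "action": "candidate_resolve" if planned and counts_match else "escalate"}


def run_and_triage(api, csrf_token):
    """Start a scan, wait for it, then triage every new critical alert."""
    check_id = api.post("/api/security/run-integrity-check", {"csrf_token": csrf_token})["data"]["check_id"]
    progress = poll_until_complete(api, check_id)
    alerts = api.get("/api/security/file-integrity-alerts", {"status": 0, "severity": "critical"})["data"]
    triaged = [triage_alert(a, api.get("/api/security/file-diff", {"alert_id": a["id"]})["data"])
               for a in alerts]
    return {"check_id": check_id, "progress": progress, "alerts": triaged}


if __name__ == "__main__":
    print(run_and_triage(FakeSecurityApi(), "<csrf-token>"))
```

A candidate_resolve result is only a recommendation; resolving still goes through POST /api/security/resolve-alert with its own CSRF token, and an alert whose line counts disagree with its own diff is escalated rather than trusted.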

Password breach checks

Check if a password has been breached

GET /api/security/password-breach-check

Checks whether a given password hash prefix appears in the HaveIBeenPwned database using k-anonymity (only the first 5 characters of the SHA-1 hash are sent).

Permission: All authenticated users

Query parameters:
  hash_prefix (string, required): First 5 characters of the SHA-1 hash of the password to check (uppercase).

curl -X GET "https://propops.yourcompany.com/api/security/password-breach-check?hash_prefix=21BD1" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": {
    "breached": true,
    "count": 3621
  }
}
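The client side of the k-anonymity scheme is the part worth getting right: the password is hashed locally, only the 5-character prefix leaves the client, and the match against the full 35-character suffix happens locally. The code below is an added example, not from the PropOps documentation; it assumes the Pwned Passwords range format (one SUFFIX:COUNT line per hash sharing the prefix), and the range response it matches against is constructed sample data, not real breach data.

```python
"""Client-side k-anonymity password breach check (added example, offline with a constructed range)."""
import hashlib


def sha1_prefix_suffix(password: str):
    """Uppercase SHA-1 of the password split into the 5-char prefix that is sent and the
    35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Scan a SUFFIX:COUNT range response for our suffix; 0 means not found."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range):
    """fetch_range(prefix) performs the network call; everything else stays local."""
    prefix, suffix = sha1_prefix_suffix(password)
    count = count_in_range(fetch_range(prefix), suffix)
    return {"breached": count > 0, "count": count}


# Constructed range response for prefix 5BAA6 (SHA-1 of "password" starts with 5BAA6).
CONSTRUCTED_RANGE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3621\n"
    "0123456789ABCDEF0123456789ABCDEF012:2\n"
)


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the GET call; asserts that only a 5-char hex prefix is ever sent."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("only a 5-character uppercase hex prefix may be sent")
    return CONSTRUCTED_RANGE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(check_password("password", fake_fetch_range))
```

Because the API documented above accepts only hash_prefix, a caller should expect to do the suffix match itself from whatever range data the server returns; the example keeps that step on the client so the full hash is never transmitted.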

Security reports

Generate a security report

GET /api/admin/security-report

Generates a full security audit report including login activity, session history, failed authentication attempts, and file integrity summary.

Required permission: api.admin.security_report.manage
Account types: Staff only

Query parameters:
  from (string): ISO 8601 start date for the report period.
  to (string): ISO 8601 end date for the report period.

curl -X GET "https://propops.yourcompany.com/api/admin/security-report?from=2024-06-01&to=2024-06-14" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": {
    "period": { "from": "2024-06-01", "to": "2024-06-14" },
    "logins": { "successful": 284, "failed": 17 },
    "new_ip_verifications": 8,
    "sessions_terminated": 3,
    "blacklisted_users": 0,
    "file_integrity_violations": 1,
    "password_breaches_detected": 2
  }
}

Mobile authentication

Request a Bearer token

POST /api/security/mobile-auth

Authenticates a user with their email and password and returns a long-lived Bearer token for use by mobile or API clients. See Authentication for full details.

Permission: None (unauthenticated endpoint)

Body parameters:
  email (string, required): User's email address.
  password (string, required): User's password.

curl -X POST "https://propops.yourcompany.com/api/security/mobile-auth" \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "password": "your-password"}'
{
  "success": true,
  "data": {
    "token": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
  },
  "message": "Mobile authentication token issued"
}

Revoke a Bearer token

DELETE /api/security/mobile-auth

Revokes the Bearer token included in the Authorization header, immediately invalidating it.

Permission: All authenticated Bearer token users

curl -X DELETE "https://propops.yourcompany.com/api/security/mobile-auth" \
  -H "Authorization: Bearer a1b2c3d4..."
{
  "success": true,
  "message": "Token revoked"
}