API Reference

The ThretVyn REST API lets you query alerts, retrieve correlated incidents, and manage integrations programmatically. Base URL: https://api.thretvyn.com/v1

Authentication

All API requests require an Authorization header with a Bearer token. Generate API tokens under Settings → API Keys in your ThretVyn workspace.

Example request

$ curl -X GET https://api.thretvyn.com/v1/alerts \
     -H "Authorization: Bearer tvn_live_f7c3a9b2d1e4..." \
     -H "Content-Type: application/json"

Rate Limits

API rate limits are applied per API key:

Plan	Requests/minute	Requests/day
Starter	60	10,000
Growth	300	100,000
Enterprise	Custom	Unlimited

Rate limit headers are included in all responses:

Response headers

X-RateLimit-Limit:     300
X-RateLimit-Remaining: 287
X-RateLimit-Reset:     1749387600

Alerts

An alert is a single detection signal from one data source. Correlated alerts that form a kill-chain pattern are grouped into incidents (see below).

GET /alerts

List alerts for the authenticated workspace. Results are paginated; default page size is 50.

Query parameters

Parameter	Type	Description
`status`	string	`new`, `in_progress`, `resolved`, `suppressed`
`severity`	string	`P1`, `P2`, `P3`
`source`	string	`crowdstrike`, `cloudtrail`, `okta`, etc.
`from`	ISO 8601	Start of time range. Default: 24h ago.
`limit`	integer	Results per page. Max 200.
`cursor`	string	Pagination cursor from previous response.

GET /alerts — Response 200

{
  "data": [
    {
      "id": "alt_9c2f1a4b",
      "severity": "P1",
      "source": "crowdstrike",
      "type": "lateral_movement",
      "correlated": true,
      "incident_id": "inc_3b7e8f1d",
      "created_at": "2026-04-22T14:23:07Z"
    }
  ],
  "pagination": {
    "total": 38,
    "cursor": "eyJvZmZzZXQiOjUwfQ"
  }
}

Incidents

An incident is a correlated kill-chain event grouping two or more individual alerts. ThretVyn's correlation engine assembles incidents automatically.

GET /incidents/{incident_id}

Retrieve a single correlated incident with full alert chain and timeline.

GET /incidents/inc_3b7e8f1d — Response 200

{
  "id": "inc_3b7e8f1d",
  "severity": "P1",
  "pattern": "credential_theft_to_cloud_access",
  "sources": ["crowdstrike", "cloudtrail", "okta"],
  "kill_chain_stage": "lateral_movement",
  "alert_count": 4,
  "timeline_start": "2026-04-22T14:18:31Z",
  "timeline_end": "2026-04-22T14:23:07Z",
  "status": "new"
}

Integrations

GET /integrations

List all configured integrations and their health status.

GET /integrations — Response 200

{
  "data": [
    {
      "id": "int_crowdstrike",
      "type": "edr",
      "provider": "crowdstrike",
      "status": "active",
      "last_event_at": "2026-04-22T14:23:07Z"
    },
    {
      "id": "int_cloudtrail",
      "type": "cloud",
      "provider": "aws_cloudtrail",
      "status": "active",
      "last_event_at": "2026-04-22T14:22:51Z"
    }
  ]
}

Next steps

Quickstart Guide Get your first integration connected API Support Talk to our engineering team