Use this guide to get started with the Seemplicity API quickly. This guide will show you how to:

1. Generate a Seemplicity API token in the production environment.
2. Make your first API call using the production endpoint.

Get started in the production environment

This guide uses cURL.

Prerequisites

Confirm in the Seemplicity platform that your organization has access to the Authentication - API Token settings.

The following procedure explains how to acquire the required parameters for your company:

• <API_TOKEN>
• <API_URL>

Generate a Bearer Token and start using the Seemplicity API

To access the Seemplicity API:

1. From Seemplicity's top menu bar, go to Settings > Authentication - API Tokens.
2. Select +Add API Token. The API Token dialog displays.
3. Enter a descriptive Name and select Create.
4. Copy the generated token and save it for future use. When finished, select Close.
5. Next, generate a JWT from the token in step 4 by running the script in your preferred coding platform. See the Note and the example scripts in Bash and Python, below.
6. Copy the JWT. It will be valid for a limited period of time. This is the Bearer <JWT> token.

Example Scripts (in Bash and Python)

 
#!/bin/bash
REGION="eu-central-1"

token=$(echo "$1" | base64 -d | curl -s -X POST \
-d @- \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
"https://cognito-idp."$REGION".amazonaws.com/" | jq -r ".AuthenticationResult.AccessToken")

echo $token

 
import requests
import base64
import json

REGION = 'eu-central-1'


def get_token(api_key: str) -> str:
    cognito_data = base64.b64decode(api_key)
    cognito_url = f'https://cognito-idp.{REGION}.amazonaws.com'
    cognito_headers = {'X-Amz-Target': 'AWSCognitoIdentityProviderService.InitiateAuth',
                       'Content-Type': 'application/x-amz-json-1.1'}
    cognito_response = requests.post(cognito_url, headers=cognito_headers,      data=cognito_data)
    return json.loads(cognito_response.content)['AuthenticationResult']['AccessToken']

Make your API call: example in cURL

 
curl --location 'https://api.seemplicity.io/api/v1' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <JWT>' \
--data '{"query":"query get_finding_by_id($id: ID!) {\n  finding(id: $id) {\n    id\n    id_int\n    finding_id\n    last_reported_time\n    cloud_provider\n    original_status\n    discovered_time\n    cloud_account\n    package_name\n    datasource {\n      friendly_name\n    }\n    main_resource {\n      resource_name\n    }\n    title\n    finding_score {\n      score\n      severity\n      original_score\n    }\n    age\n    description\n  }\n}","variables":{"id":"RmluZGluZzoxODAxNTA="}}'

 
{
    "data": {
        "finding": {
            "id": "RmluZGluZzoxODAxNTA=",
          "id_int": 180150,
            "finding_id": "1-1-findings.id IN (902, 905) and (1 is not null)",
            "last_reported_time": "2021-04-07T14:52:29+00:00",
            "cloud_provider": "github",
            "original_status": "",
            "discovered_time": "2022-02-19T06:58:31+00:00",
            "cloud_account": "github:mobile-app",
            "package_name": null,
            "datasource": {
                "friendly_name": "GHB"
            },
            "main_resource": {
                "resource_name": "mobile-app"
            },
            "title": "Code Injection in js-yaml - Multiple Vulnerabilities",
            "finding_score": {
                "score": 10.0,
                "severity": 3,
                "original_score": null
            },
            "age": 709,
            "description": "Versions of `js-yaml` prior to 3.13.1 are vulnerable to Code Injection. The `load()` function may execute arbitrary code injected through a malicious YAML file. Objects that have `toString` as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the `load()` function. The `safeLoad()` function is unaffected.\n\nAn example payload is \n`{{ toString: !<tag:yaml.org,2002:js/function> 'function (){{return Date.now()}}' }} : 1` \nwhich returns the object \n{{\n  \"1553107949161\": 1\n}}\n\n\n## Recommendation\n\nUpgrade to version 3.13.1."
        }
    }
}

27 November, 2025

To ensure service stability and to prevent abuse, the Seemplicity API now applies rate limits. For details, see API Rate Limiting. For customized assistance, get in touch with Customer Services.

To ensure service stability and to prevent abuse, as of 26 November, 2025, Seemplicity applies rate limits on requests with the API token.

The limits are according to the following contexts:

• Global - Seemplicity limits all requests to the API, no matter the identity of the token. We do this to protect the platform from extensive usage.
• Customer - Seemplicity limits API requests per customer so that one customer cannot block the usage of other customers. By default, this limit is smaller than the global limit.
• Token - Seemplicity limits API requests per token within the context of the customer. One customer may manage/have multiple token keys, and each is limited. By default, this limit is smaller than the customer limit.

A request can be independently blocked according to any one of these limits (Global, Customer, or Token).

In cases where a limit is breached, the user receives a response informing them how long to wait before attempting another request.

 
{
    "error": "rate_limited",
    "message": "Too Many Requests"
}

Queries are your read-only operations — the way to pull exactly the data you need from the API without changing anything. Each query here can be shaped to your task: filter to the right scope, choose just the fields you need, and get results that are ready for analysis or action. Think of this section as your toolkit for building precise, efficient data requests.

Mutations are your change operations. They’re how you add, update, or remove things in the system — from findings and rules to scopes and resources. Each mutation here requires the right permissions, and each is designed to target a specific kind of change. Use them to keep your data, rules, and workflows aligned with the way your team operates.

The Subscription type in GraphQL enables real-time communication between clients and the server. It defines a set of events or data streams that clients can subscribe to and receive updates whenever the subscribed events occur.

Objects define the shapes of the data in this API and how those pieces connect. Every query or mutation will return one or more of these objects, and the fields inside tell you what you can request. Understanding objects (and how they nest or relate) is key to building queries that return exactly the context you need.

Scalars are the basic building blocks — the primitive types like String, Int, Boolean, and Float, plus any custom ones this API defines. They tell you what kind of value a field holds, so you can send the right data in a request and interpret results correctly.

Directives in the API offer users the ability to customize query and mutation execution behavior. They empower users to alter query results, adjust execution order, conditionally include or skip fields, and apply personalized logic to the resolution process. With directives, users can fine-tune API responses to meet their specific requirements and optimize performance.

Enums are predefined sets of allowed values for a field. They keep your requests valid and your intent clear — no guessing at the right string or magic number. Pick one of the listed options, and you’ll know it’s accepted by the API. They’re especially useful for filters, sort orders, and state fields.

The Unions section enables users to combine multiple object types into a single type in GraphQL. This feature is helpful when a field may return different types of objects, allowing users to specify all possible types in the schema. By utilizing unions, users can create more dynamic and flexible data structures within their API.