The Arcane Auditing Portal API gives you programmatic access to the full compliance workflow — disclosure cases, transaction reports, and activity logs — all scoped to the organization and application associated with your authenticated session. Every response you receive is bounded by your permissions; you cannot read data outside your organization or outside the applications you have been granted access to.

Authentication

The API uses session-based authentication from the Arcane portal. You must have an active portal session before calling any protected endpoint. All session and permission information is available from a single introspection endpoint:
GET /auth/me
This endpoint returns your current organization, your owner-level permissions, and a permission map for every application you can access. The response follows this structure:
{
  "organization_info": { "org_id": "org_...", "name": "Example Org" },
  "owner": { "applications:read": true },
  "applications": {
    "payments-demo": {
      "application_info": { "name": "Payments Demo" },
      "common": { "logs:view_activity": true },
      "administrator": { "cases:approve_creation": true },
      "auditor": { "reports:view_transactions": true }
    }
  }
}
The top-level key inside applications is the foreignId — a human-readable identifier for the application (for example, "payments-demo"). This same value is used as the :foreignId path segment in every application-scoped API route. You can determine which applications you may access, and what actions you may take within each, by reading your GET /auth/me response before issuing other requests.
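The following is an added example of how a client can consume the GET /auth/me response described above; it is not the portal's own client library. The response document is constructed to match the structure shown, with a second application added to illustrate a denied permission, and the base URL, the bucket names checked, and the helper names are assumptions.

```python
"""Discover accessible applications and permissions from a GET /auth/me response.

Added example, not part of the portal. The AUTH_ME document below is
constructed in the shape the docs show; helper names are assumptions.
"""
from urllib.parse import quote

# Constructed sample of a GET /auth/me response.  "ledger-demo" is added
# here to show a permission that is present but set to false.
AUTH_ME = {
    "organization_info": {"org_id": "org_example", "name": "Example Org"},
    "owner": {"applications:read": True},
    "applications": {
        "payments-demo": {
            "application_info": {"name": "Payments Demo"},
            "common": {"logs:view_activity": True},
            "administrator": {"cases:approve_creation": True},
            "auditor": {"reports:view_transactions": True},
        },
        "ledger-demo": {
            "application_info": {"name": "Ledger Demo"},
            "common": {"logs:view_activity": False},
            "auditor": {"reports:view_transactions": True},
        },
    },
}

# Permission buckets shown in the docs; any bucket may grant a permission.
BUCKETS = ("common", "administrator", "auditor")


def accessible_foreign_ids(auth_me):
    """foreignId values this session may use in /api/applications/:foreignId/*."""
    return sorted(auth_me.get("applications", {}))


def has_app_permission(auth_me, foreign_id, permission):
    """True only if some bucket for foreign_id explicitly grants `permission`.

    A missing application, missing bucket, missing key or a false value
    all count as denied, so nothing is granted by omission.
    """
    app = auth_me.get("applications", {}).get(foreign_id)
    if app is None:
        return False
    return any(app.get(bucket, {}).get(permission) is True for bucket in BUCKETS)


def has_owner_permission(auth_me, permission):
    """Owner-level check for organization-scoped /api/* routes."""
    return auth_me.get("owner", {}).get(permission) is True


def granted_permissions(auth_me, foreign_id):
    """Sorted union of permissions granted in any bucket for foreign_id."""
    app = auth_me.get("applications", {}).get(foreign_id, {})
    granted = set()
    for bucket in BUCKETS:
        granted.update(k for k, v in app.get(bucket, {}).items() if v is True)
    return sorted(granted)


def app_route(base_url, foreign_id, path):
    """Build an application-scoped URL.

    The foreignId is percent-encoded as a single path segment so a value
    containing "/" or ".." cannot turn into extra route segments.
    """
    base = base_url.rstrip("/")
    return f"{base}/api/applications/{quote(foreign_id, safe='')}/{path.lstrip('/')}"


if __name__ == "__main__":
    base = "https://compliance.example.com"  # assumed portal origin
    for fid in accessible_foreign_ids(AUTH_ME):
        print(fid, granted_permissions(AUTH_ME, fid))
        print("  ", app_route(base, fid, "disclosure-registry"))
```

Read the permission map once per session and derive navigation from it; the server still re-checks every request, so a client that skips this step only trades a UI hint for a 403.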

Base URL

All API routes are relative to your Arcane portal deployment. If your portal is hosted at https://compliance.example.com, then the disclosure registry endpoint for the payments-demo application is:
https://compliance.example.com/api/applications/payments-demo/disclosure-registry
There is no separate API subdomain — the portal UI and API share the same origin.

Route Structure

The API is organized into three route families:
Route prefix                      Scope          Description
/auth/*                           Session        Session identity and permission data
/api/*                            Organization   Endpoints scoped to your organization (owner-level)
/api/applications/:foreignId/*    Application    Endpoints scoped to a specific application
Use /auth/me to discover which foreignId values are available to you. Organization-scoped routes under /api/* require owner-level permissions. Application-scoped routes under /api/applications/:foreignId/* require at least one application permission bucket for that foreignId.

Permission Enforcement

All routes enforce access server-side. The portal UI uses your GET /auth/me response to shape navigation, but the API independently validates every request regardless of what the client sends. You cannot bypass permissions by modifying request headers, query parameters, or path segments.

For application-scoped routes, the server resolves :foreignId to an internal application ID using your authenticated organization. The internal ID is never exposed to you, and you cannot substitute one for another. If your session does not have a permission bucket for the requested foreignId, the server returns 403 before any data is read.

Case-level access adds further checks on top of application permissions. A case must belong to your organization and application, must be in an approved state, and, for auditors, you must be assigned to the case and within the access window defined by access_days.
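The checks above, modelled as an added example so the order of decisions and the resulting status codes can be reasoned about. This is not the portal's code: the record shapes, the in-memory registries, the rule that a session without an administrator bucket is treated as an auditor, the assumption that non-approved cases are refused rather than hidden, and the assumption that the access window starts on the assignment date and lasts access_days days are all mine.

```python
"""Model of the server-side authorization order described under Permission Enforcement.

Added example, not the portal's implementation.  Record types, sample data,
and the auditor/administrator and access-window rules are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Session:
    user: str
    org_id: str
    applications: dict  # foreignId -> {bucket: {permission: bool}}, as in /auth/me


@dataclass
class Application:
    internal_id: str  # never exposed to clients
    org_id: str
    foreign_id: str


@dataclass
class Case:
    case_id: str
    org_id: str
    application_internal_id: str
    state: str  # assumed values: "pending", "approved", "closed"
    assigned_auditors: dict = field(default_factory=dict)  # user -> assignment date
    access_days: int = 0


# Constructed data.  Two organizations both use the foreignId "payments-demo";
# resolution is keyed by (org_id, foreignId), so neither can reach the other's app.
APPLICATIONS = {
    ("org_a", "payments-demo"): Application("app_int_1", "org_a", "payments-demo"),
    ("org_b", "payments-demo"): Application("app_int_2", "org_b", "payments-demo"),
}
CASES = {
    "case-1": Case("case-1", "org_a", "app_int_1", "approved",
                   {"alice": date(2024, 1, 1)}, access_days=30),
    "case-2": Case("case-2", "org_b", "app_int_2", "approved",
                   {"alice": date(2024, 1, 1)}, access_days=30),
    "case-3": Case("case-3", "org_a", "app_int_1", "pending"),
}

# Constructed sessions: an auditor and an administrator in org_a.
AUDITOR_SESSION = Session("alice", "org_a", {
    "payments-demo": {"auditor": {"reports:view_transactions": True}}})
ADMIN_SESSION = Session("bob", "org_a", {
    "payments-demo": {"administrator": {"cases:approve_creation": True}}})


def resolve_application(session, foreign_id):
    """Resolve foreignId within the authenticated organization only."""
    return APPLICATIONS.get((session.org_id, foreign_id))


def authorize_case_read(session, foreign_id, case_id, today):
    """Return the HTTP status the described checks produce:
    200 allowed, 401 no session, 403 forbidden, 404 not visible."""
    if session is None:
        return 401
    buckets = session.applications.get(foreign_id)
    if not buckets:
        return 403  # no permission bucket for this foreignId: refused before any data is read
    app = resolve_application(session, foreign_id)
    if app is None:
        return 404  # foreignId is not an application of this organization
    case = CASES.get(case_id)
    if (case is None or case.org_id != session.org_id
            or case.application_internal_id != app.internal_id):
        return 404  # absent, or exists outside this org/application: not visible
    if case.state != "approved":
        return 403  # assumption: non-approved cases are refused, not hidden
    if "administrator" not in buckets:
        # Assumption: no administrator bucket means auditor rules apply.
        assigned_on = case.assigned_auditors.get(session.user)
        if assigned_on is None:
            return 403  # auditor not assigned to this case
        if today > assigned_on + timedelta(days=case.access_days):
            return 403  # assumed window: assignment date + access_days
    return 200


if __name__ == "__main__":
    print(authorize_case_read(AUDITOR_SESSION, "payments-demo", "case-1", date(2024, 1, 15)))
    print(authorize_case_read(AUDITOR_SESSION, "payments-demo", "case-2", date(2024, 1, 15)))
```

Note the distinction the model preserves: a case that exists in another organization is reported as 404, the same as a case that does not exist at all, while a case you can see but may not act on is 403. Keeping those two outcomes separate is what prevents the API from confirming the existence of other tenants' data.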

Error Responses

HTTP status   Meaning
400           The request body or parameters are invalid. Check the field names and formats described in each endpoint's documentation.
401           Your session is missing or expired. Re-authenticate through the portal.
403           Your session is valid but your account does not have the required permission for this action.
404           The resource does not exist, or it exists outside your organization/application scope and is not visible to you.

A 404 is returned in both of the last two cases, so the response does not reveal whether a resource exists in another organization or application.

API Reference Pages

Disclosure API

Create, approve, close, and withdraw disclosure case requests.

Reports API

Generate, list, and download compliance transaction reports.

Activity Log API

Query and export the tamper-evident compliance activity log.