The Public API Settings module enables secure external access to the Shift Left API platform for CI/CD pipelines, automation tools, and third-party integrations. It allows administrators to control API exposure, enforce security policies, and manage usage limits.
## API Access Information
| Item | Value |
|---|---|
| Swagger UI | http://app.totalshiftleft.ai/api-docs |
| Base URL | http://app.totalshiftleft.ai/api/v1 |
| API Version | v1 (read-only) |
Swagger UI provides interactive documentation where users can explore endpoints, request formats, and responses.
## General Settings
### Enable Public API
Toggle this setting to allow external systems to interact with the platform programmatically.
⚠️ Disable this setting when API integration is not required, to reduce the attack surface.
### Rate Limiting
Rate limiting protects the system from misuse or excessive requests.
| Setting | Value |
|---|---|
| Max Requests Per Minute | 100 |
| Max Requests Per Hour | 1000 |
When enabled, the platform throttles requests that exceed these limits to maintain performance and stability.
## Authentication
### Public API Token Expiry
Recommended: 7 Days
Defines how long generated API tokens remain valid.
Shorter durations increase security by limiting token exposure.
### Allowed Roles
Only users with these roles can generate and use Public API tokens:
- Administrator
- Tester
- Contributor
- Reader
Role restrictions ensure API access aligns with organizational permissions.
## CORS (Cross-Origin Resource Sharing)
| Setting | Description |
|---|---|
| Enable CORS | Allows API requests from web applications hosted on different domains |
| Allowed Origins | * (all) or specific comma-separated URLs |
⚠️ Security Warning: Using `*` is convenient but less secure. In production, specify trusted domains only.
## Available Endpoints
| Method | Endpoint | Purpose |
|---|---|---|
| POST | /api/v1/login | Authentication |
| GET | /api/v1/health | System health check |
| GET | /api/v1/test-packs | List test packs |
| GET | /api/v1/test-packs/{packId} | Get pack details |
| POST | /api/v1/test-packs/{packId}/run | Trigger test execution |
| GET | /api/v1/test-packs/{packId}/status | Execution status |
| GET | /api/v1/test-packs/{packId}/results | Test results |
| GET | /api/v1/test-packs/{packId}/history | Execution history |
These endpoints enable automation of authentication, test execution, monitoring, and reporting workflows.
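The following client walks the endpoints in the table above in the order a CI/CD job would use them: log in, trigger a test pack run, poll its status, then fetch results, backing off when the rate limiter throttles a request. It is an added example, not code from the Shift Left product; the bearer-token header, the JSON body shapes (`{"token": ...}`, `{"state": ...}`), HTTP 429 as the throttling response, and the fake server used to run it offline are all assumptions not stated on this page.

```python
import time
BASE_URL = "http://app.totalshiftleft.ai/api/v1"  # Base URL from the table above

class ShiftLeftClient:
    def __init__(self, transport, sleep=time.sleep, max_retries=5):
        # transport(method, url, headers, body) -> (status, json_dict); injectable for offline use
        self.transport, self.sleep, self.max_retries = transport, sleep, max_retries
        self.token = None
    def _request(self, method, path, body=None):
        headers = {"Authorization": f"Bearer {self.token}"} if self.token else {}  # assumed scheme
        for attempt in range(self.max_retries):
            status, data = self.transport(method, BASE_URL + path, headers, body)
            if status == 429:  # throttled by the rate limiter: back off instead of retrying hot
                self.sleep(2 ** attempt)
                continue
            if status >= 400:
                raise RuntimeError(f"{method} {path} -> HTTP {status}")
            return data
        raise RuntimeError(f"{method} {path}: still rate limited after {self.max_retries} tries")
    def login(self, username, password):
        # Token lifetime is bounded by the Public API Token Expiry setting; keep it in memory only
        self.token = self._request("POST", "/login", {"username": username, "password": password})["token"]
    def run_and_wait(self, pack_id, max_polls=60):
        self._request("POST", f"/test-packs/{pack_id}/run")
        for _ in range(max_polls):
            state = self._request("GET", f"/test-packs/{pack_id}/status")["state"]
            if state in ("completed", "failed"):
                return state, self._request("GET", f"/test-packs/{pack_id}/results")
            self.sleep(5)
        raise TimeoutError(f"pack {pack_id} did not finish after {max_polls} polls")

def make_fake_transport():
    # Constructed fake server: 429 on the first run call, "running" twice, then "completed"
    calls = {"run": 0, "status": 0}
    def transport(method, url, headers, body):
        path = url[len(BASE_URL):]
        if path == "/login":
            return 200, {"token": "demo-token"}  # constructed token value
        if path.endswith("/run"):
            calls["run"] += 1
            return (429, {}) if calls["run"] == 1 else (202, {"runId": "run-1"})
        if path.endswith("/status"):
            calls["status"] += 1
            return 200, {"state": "running" if calls["status"] < 3 else "completed"}
        return (200, {"passed": 12, "failed": 0}) if path.endswith("/results") else (404, {})
    return transport

def demo():
    client = ShiftLeftClient(make_fake_transport(), sleep=lambda s: None)  # skip real sleeps
    client.login("ci-bot", "example-password")
    return client.run_and_wait("pack-42")  # -> ("completed", {"passed": 12, "failed": 0})
```

Against the real service, replace the fake transport with one that issues HTTP requests and returns the status code and decoded JSON; the retry, polling, and token handling stay the same.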
## Best Practices
- Enable API only when integration is required
- Use strict rate limits in production
- Restrict roles to minimum required
- Rotate API tokens periodically
- Avoid using wildcard CORS in enterprise environments
## Summary
The Public API Settings module enables secure, scalable integration between Shift Left API and external systems. With configurable authentication, rate limiting, and CORS policies, organizations can automate testing workflows while maintaining control and security.