Data Theorem Portal API

Programmatic access to Mobile Apps information and scan results

Data Theorem Integrations

Jira Integration

Data Theorem issues can be automatically pushed to a Jira server. Please click here for more details about the Jira Integration.

Data Theorem APIs

There are currently three APIs available:

  • The Management API, which provides access to data related to users registered with your Data Theorem account.
  • The Results API, which provides access to the list of all mobile Apps registered within your Data Theorem account and the list of security issues found during the scans.
  • The Upload API, which can be used to upload PreProd mobile binaries directly to Data Theorem for scanning. For better integration with your developer teams’ workflow, it is usually better to use existing mobile beta-testing tools such as HockeyApp for sending builds, instead of the Upload API.

General Consideration


You should always access the API over HTTPS from

All data is sent as JSON.


All requests must be authenticated using the corresponding API key:

  • The Upload API key only allows uploading mobile builds to Data Theorem; it does not give access to any of the data.
  • Other API keys can work across several APIs. However, these will not work with the Upload API.

The Upload API Key will be accessible by all users. All other API keys can be retrieved and managed by users with a role of Manager in the Data Theorem portal, at within the “API Access” section.

To create a new key, click on the “Create API Key” button within the “API Access” section of the SecDevOps page. Next, configure the API key on the Create API Key page. The name field allows an API key to be easily identifiable. The rest of the parameters will have to be set depending on the use case of the API key. When the API key is saved, the Edit API Key page will load with the actual generated key.

API keys can be customized for specific circumstances. For example, an API key can be configured to access a select number of apps through the Results API. Additionally, an API key can have its access to any API revoked.

Unauthenticated requests will receive a 401 Unauthorized response.


All dates are formatted in UTC.

Rate Limiting

There is no rate limiting enforced at the moment, but we might add a per-day limit later if needed.

Reference Client

A Python client/library for accessing the API is available at