API reference
REST. JSON in, JSON out. Token auth.
Base URL
All endpoints below are rooted at {PUBLIC_URL}/api/v1.
Authentication
Generate an API key under Settings > API keys (/settings/api-keys) in the UI. Keys are formatted mlab_ + a unique identifier. Send the key in the Authorization header using the token scheme:
curl -H "Authorization: token mlab_a1b2c3d4e5f6" \ https://tprm.example.com/api/v1/providers
GET requests. POST, PUT, PATCH and DELETE require the Licensed tier and return 403 otherwise.
Errors
Standard HTTP codes. Body is { "error": "code", "message": "human-readable", "details": {...} }.
| Code | Meaning |
|---|---|
400 | Validation error — see details. |
401 | Missing or invalid token. |
403 | Token lacks the required role, or write attempted on Free tier. |
404 | Entity doesn't exist (or you can't see it). |
422 | Underlying SQL/constraint error surfaced from the write. |
423 | License grace period exceeded — org locked, read-only. |
429 | Rate limit; retry after Retry-After seconds. |
Providers
GET /providers — list ICT third-party providers
Filter: ?criticality=critical&status=active&cursor=.... Returns a paginated list.
POST /providers — register a provider (Licensed)
{
"name": "Acme Cloud",
"category": "cloud",
"criticality": "critical",
"lei": "000000EXAMPLE0000191",
"id_code_type": "eba_qCO:x1",
"person_type": "legal",
"country": "IE",
"service": "SaaS — core banking"
}
Returns { "id": "tp_01HZ...", "eba": "B_05.01 ready" }.
GET /providers/{uuid}
Returns the full provider record, including contracts, assessments, exit strategy and incidents.
Contracts
GET /contracts · POST /contracts (Licensed)
Contracts feed templates B_02.01, B_02.02, B_03.01, B_03.03 and B_04.01. The contract_reference field is mandatory and unique.
{
"provider_id": "tp_01HZ...",
"contract_reference": "CTR-2026-0042",
"arrangement_type": "eba_CO:x10",
"currency": "eba_CU:EUR",
"annual_cost": 120000,
"start_date": "2026-01-01",
"end_date": "2028-12-31"
}
Risk assessments
GET /assessments · POST /assessments (Licensed)
Overall score 1–100 plus per-category scores (operational, security, compliance, financial, concentration). Feeds B_07.01.
Third-party incidents
GET /incidents · POST /incidents (Licensed)
Body: { "provider_id": "tp_...", "severity": "high", "status": "open", "impact": "...", "occurred_at": "2026-06-02" }.
Other resources
| Resource | Endpoints | Feeds |
|---|---|---|
| Exit strategies | /exit-plans | Art. 30 / derived plan existence |
| Business functions | /functions | B_06.01 |
| Supply chains | /subcontractors | B_05.02 |
| Due diligence | /due-diligence | Art. 28(4) |
| Audits | /audits | Art. 28(5-6) |
| Art. 30 checklist | /article30 | Art. 30(2)/(3) |
| Reporting entity | /entity | B_01.01 |
| Scope entities | /scope-entities | B_01.02 |
| Branches | /branches | B_01.03 |
| Intra-group links | /intra-group | B_02.03 |
EBA export
GET /eba/templates/{code}
Returns the rows for a single template (e.g. B_05.01) with controlled eba_* codes resolved.
POST /eba/validate (Licensed)
Runs referential, format, mandatory-field and uniqueness checks. Returns an errors/warnings/infos report per template.
GET /eba/package (Licensed)
Streams the deposit-ready xBRL-CSV .zip. See EBA export for the package structure.
Healthcheck
GET /healthz returns {"status":"ok","db":"ok","ch":"ok","license":"licensed","grace_h":0}. Unauthenticated. Use it for your monitoring probes.