LiteSOC API Reference

Complete guide to integrate security observability

LiteSOC provides two primary APIs for comprehensive security observability:

Using an AI Editor?

Paste into Cursor or Claude to generate your integration code instantly.

Event Collection API

Ingestion

Send security events from your application to LiteSOC for analysis and threat detection.

POST /collect endpoint
26 standard event types
Auto geo-IP enrichment

Management API

Operations

Query events, manage alerts, and integrate with automation tools like n8n.

GET /events endpoint
GET/PATCH /alerts PRO
Forensics & enrichment data

Standard Events

<50ms

API Latency

Official SDKs

99.9%

Uptime SLA

Code Examples & Testing Tools

Browse examples in JavaScript, Python, cURL, and more on GitHub

View on GitHub

Authentication

All API requests require authentication using an API key. Include your API key in theX-API-Keyheader with every request.

Required Header

X-API-Key: lsoc_your_api_key_here

Where to find your API key

Go to Dashboard → Settings → API to generate or copy your API key. Keys start with lsoc_.

Base URL

All API requests should be made to the following base URL:

https://api.litesoc.io

Browser Security (CORS)

For security reasons, LiteSOC restricts browser-side API requests to authorized domains only. This prevents unauthorized websites from making API calls using your API key.

Server-Side Integrations Are Not Affected

CORS restrictions only apply to browser-side requests. Server-side integrations using Node.js, Python, PHP, Go, Ruby, cURL, or any other backend technology are not affected and will work without configuring authorized origins.

Setup Instructions

Configure authorized origins in 3 easy steps

Go to Settings

Navigate to Dashboard → Settings → General

Add Your Domain

In the Authorized Origins section, enter your domain including the protocol. You can use exact URLs or wildcard subdomains.

https://app.mydomain.comhttps://*.mydomain.com (matches all subdomains)

Save Changes

Click "Save Origins" to apply your changes immediately.

Plan Limits

Number of authorized origins per plan

Free

Pro

∞

Enterprise

✨ Wildcard Subdomains

Pro and Enterprise users can use wildcard patterns like https://*.yourdomain.com to authorize all subdomains at once.

Common CORS Error

If you receive a 403 Forbiddenerror with the message "Origin not authorized", add your domain to the Authorized Origins list in Settings.

Note: The following origins are always allowed for testing:

https://127.0.0.1:3000
http://localhost:3000

Install our SDKs

The fastest way to integrate LiteSOC. Our official SDKs provide a unified interface for both the Event Collection API and Management API, with automatic batching, retries, and type-safe methods.

Event Collection

track() methods for sending security events

Management API

getEvents(), getAlerts() for querying data

For detailed usage, advanced configuration, and more examples, visit our GitHub repositories:

Node.js SDK Python SDK PHP SDK

Installation

bash

npm install litesoc

Event Collection API

Send security events to LiteSOC

typescript

import { LiteSOC } from 'litesoc';

const litesoc = new LiteSOC('YOUR_API_KEY');

// Track events with the generic track() method
await litesoc.track('auth.login_failed', {
  actor: 'user_123',         // or { id: 'user_123', email: '...' }
  actorEmail: 'user@example.com',
  userIp: request.ip,        // Required for Behavioral AI
  metadata: { reason: 'invalid_password' }
});

// Or use convenience methods
await litesoc.trackLoginSuccess('user_123', { userIp: request.ip });
await litesoc.trackPrivilegeEscalation('admin_user');
await litesoc.trackSensitiveAccess('user_123', 'customer_pii_table');

// Events are automatically batched - flush before exit
await litesoc.flush();

Management APIPRO+

Query events and manage alerts programmatically

typescript

// Fetch recent security events
const { data: events, metadata } = await litesoc.getEvents({
  limit: 50,
  severity: 'critical',
  eventName: 'auth.login_failed'
});
console.log(`Plan: ${metadata.plan}, Retention: ${metadata.retentionDays} days`);

// Get a single event by ID
const { data: event } = await litesoc.getEvent('evt_abc123');

// List active alerts (Pro+ only)
const { data: alerts } = await litesoc.getAlerts({
  status: 'open',
  severity: 'critical'
});

// Get a single alert by ID (Pro+ only)
const { data: alert, metadata } = await litesoc.getAlert('alt_abc123');
console.log(`Alert: ${alert.title} (${alert.status})`);

// Resolve an alert (alertId, resolutionType, notes?)
// resolutionType: 'blocked_ip' | 'reset_password' | 'contacted_user' | 'false_positive' | 'other'
await litesoc.resolveAlert('alt_abc123', 'blocked_ip', 'IP blocked in firewall');

// Mark alert as safe (false positive)
await litesoc.markAlertSafe('alt_def456', 'Expected behavior from CI/CD pipeline');

Quick Start

Send your first security event in under a minute:

Get your API key

Copy your key from Dashboard → Settings → API

Send an event

POST to the collect endpoint:

Endpoint

POST https://api.litesoc.io/collect

View in Dashboard

Events appear in real-time on your dashboard

Event Collection API

Send security events to LiteSOC for analysis

Ingestion Endpoint

The Event Collection API is designed for high-volume event ingestion. Events are processed asynchronously and enriched with geo-IP, network intelligence, and threat scoring.

Use this API to send authentication events, admin actions, data access logs, and security incidents from your application. LiteSOC will automatically normalize, enrich, and analyze each event for potential threats.

Event Collection Endpoint

All API requests should be made to the following base URL:

Available Endpoints

Endpoint	Method	Purpose	Plan
/collect	POST	Ingest security events	All

Error Responses

Code	Status	Description
202	Accepted	Event queued for processing (production mode)
201	Created	Event directly inserted (debug mode only)
400	Bad Request	Invalid JSON or validation error
401	Unauthorized	Missing or invalid API key
403	Forbidden	Origin not authorized (CORS) or monthly quota exceeded
429	Too Many Requests	Rate limit exceeded, retry after cooldown
500	Internal Server Error	Unexpected server error
503	Service Unavailable	Event ingestion temporarily paused for maintenance

Example Responses

JSON

{
  "status": "queued",
  "quota": {
    "remaining": 4999,
    "limit": 5000
  }
}

POST /collectIngestion

Send a single security event to LiteSOC. Events are processed asynchronously and appear in your dashboard within seconds.

Endpoint

POST https://api.litesoc.io/collect

💡 First time here?Here's a complete example you can copy and run:

bash

# Replace YOUR_API_KEY with your actual key from the dashboard
# This sends a test login event

curl -X POST https://api.litesoc.io/collect \
  -H "Content-Type: application/json" \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{
    "event": "auth.login_success",
    "actor": {
      "id": "test_user_123",
      "email": "test@example.com"
    },
    "user_ip": "203.0.113.50",
    "metadata": {
      "method": "password",
      "test": true
    }
  }'

Request Headers

Header	Value	Required
Content-Type	application/json	Yes
X-API-Key	lsoc_your_api_key	Yes

Batch Ingestionv2.5+

Send up to 100 events in a single HTTP request by wrapping them in an events array. The server uses Redis pipelining so the entire batch costs one Upstash request unit instead of N — dramatically reducing latency and ingestion costs for high-volume workloads.

Performance note: Quota is reserved atomically for the full batch, and the rate-limit counter increments by the batch size — so batching cannot bypass per-event limits.

Same endpoint, new body shape

Single event (existing)

POST https://api.litesoc.io/collect{ "event": "auth.login_success", "actor": { … }, … }

Batch (new in v2.5)

POST https://api.litesoc.io/collect{ "events": [ { "event": "auth.login_success", … }, { "event": "data.export", … } ] }

Batch Body Schema

Field	Type	Required	Description
events	array	Yes	Array of event objects. Min 1, max 100.
events[].event	string	Yes	Event name (e.g. `auth.login_failed`).
events[].actor	object	No	`{ id, email }` — same as single-event.
events[].user_ip	string	No*	Per-event end-user IP. Required for Behavioral AI features.
events[].metadata	object	No	Arbitrary key-value metadata for the event.

Batch Response (202)

json

{
  "status": "queued",
  "queued": 3,
  "quota": {
    "remaining": 49997,
    "limit": 50000
  }
}

SDK Examples

typescript

import { LiteSOC } from 'litesoc-node';

const litesoc = new LiteSOC({ apiKey: process.env.LITESOC_API_KEY! });

// Track up to 100 events in ONE HTTP request
const { queued } = await litesoc.trackBatch([
  {
    eventName: 'auth.login_success',
    actor: { id: user.id, email: user.email },
    userIp: clientIp,
  },
  {
    eventName: 'data.export',
    actor: user.id,
    userIp: clientIp,
    metadata: { rows: 500, table: 'orders' },
  },
  {
    eventName: 'admin.settings_changed',
    actor: adminId,
    userIp: adminIp,
    metadata: { field: 'mfa_required', old: false, new: true },
  },
]);

console.log(`${queued} events accepted`);

Raw API Examples

For Go, Ruby, Rust, or other languages without an official SDK, use the raw HTTP API. All examples show how to properly extract and forward the end-user's IP address.

bash

# ================================================
# LiteSOC API - cURL Example
# ================================================
# This example shows how to send a security event
# Replace YOUR_API_KEY with your actual API key
# ================================================

curl -X POST https://api.litesoc.io/collect \
  -H "Content-Type: application/json" \
  -H "x-api-key: lsoc_your_api_key_here" \
  -d '{
    "event": "auth.login_success",
    "actor": {
      "id": "user_123",
      "email": "user@example.com"
    },
    "user_ip": "203.0.113.50",
    "metadata": {
      "method": "password",
      "browser": "Chrome"
    }
  }'

Payload Schema

The request body must be a JSON object with the following structure:

Request Body Fields

Field	Type	Required	Description
event	string	Yes	Event type. Must start with a letter, only alphanumeric, dots, underscores, hyphens allowed. Max 255 chars.
actor	object \| null	Optional	User who performed the action
actor.id	string	Recommended	Unique user ID from your system
actor.email	string	Optional	User's email address
user_ip	string \| null	Critical	End-user's IP address (IPv4 or IPv6) for geo-detection
ip	string \| null	Optional	Alias for `user_ip`. If both provided, `user_ip` takes precedence.
metadata	object \| null	Optional	Additional context data. Max 50 keys, 64KB total size.

Complete Example

JSON

{
  "event": "auth.login_success",
  "actor": {
    "id": "user_abc123",
    "email": "user@example.com"
  },
  "user_ip": "203.0.113.50",
  "metadata": {
    "method": "password",
    "mfa_used": true,
    "browser": "Chrome",
    "os": "macOS",
    "source": "main-website",
    "environment": "production"
  }
}

Critical: user_ip Field

The user_ipfield is essential for accurate geo-location, impossible travel detection, and brute force analysis. Without it, all events will appear to originate from your server's location.

Tracking Multiple Websites or Services?

If your organization runs more than one website, app, or service under the same API key, add source and environmentkeys to every event's metadata object. This lets you filter and identify which asset an alert originated from directly in your activity feed.

"metadata": { "source": "admin-portal", "environment": "production" }

Recommended values for environment: production, staging, development.

Coming Soon: Multi-Project Support

In the next phase, each organization will be able to create multiple API keys — one per website, app, or service — making it effortless to isolate events, alerts, and reports by project without any manual tagging.

Free

1 Project

Pro

3 Projects

Enterprise

Unlimited

Standard Events

LiteSOC defines 26 standard security events organized into 5 categories. Events marked as criticaltrigger instant alerts on all plans.

auth.login_success

User successfully authenticated

info

auth.login_failed

Failed authentication attempt

warning

auth.logout

User session ended

info

auth.password_reset

Password reset requested or completed

info

auth.mfa_enabled

Multi-factor authentication activated

info

auth.mfa_disabled

Multi-factor authentication deactivated

warning

auth.session_expired

User session timed out

info

auth.token_refreshed

Authentication token renewed

info

authz.access_denied⚡ Instant Alert

User denied access to a resource

critical

authz.role_changed⚡ Instant Alert

User role or permissions modified

critical

authz.permission_granted

New permission assigned to user

info

authz.permission_revoked

Permission removed from user

warning

admin.user_created

New user account created

info

admin.user_deleted

User account removed

warning

admin.user_suspended

User account temporarily disabled

warning

admin.privilege_escalation⚡ Instant Alert

User gained elevated permissions

critical

admin.settings_changed

System or organization settings modified

info

admin.api_key_created

New API key generated

info

admin.api_key_revoked

API key disabled or deleted

warning

data.export

Data exported from the system

info

data.bulk_delete⚡ Instant Alert

Large-scale data deletion

critical

data.sensitive_access⚡ Instant Alert

Access to sensitive or private data

critical

security.suspicious_activity⚡ Instant Alert

Anomalous or suspicious behavior detected

critical

security.rate_limit_exceeded

API rate limit hit

warning

security.ip_blocked

IP address blocked due to suspicious activity

warning

security.brute_force_detected⚡ Instant Alert

Multiple failed login attempts from same source

critical

IP Address Tracking

Important: Forward the End-User's IP

For accurate Geo-IP location and Impossible Travel detection, you must forward the end-user's real IP address in the user_ip field.

If you don't send user_ip, we'll use your server's IP as fallback, which means all users will appear to be in the same location.

IP Field Reference

Field	Source	Used For
user_ip	You send this (recommended)	Geo-IP, Impossible Travel, Brute Force
ip	Alias for `user_ip`	Same as user_ip (fallback if user_ip not set)
server_ip	Auto-detected from headers	Audit trail, fallback if no user_ip

IP Fallback Chain

If user_ip is not provided, we use ip as fallback. If neither is set, we fall back to server_ip(auto-detected from your server's request).

How to Extract User IP

Most web frameworks provide helpers, but behind a reverse proxy (nginx, Cloudflare, AWS ALB), you need to check headers in order of priority:

JavaScript

// Common pattern for extracting real user IP
function getUserIP(request) {
  return (
    // Standard proxy header (nginx, AWS ALB, most proxies)
    request.headers['x-forwarded-for']?.split(',')[0]?.trim() ||
    // Cloudflare-specific header
    request.headers['cf-connecting-ip'] ||
    // Alternative proxy header
    request.headers['x-real-ip'] ||
    // Direct connection (no proxy)
    request.connection?.remoteAddress ||
    '127.0.0.1'
  );
}

Server IP Auto-Detection

The server_ip field is automatically populated from request headers in this order:

x-forwarded-for (first IP in the chain)
cf-connecting-ip (Cloudflare)
x-real-ip (nginx/other proxies)
Falls back to 127.0.0.1 if none found

Event Normalizer

LiteSOC accepts 60+ legacy event formats and automatically normalizes them to our 26 standard events. This means you can migrate from existing logging systems without changing your event names.

Example Normalizations

Send any of these formats—they'll be normalized automatically

user.login.failedauth.login_failed

permission.deniedauthz.access_denied

privilege.escalationadmin.privilege_escalation

rate_limit.exceededsecurity.rate_limit_exceeded

session.expiredauth.session_expired

user.bannedadmin.user_suspended

Unrecognized Events

Events that don't match our standard prefixes (auth.,admin., authz.,data., security.) are still accepted and logged, but flagged with unrecognized_format: true in metadata.

Management API

Retrieve and manage security data

Operations & Automation

The Management API is designed for querying events, managing alerts, and integrating with automation tools like n8n. Perfect for building custom security workflows and dashboards.

Use this API to programmatically read events and alerts, automate workflows, and integrate LiteSOC with tools like n8n, Zapier, or your own scripts. For n8n-specific setup and workflow examples, see the n8n Integration Guide.

Authentication Required

Include your API key in the X-API-Key header with every request.

Available Endpoints

The Management API provides the following endpoints for querying events and managing alerts. Endpoints marked with PRO+ require a Pro or Enterprise subscription.

Endpoint	Method	Description	Plan
/events	GET	Fetch raw event logs with filters	All
/events/:id	GET	Retrieve a single event by ID	All
/alerts	GET	List & filter security alerts	PRO+
/alerts/:id	GET	Retrieve a single alert by ID	PRO+
/alerts/:id	PATCH	Resolve or mark alert as safe	PRO+

All PlansEvents API

Query and retrieve security events. Available to all plans with retention limits (7 days Free, 30 days Pro, 90 days Enterprise).

PRO+Alerts API

Manage security alerts programmatically. Resolve alerts, mark as safe, and integrate with automation workflows like n8n.

Response Headers

Every Management API response includes these custom headers for transparency and debugging.

Header	Description	Example Value
X-LiteSOC-Plan	Your current subscription tier	pro
X-LiteSOC-Retention	Data retention window for your plan (in days)	30 days
X-LiteSOC-Cutoff	ISO timestamp of your oldest accessible log	2025-01-29T10:30:00.000Z
X-RateLimit-Limit	Maximum requests per minute	100
X-RateLimit-Remaining	Requests remaining in current window	99
Retry-After	Seconds to wait if rate limited (429 only)	60

Error Responses

All Management API endpoints return consistent error responses. Understanding these error codes will help you build robust integrations and handle edge cases gracefully.

Error Response Format

All errors follow a standard JSON structure:

JSON

{
  "success": false,
  "error": {
    "code": "ERROR_CODE",
    "message": "Human-readable error description",
    "details": { ... }  // Optional: additional context
  }
}

HTTP Status Codes

Status	Code	Description
200	OK	Request succeeded. Response body contains requested data.
400	BAD_REQUEST	Invalid request parameters or malformed request body.
401	UNAUTHORIZED	Missing or invalid API key in `X-API-Key` header.
403	FORBIDDEN	Valid API key but insufficient permissions (e.g., Free tier accessing Pro features).
403	RETENTION_EXPIRED	Resource exists but is outside your plan's retention window.
404	NOT_FOUND	Requested resource doesn't exist or belongs to another organization.
429	RATE_LIMIT_EXCEEDED	Too many requests. Wait and retry after the `Retry-After` duration.
500	INTERNAL_ERROR	Server error. Contact support if this persists.

Common Error Examples

401 Unauthorized

JSON

{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Missing or invalid API key"
  }
}

403 Forbidden (Plan Restriction)

JSON

{
  "success": false,
  "error": {
    "code": "PLAN_REQUIRED",
    "message": "Alerts API is blocked for Free tier",
    "details": {
      "required_plan": "pro",
      "current_plan": "free",
      "upgrade_url": "https://www.litesoc.io/pricing"
    }
  }
}

403 Retention Expired

JSON

{
  "success": false,
  "error": {
    "code": "RETENTION_EXPIRED",
    "message": "Event expired based on your plan retention.",
    "details": {
      "event_age_days": 15,
      "plan_retention_days": 7,
      "upgrade_url": "https://www.litesoc.io/pricing"
    }
  }
}

429 Rate Limit Exceeded

JSON

{
  "success": false,
  "error": {
    "code": "RATE_LIMIT_EXCEEDED",
    "message": "Rate limit exceeded. Maximum 60 requests per minute.",
    "retry_after": 45
  }
}

Check the Retry-After response header for seconds until you can retry.

Best Practices

Always check the success field before processing response data
Implement exponential backoff for 429 and 5xx errors
Log the full error response for debugging
Handle RETENTION_EXPIRED gracefully in n8n workflows

GET /events

Fetch security events from your organization. Access is tiered based on your subscription plan.

Tiered Access

Plan	Limit	Pagination	Notes
Free	100 per request	Enabled	7-day retention, forensics redacted
Pro	100 per request	Enabled	30-day retention, full forensics
Enterprise	100 per request	Full historical	90-day retention, full forensics

Query Parameters

Parameter	Type	Description
event_name	string	Filter by event type (e.g., auth.login_failed)
actor_id	string	Filter by actor ID
severity	string	Filter by severity: critical, warning, info (auto-assigned by LiteSOC)
limit	number	Results per page (max 100)
offset	number	Pagination offset

Response Structure

The response includes the events array, pagination info, and metadata:

JSON

{
  "success": true,
  "data": [
    {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "event_name": "auth.login_success",
      "severity": "info",
      "actor_id": "user_abc123",
      "user_ip": "203.0.113.50",
      "server_ip": "10.0.0.1",
      "country_code": "US",
      "city": "San Francisco",
      "is_vpn": false,
      "is_tor": false,
      "is_proxy": false,
      "is_datacenter": false,
      "latitude": 37.7749,
      "longitude": -122.4194,
      "metadata": { ... },
      "created_at": "2024-01-15T10:30:00Z"
    }
  ],
  "pagination": {
    "total": 150,
    "limit": 50,
    "offset": 0,
    "has_more": true
  },
  "meta": {
    "plan": "pro",
    "retention_days": 30,
    "cutoff_date": "2024-01-01T00:00:00Z",
    "redacted": false,
    "max_limit": 100
  }
}

Event Object Fields

Each event object in the data array includes:

Field	Type	Description
id	string	Unique event identifier (UUID)
event_name	string	Event type (e.g., auth.login_success)
severity	string	Auto-assigned by LiteSOC: critical, warning, or info
actor_id	string \| null	User who performed the action
user_ip	string \| null	End-user's IP address (from your request)
server_ip	string \| null	Your server's IP address (auto-detected)
country_code	string \| null	ISO country code (e.g., US, GB)
city	string \| null	City name from geo-IP lookup
is_vpn	boolean \| null	Whether IP is from a VPN Pro+
is_tor	boolean \| null	Whether IP is a Tor exit node Pro+
is_proxy	boolean \| null	Whether IP is from a proxy Pro+
is_datacenter	boolean \| null	Whether IP is from a datacenter Pro+
latitude	number \| null	GPS latitude coordinate Pro+
longitude	number \| null	GPS longitude coordinate Pro+
metadata	object	Additional event context (includes network_intelligence, geolocation)
created_at	string	ISO 8601 timestamp

Pagination Object

Field	Type	Description
total	number	Total number of events matching the query
limit	number	Number of events per page (max 100)
offset	number	Current pagination offset
has_more	boolean	Whether more results exist beyond current page

Severity is Auto-Assigned

LiteSOC automatically assigns severity based on event type. Critical: privilege_escalation, bulk_delete, suspicious_activity, brute_force_detected, role_changed, access_denied, sensitive_access. Warning: login_failed, mfa_disabled, user_deleted, user_suspended, rate_limit_exceeded, ip_blocked, permission_revoked. Info: all other events. This field cannot be set during ingestion.

Retention Filtering

Results are strictly filtered by your plan's retention period: 7 days (Free), 30 days (Pro), or 90 days (Enterprise). Data outside your retention window is not accessible.

GET /events/:id

Retrieve a single security event by its unique identifier. Useful for fetching detailed information about a specific event or for audit trail purposes.

Path Parameters

Parameter	Type	Description
id	string (UUID)	The unique event identifier

Example Request

cURL

curl -X GET "https://api.litesoc.io/events/550e8400-e29b-41d4-a716-446655440000" \
  -H "X-API-Key: YOUR_API_KEY"

Response Structure

Returns the event wrapped in a standard response object:

JSON

{
  "success": true,
  "data": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "event_name": "auth.login_success",
    "severity": "info",
    "actor_id": "user_abc123",
    "user_ip": "203.0.113.50",
    "server_ip": "10.0.0.1",
    "country_code": "US",
    "city": "San Francisco",
    "is_vpn": false,
    "is_tor": false,
    "is_proxy": false,
    "is_datacenter": false,
    "latitude": 37.7749,
    "longitude": -122.4194,
    "metadata": { ... },
    "created_at": "2024-01-15T10:30:00Z"
  },
  "meta": {
    "plan": "pro",
    "retention_days": 30,
    "redacted": false
  }
}

Same Event Fields

The event object in data contains the same fields as events in the list endpoint. See GET /events for field details.

Retention Policy

If an event exists but falls outside your retention window (7 days Free, 30 days Pro, 90 days Enterprise), you'll receive a 403 RETENTION_EXPIRED error with details about the event age and upgrade options.

GET /alertsPro+

Pro & Enterprise Only

Alerts API is blocked for Free tier. Automation is a paid feature.Upgrade your plan →

Fetch security alerts with optional filters for status and severity.

Query Parameters

Parameter	Type	Values
status	string	open, acknowledged, resolved, dismissed
severity	string	critical, high, medium, low (auto-assigned by LiteSOC)
alert_type	string	impossible_travel, brute_force_attack, geo_anomaly, new_device, privilege_escalation, data_exfiltration, suspicious_activity, rate_limit_exceeded
limit	number	Pro: max 200, Enterprise: max 500
offset	number	Pagination offset

Response Fields

Each alert object in the response includes:

Field	Type	Description
id	string	Unique alert identifier (UUID)
alert_type	string	Type of alert (brute_force_attack, impossible_travel, etc.)
severity	string	Auto-assigned by LiteSOC: critical, high, medium, or low
status	string	Current status: open, acknowledged, resolved, dismissed
title	string	Human-readable alert title
description	string \| null	Detailed description of the alert
source_ip	string \| null	IP address that triggered the alert
actor_id	string \| null	User associated with the alert
metadata	object	Additional alert context and evidence
resolved_at	string \| null	ISO 8601 timestamp when alert was resolved
resolved_by	string \| null	User ID who resolved the alert
created_at	string	ISO 8601 timestamp when alert was created
updated_at	string	ISO 8601 timestamp when alert was last updated

Severity is Auto-Assigned

Alert severity is automatically assigned by LiteSOC's security engine based on threat analysis. This ensures consistent classification and cannot be overridden during ingestion.

GET /alerts/:idPro+

Retrieve a single alert by its unique identifier. Useful for fetching detailed information about a specific alert or for audit trail purposes.

Pro & Enterprise Only

This endpoint requires a Pro or Enterprise subscription.

Path Parameters

Parameter	Type	Description
id	string (UUID)	The unique alert identifier

Example Request

cURL

curl -X GET "https://api.litesoc.io/alerts/550e8400-e29b-41d4-a716-446655440000" \
  -H "X-API-Key: YOUR_API_KEY"

Response

Returns the complete alert object with all fields.

Same Response Format

The response contains the same fields as the alerts list endpoint. See the GET /alerts documentation for field details.

PATCH /alerts/:idPro+

Update an alert's status. Use this to resolve alerts or mark them as safe (false positives).

Request Body

Field	Type	Required	Description
action	string	✓	"resolve" or "mark_safe"
resolution_type	string	When action="resolve"	"blocked_ip", "reset_password", "contacted_user", "false_positive", or "other"
internal_notes	string	Optional	Note explaining the resolution (max 2000 characters)
resolved_by	string	Optional	User ID or identifier of who resolved the alert (defaults to "n8n-api")

Response Fields

Field	Type	Description
id	string	Alert UUID
status	string	New status: "resolved" or "dismissed"
action	string	Action performed: "resolve" or "mark_safe"
resolution_type	string \| null	Resolution type if action was "resolve"
resolved_at	string \| null	ISO 8601 timestamp when resolved (null for mark_safe)
resolved_by	string	User ID or identifier who resolved the alert
updated_at	string	ISO 8601 timestamp

Example: Resolve an Alert

curl -X PATCH "https://api.litesoc.io/alerts/550e8400-e29b-41d4-a716-446655440000" \
  -H "x-api-key: lsoc_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "resolve",
    "resolution_type": "contacted_user",
    "internal_notes": "Verified as legitimate user activity",
    "resolved_by": "user_abc123"
  }'

Example: Mark as Safe (False Positive)

curl -X PATCH "https://api.litesoc.io/alerts/550e8400-e29b-41d4-a716-446655440000" \
  -H "x-api-key: lsoc_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "mark_safe",
    "internal_notes": "Expected activity from automated deployment pipeline",
    "resolved_by": "user_abc123"
  }'

Enrichment DataPRO+

Security events include enrichment data in the metadata object for Pro and Enterprise plans. This includes network intelligence (VPN/Tor/proxy detection) and geolocation data.

Plan-Based Access

Free tier has enrichment fields nullified for privacy. Upgrade to Pro or Enterprise to access full network intelligence and precise geolocation.

Event Response with Enrichment Data

JSON

{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "event_name": "auth.login_success",
  "actor_id": "user_abc123",
  "user_ip": "203.0.113.50",
  "country_code": "US",
  "city": "San Francisco",
  "is_vpn": false,
  "is_tor": false,
  "is_proxy": false,
  "is_datacenter": false,
  "latitude": 37.7749,
  "longitude": -122.4194,
  "metadata": {
    "actor_email": "user@example.com",
    "method": "password",
    "geolocation": {
      "country": "US",
      "city": "San Francisco",
      "latitude": 37.7749,
      "longitude": -122.4194
    },
    "network_intelligence": {
      "is_vpn": false,
      "is_tor": false,
      "is_proxy": false,
      "is_datacenter": false,
      "isp": "Comcast Cable Communications"
    }
  },
  "created_at": "2024-01-15T10:30:00Z"
}

Top-Level Enrichment Fields

These fields are available directly on event objects:

Field	Type	Description
is_vpn	boolean \| null	Whether IP is from a known VPN provider
is_tor	boolean \| null	Whether IP is a Tor exit node
is_proxy	boolean \| null	Whether IP is from a known proxy service
is_datacenter	boolean \| null	Whether IP is from a datacenter/hosting provider
latitude	number \| null	GPS latitude coordinate
longitude	number \| null	GPS longitude coordinate

Metadata Enrichment Objects

Additional enrichment data is also available in the metadata object:

Field	Type	Description
metadata.network_intelligence	object \| null	Network detection info (is_vpn, is_tor, is_proxy, is_datacenter, isp)
metadata.geolocation	object \| null	Location data (country, city, latitude, longitude)
metadata.network_intelligence.isp	string \| null	Internet Service Provider name

Free Tier Redaction

For Free tier users, the following fields are set to null: is_vpn, is_tor, is_proxy, is_datacenter, latitude, longitude, and the metadata.network_intelligence object. Basic geolocation (country_code, city) is still available.

Outgoing WebhooksPro+

LiteSOC sends real-time JSON alerts to your server when security threats are detected. Configure a webhook endpoint to receive instant notifications for brute force attacks, impossible travel, geo-anomalies, and critical security events.

Two Webhook Types

LiteSOC supports two outgoing webhook types: Alert Webhooks (this section) fire automatically when threats are detected, while Remediation Webhooks fire when an admin resolves an alert. Both are configured in Dashboard → Settings → Outgoing Webhooks.

How It Works

Configure your webhook URL in Dashboard → Settings → Outgoing Webhooks
LiteSOC detects a security threat (brute force, impossible travel, etc.)
We send a signed POST request to your endpoint with the alert payload
Your server verifies the signature and processes the alert

Security & Signature Verification

To ensure the integrity and authenticity of webhook requests, LiteSOC includes a signature in each request. This section explains how to verify these signatures and secure your webhook endpoints.

Critical: Always Verify Signatures

Every webhook request includes an HMAC-SHA256 signature in the X-LiteSOC-Signature header. You mustverify this signature to ensure the request came from LiteSOC and wasn't tampered with.

Webhook Headers

Header	Description
X-LiteSOC-Signature	HMAC-SHA256 signature: `sha256=...`
X-LiteSOC-Timestamp	ISO 8601 timestamp when the webhook was sent
X-LiteSOC-Webhook-Version	Webhook payload version (currently `2.0`)
Content-Type	`application/json`
X-LiteSOC-Event-Type	The event name (e.g., `security.brute_force_detected`)
X-LiteSOC-Retry-Count	Retry attempt number (`0` = first attempt)
User-Agent	`LiteSOC-Webhook/2.0`

Signature Verification (Node.js)

Verify the HMAC-SHA256 signature using your webhook_signing_secret from the dashboard.

import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string,
  signature: string,
  timestamp: string,
  secret: string
): boolean {
  // Recreate the signed message: timestamp.payload
  const message = `${timestamp}.${payload}`;
  
  // Generate expected signature
  const expectedSignature = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(message)
    .digest('hex');
  
  // Constant-time comparison to prevent timing attacks
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expectedSignature)
  );
}

// Usage in your webhook handler:
const isValid = verifyWebhookSignature(
  JSON.stringify(req.body),
  req.headers['x-litesoc-signature'],
  req.headers['x-litesoc-timestamp'],
  process.env.LITESOC_WEBHOOK_SECRET
);

if (!isValid) {
  return res.status(401).json({ error: 'Invalid signature' });
}

Save-Before-Send Guarantee

Every alert_id in webhook payloads is a real database UUID. The alert is always persisted to our database before the webhook is sent. You can use this UUID with our Management API to fetch full alert details: GET /api/manage/alerts?id={alert_id}

Standard Payload Schema

All LiteSOC webhooks follow a standardized JSON schema, regardless of the specific event type.

Webhook Payload Structure

All webhook payloads follow this standardized schema. Write one parser for all LiteSOC webhooks.

{
  "version": "2.0",
  "event": "security.alert",
  "timestamp": "2026-03-01T14:32:00.000Z",
  "data": {
    "alert_id": "550e8400-e29b-41d4-a716-446655440000",
    "trigger_event_id": "660e8400-e29b-41d4-a716-446655440001",
    "org_id": "org_abc123",
    "event_name": "security.brute_force_detected",
    "severity": "high",
    "actor": {
      "id": "user_12345",
      "email": "user@example.com"
    },
    "user_ip": "203.0.113.50",
    "country_code": "RU",
    "timestamp": "2026-03-01T14:32:00.000Z",
    "forensics": {
      "network": {
        "is_vpn": true,
        "is_tor": false,
        "is_proxy": false,
        "is_datacenter": false,
        "isp": "Example ISP"
      },
      "location": {
        "city": "Moscow",
        "country_code": "RU",
        "latitude": 55.7558,
        "longitude": 37.6173
      }
    },
    "metadata": {
      "failed_attempts": 15,
      "unique_actors": 3,
      "time_window_minutes": 5
    }
  }
}

Field Reference

Field	Type	Description
alert_id	string (UUID)	Unique identifier for the alert in our database
trigger_event_id	string \| null	UUID of the specific event that triggered the alert
org_id	string	Your organization ID
event_name	string	Type of security event (see Event Triggers below)
severity	string	info \| low \| medium \| high \| critical
actor	object	User who triggered the alert (id, email)
user_ip	string \| null	IP address associated with the alert
country_code	string \| null	ISO 3166-1 alpha-2 country code
forensics	object \| null	Network intelligence and location data (Pro+ only)
metadata	object	Alert-specific additional data

Plan-Based Forensics

The forensics object containing VPN detection, Tor/Proxy flags, ISP information, and GPS coordinates is only available on Pro and Enterprise plans. Free plan webhooks receive forensics: null.

Event Triggers

LiteSOC supports a wide range of security event triggers that can fire webhooks. Each event has a severity level and may be restricted to certain subscription plans. Below is a reference table of common events that can trigger outgoing webhooks.

Events That Trigger Webhooks

Event Name	Severity	Description	Plan
security.brute_force_detected	high	Multiple failed login attempts from same IP	All
security.impossible_travel	high	Same user logged in from distant locations	Pro+
security.geo_anomaly	medium	Login from high-risk or new country	Pro+
security.custom_rule_triggered	varies	Custom threat model rule matched	Enterprise
admin.privilege_escalation	critical	User performed privilege escalation	All
data.bulk_delete	critical	Bulk data deletion detected	All
data.sensitive_access	critical	Sensitive data accessed	All

Implementation Example

Next.js API Route Receiver

A complete webhook receiver that validates signatures and processes alerts.

// app/api/webhooks/litesoc/route.ts
import { NextRequest, NextResponse } from 'next/server';
import crypto from 'crypto';

const WEBHOOK_SECRET = process.env.LITESOC_WEBHOOK_SECRET!;

function verifySignature(payload: string, signature: string, timestamp: string): boolean {
  const message = `${timestamp}.${payload}`;
  const expected = 'sha256=' + crypto.createHmac('sha256', WEBHOOK_SECRET)
    .update(message).digest('hex');
  
  try {
    return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
  } catch {
    return false;
  }
}

export async function POST(request: NextRequest) {
  const signature = request.headers.get('x-litesoc-signature');
  const timestamp = request.headers.get('x-litesoc-timestamp');
  
  if (!signature || !timestamp) {
    return NextResponse.json({ error: 'Missing headers' }, { status: 400 });
  }
  
  // Get raw body for signature verification
  const payload = await request.text();
  
  // Verify signature
  if (!verifySignature(payload, signature, timestamp)) {
    return NextResponse.json({ error: 'Invalid signature' }, { status: 401 });
  }
  
  // Parse the verified payload
  const webhook = JSON.parse(payload);
  const alert = webhook.data;
  
  console.log(`[LiteSOC] Received alert: ${alert.event_name}`);
  console.log(`[LiteSOC] Alert ID: ${alert.alert_id}`);
  console.log(`[LiteSOC] Severity: ${alert.severity}`);
  
  // Process based on event type
  switch (alert.event_name) {
    case 'security.brute_force_detected':
      // Block the IP, notify security team, etc.
      await handleBruteForce(alert);
      break;
    case 'security.impossible_travel':
      // Force re-authentication, notify user
      await handleImpossibleTravel(alert);
      break;
    case 'admin.privilege_escalation':
      // High priority: investigate immediately
      await handlePrivilegeEscalation(alert);
      break;
    default:
      console.log(`[LiteSOC] Unhandled event: ${alert.event_name}`);
  }
  
  // Always return 200 to acknowledge receipt
  return NextResponse.json({ received: true });
}

async function handleBruteForce(alert: any) {
  // Example: Add IP to blocklist
  console.log(`Blocking IP: ${alert.user_ip}`);
  // await blockIP(alert.user_ip);
}

async function handleImpossibleTravel(alert: any) {
  // Example: Revoke user sessions
  console.log(`Suspicious travel for actor: ${alert.actor.id}`);
  // await revokeUserSessions(alert.actor.id);
}

async function handlePrivilegeEscalation(alert: any) {
  // Example: Alert security team via Slack
  console.log(`CRITICAL: Privilege escalation by ${alert.actor.id}`);
  // await sendSlackAlert(alert);
}

Best Practices

To build a robust integration with LiteSOC webhooks, follow these best practices for security, reliability, and performance.

5-Second Timeout

LiteSOC waits up to 5 seconds for your endpoint to respond. If processing takes longer, acknowledge the webhook immediately and process asynchronously.

Async Processing

For complex operations (database writes, external API calls), use a background job queue like BullMQ, Inngest, or AWS SQS.

HTTPS Required

Your webhook endpoint must use HTTPS. We reject HTTP URLs to ensure payloads are encrypted in transit.

Retry Logic

We retry failed webhooks with exponential backoff (up to 4 total attempts: 1 initial + 3 retries). Delays are 1s, 2s, 4s with jitter. On persistent failure, we log to your dashboard audit trail.

Testing Webhooks

Use tools like webhook.site orngrok to test your webhook endpoint locally before deploying to production.

Infrastructure & Quotas

Rate limits, retention, and system headers

Platform Limits

Understanding rate limits and retention policies helps you build reliable integrations. All limits are enforced per-organization.

This section covers the technical infrastructure details you need to know: rate limits for both APIs, data retention policies, and the custom headers returned in API responses.

Event Collection

100-2,000

requests/min by plan

Management API

60-500

requests/min by plan

Data Retention

7-90

days by plan

Rate Limits

LiteSOC has two types of rate limits: Event Collection API (for sending security logs) and Management API (for reading data via n8n or custom integrations).

Event Collection API

Optimized for high-volume ingestion when sending security events from your application.

Plan	Rate Limit	Monthly Events	Data Retention
Free	100 req/min	5,000	7 days
Pro	500 req/min	50,000	30 days
Enterprise	2,000 req/min	500,000	90 days

Management API

Designed for stable polling when reading events and alerts via n8n or custom integrations.

Plan	Rate Limit	Events Access	Alerts Access
Free	60 req/min	100/req (redacted forensics)	Blocked
Pro	100 req/min	100/req (full forensics)	Full Access
Enterprise	500 req/min	100/req (full forensics)	Full Access

Rate Limit Design

Event Collection limits are optimized for high-volume ingestion, while Management API limits are designed for stable polling. Both are enforced per organization, per minute.

429 Too Many Requests

If you exceed your rate limit, you'll receive a 429 error with a JSON message and Retry-After header.

Retention Policy

Data retention determines how long your security events and alerts are stored. Results from the Management API are strictly filtered by your plan's retention window.

Plan	Retention	Cutoff Behavior	Upgrade Path
Free	7 days	Events older than 7 days return 403	→ Pro for 30 days
Pro	30 days	Events older than 30 days return 403	→ Enterprise for 90 days
Enterprise	90 days	Events older than 90 days return 403	Custom retention available

Retention Enforcement

When querying events outside your retention window, you'll receive a 403 error with codeRETENTION_EXPIRED. The X-LiteSOC-Cutoff header shows your oldest accessible timestamp.

JSON (403 Response)

{
  "success": false,
  "error": {
    "code": "RETENTION_EXPIRED",
    "message": "Event expired based on your plan retention.",
    "retention_days": 7
  }
}

Security Intelligence

LiteSOC automatically enriches every security event with powerful forensic data. When you provide the user_ip field, we unlock a comprehensive suite of security intelligence features.

Important: user_ip is Required

To unlock geolocation mapping and network intelligence features, you mustpass the end-user's IP address in the user_ip field. Without it, these forensic features will not be available for the event.

Geolocation

City and Country detection
Precise GPS coordinates (Latitude/Longitude)
Interactive map visualization
Country flag emoji display

Network Intelligence

VPN provider detection
Tor exit node identification
Proxy service detection
Datacenter IP detection (AWS, GCP, Azure, etc.)

Geolocation Enrichment

Every event with a valid user_ip is automatically enriched with geolocation data. This data is stored in the database and displayed in the Event Forensics view.

Field	Type	Description
country_code	string	ISO 3166-1 alpha-2 country code (e.g., "US", "GB")
city	string	City name (e.g., "San Francisco", "London")
latitude	float	GPS latitude coordinate
longitude	float	GPS longitude coordinate

Network Intelligence

LiteSOC analyzes every IP address against comprehensive databases of known VPN providers, Tor exit nodes, proxy services, and cloud/datacenter IP ranges. This helps you identify potentially suspicious traffic sources.

Flag	Risk Level	Description
🕵️ is_tor	High Risk	IP is a known Tor exit node. Traffic is fully anonymized.
🔒 is_vpn	Elevated	IP belongs to a known VPN provider (NordVPN, ExpressVPN, etc.)
🛡️ is_proxy	Moderate	IP is associated with a commercial proxy service
🖥️ is_datacenter	Informational	IP belongs to a cloud provider (AWS, GCP, Azure, DigitalOcean, etc.)

Network Type Classification

Each event also includes a network_type field with values: residential, vpn,tor, proxy,datacenter, or unknown. A network_providerfield identifies the specific provider when detected (e.g., "AWS", "NordVPN", "Tor Network").

Event Forensics UI

View comprehensive forensic data for any security event directly in your dashboard. Simply click any row in the Activity Feed table to open the Event Detail Sheet.

What You'll See

Click any event row to access these forensic details

Geolocation & Travel Path

• Interactive OpenStreetMap with location marker
• City, Region, and Country with flag emoji
• Precise GPS coordinates
• Travel Path Map for impossible travel alerts with:
- - Previous & current locations on Mapbox
- - Distance traveled in kilometers
- - Country flags for both locations

Network Intelligence Panel

• Security alert banner for VPN/Tor/Proxy detection
• Network type badge (residential, datacenter, etc.)
• Visual security check indicators (VPN, Tor, Proxy, Datacenter)
• Provider / ISP identification
• User IP & Server IP with copy buttons
• "Trusted" badge for whitelisted IPs

Event Details

• Event type with severity badge
• Actor identity (ID and email)
• Timestamps in your local timezone
• User agent parsing (browser, OS, device)

Raw Payload

• Full JSON metadata with syntax highlighting
• Copy-to-clipboard functionality
• Event ID for reference

Incident ResolutionPro+

• Mark events as resolved with resolution notes
• Track resolution status across your team
• IP Whitelisting option Enterprise

Enrichment Pipeline

When you submit an event to LiteSOC, it returns HTTP 202 Accepted immediately, meaning your data has been queued for processing. Behind the scenes, LiteSOC runs a powerful enrichment pipeline to transform raw events into actionable security intelligence.

Asynchronous Processing

Events are processed asynchronously within seconds. The 202 response confirms your event is queued—enriched data will appear in your dashboard shortly after.

Pipeline Stages

IP Reputation

Each IP address is checked against known threat databases:

Tor exit node detection
VPN provider identification
Proxy & datacenter flagging

Geo-Mapping

IP addresses are converted to geographic coordinates:

Country & city resolution
Latitude/longitude coordinates
Interactive map visualization

Threat Scoring

Each event receives a severity level based on risk signals:

LowNormal activity
MediumUnusual patterns
HighSuspicious behavior
CriticalActive threat

Enriched Event Example

After processing, your raw event is enriched with security intelligence data:

JSON

{
  "event": "auth.login_success",
  "actor_id": "user_123",
  "actor_email": "user@example.com",
  "user_ip": "185.220.101.42",
  
  // Geo-Mapping (auto-enriched)
  "country": "DE",
  "city": "Frankfurt",
  "latitude": 50.1109,
  "longitude": 8.6821,
  
  // IP Reputation (auto-enriched)
  "is_vpn": false,
  "is_tor": true,
  "is_proxy": false,
  "is_datacenter": false,
  "network_type": "tor",
  "network_provider": "Tor Exit Node",
  
  // Threat Scoring (auto-enriched)
  "severity": "critical",
  "risk_signals": ["tor_exit_node", "high_risk_country"]
}

Important

To enable full enrichment, always include user_ip in your event payload. Without it, geolocation and network intelligence features will be unavailable.

Plan Features

LiteSOC offers three tiers with progressively more powerful threat detection capabilities.

Free

$0/mo

For side projects and testing

5,000 events/month

7-day data retention

Basic brute force detection

Critical event alerts

Email notifications

Forensics redacted in API

ProPopular

$15/mo

For growing teams

50,000 events/month

Impossible Travel detection

Geo-Anomaly detection

Slack & Discord webhooks

30-day retention + full forensics

Strict brute force (5 attempts)

Enterprise

$99/mo

For security-conscious orgs

500,000 events/month

90-day retention + full forensics

Custom Threat Models

IP Whitelisting (CIDR support)

SAML/OIDC Single Sign-On

Compliance audit logs

Priority support

Threat Detection

LiteSOC automatically analyzes your security events to detect threats in real-time.

Brute Force Detection

All Plans

Detects repeated failed login attempts from the same IP. Free plan triggers at 20 failures in 15 minutes; Pro/Enterprise triggers at 5 failures in 5 minutes.

Impossible Travel

Pro+

Detects when a user logs in from two geographically distant locations within an impossibly short timeframe (e.g., NYC to Tokyo in 10 minutes).

Geo-Anomaly Detection

Pro+

Alerts when a user logs in from a new country for the first time, or from high-risk regions. Learns your organization's normal geographic patterns over a 30-day baseline period.

High-Risk Countries:

🇰🇵 North Korea🇮🇷 Iran🇷🇺 Russia🇨🇳 China🇧🇾 Belarus🇻🇪 Venezuela🇸🇾 Syria🇨🇺 Cuba

Custom Threat Models

Enterprise

Build your own detection rules. Define conditions like "5+ data.export events from the same user in 10 minutes" and get custom alerts with your chosen severity.

Critical Event Alerts

All Plans

Instant notifications for high-severity events like admin.privilege_escalation,data.bulk_delete, andsecurity.suspicious_activity.

Remediation WebhooksPro+

Automatically receive webhook notifications when admins resolve security alerts. Use this to trigger automated remediation in your application—like blocking users, resetting passwords, or revoking sessions.

How It Works

When an admin clicks "Resolve" on a security alert in the LiteSOC dashboard, we send a POST request to your configured endpoint with the action details.

Setup

Create a POST /api/security-callback endpoint in your app
Go to Dashboard → Settings → Outgoing Webhooks
Enter your endpoint URL in the Remediation Webhook URL field
Save and you're ready to receive webhook calls

Webhook Payload

When an admin resolves an alert, you'll receive this JSON payload:

{
  "event_type": "alert.resolved",
  "timestamp": "2024-01-15T14:32:00Z",
  "alert": {
    "id": "alert_abc123",
    "type": "impossible_travel",
    "status": "resolved",
    "severity": "high"
  },
  "resolution": {
    "type": "blocked_ip",        // or: reset_password, contacted_user, false_positive, other
    "notes": "User confirmed they weren't traveling. Blocking suspicious IP.",
    "resolved_by": "admin@company.com",
    "resolved_at": "2024-01-15T14:32:00Z"
  },
  "actor": {
    "id": "user_12345",          // The affected user's ID
    "ip": "203.0.113.50"         // The suspicious IP address
  },
  "organization": {
    "id": "org_xyz789"
  }
}

Resolution Types

Type	Description	Suggested Action
blocked_ip	Admin blocked the IP address	Add IP to firewall blocklist
reset_password	Admin reset user's password	Force password reset, invalidate sessions
contacted_user	Admin contacted the user	Log the interaction, no automated action
false_positive	Alert was a false alarm	No action needed, update ML training data
other	Custom resolution	Check notes field for details

Example Handler (Node.js/Express)

// POST /api/security-callback
app.post('/api/security-callback', async (req, res) => {
  const { event_type, resolution, actor } = req.body;

  if (event_type !== 'alert.resolved') {
    return res.status(200).json({ received: true });
  }

  // Handle different resolution types
  switch (resolution.type) {
    case 'blocked_ip':
      // Add IP to your blocklist
      await firewall.blockIP(actor.ip);
      break;

    case 'reset_password':
      // Force password reset for the user
      await db.users.update({
        where: { id: actor.id },
        data: { 
          password_reset_required: true,
          sessions: { deleteMany: {} }  // Invalidate all sessions
        }
      });
      break;

    case 'contacted_user':
      // Log the interaction
      await db.audit_log.create({
        data: {
          user_id: actor.id,
          action: 'security_contact',
          notes: resolution.notes,
          admin: resolution.resolved_by
        }
      });
      break;

    case 'false_positive':
      // Maybe whitelist this pattern
      console.log('False positive logged:', actor.id, actor.ip);
      break;
  }

  res.json({ success: true });
});

Verifying Webhook Signatures (Enterprise)

All outgoing webhooks include an X-LiteSOC-Signature header for verification. Enterprise users should always verify this signature to ensure requests originate from LiteSOC.

Webhook Headers

X-LiteSOC-Signature — HMAC-SHA256 signature (format: sha256=<hex>)
X-LiteSOC-Event — Event type (e.g., alert.resolved)
X-LiteSOC-Timestamp — ISO 8601 timestamp when the request was sent

Signature Computation

signature = HMAC-SHA256(
  key: signing_secret,
  message: timestamp + "." + JSON.stringify(payload)
)

const crypto = require('crypto');

function verifyLiteSOCWebhook(payload, signature, timestamp, secret) {
  // Signature is computed over: timestamp.payload
  // This prevents replay attacks
  const signedPayload = timestamp + '.' + JSON.stringify(payload);
  
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(signedPayload)
    .digest('hex');
  
  // Use timing-safe comparison to prevent timing attacks
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

// In your webhook handler:
app.post('/api/security-callback', (req, res) => {
  const signature = req.headers['x-litesoc-signature'];
  const timestamp = req.headers['x-litesoc-timestamp'];
  
  // Optional: Reject requests older than 5 minutes (anti-replay)
  const requestTime = new Date(timestamp).getTime();
  const now = Date.now();
  if (Math.abs(now - requestTime) > 5 * 60 * 1000) {
    return res.status(401).json({ error: 'Request too old' });
  }
  
  if (!signature || !verifyLiteSOCWebhook(req.body, signature, timestamp, WEBHOOK_SECRET)) {
    return res.status(401).json({ error: 'Invalid signature' });
  }
  
  // Process the webhook...
});

Security Best Practice: Always verify the signature before processing webhook payloads. Store your signing secret securely (e.g., environment variables) and never expose it in client-side code.

Enterprise SSOEnterprise

Enable SAML 2.0-based Single Sign-On for your organization. Enterprise SSO allows your team members to authenticate using your identity provider (IdP) such as Okta, Azure AD, Google Workspace, or OneLogin.

Setting Up SAML SSO

Navigate to Dashboard → Settings → Single Sign-On (SSO)
Copy the ACS URL and Entity ID from the Service Provider Details section to your IdP
Enter your Identity Provider Metadata URL (e.g., https://your-idp.com/metadata.xml)
Configure the SSO Domain (your company email domain like company.com)
Click Save Configuration, then enable the SSO toggle

SSO Login Flow

When SSO is enabled, users with matching email domains will be automatically routed to your identity provider. The flow detects the SSO domain from the email address.

// Automatic domain detection on login
user@company.com → SSO enabled → Redirect to IdP

Service Provider Details

Use these values when configuring your Identity Provider:

ACS URL:https://<project-ref>.supabase.co/auth/v1/sso/saml/acs

Entity ID:https://<project-ref>.supabase.co/auth/v1/sso/saml/metadata

The actual values are shown in your Dashboard → Settings → SSO page.

Audit LogsPro & Enterprise

Comprehensive audit logging tracks all administrative actions and security-relevant events across your organization. Essential for compliance (SOC 2, GDPR, HIPAA) and security investigations.

Tracked Actions

API & Webhooks

api_key.regenerated
webhook.slack_updated
cors.origins_updated

Security

sso.enabled
ip_whitelist.added
mfa.enrolled

Organization

organization.member_invited
organization.role_changed
billing.plan_changed

Account

account.password_changed
session.revoked
settings.profile_updated

Threat Models

threat_model.created
threat_model.updated
threat_model.deleted

Billing

billing.subscription_created
billing.payment_succeeded
billing.payment_failed

Compliance Export

Enterprise Only

Export audit logs as CSV for compliance reporting and external analysis. Navigate to Dashboard → Settings → Audit Logs and click the Export CSV button.

Exports include: timestamp, actor email, action, target, IP address, user agent, and detailed metadata for each event.

CSV export requires Enterprise plan. Pro users can view audit logs but cannot export.

IP WhitelistingEnterprise

Bypass threat detection alerts for trusted IP addresses. When an IP is whitelisted, events from that IP will still be logged but will not trigger brute force, impossible travel, or geo-anomaly alerts.

How It Works

Whitelisted IPs are excluded from threat detection analysis. This is useful for:

Office IPs that generate high-volume legitimate traffic
CI/CD servers running automated tests
VPN exit nodes used by your team
Staging and development environments

⚠️ Events are still recorded — only alerting is bypassed.

CIDR Notation Support

Configure IP whitelists using individual IPs or CIDR notation for entire ranges:

192.168.1.100 // Single IP

10.0.0.0/24 // 256 IPs (10.0.0.0 - 10.0.0.255)

172.16.0.0/16 // 65,536 IPs (172.16.0.0 - 172.16.255.255)

10.0.0.0/8 // Entire 10.x.x.x range

Configuration

Go to Dashboard → Settings → Security tab → IP Whitelist
Click Add IP Address and enter an IP or CIDR range
Add a label and optional description for reference
Toggle individual entries on/off using the switch

Changes take effect immediately. Whitelisted IPs will bypass threat detection on the next processing cycle.

Whitelist Entry Fields

ip_addressIPv4 address or CIDR range (e.g., 192.168.1.0/24)

labelShort identifier (e.g., "Office", "VPN", "CI Server")

descriptionOptional notes about the IP source

is_activeToggle to enable/disable the entry without deleting it

LiteSOC API Reference

Code Examples & Testing Tools

Authentication

Required Header

Where to find your API key

Base URL

Browser Security (CORS)

Server-Side Integrations Are Not Affected

Go to Settings

Add Your Domain

Save Changes

Common CORS Error

Install our SDKs

Installation

Event Collection API

Management APIPRO+

Quick Start

Get your API key

Send an event

View in Dashboard

Event Collection API

Ingestion Endpoint

Event Collection Endpoint

Available Endpoints

Error Responses

Example Responses

POST /collectIngestion

Request Headers

Batch Ingestionv2.5+

Batch Body Schema

Batch Response (202)

SDK Examples

Raw API Examples

Payload Schema

Complete Example

Critical: user_ip Field

Tracking Multiple Websites or Services?

Coming Soon: Multi-Project Support

Standard Events

Authentication8 events

Authorization4 events

Admin Actions7 events

Data Access3 events

Security4 events

IP Address Tracking

Important: Forward the End-User's IP

IP Field Reference

IP Fallback Chain

How to Extract User IP

Server IP Auto-Detection

Event Normalizer

Unrecognized Events

Management API

Operations & Automation

Authentication Required

Available Endpoints

Response Headers

Error Responses

Error Response Format

HTTP Status Codes

Common Error Examples

Best Practices

GET /events

Query Parameters

Response Structure

Event Object Fields

Pagination Object

Severity is Auto-Assigned

Retention Filtering

GET /events/:id

Path Parameters

Example Request

Response Structure

Same Event Fields

Retention Policy

GET /alertsPro+

Pro & Enterprise Only

Query Parameters

Response Fields

Severity is Auto-Assigned