API Documentation

Integrate OnlyHIPAA data into your own systems using our REST API.

Overview

The OnlyHIPAA API allows you to programmatically access your organization's findings, assessments, and remediation data. All requests must be made over HTTPS.

Base URL: https://app.onlyhipaa.com/api/v1/
Format: JSON (Content-Type: application/json)
Authentication: Authorization: Bearer <api_key>
Rate limit: 100 requests per minute per API key. Exceeding the limit returns 429 Too Many Requests.

Authentication

All API requests require a Bearer token. To create an API key, go to Settings → API Keys in your dashboard and click Generate new key. Store the key securely — it will only be shown once.

Include the key in every request using the Authorization header:

Authorization: Bearer ohk_live_••••••••••••••••

Scopes

Each API key is issued with one or more scopes that control which resources it can access. Issue a separate key with only the scopes each integration needs; a key carrying scopes it never uses widens the impact if it leaks.

Scope Access granted
findings:read Read findings for the organization
assessments:read Read assessments and their status
remediation:read Read remediation tasks
audit:read Read audit log entries

Endpoints

GET /api/v1/findings.php

Returns a list of findings for your organization.

Required scope: findings:read

Query parameters

Parameter    Type    Description
status       string  Filter by status: open, in_progress, resolved
risk_level   string  Filter by risk: critical, high, medium, low

GET /api/v1/assessments.php

Returns a list of assessments for your organization.

Required scope: assessments:read

Query parameters

Parameter    Type    Description
status       string  Filter by status: draft, in_progress, completed

GET /api/v1/remediation.php

Returns a list of remediation tasks linked to your organization's findings.

Required scope: remediation:read

Query parameters

Parameter    Type    Description
status       string  Filter by status: open, in_progress, completed
priority     string  Filter by priority: critical, high, medium, low

Response format

All successful responses return HTTP 200 with a JSON body containing a data array and a count of total records.

{
  "data": [
    { "id": "abc123", "title": "...", "status": "open", ... }
  ],
  "count": 1
}

Error responses

Errors return a non-2xx HTTP status with a JSON body:

{
  "error": "Unauthorized",
  "message": "Invalid or expired API key."
}

HTTP status   Meaning
401           Missing or invalid API key
403           Valid key but insufficient scope
429           Rate limit exceeded
500           Internal server error

Example

Fetch all open critical findings using curl:

curl -s \
  -H "Authorization: Bearer ohk_live_••••••••••••••••" \
  -H "Accept: application/json" \
  "https://app.onlyhipaa.com/api/v1/findings.php?status=open&risk_level=critical"

Example response:

{
  "data": [
    {
      "id": "fnd_01j9kx4",
      "title": "Unencrypted ePHI at rest on workstation",
      "risk_level": "critical",
      "status": "open",
      "created_at": "2026-01-15T09:32:00Z"
    }
  ],
  "count": 1
}
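The curl call above issues one request and leaves the caller to deal with the status codes. The following Python client is an added example, not OnlyHIPAA's own SDK: it reads the key from an environment variable (ONLYHIPAA_API_KEY is an assumed name), sends the documented Bearer and Accept headers, surfaces 401 and 403 as errors without retrying, and retries 429 and 500 with capped exponential backoff. Honouring a Retry-After header on 429 is an assumption (the page does not promise one), and the injectable transport and sleep parameters exist only so the client can be exercised offline.

```python
"""Minimal OnlyHIPAA API client (added example, not the vendor's SDK)."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://app.onlyhipaa.com/api/v1/"  # HTTPS only, as the docs require


class OnlyHipaaError(Exception):
    """Non-retryable API error (401, 403, malformed body, or retries exhausted)."""

    def __init__(self, status, error, message):
        super().__init__(f"{status} {error}: {message}")
        self.status, self.error, self.message = status, error, message


def build_request(endpoint, params=None, api_key=None):
    """Return (url, headers) for a GET against the documented base URL."""
    # Never hard-code the key; ONLYHIPAA_API_KEY is an assumed variable name.
    key = api_key or os.environ.get("ONLYHIPAA_API_KEY")
    if not key:
        raise ValueError("no API key: pass api_key or set ONLYHIPAA_API_KEY")
    # Drop unset filters so only the documented query parameters are sent.
    query = {k: v for k, v in (params or {}).items() if v is not None}
    url = BASE_URL + endpoint.lstrip("/")
    if query:
        url += "?" + urllib.parse.urlencode(query)
    headers = {"Authorization": f"Bearer {key}", "Accept": "application/json"}
    return url, headers


def _urllib_transport(url, headers):
    """Default transport: returns (status, body_bytes, response_headers)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read(), dict(resp.headers)
    except urllib.error.HTTPError as exc:  # 4xx/5xx still carry a JSON body
        return exc.code, exc.read(), dict(exc.headers or {})


def _parse_error(body):
    """Extract the documented {"error", "message"} pair, tolerating non-JSON bodies."""
    try:
        doc = json.loads(body)
        return str(doc.get("error", "Error")), str(doc.get("message", ""))
    except (ValueError, AttributeError):
        return "Error", body.decode("utf-8", "replace")[:200]


def get(endpoint, params=None, api_key=None, transport=_urllib_transport,
        max_attempts=4, sleep=time.sleep):
    """GET an endpoint and return the parsed {"data": [...], "count": n} body.

    429 and 500 are retried with backoff; 401/403 are raised immediately because
    no retry will fix a bad key or a missing scope.
    """
    url, headers = build_request(endpoint, params, api_key)
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        status, body, resp_headers = transport(url, headers)
        if status == 200:
            doc = json.loads(body)
            if not isinstance(doc.get("data"), list) or "count" not in doc:
                raise OnlyHipaaError(status, "BadResponse", "missing data/count")
            return doc
        if status not in (429, 500) or attempt == max_attempts:
            error, message = _parse_error(body)
            raise OnlyHipaaError(status, error, message)
        # Retry-After is an assumption; fall back to exponential backoff (capped at 60 s).
        retry_after = next((v for k, v in resp_headers.items()
                            if k.lower() == "retry-after"), None)
        wait = float(retry_after) if retry_after and retry_after.isdigit() else delay
        sleep(min(wait, 60.0))
        delay = min(delay * 2, 60.0)


def open_critical_findings(**kwargs):
    """Same query as the curl example: open findings with risk_level=critical."""
    return get("findings.php", {"status": "open", "risk_level": "critical"}, **kwargs)


if __name__ == "__main__":
    for finding in open_critical_findings()["data"]:
        print(finding["id"], finding["risk_level"], finding["title"])
```

Running the module directly performs the live query from the curl example; passing a fake transport (as the assertions below do) lets the retry and error paths be exercised without a key or network access.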