SARA Open API

Programmatic access to analyst-grade security intelligence. Integrate SARA into your SOAR, SIEM, or custom workflows.

Authentication

All API requests require an API key sent in the x-api-key header.

curl -X POST https://sara-open.sirp.io/api/v1/chat -H "x-api-key: sara_your_key_here" \
  -H "Content-Type: application/json" -d '{"message": "What is CVE-2024-3400?"}'

Generate API keys in Settings → API. Keys start with sara_.

| Plan | Rate Limit | Max Keys |
| --- | --- | --- |
| Pro | 200 requests/hour | 3 |
| Team | 500 requests/hour | 10 |

Endpoints

POST /api/v1/chat/completions Pro+ OpenAI Compatible
Drop-in replacement for OpenAI's chat completions API. Works with any OpenAI SDK client, LangChain, LlamaIndex, or SOAR integration. Same pipeline as /api/v1/chat.

Request (OpenAI format)

{
  "model": "sara",
  "messages": [
    {"role": "user", "content": "What is CVE-2024-3400?"}
  ]
}

Response (OpenAI format)

{
  "id": "chatcmpl-abc123",
  "object": "chat.completion",
  "created": 1711000000,
  "model": "sara",
  "choices": [{
    "index": 0,
    "message": {"role": "assistant", "content": "..."},
    "finish_reason": "stop"
  }],
  "usage": {"prompt_tokens": 150, "completion_tokens": 200, "total_tokens": 350}
}

Usage with OpenAI Python SDK

from openai import OpenAI

client = OpenAI(
    base_url="https://sara-open.sirp.io/api/v1",
    api_key="sara_your_key_here",
)

response = client.chat.completions.create(
    model="sara",
    messages=[{"role": "user", "content": "Analyze IP 185.220.101.34"}],
)
print(response.choices[0].message.content)

Usage with LangChain

from langchain_openai import ChatOpenAI

llm = ChatOpenAI(
    base_url="https://sara-open.sirp.io/api/v1",
    api_key="sara_your_key_here",
    model="sara",
)
response = llm.invoke("What is APT29?")

POST /api/v1/chat Pro+ SARA Native
SARA's native format with response mode, sources, and detected IOCs. Same pipeline as chat/completions.

Request

{
  "message": "What is CVE-2024-3400?",
  "web_browse": true
}

For multi-turn conversations:

{
  "messages": [
    {"role": "user", "content": "Tell me about APT28"},
    {"role": "assistant", "content": "APT28 is..."},
    {"role": "user", "content": "What TTPs do they use?"}
  ]
}

Response

{
  "response": "CVE-2024-3400 is a critical vulnerability in PAN-OS...",
  "mode": "threat_intel",
  "sources": ["Knowledge Base", "NVD"],
  "iocs_detected": [],
  "remaining_this_hour": 499,
  "hourly_limit": 500
}

| Field | Type | Description |
| --- | --- | --- |
| response | string | SARA's full analysis |
| mode | string | Response mode used (threat_intel, case_analysis, definition, etc.) |
| sources | array | Data sources used (Knowledge Base, NVD, Web Search, etc.) |
| iocs_detected | array | IOCs found in the query |

POST /api/v1/enrich Pro+
Enrich IOCs (IPs, hashes, domains, URLs) with threat intelligence from multiple sources.

Request

{
  "iocs": [
    {"value": "185.220.101.34", "type": "ip"},
    {"value": "44d88612fea8a8f36de82e1278abb02f", "type": "hash"}
  ]
}

Max 20 IOCs per request. Types: ip, hash, domain, url.

Response

{
  "results": "### 185.220.101.34\n**Verdict:** SUSPICIOUS...",
  "ioc_count": 2,
  "verdicts": [
    {"value": "185.220.101.34", "type": "ip", "verdict": "SUSPICIOUS", "score": 60},
    {"value": "44d886...", "type": "hash", "verdict": "MALICIOUS", "score": 90}
  ]
}
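Added example (not SIRP's code): one way to prepare a raw indicator list for /api/v1/enrich, classifying each value into the documented types, de-duplicating, and splitting the result into bodies of at most 20 IOCs. The refanging rules, the accepted hash lengths, and the choice to drop non-global IPs are assumptions of this example, and all function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MAX_IOCS_PER_REQUEST = 20  # limit stated in the API docs
# Assumption: "hash" means an MD5, SHA-1 or SHA-256 hex digest.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def refang(value):
    """Undo common defanging (hxxp, [.], (.)) found in reports and tickets."""
    v = re.sub(r"^hxxp", "http", value.strip(), flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value):
    """Return a documented type (ip, hash, domain, url) or None to reject."""
    try:
        # Non-global (RFC 1918, loopback) addresses would only leak internal addressing.
        return "ip" if ipaddress.ip_address(value).is_global else None
    except ValueError:
        pass
    if HASH_RE.match(value):
        return "hash"
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None
    if parts.scheme in ("http", "https") and parts.netloc:
        return "url"
    return "domain" if DOMAIN_RE.match(value) else None


def build_enrich_payloads(raw_values):
    """Normalise, de-duplicate and split indicators into /enrich bodies."""
    seen, iocs, rejected = set(), [], []
    for raw in raw_values:
        value = refang(raw)
        kind = classify(value)
        if kind is None:
            rejected.append(raw)
            continue
        value = value.lower() if kind in ("hash", "domain") else value
        if value not in seen:
            seen.add(value)
            iocs.append({"value": value, "type": kind})
    return [{"iocs": iocs[i:i + MAX_IOCS_PER_REQUEST]}
            for i in range(0, len(iocs), MAX_IOCS_PER_REQUEST)], rejected
```

Each returned dict can be posted as-is; the rejected list is worth logging so that dropped values are reviewed rather than silently lost.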

POST /api/v1/analyze Pro+
Analyze security content — alerts, phishing emails, or CVEs.

Request

// Alert triage
{
  "content": "EventID=4625 LogonType=3 TargetUserName=admin...",
  "type": "alert"
}

// Phishing email analysis
{
  "content": "From: [email protected]\nReply-To: [email protected]...",
  "type": "email"
}

// CVE lookup
{
  "content": "CVE-2024-3400",
  "type": "cve"
}

// Auto-detect
{
  "content": "CEF:0|Palo Alto|Cortex XDR|...",
  "type": "auto"
}

Types: alert (CEF, syslog, Kibana, JSON), email (phishing), cve, auto (auto-detect).

Response

{
  "analysis": "## Facts\n- Observed: EventID 4625...",
  "type": "windows_event"
}

POST /api/v1/keys
Create a new API key.

{"name": "My SOAR Integration"}

Returns the key once — save it immediately.

GET /api/v1/keys
List your API keys (prefixes only, not full keys).

DELETE /api/v1/keys/{key_id}
Revoke an API key. Integrations using it will stop working immediately.

Response Modes

SARA automatically selects the best response mode based on your query:

| Mode | Triggers When |
| --- | --- |
| threat_intel | CVE lookups, threat actor queries, vulnerability research |
| case_analysis | Incident analysis with real evidence |
| ioc_enrichment | IP, hash, domain, or URL detected in query |
| definition | "What is X?" questions |
| generic_guidance | "How do I?" questions |
| comparison | "X vs Y" comparisons |
| phishing_analysis | Email headers/body pasted |
| alert_triage | Alert payload pasted (CEF, syslog, JSON, Kibana) |

Error Codes

| Code | Meaning |
| --- | --- |
| 400 | Bad request — missing or invalid parameters |
| 401 | Invalid or missing API key |
| 403 | Plan doesn't support API access |
| 429 | Rate limit exceeded — wait and retry |
| 503 | LLM or processing temporarily unavailable |
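Added example (not part of the SARA documentation): a retry wrapper that follows the error table above, backing off on 429 and 503 and failing immediately on 400, 401 and 403. The `send` callable, the `SaraApiError` class and the backoff parameters are hypothetical choices of this example.

```python
import random
import time

RETRYABLE = {429, 503}  # "wait and retry" / "temporarily unavailable" in the table
FATAL = {400: "bad request", 401: "invalid or missing API key",
         403: "plan doesn't support API access"}


class SaraApiError(Exception):
    """Raised for non-retryable statuses or when retries are exhausted."""

    def __init__(self, status, detail):
        super().__init__(f"HTTP {status}: {detail}")
        self.status = status


def backoff_delay(attempt, base=2.0, cap=60.0, rng=random.random):
    """Exponential backoff with full jitter: rng() * min(cap, base * 2**attempt)."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_retry(send, max_attempts=4, sleep=time.sleep, rng=random.random):
    """Run send() -> (status_code, parsed_json) and retry only 429 and 503.

    `send` is a hypothetical zero-argument callable that performs one HTTP
    request; `sleep` and `rng` are injectable so the logic can be tested offline.
    """
    for attempt in range(max_attempts):
        status, body = send()
        if status == 200:
            return body
        if status in FATAL:
            # Retrying a bad key or a malformed payload cannot succeed.
            raise SaraApiError(status, FATAL[status])
        if status not in RETRYABLE:
            raise SaraApiError(status, "unexpected status")
        if attempt < max_attempts - 1:
            sleep(backoff_delay(attempt, rng=rng))
    raise SaraApiError(status, "retries exhausted")
```

In a SOAR playbook, a 401 or 403 raised here should page the integration owner instead of being retried, since it usually means the key was revoked or the plan changed.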

Examples

Python

import requests

resp = requests.post(
    "https://sara-open.sirp.io/api/v1/chat",
    headers={"x-api-key": "sara_your_key"},
    json={"message": "What is CVE-2024-3400?"},
    timeout=60,
)
resp.raise_for_status()  # raise on the 4xx/5xx codes listed under Error Codes
print(resp.json()["response"])

JavaScript

const resp = await fetch("https://sara-open.sirp.io/api/v1/chat", {
  method: "POST",
  headers: { "x-api-key": "sara_your_key", "Content-Type": "application/json" },
  body: JSON.stringify({ message: "Analyze this IP: 185.220.101.34" }),
});
const data = await resp.json();
console.log(data.response, data.iocs_detected);

Built by SIRP — Powered by OmniSense