Authentication

Policy Engine uses API key authentication. Include your key in the Authorization header of every request.

Authorization: Bearer YOUR_API_KEY

You can find your API key in your Profile page. The /api/check endpoint also works without a key for anonymous (rate-limited) checks.

Rate Limiting

To ensure fair usage, API requests are rate-limited per user.

Plan Requests / Hour Max Code Size
Anonymous 10 50 KB
Free Account 100 500 KB
Pro 1,000 5 MB

When you exceed the limit, you'll receive a 429 Too Many Requests response with a Retry-After header.

Error Codes

Policy Engine uses standard HTTP status codes.

Code Meaning
200 Request successful
400 Bad Request — missing or invalid parameters
401 Unauthorized — invalid or missing API key
404 Not Found — resource does not exist
422 Unprocessable — code could not be parsed
429 Too Many Requests — rate limit exceeded
500 Internal Server Error
Endpoints
POST /api/check Check Terraform code for policy violations

Analyzes Terraform HCL code and returns a list of security violations grouped by severity. Works anonymously (rate-limited) or authenticated.

Request Body
Parameter Type Required Description
code string required The Terraform HCL code to analyze
filename string optional Label for the check (e.g., "main.tf") for history records
Example Request
curl -X POST https://tfgaurd.com/api/check \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_API_KEY" \ -d '{"code": "resource \"aws_s3_bucket\" \"b\" {\n acl = \"public-read\"\n}", "filename": "main.tf"}'
200 Success Response
{ "passed": false, "resource_count": 1, "violation_count": 2, "violations": [ { "resource_type": "aws_s3_bucket", "resource_name": "b", "violation": "S3 bucket has public ACL set to public-read", "severity": "CRITICAL" } ], "check_id": 42 // only for authenticated requests }
400 Error Response
{ "error": "Missing required field: code" }
GET /api/rules List all available policy rules

Returns all built-in and custom policy rules available in the system, organized by resource type.

Query Parameters
Parameter Type Required Description
resource_type string optional Filter by resource type (e.g., aws_s3_bucket)
Example Request
curl https://tfgaurd.com/api/rules \ -H "Authorization: Bearer YOUR_API_KEY"
200 Success Response
{ "rules": { "aws_s3_bucket": [ { "name": "check_public_access", "description": "S3 bucket must not have public ACL", "severity": "CRITICAL", "category": "built-in" } ] }, "total_rules": 63 }
GET /api/history Retrieve check history (auth required)

Returns the authenticated user's policy check history. Requires a valid API key.

Query Parameters
Parameter Type Required Description
limit integer optional Max results to return (default: 20, max: 100)
offset integer optional Pagination offset (default: 0)
Example Request
curl "https://tfgaurd.com/api/history?limit=5" \ -H "Authorization: Bearer YOUR_API_KEY"
200 Success Response
{ "checks": [ { "id": 42, "filename": "main.tf", "passed": false, "resource_count": 3, "violation_count": 5, "created_at": "2026-03-02T13:20:00Z" } ], "total": 15, "limit": 5, "offset": 0 }
GET /health Service health status

Returns the current health and version information. No authentication required. Useful for monitoring and uptime checks.

200 Success Response
{ "status": "healthy", "version": "1.0.0", "timestamp": "2026-03-02T13:20:46Z" }