The Gridlock REST API gives you programmatic access to every capability available through the dashboard — running AI agents, querying threat data, managing accounts, pulling compliance reports, and more. Whether you're building integrations, automating MSP workflows, or embedding Gridlock data into your own tooling, the API is your entry point.
This reference covers the foundational concepts that apply across every endpoint: the base URL, how authentication works, request and response conventions, rate limits, and error handling. Read this first before diving into specific endpoint documentation.
The Gridlock API is currently at version 1. No version prefix is required in the URL — all requests
to https://lockthegrid.com/api/* are served by v1. When a breaking version is introduced,
it will be announced with at least 6 months of parallel support for the prior version.
All API requests are made over HTTPS to the following base URL. HTTP requests are automatically redirected to HTTPS and all non-HTTPS traffic is rejected at the edge.
https://lockthegrid.com/api
Example: to fetch the currently authenticated user's profile, you would request:
GET https://lockthegrid.com/api/user/profile
Unlike some APIs, Gridlock does not require a /v1/ path segment. Requests to
/api/agents/run are correct. Requests to /api/v1/agents/run will return 404.
This will remain true for the lifetime of v1.
The Gridlock API supports two authentication methods depending on your use case. Both are passed via the
standard HTTP Authorization header.
| Method | Header Value | Best For | Expiry |
|---|---|---|---|
| JWT Bearer Token | Bearer <token> |
Web app sessions, dashboard interactions | 7 days |
| API Key | Bearer gl_live_<key> |
Server-to-server, scripts, integrations | Configurable or never |
See the Authentication guide for full details on obtaining tokens, generating API keys, scopes, rotation, and security best practices.
All requests that include a body (POST, PUT, PATCH) must send JSON and set the appropriate content type header. GET and DELETE requests do not include a body.
Content-Type: application/json
A typical POST request looks like:
POST https://lockthegrid.com/api/agents/run
Authorization: Bearer gl_live_abc123xyz
Content-Type: application/json
{
"agent": "threat-researcher",
"target": "acmecorp.com",
"options": {
"include_cve": true,
"mitre_mapping": true
}
}
All string values must be UTF-8 encoded. The API will reject requests with malformed encoding with
a 400 Bad Request response.
Every response from the Gridlock API is JSON. Successful responses always include a top-level
success: true field alongside the relevant data payload. Error responses use
success: false and include an error message string.
{
"success": true,
"data": {
"agent_run_id": "run_9f3a1b2c",
"agent": "threat-researcher",
"status": "queued",
"estimated_completion_seconds": 45
}
}
{
"error": "Invalid agent name. Must be one of: msp-hunter, threat-researcher, tech-support, compliance, account-manager, onboarding"
}
Error messages are human-readable and safe to surface in developer tooling. They never include stack traces, internal service names, or database details.
The API uses standard HTTP status codes to indicate the result of every request. Your client should handle all of the following.
| Code | Name | Meaning |
|---|---|---|
| 200 | OK | Request succeeded. Response body contains the requested data. |
| 201 | Created | Resource was created successfully. Used for POST requests that create new entities. |
| 400 | Bad Request | The request was malformed, missing required fields, or contained invalid values. Check the error field for specifics. |
| 401 | Unauthorized | No valid credentials were provided, or the token has expired. Re-authenticate and retry. |
| 403 | Forbidden | Valid credentials were provided, but they do not have permission to perform this action. Check your API key scopes. |
| 404 | Not Found | The requested resource does not exist. Double-check the path and any resource IDs in the URL. |
| 429 | Too Many Requests | Rate limit exceeded. See the Retry-After response header for how many seconds to wait before retrying. |
| 500 | Internal Server Error | An unexpected error occurred on the Gridlock side. These are automatically reported to our monitoring. If persistent, contact support. |
Rate limits are enforced per IP address and per API key. Limits vary by plan and endpoint category.
When a limit is exceeded, the API returns 429 Too Many Requests and includes a
Retry-After header indicating when you may retry.
| Endpoint Category | Limit | Window | Notes |
|---|---|---|---|
| General API | 100 requests | per minute, per IP | Applies to all authenticated requests |
Auth endpoints (/api/auth/*) |
10 requests | per minute, per IP | Stricter limit to prevent brute force |
| Agent execution | 20 runs | per minute, per account | Applies across all agent types combined |
| Webhook delivery | N/A — inbound only | — | Gridlock does not rate limit webhook receipt |
Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, and
X-RateLimit-Reset headers so your client can track consumption proactively. Build retry
logic around these headers rather than relying on catching 429 responses after the fact.
The Gridlock API is currently at version 1. There is no version prefix in the URL path —
all requests to /api/* target v1 automatically. This design keeps integration code simple
and avoids version drift in stored URLs or configuration.
When a breaking change requires a new version, Gridlock will:
Non-breaking additions — new optional fields in responses, new optional request parameters, new endpoints — are released without versioning and will not require any changes to existing integrations.
There is currently no official Gridlock SDK. All integrations use raw HTTP requests. The API is intentionally simple enough that a thin wrapper in any language takes under an hour to build.
Any HTTP client works. Examples in this documentation use curl for shell and the
native fetch API for JavaScript. The patterns shown apply directly to libraries like
axios, Python's requests, Go's net/http, or any other HTTP
client you prefer.
If you build a client library for Gridlock, we want to hear about it. Reach out via support and we'll consider featuring it in the documentation. First-party SDKs for Node.js and Python are on the roadmap for late 2026.
API keys are generated in the Gridlock dashboard. Each key can be scoped to specific permissions and given an optional expiry date.
The full API key value is only displayed at creation time. If you lose a key, you cannot recover it — you must revoke it and generate a new one. Store keys in a secrets manager (AWS Secrets Manager, HashiCorp Vault, GitHub Secrets, etc.) immediately after generation. Never commit API keys to source control.
Here is a minimal example showing a complete authenticated API request. This call fetches the current account's threat summary using a curl command.
curl -s \
-H "Authorization: Bearer gl_live_your_key_here" \
-H "Content-Type: application/json" \
https://lockthegrid.com/api/threats/summary
And the same request in JavaScript using the native fetch API:
const response = await fetch('https://lockthegrid.com/api/threats/summary', {
method: 'GET',
headers: {
'Authorization': 'Bearer gl_live_your_key_here',
'Content-Type': 'application/json'
}
});
if (!response.ok) {
const err = await response.json();
throw new Error(err.error);
}
const data = await response.json();
console.log(data);
That's the complete mental model for the Gridlock API. Authenticated HTTP requests, JSON in, JSON out, standard status codes. Continue to the Authentication guide for details on token handling, or jump straight to Endpoints for the full endpoint reference.
JWT tokens vs API keys, how to obtain and rotate credentials, scopes, and security best practices for server-to-server integrations.
Configure Gridlock to push events to your system in real time. Covers event types, payload structure, signature verification, and retry behavior.
The complete endpoint reference: every route, required parameters, response schemas, and example requests for all Gridlock API resources.