myctrl.tools
Home / Developers / API

API Reference

myctrl.tools exposes an authenticated /api/v1/* API family for framework, control, crosswalk, guidance, and search workflows.

Authenticated API

/api/v1/*

API key-protected endpoints for frameworks, controls, crosswalks, guidance, and unified search.

https://myctrl.tools/api/v1
External Resource

Upstream NIST CMVP API

The CMVP explorer uses an upstream static dataset that remains outside the supported myctrl.tools API contract.

View the upstream CMVP API guide

Authentication

All supported myctrl.tools API access goes through the authenticated /api/v1/* surface.

Create and manage keys from the Developers hub.

# Option 1: Authorization header
Authorization: Bearer mct_live_your_key_here
# Option 2: x-api-key header
x-api-key: mct_live_your_key_here

Authenticated Endpoints

The authenticated API is optimized for compliance data retrieval and automation inside external systems.

GET /api/v1/frameworks

List all available frameworks with pagination.

Param Type Description
category string Filter by tag such as `us-federal`, `ai`, or `privacy`.
limit number Results per page. Default `50`, maximum `200`.
cursor string Pagination cursor from the previous response. 
curl -H "Authorization: Bearer mct_live_..." \
  "https://myctrl.tools/api/v1/frameworks?category=ai&limit=10"
GET /api/v1/frameworks/{slug}

Get metadata for a single framework, including family list and framework-level context.

curl -H "x-api-key: mct_live_..." \
  "https://myctrl.tools/api/v1/frameworks/nist-800-53-r5"
GET /api/v1/controls/{frameworkSlug}/{controlId}

Look up a single control with framework-specific fields and crosswalk mappings.

Supports exact IDs such as `AC-2` and slugified forms such as `ac-2`. Matching is case-insensitive.

curl -H "Authorization: Bearer mct_live_..." \
  "https://myctrl.tools/api/v1/controls/nist-800-53-r5/AC-2"
GET /api/v1/crosswalks

Query cross-framework control mappings.

Param Type Description
from string Required source framework slug.
to string Target framework slug.
control string Source control ID to narrow the mapping set. 
curl -H "Authorization: Bearer mct_live_..." \
  "https://myctrl.tools/api/v1/crosswalks?from=nist-csf-v2&to=nist-800-53-r5&control=PR.AA-01"
GET /api/v1/guidance/{technologySlug}

Retrieve technology-specific implementation guidance with sources, commands, and control mappings.

curl -H "Authorization: Bearer mct_live_..." \
  "https://myctrl.tools/api/v1/guidance/okta"
GET /api/v1/search

Search across controls, frameworks, and guidance with exact-ID boosting.

Param Type Description
q string Required search query. Maximum 200 characters.
type string `control`, `framework`, or `all`.
limit number Maximum results. Default `10`, maximum `50`. 
curl -H "Authorization: Bearer mct_live_..." \
  "https://myctrl.tools/api/v1/search?q=account+management&type=control&limit=5"

Error Handling

Authenticated API errors return JSON with a consistent structure:

{
  "error": {
    "code": "not_found",
    "message": "Control 'XY-99' not found in framework 'nist-800-53-r5'."
  }
}
HTTP Code When
400bad_requestInvalid params or malformed slugs.
401unauthorizedMissing or invalid API key.
403forbiddenRevoked or suspended key.
404not_foundFramework, control, or guide not found.
429rate_limit_exceededPer-key rate limit hit.
500internal_errorUnexpected server error.

Rate Limiting

Authenticated responses include the standard rate limit headers. See the Developers hub for tier details.

X-RateLimit-Limit: 60
X-RateLimit-Remaining: 42
X-RateLimit-Reset: 1710700000
Upstream Resource

Upstream NIST CMVP API

The upstream static CMVP dataset is documented separately so it stays clearly outside the myctrl.tools product API contract.

View the upstream CMVP API guide