Compliance Controls
Real-time compliance health checks and financial controls monitoring.
Overview
The compliance endpoint runs live checks against your organization's security and regulatory controls. Use it to verify that encryption keys are configured, API keys have proper permissions, and webhook secrets are encrypted at rest.
Endpoint: GET /v1/internal/compliance
Authentication: Requires a valid API key with admin-level access.
Response
```json
{
  "status": "compliant",
  "summary": {
    "total": 6,
    "passed": 5,
    "failed": 0,
    "warnings": 1
  },
  "controls": [
    {
      "control": "access_control.no_null_permissions",
      "status": "pass",
      "detail": "All active API keys have explicit permissions",
      "lastChecked": "2026-02-12T00:00:00.000Z"
    }
  ],
  "checkedAt": "2026-02-12T00:00:00.000Z"
}
```
Top-level fields
| Field | Type | Description |
|---|---|---|
| status | string | compliant, warnings, or non_compliant |
| summary.total | number | Total controls checked |
| summary.passed | number | Controls that passed |
| summary.failed | number | Controls that failed |
| summary.warnings | number | Controls with warnings |
| controls | array | Individual control results |
| checkedAt | string | ISO 8601 timestamp of the check |
Controls
access_control.no_null_permissions
Verifies that all active (non-revoked) API keys have explicit permissions set. Keys without permissions could bypass access controls.
| Status | Meaning |
|---|---|
| pass | All active API keys have explicit permissions |
| fail | One or more active keys have NULL permissions |
access_control.expired_keys_revoked
Checks that expired API keys have been revoked. Expired but unrevoked keys may indicate a gap in key lifecycle management.
| Status | Meaning |
|---|---|
| pass | All expired keys are revoked |
| warn | Expired keys still active (auto-revocation worker handles this) |
encryption.webhook_secrets
Samples up to 10 webhook secrets and verifies they follow the AES-256-GCM encrypted format (iv:authTag:ciphertext).
| Status | Meaning |
|---|---|
| pass | All sampled secrets are encrypted at rest |
| fail | Unencrypted secrets found |
| warn | No webhooks registered to verify |
encryption.key_configured
Checks that the WEBHOOK_ENCRYPTION_KEY environment variable is set. Without it, webhook secret encryption cannot function.
| Status | Meaning |
|---|---|
| pass | Encryption key is configured |
| fail | WEBHOOK_ENCRYPTION_KEY not set |
headers.security_headers
Confirms that security headers are configured in the middleware: HSTS, Content-Security-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy, and Permissions-Policy.
| Status | Meaning |
|---|---|
| pass | All security headers are configured |
access_control.mcp_auth_token
Verifies that the MCP server authentication token is configured, ensuring the MCP transport layer requires authentication.
| Status | Meaning |
|---|---|
| pass | MCP auth token configured |
| warn | MCP_AUTH_TOKEN not set |
Status logic
- compliant — All controls pass (no failures, no warnings)
- warnings — No failures, but one or more warnings exist
- non_compliant — One or more controls failed
Usage
Use the compliance endpoint in CI/CD pipelines, scheduled health checks, or operational dashboards to continuously verify your security posture.
```bash
curl -H "Authorization: Bearer wg_live_xxx" \
  https://api.wallgent.com/v1/internal/compliance
```
A non-compliant response (any fail status) should trigger investigation. Common remediations:
| Control | Remediation |
|---|---|
| no_null_permissions | Update API keys to include explicit permissions |
| expired_keys_revoked | Revoke expired keys or verify the auto-revocation worker is running |
| webhook_secrets | Re-register webhooks to encrypt secrets with the current encryption key |
| key_configured | Set WEBHOOK_ENCRYPTION_KEY in environment variables |
| mcp_auth_token | Set MCP_AUTH_TOKEN in environment variables |
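To gate a pipeline on this endpoint, here is an added example (not part of the Wallgent docs or API) that applies the status logic and remediation table above to a response: it re-derives the top-level status from the control list so an inconsistent or truncated response is itself a finding, and exits non-zero when the pipeline should stop. The `SAMPLE` response is constructed; in CI the curl output is piped on stdin, and `--strict` also blocks on warnings.

```python
import json
import sys

# Remediation hints from the page's table, keyed by the control name suffix.
REMEDIATION = {
    "no_null_permissions": "Update API keys to include explicit permissions",
    "expired_keys_revoked": "Revoke expired keys or verify the auto-revocation worker is running",
    "webhook_secrets": "Re-register webhooks to encrypt secrets with the current encryption key",
    "key_configured": "Set WEBHOOK_ENCRYPTION_KEY in environment variables",
    "mcp_auth_token": "Set MCP_AUTH_TOKEN in environment variables",
}
# Constructed sample response in the page's shape (two of the six controls shown).
SAMPLE = {
    "status": "warnings", "summary": {"total": 2, "passed": 1, "failed": 0, "warnings": 1},
    "controls": [{"control": "access_control.no_null_permissions", "status": "pass", "detail": "All active API keys have explicit permissions"},
                 {"control": "access_control.expired_keys_revoked", "status": "warn", "detail": "Expired keys still active"}],
}

def derive_status(controls):
    # Documented status logic: any fail -> non_compliant, else any warn -> warnings, else compliant.
    statuses = {c["status"] for c in controls}
    if "fail" in statuses:
        return "non_compliant"
    return "warnings" if "warn" in statuses else "compliant"

def evaluate(response, fail_on_warnings=False):
    """Return (exit_code, findings); exit code 0 means the pipeline may proceed."""
    controls, findings = response["controls"], []
    # Status and summary must agree with the control list before the verdict is trusted.
    derived = derive_status(controls)
    if derived != response["status"]:
        findings.append(f"INCONSISTENT status: reported {response['status']}, derived {derived}")
    counts = {k: sum(c["status"] == k for c in controls) for k in ("pass", "fail", "warn")}
    reported = tuple(response["summary"][k] for k in ("total", "passed", "failed", "warnings"))
    if reported != (len(controls), counts["pass"], counts["fail"], counts["warn"]):
        findings.append("INCONSISTENT summary: counts do not match control results")
    for c in controls:
        if c["status"] != "pass":
            hint = REMEDIATION.get(c["control"].rsplit(".", 1)[-1], "no documented remediation")
            findings.append(f"{c['status'].upper()} {c['control']}: {c['detail']} -> {hint}")
    inconsistent = any(f.startswith("INCONSISTENT") for f in findings)
    blocking = inconsistent or derived == "non_compliant" or (fail_on_warnings and derived == "warnings")
    return (1 if blocking else 0), findings

if __name__ == "__main__":
    # Pipe the curl output to stdin; when run interactively, the constructed sample is evaluated.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    code, findings = evaluate(data, fail_on_warnings="--strict" in sys.argv)
    print("\n".join(findings) or "all controls pass")
    sys.exit(code)
```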