CaseForge Platform API

Enterprise REST API for case management, compliance workflows, policy automation, and graph analytics. Integrate alerts, manage investigations, and automate compliance operations at scale.

https://{your-instance}.caseforge.io/api/v1

✓ SOC 2 Type II ✓ ISO 27001 ✓ FinCEN BSA Compliant ✓ GDPR Ready ✓ FATF Aligned ⚙ FedRAMP In Process

Authentication

CaseForge uses session-based authentication with CSRF protection. To authenticate, send a POST request with your credentials to the login endpoint. On success, the server returns a session cookie and a CSRF token in the response headers. Include both on all subsequent requests.

All API requests must be made over HTTPS. Calls made over plain HTTP will be rejected. API requests without authentication will return 401 Unauthorized.

ℹ

For service-to-service integrations, use API key authentication by including your key in the X-API-Key header. API keys can be created in Administration → API Keys.

🖥

Your Client

→

🔑

POST /auth/login

→

🍪

Session Cookie
+ CSRF Token

→

🛡

Include Both
on Every Request

→

✓

API Response

cURLPythonNode.js

curl -X POST https://acme.caseforge.io/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "analyst@acme.com", "password": "••••••••"}' \
  -c cookies.txt # Save session cookie

# Use session cookie + CSRF token on subsequent requests:
curl https://acme.caseforge.io/api/v1/work-items/WI-20250001 \
  -b cookies.txt \
  -H "X-CSRF-Token: <token-from-login-response>"

Error Handling

CaseForge returns standard HTTP status codes. Errors include a structured JSON body with a machine-readable code, a human-readable message, and a request_id for support ticket reference.

Error Response

{
  "error": {
    "type": "validation_error",
    "code": "missing_required_field",
    "message": "The 'workItemTypeIdentifier' field is required.",
    "param": "workItemTypeIdentifier",
    "request_id": "req_8xK9mRtL3vN2"
  }
}

HTTP Status Codes

200OK — Request succeeded

201Created — Resource successfully created

204No Content — Successful deletion, no body returned

400Bad Request — Invalid parameters, malformed JSON, or validation failure

401Unauthorized — Missing or expired session. Re-authenticate via /auth/login

402Payment Required — Feature requires a license not present on this instance

403Forbidden — Authenticated but lacking the required permission for this action

404Not Found — The requested resource does not exist or was deleted

406Not Acceptable — Malformed file upload (import endpoints)

409Conflict — Duplicate resource or concurrent modification detected

412Precondition Failed — Feature not supported for this resource type

413Payload Too Large — Request exceeds maximum batch size (typically 200 items)

422Unprocessable Entity — Parameters are valid but the operation cannot proceed

429Too Many Requests — Rate limit exceeded. See Retry-After header

500Internal Server Error — Unexpected error. Include request_id in support tickets

503Service Unavailable — Upstream dependency (analytics engine, database) unreachable

Rate Limits

Rate limits are enforced per authenticated session. When exceeded, subsequent requests return 429 Too Many Requests. Check the Retry-After header for wait time in seconds. Bulk operations (ingest, export) have separate, lower limits.

Standard

200

requests / minute

Single-user sessions
10 concurrent sessions

Enterprise

1,000

requests / minute

API key auth
50 concurrent sessions

Bulk Operations

requests / minute

Import, export, ingest
Max 200 items per request

⚠

Rate limit headers are included in every response: X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset. Monitor these proactively.

Pagination

List endpoints support offset-based pagination with startIndex and maxNumOfRows query parameters. Responses include a rowLimitExceeded flag indicating whether additional pages are available. The default page size is 20 and the maximum is 200.

Pattern

// First page
GET /api/v1/work-items?maxNumOfRows=50&startIndex=0

// Next page
GET /api/v1/work-items?maxNumOfRows=50&startIndex=50

// Check response: "rowLimitExceeded": true → more pages available

ℹ

Data Querying (DDQ) endpoints additionally support a timeoutInSeconds parameter. Results are capped at the configured maximum result set size (default: 10 MB).

Permissions & Licensing

Most endpoints require specific permissions and/or active license modules. If a required permission is missing, the API returns 403 Forbidden. If a required license is missing, you'll receive 402 Payment Required. This documentation marks required permissions and licenses on each endpoint.

Common permission categories include: Execute Web Services Work Item View Work Item Edit Policy Manager Graph Analytics Self Services

Session Authentication

POST/api/v1/auth/loginAuthenticate and create a session▾

Authenticates a user with explicit username and password. On success, creates a user session and returns a session cookie and a CSRF token in the response headers. Both must be included in all subsequent requests.

Request Body

Parameter	Type	Required	Description
username	string	Required	The login name or email address of the user.
password	string	Required	The user's password. Transmitted securely over HTTPS.

Request

cURL

curl -X POST https://acme.caseforge.io/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "analyst@acme.com", "password": "s3cur3P@ss"}'

Response Headers

200 OK

Set-Cookie: CFSESSION=abc123xyz...; Path=/; Secure; HttpOnly; SameSite=Strict
X-CSRF-Token: f7d2a9c1-4e8b-4f3a-a6d1-9e7c2b8f0d4e

Status Codes

200Login successful. Session cookie and CSRF token set in headers.

401Invalid credentials. Check username and password.

403Account locked or disabled. Contact your administrator.

POST/api/v1/auth/logoutTerminate the authenticated session▾

Ends the current user session and invalidates the session cookie. After logout, the client must re-authenticate to make further API calls. No request body is required.

ℹ

Sessions automatically expire after 30 minutes of inactivity (configurable). Explicit logout is recommended to free server resources.

POST/api/v1/user/passwordChange user password (pre-login)▾

Changes a user's password before login. This is typically used for password reset flows or first-time login scenarios where the user must set a new password.

Admin Util — Change Password

Parameter	Type	Required	Description
loginName	string	Required	Login name of the user to change the password for.
oldPassword	string	Required	Current password for verification.
newPassword	string	Required	New password. Must meet complexity requirements configured in system settings.

200Password changed successfully.

400New password does not meet complexity requirements.

403Missing permission: Change Password.

500Incorrect old password was specified.

Work Items

Work items are the core objects in CaseForge — representing alerts, cases, SARs, and investigation records. Each work item has a type, a workflow lifecycle, custom fields, relations to other items, and a full audit trail.

POST/api/v1/work-itemsCreate a new work item▾

Creates a new work item (alert, case, or entity) of the specified type. The work item is initialized in the first workflow step with default field values. Custom field values can be provided at creation time.

Execute Web Services Create Work Item

Request Body

Parameter	Type	Required	Description
alertName	string	Required	Display name for the work item. Max 255 characters.
alertTypeIdentifier	string	Required	The identifier of the work item type (e.g., `SAR`, `ALERT`, `CASE`).
alertTypeVersion	string	Optional	Version of the work item type. Defaults to latest version.
score	string	Optional	Risk score. Numeric string value.
priorityIdentifier	string	Optional	Priority level: `high`, `medium`, `low`.
ownerIdentifier	string	Optional	User identifier of the assigned owner.
buIdentifier	string	Optional	Business unit identifier for multi-tenant isolation.
content	string	Optional	XML or JSON payload containing the work item's source data.
customFields	array	Optional	Array of `{identifier, value}` objects for setting custom field values.
reasons	array	Optional	Array of reason codes explaining why this work item was generated.

Request

cURL

curl -X POST https://acme.caseforge.io/api/v1/work-items \
  -H "Content-Type: application/json" \
  -H "X-CSRF-Token: f7d2a9c1-..." \
  -b cookies.txt \
  -d '{
    "alertName": "Suspicious Wire Transfer — $250,000",
    "alertTypeIdentifier": "SAR",
    "score": "87",
    "priorityIdentifier": "high",
    "ownerIdentifier": "analyst_jsmith",
    "customFields": [
      {"identifier": "Transaction_Amount", "value": "250000"},
      {"identifier": "Originator_Country", "value": "US"}
    ],
    "reasons": [
      {"identifier": "velocity_check", "name": "Velocity threshold exceeded"},
      {"identifier": "geo_risk", "name": "High-risk geography"}
    ]
  }'

Response

201 Created

{
  "status": true,
  "workItemIdentifier": "WI-20250227-0042",
  "message": "Work item created successfully"
}

201Work item created successfully. Returns the new identifier.

400Invalid parameters — missing required fields or malformed payload.

403Missing permission: Create Work Item.

404Work item type identifier not found.

413Content payload exceeds maximum allowed size.

GET/api/v1/work-items/{workItemId}Retrieve a work item by ID▾

Retrieves the full details of an existing work item including all field values, current workflow state, assigned owner, audit history, and related entities.

Work Item View

Parameter	Type	Required	Description
workItemId	string	Required	Unique identifier of the work item, e.g. `WI-20250227-0042`

200 OK

{
  "alertIdentifier": "WI-20250227-0042",
  "alertName": "Suspicious Wire Transfer — $250,000",
  "alertTypeIdentifier": "SAR",
  "alertDate": "2025-02-27 14:32:07",
  "state": "Open",
  "statusIdentifier": "UNDER_REVIEW",
  "score": "87",
  "priorityIdentifier": "high",
  "ownerIdentifier": "analyst_jsmith",
  "buIdentifier": "compliance_us",
  "customFields": [
    {"identifier": "Transaction_Amount", "value": "250000"},
    {"identifier": "Originator_Country", "value": "US"}
  ],
  "reasons": [
    {"identifier": "velocity_check", "name": "Velocity threshold exceeded"}
  ],
  "lastUpdateDate": "2025-02-27 15:10:44",
  "lastUpdateUserIdentifier": "analyst_jsmith"
}

PUT/api/v1/work-items/{workItemId}Update work item fields▾

Updates one or more fields on an existing work item. Only the fields provided in the request body are modified — omitted fields retain their current values. Fields restricted by the current workflow step cannot be updated.

Work Item Edit

⚠

Some fields are read-only in certain workflow steps. Attempting to modify a restricted field returns 422 Unprocessable Entity with the specific field listed in the error response.

POST/api/v1/work-items/searchSearch work items with filters▾

Searches work items using a flexible filter object. Supports filtering by type, status, owner, date range, custom field values, and full-text search on the work item content. Results are paginated.

Work Item View

Parameter	Type	Required	Description
workItemTypeIdentifier	string	Optional	Filter by work item type.
statusIdentifier	string	Optional	Filter by current workflow status.
ownerIdentifier	string	Optional	Filter by assigned owner.
dateFrom	string	Optional	Start date filter (ISO 8601). Format: `yyyy-MM-dd HH:mm:ss`
dateTo	string	Optional	End date filter (ISO 8601).
maxNumOfRows	integer	Optional	Page size (1–200). Default: 20.
startIndex	integer	Optional	Zero-based offset for pagination.

POST/api/v1/work-items/{workItemId}/workflow/stepAdvance workflow step▾

Changes the workflow step (status) of a work item. The target step must be a valid next step from the current position in the workflow. The response includes the list of permitted actions, any unresolved mandatory tasks, and available next steps.

Work Item Edit Change Workflow Step

Parameter	Type	Required	Description
targetStepIdentifier	string	Required	Identifier of the target workflow step to transition to.
comment	string	Optional	Audit comment for the transition. Max 4,000 characters.

All mandatory tasks for the current workflow step must be completed before transitioning. If unresolved tasks exist, the API returns 422 with the list of blocking tasks in unresolvedMandatoryTasks.

Data Ingestion

POST/api/v1/work-items/ingestIngest a work item from external system▾

Ingests a work item from an external source system using a pre-defined field mapping. The API maps incoming JSON fields to the corresponding platform fields, validates data types, and creates the work item with all associated entities in a single atomic operation.

Execute Web Services Easy Ingest

ℹ

Mapping definitions must be created first via the Save Mapping endpoint. The mapping name specified in the request must match an existing mapping for the target work item type.

Parameter	Type	Required	Description
mappingName	string	Required	Name of the pre-defined field mapping to apply.
workItemTypeIdentifier	string	Required	Target work item type for the ingested data.
payload	object	Required	JSON payload containing the source data. Structure must match the mapping definition.

POST/api/v1/work-item-types/{typeId}/mappingsSave a data mapping definition▾

Saves a field mapping definition for a work item type. Mappings define how incoming data fields from external systems are mapped to platform fields. Each mapping has a unique name and can be saved as draft (for testing) or production (for live use).

Execute Web Services

Example Request Body

{
  "name": "external-sar-v2",
  "description": "Maps SAR data from upstream detection engine",
  "fileType": "JSON",
  "dateFormat": "yyyy-MM-dd HH:mm:ss",
  "draft": false,
  "root": {
    "path": "alert",
    "fields": [
      {"identifier": "alertId", "path": "alertId"},
      {"identifier": "score", "path": "riskScore"}
    ],
    "children": [
      {
        "workItemTypeIdentifier": "Party",
        "path": "parties[*]",
        "relationTypeIdentifier": "alert-to-party",
        "fields": [
          {"identifier": "First_Name", "path": "fname"},
          {"identifier": "Last_Name", "path": "lname"}
        ]
      }
    ]
  }
}

Groups & Users

POST/api/v1/groups/{groupId}/members/usersAdd users to a group▾

Adds the specified users to a group. The response separates successfully added users from unrecognized user identifiers. Supports batch operations up to 200 users per request.

Assign Users to Groups

Parameter	Type	Required	Description
groupId	string	Required	Path parameter. The identifier of the target group.
removeOthers	boolean	Optional	If `true`, removes users not in this request from the group. Default: `false`.
[body]	string[]	Required	JSON array of user identifier strings to add.

200All users added. See assignedObjects in response.

206Partial success. Unrecognized users listed in notFoundObjects.

413Exceeded maximum batch limit of 200 users.

DELETE/api/v1/groups/{groupId}/members/usersRemove users from a group▾

Removes the specified users from a group. The response separates successfully removed users from unrecognized identifiers.

Assign Users to Groups

Policy Engine

The Policy Engine enables rule-based automation of compliance decisions. Define rules with conditions and actions, simulate their impact, and activate them to run against live work items. Supports dynamic workflow policies and custom rule types.

GET/api/v1/policiesList all policy types▾

Returns a list of all policy types configured in the system. Each policy type contains rules, a workflow lifecycle, and associated work item types.

Policy Manager — View Draft Tab, View Active Tab Policy Manager — Run Time

ℹ

Returns a maximum of 200 policy types. For systems with more types, use the search/filter endpoint.

GET/api/v1/policies/rules/{ruleId}/detailsGet policy rule details▾

Retrieves the full configuration of a policy rule including conditions, actions, associated work item types, audit events, version history, and current activation state.

Policy Manager — View Rule, Edit Rule Policy Manager — Run Time

Parameter	Type	Required	Description
ruleId	string	Required	The unique identifier of the rule.
ruleVersionNumber	integer	Optional	Specific version to retrieve. Defaults to latest version.

PUT/api/v1/policies/{policyTypeId}/rulesCreate a new policy rule▾

Creates a new rule within the specified policy type. The rule is created in Draft state and must be activated via the workflow step update endpoint. Alert type and audit events are applicable only for Dynamic Workflow policy types.

Policy Manager — Edit Rule Policy Manager — Run Time

200Rule created successfully. Returns rule identifiers.

400Invalid rule definition or missing required conditions.

409Duplicate — rule with this name already exists in the policy.

422Rule validation failed — conditions reference unknown fields.

PUT/api/v1/policies/{policyTypeId}/simulationsStart a policy simulation▾

Initiates a simulation run for the specified policy type. Simulations evaluate draft rules against historical data without affecting live operations. Returns a simulation identifier for tracking progress and retrieving results.

Policy Manager — Edit Rule Policy Manager — Design Time, Run Time, Advanced

200Simulation started. Returns simulation identifier and status.

402Missing required license: Policy Manager Advanced.

409A simulation is already running for this policy type.

412This policy type does not support simulations.

System Configuration

PUT/api/v1/system/connectionsCreate a data source connection▾

Creates a new data source connection. Connections define how CaseForge communicates with analytics engines, external databases, and upstream detection systems. Supports Standard, Virtual (multi-tenant routing), and Tenant connection types.

Add Connection

Parameter	Type	Required	Description
type	string	Required	Connection type: `Standard`, `Virtual`, or `Tenant`.
identifier	string	Required	Unique identifier for this connection.
url	string	Required	Connection URL to the target server.
user	string	Required	Username for authentication.
password	string	Required	Password for authentication.
keepAlive	boolean	Optional	Enable connection keep-alive. Default: `false`.
poolSize	integer	Optional	Connection pool size. Default: `10`.
callTimeoutMs	integer	Optional	Connection timeout in milliseconds. Default: `-1` (no timeout).

POST/api/v1/metadata/custom-fieldsAdd custom fields to a work item type▾

Adds one or more custom fields (up to 20 per request) to a specified work item type. Custom fields extend the schema of work items with business-specific data points. Virtual fields can reference external entities.

Parameter	Type	Required	Description
fields	array	Required	Array of field definitions. At least one required.
fields[].displayName	string	Required	Human-readable field label.
fields[].fieldType.type	string	Required	Data type: `string`, `number`, `date`, `boolean`.
fields[].fieldType.sizeCode	string	Conditional	Required if type is `string`. Size code: `S` (50), `M` (255), `L` (4000).
fields[].indexed	boolean	Optional	Enable search indexing. Default: `true`. Always `false` for virtual fields.
fields[].targetWorkItemTypeIdentifier	string	Conditional	Required for virtual fields. Specifies the external entity type.

201Custom fields created successfully.

413Exceeded maximum of 20 fields per request.

422No matching field type/size combination found.

Graph Analytics

Graph Analytics enables investigation of entity relationships using graph database queries. Define queries against a connected graph database (e.g., TigerGraph, Neo4j), map parameters to work item fields, and execute investigations to discover hidden connections between entities.

GET/api/v1/graph-analytics/queriesList all graph queries▾

Returns all configured graph database query definitions including their parameters, associated work item type mappings, and active status.

Graph Analytics Graph Analytics — View

POST/api/v1/graph-analytics/queries/{queryId}/executeExecute a graph query▾

Executes the specified query against the configured graph database instance. Parameters are passed as an array of name-value pairs. The response contains the graph traversal results mapped to platform entity types.

Graph Analytics Execute Query

Parameter	Type	Required	Description
queryId	string	Required	Path parameter. The identifier of the graph query to execute.
[body]	array	Required	Array of `{name, value}` parameter objects matching the query definition.

200Query executed. Returns graph traversal results with entity relationships.

402Missing required license: Graph Analytics.

403Missing Execute Query permission.

500Query execution failed on graph database. Check connection and query syntax.

Compliance & Security

ENTERPRISE

CaseForge is engineered for regulated environments. Our infrastructure, access controls, and data handling practices meet the compliance requirements of financial institutions, government agencies, and global enterprises subject to AML, fraud investigation, and case management mandates.

🛡SOC 2 Type IISecurity, Availability & ConfidentialityCertified

📋ISO 27001Information Security Management SystemCertified

🏛FedRAMPFederal Risk & Authorization Management ProgramIn Process

🔒GDPR / CCPAEU & California Privacy RegulationsCompliant

📊FinCEN BSABank Secrecy Act — SAR & CTR WorkflowsCompliant

⚖️FATF StandardsRecommendations 10, 16, 20 & 29Aligned

Regulatory Framework Alignment

Framework	Scope	CaseForge Coverage
BSA / FinCEN	SAR filing, CTR monitoring, recordkeeping	SAR Management API, automated BSA e-filing integration, 7-year record retention
EU AMLD6	AML directive — criminal prosecution predicate offenses	goAML-compatible SAR export, entity relationship mapping, EU data residency
FATF Rec. 20	Mandatory suspicious transaction reporting to FIUs	Configurable STR/SAR workflows with multi-jurisdiction FIU routing
FINRA Rule 3310	AML programme for broker-dealers	Audit-ready case documentation, supervisory review workflows, evidence chains
GDPR / CCPA	Personal data handling, right-to-erasure	PII field-level encryption, data subject request workflows, configurable retention

Data Residency

United States

us-east-1

AWS US East (N. Virginia)

European Union

eu-central-1

AWS EU (Frankfurt) — GDPR / Schrems II

United Kingdom

eu-west-2

AWS UK (London) — post-Brexit sovereignty

Asia Pacific

ap-southeast-1

AWS AP (Singapore)

Encryption & Data Integrity

All data in transit uses TLS 1.3. Data at rest is encrypted with AES-256. PII fields (names, account numbers, tax identifiers) are encrypted at the field level with tenant-managed keys via AWS KMS. Audit logs use SHA-256 hash chaining — any tampering is cryptographically detectable.

ℹ

CaseForge never stores raw passwords. Credentials are hashed with bcrypt (cost factor 12+). API keys are stored as SHA-256 hashes — they cannot be retrieved after initial issuance.

Sandbox Environment

Every CaseForge contract includes a dedicated sandbox tenant, pre-loaded with synthetic work items, policies, and user groups. The sandbox is fully isolated from production — no data crosses the boundary in either direction.

Access Details

Setting	Value	Notes
Base URL	https://{org}-sandbox.caseforge.io/api/v1	Replace `{org}` with your organization slug
Test Username	sandbox.analyst@{org}.test	Pre-created with all permissions — contact support to reset
Test API Key	cf_test_xxxxxxxxxxxxxxxxxxxx	Available in Administration → API Keys on the sandbox tenant
Rate Limit	200 req/min	Lower than production — not suitable for load testing

Pre-loaded Work Item Types

Type	Identifier	Description
Suspicious Activity Report	SAR	Full lifecycle with mandatory FinCEN fields and simulated BSA e-filing
AML Investigation	AML_INV	Multi-step investigation workflow with graph analytics integration
Fraud Case	FRAUD	Card fraud and identity theft investigation template
KYC Review	KYC_REV	Customer due diligence review with risk-scoring integration

⚠

Sandbox SARs are never transmitted to FinCEN or any external system. SAR filing in the sandbox returns a simulated reference number in the format SANDBOX-SAR-XXXXXXXX.

SAR Management

v10.2

CaseForge automates the full Suspicious Activity Report lifecycle — from drafting through mandatory supervisor review to FinCEN BSA e-filing. Workflows enforce the 30-day filing window (extendable to 60 days) and route through configurable approval chains before transmission to the relevant FIU.

SAR Status Lifecycle

draftSAR created and being completed — not yet submitted for review

pending_reviewSubmitted to supervisor — fields locked pending approval decision

approvedSupervisor approved — queued for FinCEN BSA e-Filing System transmission

filedSuccessfully transmitted to FinCEN — BSA reference number assigned

returnedReturned to analyst for corrections — editable again

withdrawnWithdrawn before filing — requires documented reason; stored in audit trail

POST /api/v1/sars File a Suspicious Activity Report ▾

Creates a new SAR from an existing work item. The work item must be of a SAR-type with all mandatory FinCEN fields populated. Supports direct association with an investigation work item for full traceability.

Request Body

Parameter	Type	Req.	Description
workItemIdentifier	string	Required	Work item ID of the SAR case, e.g. `WI-20250227-0042`
filingType	string	Required	`initial`, `correct_prior`, or `continuing_activity`
jurisdiction	string	Required	`fincen` (US), `ncis` (UK), `goaml` (EU/UNODC), or custom FIU code
priorReportIdentifier	string	Optional	BSA ID of the prior SAR — required for `correct_prior` and `continuing_activity`
submitForReview	boolean	Optional	Set `true` to immediately submit for supervisor review. Default `false` saves as `draft`.

201 Created

{
  "status": true,
  "sarIdentifier": "SAR-2025-00847",
  "workItemIdentifier": "WI-20250227-0042",
  "sarStatus": "draft",
  "jurisdiction": "fincen",
  "deadline": "2025-03-29T23:59:59Z",
  "message": "SAR created. Filing deadline in 30 days."
}

⚠

The FinCEN 30-day window starts from the detection date on the originating work item, not the SAR creation date. CaseForge tracks this automatically and calculates the accurate deadline.

GET /api/v1/sars List Suspicious Activity Reports ▾

Returns a paginated list of SARs, sorted by creation date (newest first). Filter by status, jurisdiction, or upcoming deadline to build urgency queues.

Query Parameters

Parameter	Type	Req.	Description
status	string	Optional	`draft`, `pending_review`, `approved`, `filed`, `returned`, `withdrawn`
jurisdiction	string	Optional	Filter by jurisdiction: `fincen`, `ncis`, `goaml`
deadlineBefore	string	Optional	ISO 8601 date — return SARs with filing deadline before this date
pageSize	integer	Optional	Results per page. 1–100, default 25.
page	integer	Optional	Page number, 1-indexed. Default 1.

PATCH /api/v1/sars/{sarId}/status Update SAR status ▾

Advances or reverts the SAR to a new status. Transitions are validated against the configured workflow — invalid transitions return 422 Unprocessable Entity.

Request Body

Parameter	Type	Req.	Description
newStatus	string	Required	`pending_review`, `approved`, `returned`, or `withdrawn`
reason	string	Required	Mandatory for `returned` and `withdrawn`. Written to the tamper-evident audit trail.
reviewerIdentifier	string	Optional	Assign to a specific reviewer. If omitted, routes to next available in the configured queue.

⛔

The filed status is set exclusively by the CaseForge system upon confirmed receipt from FinCEN. Attempting to set it via API returns 403 Forbidden.

Audit Trail

CaseForge maintains an immutable, tamper-evident audit log of every platform action — case creation, field edits, workflow transitions, logins, SAR filings, and policy changes. Every record includes the actor, timestamp, IP address, and before/after values for modified fields.

✓

Audit logs use SHA-256 hash chaining. Each record includes the hash of the previous record — any deletion or modification is cryptographically detectable. Records are retained for 7 years to meet BSA recordkeeping requirements.

GET /api/v1/audit/events List audit events ▾

Returns a paginated audit event log, newest first. Scope by entity, actor, action type, or date range.

Query Parameters

Parameter	Type	Req.	Description
entityType	string	Optional	`work_item`, `sar`, `policy`, `user`, `group`, `system`
entityId	string	Optional	Retrieve full history for a specific entity.
actorIdentifier	string	Optional	Filter events performed by a specific user.
action	string	Optional	`created`, `updated`, `deleted`, `status_changed`, `login`, `sar_filed`
from	string	Optional	ISO 8601 start datetime (inclusive).
to	string	Optional	ISO 8601 end datetime (inclusive).

200 OK

{
  "page": 1, "pageSize": 25, "total": 4821,
  "events": [
    {
      "eventId": "evt_9xK3LmN2vR7t",
      "timestamp": "2025-02-27T14:31:05Z",
      "actor": "analyst.jsmith",
      "actorIp": "203.0.113.45",
      "action": "status_changed",
      "entityType": "work_item",
      "entityId": "WI-20250227-0042",
      "changes": { "status": { "from": "open", "to": "pending_sar" } },
      "hash": "sha256:a3f9b2c1..."
    }
  ]
}

POST /api/v1/audit/export Export audit log ▾

Generates a signed, tamper-evident audit export for regulatory submissions, external audits, or legal discovery. Exports are queued asynchronously — an audit.export_ready webhook fires when complete.

Request Body

Parameter	Type	Req.	Description
format	string	Required	`json`, `csv`, or `pdf` (PDF includes digital signature for court admissibility)
from	string	Required	ISO 8601 start datetime.
to	string	Required	ISO 8601 end datetime. Max range: 12 months per export.
entityType	string	Optional	Scope to a specific entity type. Omit for full audit export.
includeHashChain	boolean	Optional	Include SHA-256 hash chain for tamper verification. Default `true`.

202 Accepted

{
  "exportId": "exp_4Nq7TxLm2kRv",
  "status": "queued",
  "estimatedReadyAt": "2025-02-27T15:05:00Z",
  "message": "Export queued. Webhook notification sent when ready."
}

Notifications & Webhooks

CaseForge delivers real-time event notifications to your configured HTTPS endpoints. All payloads are signed with HMAC-SHA256 — verify the X-CF-Signature header on every incoming request. Failed deliveries retry up to 10 times with exponential backoff over 48 hours.

POST /api/v1/webhooks Register a webhook endpoint ▾

Registers a new HTTPS endpoint to receive CaseForge events. A ping event is delivered immediately to verify reachability. Endpoints must respond with HTTP 200 within 10 seconds.

Request Body

Parameter	Type	Req.	Description
url	string	Required	HTTPS endpoint URL. HTTP is not accepted.
events	array	Required	Event types to subscribe to. Use `["*"]` for all events.
description	string	Optional	Human-readable label for this registration.
active	boolean	Optional	Enable/disable immediately. Default `true`.

GET /api/v1/webhooks List registered webhooks ▾

Returns all webhook registrations on the tenant, including active status, last delivery outcome, and subscribed event list.

Webhook Event Types

Subscribe to the specific events relevant to your integration. All events deliver the full resource payload in the data field alongside event metadata and a verifiable HMAC signature.

case.createdNew work item created on the tenant

case.updatedWork item field values modified

case.status_changedWorkflow state transitioned — includes before/after status

case.assignedOwnership assigned or re-assigned to a new analyst

case.escalatedEscalated to higher priority or supervisory review queue

case.deadline_approachingFiling or resolution deadline within 72 hours

sar.createdNew SAR record created from a work item

sar.submitted_for_reviewSAR submitted for supervisor review

sar.filedSAR transmitted to FinCEN — BSA reference number now available

sar.returnedSAR returned to analyst for corrections — includes reviewer notes

policy.triggeredPolicy rule matched and executed an automated action

policy.simulation_completePolicy simulation finished — results available for review

audit.export_readyRequested audit log export is ready for download

user.loginUser authenticated — includes IP address for anomaly detection

user.login_failedFailed authentication attempt — includes IP for brute-force monitoring

ℹ

Verify webhooks by checking X-CF-Signature: t={timestamp},v1={hmac_sha256_hex}. Reject payloads with timestamps older than 5 minutes to prevent replay attacks.

Changelog

v10.2

Added

SAR Management API

Full Suspicious Activity Report lifecycle: draft → review → FinCEN BSA e-filing. Multi-jurisdiction support (FinCEN, NCIS, goAML). Enforces 30-day deadlines with automated detection-date tracking.

v10.2

Added

Tamper-Evident Audit Trail API

SHA-256 hash-chained audit log accessible via API. Export in JSON, CSV, or digitally signed PDF for regulatory submissions and legal discovery. 7-year retention aligned with BSA requirements.

v10.2

Added

Notifications & Webhook Infrastructure

HMAC-signed real-time event delivery for 15 event types: case lifecycle, SAR filing, policy triggers, audit exports, and user authentication. 10-attempt exponential backoff with 48-hour retry window.

v10.2

Added

Compliance & Security + Sandbox documentation

SOC 2 Type II, ISO 27001, FedRAMP (in process), FinCEN BSA, EU AMLD6, FATF, GDPR/CCPA coverage with 4-region data residency. Sandbox guide with pre-loaded SAR, AML, fraud, and KYC work item types.

v10.1 SP5

Added

Group-to-Group membership management

New endpoints for adding and removing groups from other groups. Batch operations support up to 200 groups per request.

v10.1 SP3

Added

Custom Fields API with virtual field support

Add up to 20 custom fields per request, including virtual fields for external entities. Supports string, number, date, and boolean types.

v10.0 SP3

Added

Graph Analytics API (Beta)

Full CRUD for graph database query metadata, work item type mappings, and query execution against connected graph instances.

v10.0 SP3

Changed

Configuration Management API

New endpoints for managing deployment connections, application packages, and audit trails across environments.

v10.0

Added

User-Group membership management

Batch add/remove users to groups with partial success support (206 status).

v6.6 SP13

Beta

Policy simulation endpoints

Start simulations, track status, and retrieve results for policy types supporting simulation mode.

v6.6 SP7

Added

Policy Manager REST API

Full CRUD for policy rules: create, update, delete, export, import, version history, and audit trails.