ConformVault
API et Authentification
Reference complete de l'API ConformVault, authentification par cle API, et utilisation des SDKs Go, Python et TypeScript
API et Authentification
Ce document couvre l'API REST de ConformVault, l'authentification, et les SDKs officiels (Go, Python, TypeScript) pour l'integration par des developpeurs tiers.
Vue d'ensemble
ConformVault expose deux couches d'API :
- API interne (v1) : Utilisee par le frontend web et le client desktop. Authentification JWT. Base :
/api/v1/. - Developer API : Destinee aux developpeurs tiers et aux SDKs. Authentification par cle API. Base :
/dev/v1/.
Les SDKs utilisent la Developer API.
Authentification
API interne (JWT)
L'API interne utilise des tokens JWT Bearer :
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...Obtenir un token :
curl -X POST https://api.conformvault.com/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"email": "user@example.com", "password": "motdepasse"}'Reponse :
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"refresh_token": "eyJhbGciOiJIUzI1NiIs...",
"expires_in": 900,
"token_type": "Bearer",
"user": {
"id": "uuid",
"email": "user@example.com",
"role": "client_admin",
"mfa_enabled": false
}
}Si le MFA est active, la reponse contient "mfa_required": true et il faut appeler /api/v1/auth/mfa/verify avec le code TOTP.
Rafraichir un token :
curl -X POST https://api.conformvault.com/api/v1/auth/refresh \
-H "Content-Type: application/json" \
-d '{"refresh_token": "eyJhbGciOiJIUzI1NiIs..."}'Developer API (cle API)
Les SDKs et integrations tierces utilisent des cles API :
Authorization: Bearer cvk_live_votre_cle_api- Prefixe
cvk_live_: production - Prefixe
cvk_test_: sandbox
Les cles API sont gerees via les endpoints /dev/v1/api-keys ou depuis le portail web (section Developpeur).
URL de base : https://api.conformvault.com/dev/v1
Endpoints API interne (v1)
Authentification
| Methode | Endpoint | Description |
|---|---|---|
| POST | /api/v1/auth/login | Connexion par courriel/mot de passe |
| POST | /api/v1/auth/mfa/verify | Verification MFA TOTP |
| POST | /api/v1/auth/sso | Connexion SSO (Zitadel OIDC) |
| POST | /api/v1/auth/register | Inscription avec creation d'organisation |
| POST | /api/v1/auth/refresh | Rafraichissement du token |
| POST | /api/v1/auth/forgot-password | Demande de reinitialisation |
| POST | /api/v1/auth/reset-password | Reinitialisation du mot de passe |
Fichiers
Base : /api/v1/clients/:client_id/files
| Methode | Endpoint | Description |
|---|---|---|
| GET | .../files | Lister les fichiers (params: folder_id, page, per_page) |
| POST | .../files | Upload (multipart/form-data, max 25 MB) |
| GET | .../files/:id | Metadonnees d'un fichier |
| GET | .../files/:id/download | Telecharger un fichier |
| DELETE | .../files/:id | Supprimer un fichier |
| POST | .../files/:id/move | Deplacer un fichier |
Exemple d'upload :
curl -X POST https://api.conformvault.com/api/v1/clients/{client_id}/files \
-H "Authorization: Bearer {token}" \
-F "file=@document.pdf" \
-F "folder_id={folder_id}"Dossiers
Base : /api/v1/clients/:client_id/folders
| Methode | Endpoint | Description |
|---|---|---|
| GET | .../folders | Lister (param: parent_id) |
| POST | .../folders | Creer ({"name": "...", "parent_id": "..."}) |
| GET | .../folders/:id | Detail d'un dossier |
| PATCH | .../folders/:id | Renommer ({"name": "..."}) |
| DELETE | .../folders/:id | Supprimer (recursif) |
| POST | .../folders/:id/move | Deplacer |
Liens de partage
Routes publiques (sans authentification) :
| Methode | Endpoint | Description |
|---|---|---|
| GET | /s/:token | Informations du lien |
| GET | /s/:token/consent-text | Texte de consentement Loi 25 |
| POST | /s/:token/accept-consent | Accepter le consentement |
| GET | /s/:token/download | Telecharger le fichier |
| POST | /s/:token/upload | Uploader un fichier (25 MB max) |
| GET | /s/:token/files | Lister les fichiers du lien |
Routes protegees :
Base : /api/v1/clients/:client_id/share-links
| Methode | Endpoint | Description |
|---|---|---|
| GET | .../share-links | Lister les liens |
| POST | .../share-links | Creer un lien |
| GET | .../share-links/:id | Detail |
| DELETE | .../share-links/:id | Supprimer |
| POST | .../share-links/:id/toggle | Activer/desactiver |
| GET | .../share-links/:id/stats | Statistiques |
Administration
| Methode | Endpoint | Description |
|---|---|---|
| GET | /api/v1/admin/storage/stats | Statistiques S3 (superadmin) |
| GET | /api/v1/admin/audit-logs | Logs d'audit |
| GET | /api/v1/admin/config | Configuration systeme |
| PUT | /api/v1/admin/config | Modifier la configuration |
Monitoring
| Methode | Endpoint | Description |
|---|---|---|
| GET | /health | Sonde de vivacite |
| GET | /ready | Sonde de disponibilite (DB + Redis) |
| GET | /metrics | Metriques Prometheus |
Developer API (SDKs)
La Developer API expose un ensemble complet de services pour les integrations tierces. Les trois SDKs (Go, Python, TypeScript) sont alignes sur cette API.
Services disponibles (36)
| Service | Methodes principales | Description |
|---|---|---|
| Files | list, get, upload, download, delete, getThumbnail, getScanReport | Gestion des fichiers |
| Folders | list, get, create, delete | Gestion des dossiers |
| ShareLinks | list, create, delete | Liens de partage |
| Signatures | create, getStatus, downloadSigned, revoke, analyzePDF, delegate | Signatures electroniques |
| Webhooks | list, register, delete, test, listDeliveries, replayDelivery | Webhooks |
| Audit | list, search, export, getStats, getAnomalies | Journaux d'audit |
| Keys | list, create, get, revoke, rotate, instantRevoke | Cles API |
| Bulk | delete, move, download | Operations par lots |
| Versions | list, get, restore, delete | Versionnage de fichiers |
| Search | search | Recherche unifiee |
| Trash | list, restore, delete, empty | Corbeille |
| ScanReports | getReport, list, getSummary | Rapports de scan antivirus |
| Attestation | generateLoi25 | Attestation de conformite Loi 25 (PDF) |
| Transactions | create, list, get, delete, addItem, updateItem, deleteItem | Dossiers transactionnels |
| Templates | create, list, generate, listDocuments | Modeles de documents |
| Batches | create, list, get, commit, cancel, uploadFile | Operations par lots |
| Metadata | addTags, getTags, listByTag, removeTags, setMetadata, getMetadata | Etiquettes et metadonnees |
| Retention | create, list, update, delete, createException, listPendingApprovals | Politiques de retention |
| LegalHolds | create, list, release, addFiles, removeFile | Gels juridiques |
| Permissions | set, get, revoke, setWithExpiry | Permissions par dossier |
| Comments | create, list, update, delete, getReplies | Commentaires sur fichiers |
| Quota | get | Quota de stockage |
| RateLimit | get | Statut du rate limiting |
| UploadSessions | create, uploadChunk, complete, cancel | Uploads chunked |
| Jobs | create, list, get, cancel | Taches en arriere-plan |
| ActivitySubscriptions | subscribe, list, unsubscribe | Abonnements d'activite |
| Policies | getIPPolicy, setIPPolicy, getMFAPolicy, setMFAPolicy, getEncryptionSalt, setEncryptionSalt | Politiques de securite |
| Bandwidth | getSummary, getDaily | Statistiques de bande passante |
| DataExport | export | Export de donnees RGPD/Loi 25 |
| SecretVault | create, list, get, delete | Coffre-fort de secrets |
| ExpectedFiles | create, list, update, delete, getProgress | Fichiers attendus |
| SpaceMessaging | sendMessage, listMessages, getReplies, markRead, deleteMessage | Messagerie d'espace |
| MSPDashboard | getDashboard, listClients, getClientUsage | Dashboard MSP |
| Imports | createConnection, listConnections, startImport, listJobs, cancelJob | Import depuis sources externes |
| TextSearch | search, getIndex, requeueSkippedOcr | Recherche plein texte avec OCR |
SDK Go
Installation :
go get github.com/secuaas/conformvault-sdk-goPrerequis : Go 1.21+
Initialisation :
import cv "github.com/secuaas/conformvault-sdk-go"
client := cv.NewClient("cvk_live_votre_cle_api")
// Options
client := cv.NewClient("cvk_live_xxx",
cv.WithBaseURL("https://api.conformvault.com/dev/v1"),
cv.WithHTTPClient(&http.Client{Timeout: 60 * time.Second}),
)Exemples d'utilisation :
ctx := context.Background()
// Lister les fichiers
files, err := client.Files.List(ctx, &cv.FileListOptions{
FolderID: cv.String("folder-id"),
Page: 1, Limit: 20,
})
// Uploader un fichier
f, _ := os.Open("document.pdf")
defer f.Close()
result, err := client.Files.Upload(ctx, f, "document.pdf", cv.String("folder-id"))
// Telecharger un fichier
reader, err := client.Files.Download(ctx, "file-id")
defer reader.Close()
// Creer un lien de partage
link, err := client.ShareLinks.Create(ctx, cv.CreateShareLinkRequest{
FileID: cv.String("file-id"), Type: "download", ExpiresIn: 86400,
})
// Creer une enveloppe de signature
envelope, err := client.Signatures.Create(ctx, cv.CreateSignatureRequest{
FileID: "file-id", Subject: "NDA",
Signers: []cv.CreateSignatureSigner{
{Email: "signataire@example.com", Name: "Jean Dupont", Role: "signer"},
},
ExpiryDays: 30,
})
// Generer une attestation Loi 25
pdfReader, err := client.Attestation.GenerateLoi25(ctx)
// Verifier un webhook
isValid := cv.VerifyWebhookSignature(payload, signatureHeader, "whsec_secret")Gestion des erreurs :
if cv.IsNotFound(err) { /* 404 */ }
if cv.IsRateLimited(err) {
rlErr := err.(*cv.RateLimitError)
// rlErr.RetryAfter
}
if apiErr, ok := err.(*cv.APIError); ok {
// apiErr.StatusCode, apiErr.Message
}Thread-safety : Le client et tous les services sont safe pour un usage concurrent.
Version actuelle : 0.6.1 (35 services, 85 tests)
SDK Python
Installation :
pip install conformvault-sdkPrerequis : Python 3.9+, depend de httpx
Initialisation :
from conformvault import ConformVault
client = ConformVault("cvk_live_votre_cle_api")
# Options
client = ConformVault("cvk_live_xxx",
base_url="https://api.conformvault.com/dev/v1",
timeout=60.0,
)Support asynchrone :
from conformvault import AsyncConformVault
async with AsyncConformVault("cvk_live_xxx") as client:
files = await client.files.list()Exemples d'utilisation :
# Lister les fichiers
files = client.files.list(folder_id="folder-id", page=1, limit=20)
# Uploader un fichier
with open("document.pdf", "rb") as fp:
result = client.files.upload(fp, "document.pdf", folder_id="folder-id")
# Telecharger
content = client.files.download("file-id")
# Lien de partage
from conformvault import CreateShareLinkRequest
link = client.share_links.create(CreateShareLinkRequest(
file_id="file-id", type="download", expires_in=86400,
))
# Signature electronique
from conformvault import CreateSignatureRequest, CreateSignatureSigner
envelope = client.signatures.create(CreateSignatureRequest(
file_id="file-id", subject="NDA",
signers=[CreateSignatureSigner(email="signataire@example.com", name="Jean Dupont")],
expiry_days=30,
))
# Attestation Loi 25
pdf_bytes = client.attestation.generate_loi25()
# Verification de webhook
from conformvault import verify_webhook_signature
is_valid = verify_webhook_signature(payload, signature_header, "whsec_secret")Gestion des erreurs :
from conformvault import APIError, AuthenticationError, RateLimitError, is_not_found
try:
file = client.files.get("id-inexistant")
except AuthenticationError:
pass # Cle API invalide (401)
except RateLimitError as e:
print(f"Reessayer apres {e.retry_after}s") # 429
except APIError as e:
if is_not_found(e):
pass # 404
print(f"Erreur {e.status_code}: {e.message}")Version actuelle : 0.7.0 (35 services sync + async, 161 tests)
SDK TypeScript
Installation :
# Beta (depuis git)
npm install git+https://forge.secuaas.ovh/secuaas/conformvault-sdk-ts.git#v0.1.0
# Future (npm registry)
# npm install @conformvault/sdkPrerequis : Node.js 18+ (fetch natif requis), TypeScript 5.x
Caracteristiques : Zero dependances runtime, ESM + CommonJS, retry automatique sur 429, types TypeScript complets.
Initialisation :
import { ConformVault } from '@conformvault/sdk';
const client = new ConformVault('cvk_live_votre_cle_api', {
baseURL: 'https://api.conformvault.com/dev/v1', // defaut
timeout: 30000, // 30s
maxRetries: 3, // retry automatique sur 429
});Exemples d'utilisation :
// Lister les fichiers
const files = await client.files.list({ folderId: 'folder-123' });
// Uploader un fichier
const blob = new Blob(['contenu'], { type: 'text/plain' });
const uploaded = await client.files.upload(blob, 'fichier.txt');
// Telecharger
const data = await client.files.download('file-id');
// Lien de partage
const link = await client.shareLinks.create({
file_id: 'file-id', type: 'download', expires_in: 86400,
});
// Signature electronique
const envelope = await client.signatures.create({
file_id: 'file-abc',
subject: 'NDA',
signers: [{ email: 'signataire@example.com', name: 'Jean Dupont' }],
});
// Verification de webhook
import { verifyWebhookSignature } from '@conformvault/sdk';
const isValid = verifyWebhookSignature(rawBody, signatureHeader, 'whsec_secret');Le format de signature du webhook est t=<timestamp>,s0=<hmac_hex>, ou le HMAC est calcule comme HMAC-SHA256(timestamp + "." + payload, secret).
Gestion des erreurs :
import { APIError, AuthenticationError, RateLimitError, isNotFound } from '@conformvault/sdk';
try {
await client.files.get('id-inexistant');
} catch (error) {
if (error instanceof AuthenticationError) { /* 401 */ }
if (error instanceof RateLimitError) { console.log(error.retryAfter); }
if (isNotFound(error)) { /* 404 */ }
if (error instanceof APIError) { console.log(error.statusCode, error.message); }
}Version actuelle : 2.4.1 (36 services, 108 tests)
Webhooks
ConformVault peut envoyer des notifications en temps reel via webhooks lorsque des evenements se produisent.
Evenements disponibles
file.uploaded,file.deleted,file.downloadedfolder.created,folder.deletedshare_link.created,share_link.accessedsignature.completed,signature.declineduser.created,user.deleted
Enregistrer un webhook
curl -X POST https://api.conformvault.com/dev/v1/webhooks \
-H "Authorization: Bearer cvk_live_xxx" \
-H "Content-Type: application/json" \
-d '{
"url": "https://votre-app.com/webhooks/conformvault",
"events": ["file.uploaded", "signature.completed"]
}'Reponse :
{
"id": "webhook-id",
"url": "https://votre-app.com/webhooks/conformvault",
"events": ["file.uploaded", "signature.completed"],
"secret": "whsec_votre_secret"
}Conservez le secret pour verifier les signatures des payloads entrants (HMAC-SHA256).
Verification de signature
Chaque requete webhook inclut un en-tete X-ConformVault-Signature (ou X-Webhook-Signature) contenant la signature HMAC-SHA256 du payload. Les trois SDKs fournissent une fonction VerifyWebhookSignature / verify_webhook_signature / verifyWebhookSignature pour valider cette signature.
Codes d'erreur HTTP
| Code | Signification |
|---|---|
| 200 | Succes |
| 201 | Ressource creee |
| 400 | Requete invalide (parametres manquants ou incorrects) |
| 401 | Non authentifie (token invalide ou expire) |
| 403 | Interdit (permissions insuffisantes) |
| 404 | Ressource introuvable |
| 409 | Conflit (ressource deja existante) |
| 429 | Trop de requetes (rate limited) |
| 500 | Erreur serveur interne |
Rate limiting
- Les endpoints d'authentification sont limites a 20 requetes/minute
- Les mutations de facturation sont limitees a 10 requetes/minute par organisation
- En cas de depassement, la reponse inclut un en-tete
Retry-After - Les SDKs TypeScript gerent automatiquement les retries (3 tentatives par defaut)