RulesGraph API documentation
A typed graph of cybersecurity compliance frameworks, exposed as a REST API and an MCP server. Free tier is 600 requests per minute. Free read access for everything in the graph.
Quickstart
Three steps from zero to a working query:
- Get an API key. Sign up with an email and confirm via the magic link. Takes about 60 seconds.
- Set
RG_KEYin your environment. - Make a request:
# List every control in NIST SP 800-53 Rev 5
curl -H "X-API-Key: $RG_KEY" \
"https://api.rulesgraph.com/v1/controls?framework=nist-sp-800-53-r5&limit=10"Authentication
Every authenticated request needs an X-API-Key: <key> header. An Authorization: Bearer <key> header is also accepted, which is the convention the MCP server uses. Keys are issued via the signup flow and can be regenerated or revoked from the account page.
Rate limits
Free tier: 600 requests per minute, sliding window. Headers on every response tell you where you stand:
X-RateLimit-Limit: 600
X-RateLimit-Remaining: 593
X-RateLimit-Reset: 2026-05-23T11:48:00ZHigher tiers are available for GRC platforms and high-volume integrations. Email contact@rulesgraph.com.
Response shape
List endpoints return { "data": [...], "count": N }. Single-resource endpoints return the resource directly. Every object carries provenance fields so any query result is independently verifiable:
{
"id": "nist-800-53-r5-ac-1",
"framework": "nist-sp-800-53-r5",
"control_id": "AC-1",
"title": "Policy and Procedures",
"family": "Access Control",
"layer": 1,
"status": "live",
"provenance": {
"source_url": "https://csrc.nist.gov/pubs/sp/800/53/r5/final",
"fetched_at": "2026-04-12T03:14:22Z",
"content_hash": "sha256:8f1b2...",
"plan_cid": "bafyrei...g4"
}
}Controls
Individual compliance controls, normalised across frameworks. Every control is a node in the graph with typed edges to its dependents, cross-mappings, and predecessor versions.
| Parameter | Description | |
|---|---|---|
framework | optional | Filter by framework ID (e.g. nist-sp-800-53-r5, iso-27001-2022, soc2-tsc-2017). |
family | optional | Filter by control family (e.g. Access Control, Cryptography). |
layer | optional | Filter by layer (1 through 7). |
status | optional | One of live, planned, candidate, reference. |
limit | optional | Page size, default 50, max 500. |
Returns the full control object including text, family, layer, status, and provenance.
{
"data": [
{
"target": "nist-800-53-r5-ac-3",
"target_framework": "nist-sp-800-53-r5",
"strength": "strong",
"direction": "bidirectional",
"source": "aicpa-2022-tsc-mapping"
},
{
"target": "iso-27001-2022-a-5-15",
"target_framework": "iso-27001-2022",
"strength": "partial"
}
],
"count": 2
}Frameworks
The top-level umbrella objects. ISO 27001, NIST CSF, SOC 2, PCI DSS, and so on. Each framework groups its controls and points to its publishing source.
{
"id": "iso-27001-2022",
"name": "ISO/IEC 27001:2022",
"publisher": "ISO/IEC",
"layer": 1,
"published": "2022-10-25",
"control_count": 93,
"supersedes": "iso-27001-2013",
"provenance": { "source_url": "https://www.iso.org/standard/82875.html" }
}Cross-mappings
Typed edges between controls in different frameworks. The mapping table is computed by the pipeline and continuously validated against authoritative crosswalks (AICPA, NIST OLIR, Secure Controls Framework, OSCAL libraries).
| Parameter | Description | |
|---|---|---|
from_framework | optional | Source framework filter. |
to_framework | optional | Target framework filter. |
strength | optional | One of strong, partial, weak. |
Sources
The publishing bodies whose feeds the pipeline crawls. Standards bodies (Tier A), regulators (Tier B), control catalogs (Tier C).
Revisions
Every snapshot the pipeline has captured. Use this to diff a framework over time or build a webhook that fires on changes you care about.
Stats
Returns the same numbers shown on the homepage: total controls, frameworks, edges, sources. Useful for status dashboards.
Viewer
The browser-based viewer at rulesgraph.com/viewer is a thin client over this API. Each tab maps to a question a compliance operator actually asks.
/v1/methodologies/:id/dependencies./v1/revisions/recent.Deep links
Every tab is hash-routable. Share or bookmark any of these to land directly:
https://rulesgraph.com/viewer#overview
https://rulesgraph.com/viewer#coverage
https://rulesgraph.com/viewer#control:nist-sp800-53-r5
https://rulesgraph.com/viewer#compliance
https://rulesgraph.com/viewer#frameworks
https://rulesgraph.com/viewer#activityThe viewer hits the same /v1/* endpoints documented above using your saved API key (paste it via the top-right key bar). Demo key is rate-limited; sign up for your own at /signup.
MCP server
RulesGraph runs a Model Context Protocol server at mcp.rulesgraph.com. Plug it into Claude Desktop, Cursor, Windsurf, or any MCP-compatible agent.
Connecting from Claude Desktop
{
"mcpServers": {
"rulesgraph": {
"url": "https://mcp.rulesgraph.com",
"auth": { "bearer": "$RG_MCP_KEY" }
}
}
}Available tools
search_controls: semantic search across every control in the graph.get_control: fetch a specific control by ID, including full text and provenance.list_mappings: walk cross-mappings between two frameworks.list_frameworks: enumerate frameworks, optionally filtered by layer or publisher.plan: build a compliance plan (set of controls) from a natural-language brief.replay: re-execute a saved plan against the current graph state.
Error codes
| Status | Code | Meaning |
|---|---|---|
| 400 | bad_request | Request malformed or missing required parameters. |
| 401 | unauthorized | Missing or invalid API key. |
| 403 | forbidden | Key valid but not authorised for this resource. |
| 404 | not_found | Resource doesn't exist or has been deprecated. |
| 429 | rate_limited | Sliding-window quota exceeded. Retry after the time in Retry-After. |
| 500 | internal_error | Server-side issue. If persistent, please report. |
Changelog
Breaking changes are versioned via the URL prefix (/v1/, /v2/, …). Non-breaking additions are announced here and via the JSON changelog.
- v1.0.0: Initial public release. Six endpoints, MCP beta.