SentinelOne Developer Portal
API Reference Console
Your centralized reference for the SentinelOne Management API. Every section below links to official documentation, code examples, and tooling guides. Use this console to triage tickets, find the right endpoint, and build integrations.
API Reference: v2.1 (full endpoint catalog)
Sandbox: Live (safe test environment)
Auth Tokens: ApiToken (API Token + OAuth 2.0)
Rate Limits: 1K/min (standard tier read)
Quick Endpoint Reference
| Method | Path | Description |
|---|---|---|
| GET | /web/api/v2.1/threats | List threats |
| POST | /web/api/v2.1/threats/mitigate/{action} | Mitigate threat |
| GET | /web/api/v2.1/agents | List agents |
| POST | /web/api/v2.1/agents/actions/scan | Initiate scan (NEW) |
| GET | /web/api/v2.1/activities | Activity log |
📍Base URL Reference
Base URLs
# REST API (replace <tenant> with your subdomain)
REST: https://<tenant>.sentinelone.net/web/api/v2.1/
# GraphQL endpoint
GraphQL: https://<tenant>.sentinelone.net/web/api/v2.1/graphql
# Shared sandbox (free developer access)
Sandbox: https://usea1-012.sentinelone.net/web/api/v2.1/
Getting Started
Developer Docs
Comprehensive documentation for the SentinelOne Management API. Official docs live at docs.sentinelone.com/api.
ℹFull documentation: docs.sentinelone.com/api — this console provides quick-reference guides and code samples for technician triage workflows.
Python — Quick Start
Python
import requests

BASE = "https://acme.sentinelone.net/web/api/v2.1"
HDR = {"Authorization": "ApiToken <YOUR_TOKEN>",
       "Content-Type": "application/json"}

# Fetch open threats (sent as resolved=false, matching the request templates)
r = requests.get(f"{BASE}/threats",
                 headers=HDR,
                 params={"resolved": "false", "limit": 100},
                 timeout=30)
r.raise_for_status()  # surface 401/429/5xx instead of a KeyError on "data"
threats = r.json()["data"]
print(f"Open threats: {len(threats)}")
PowerShell — Quick Start
PowerShell
$base  = "https://acme.sentinelone.net/web/api/v2.1"
$token = "<YOUR_TOKEN>"
$hdr   = @{ "Authorization" = "ApiToken $token"
            "Content-Type"  = "application/json" }

# List agents
$resp = Invoke-RestMethod `
    -Uri "$base/agents" `
    -Headers $hdr -Method GET
$resp.data | Format-Table
Documentation Sections
| Section | Covers |
|---|---|
| Authentication & Token Management | ApiToken, OAuth 2.0, SSO |
| API Reference — All Endpoints | v2.1 complete catalog |
| Webhooks & Event Delivery | Setup, payload schemas |
| Pagination & Cursor Patterns | Cursor-based (v2.1+) |
| Rate Limits & Backoff Strategy | Limits, headers, 429 handling |
Reference
Base Endpoint
Your management console hostname is the base URL for all API calls. The tenant subdomain is unique to your SentinelOne instance.
URL Structure
| Type | Pattern | Notes |
|---|---|---|
| REST API | https://<tenant>.sentinelone.net/web/api/v2.1/ | Primary |
| GraphQL | https://<tenant>.sentinelone.net/web/api/v2.1/graphql | Query interface |
| Sandbox | https://usea1-012.sentinelone.net/web/api/v2.1/ | Shared sandbox |
| EU Region | https://<tenant>.eu-west.sentinelone.net/… | GDPR |
| APAC | https://<tenant>.apac.sentinelone.net/… | APAC region |
Finding Your Tenant Name
ℹ Your tenant name is the subdomain of your SentinelOne management console URL. If you log in at acme.sentinelone.net, your tenant is acme.
Verify connectivity
# Test that your base URL returns a valid API response
curl -X GET "https://<tenant>.sentinelone.net/web/api/v2.1/system/status" \
  -H "Authorization: ApiToken <YOUR_TOKEN>"
Access
Free Developer Account
Get free sandbox access to develop and test integrations before deploying to production. No credit card required.
✅Free developer accounts include full sandbox API access, simulated threat and agent data, and 100 req/min rate limits. Data resets every 7 days.
What's Included
| Feature | Free Dev | Production |
|---|---|---|
| All API endpoints | ✓ Yes | ✓ Yes |
| Rate limit | 100 req/min | 1,000 req/min |
| Threat/Agent data | Simulated | Real |
| Webhook delivery | ✓ Yes | ✓ Yes |
| GraphQL access | ✓ Yes | ✓ Yes |
| Data retention | 7 days | Configurable |
| Support | Community | SLA + TAM |
Security
Authentication
SentinelOne uses API Token authentication for direct integrations. OAuth 2.0 is available for third-party app flows.
Login / Service → Generate Token → Add Header → Authorized
API Token Header
HTTP Header
Authorization: ApiToken <YOUR_TOKEN>
Content-Type: application/json
cURL Example
curl -X GET \
  "https://acme.sentinelone.net/web/api/v2.1/threats" \
  -H "Authorization: ApiToken abc123..."
Token Scopes
| Scope | Grants | Level |
|---|---|---|
| threats:read | Read threat data, timelines | low |
| threats:write | Mitigate, quarantine, verdicts | high |
| agents:read | Read agent inventory | low |
| agents:commands | Scan, fetch files, disconnect | high |
| policies:write | Create/modify policies | med |
| webhooks:manage | CRUD webhook subscriptions | med |
⚠ Generate API tokens with the minimum scope required. Rotate tokens on a schedule and revoke any that may be compromised immediately from the management console.
Auth
Identity Protocols
Supported identity and authentication protocols for SentinelOne API access and management console login.
Supported Protocols
| Protocol | Use Case | Status |
|---|---|---|
| API Token | Direct API access, integrations | GA |
| OAuth 2.0 | Third-party app authorization | Beta |
| SAML 2.0 | Enterprise SSO console login | GA |
| OIDC | OpenID Connect federation | GA |
| LDAP / AD | On-prem directory sync | GA |
OAuth 2.0 Flows Supported
| Flow | When to Use |
|---|---|
| Authorization Code | Web apps with user consent |
| Client Credentials | Machine-to-machine (M2M) |
| Refresh Token | Long-lived sessions |
⚠Use API Token auth for production integrations. OAuth 2.0 is in Beta.
Identity
SSO / Social Login
Connect SentinelOne to your identity provider for single sign-on to the management console and API-scoped accounts.
| Provider | Protocol / Type |
|---|---|
| Okta | SAML 2.0 / OIDC |
| Azure AD | SAML 2.0 / OIDC |
| SAML 2.0 | Generic IDP |
| LDAP / AD | On-prem |
| Google WS | OIDC |
| PingIdentity | SAML 2.0 |
| OneLogin | SAML 2.0 |
| GitHub OAuth | OAuth 2.0 |
ℹSSO configuration is done in the SentinelOne Management Console under Settings → SSO. API tokens remain separate from SSO sessions.
Auth
OAuth 2.0 Playground
Reference for OAuth 2.0 authorization flows with SentinelOne. Configure and test flows using the parameters below.
⚠OAuth 2.0 for third-party apps is in Beta. Use API Token auth for production integrations.
Authorization Code Flow
Step 1 — Authorization URL
GET https://<tenant>.sentinelone.net/oauth2/authorize
  ?client_id=<YOUR_CLIENT_ID>
  &response_type=code
  &redirect_uri=https://your-app.com/callback
  &scope=threats:read+agents:read
  &state=random_state_value
Step 2 — Exchange Code for Token
POST https://<tenant>.sentinelone.net/oauth2/token
{
  "grant_type": "authorization_code",
  "code": "<AUTH_CODE>",
  "client_id": "<YOUR_CLIENT_ID>",
  "client_secret": "<YOUR_SECRET>"
}
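Added example, not taken from the portal or from SentinelOne code: one way to generate the `state` value for Step 1 and check it on the callback before the Step 2 code exchange, so that a code delivered into the wrong session is rejected. The endpoint and parameter names come from the request above; `StateStore`, `build_authorize_url`, the in-memory store and the 10-minute lifetime are hypothetical.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode


class StateStore:
    """Per-session, single-use OAuth state values (in-memory; assumption for the example)."""

    def __init__(self, ttl=600, now=time.time):
        self._ttl = ttl          # assumed lifetime: 10 minutes
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # session id -> (state, expiry)

    def issue(self, session_id):
        # Unpredictable value bound to the browser session that starts the flow
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = (state, self._now() + self._ttl)
        return state

    def consume(self, session_id, returned_state):
        # pop() makes the value single-use, even when the comparison fails
        state, expiry = self._pending.pop(session_id, (None, 0))
        if state is None or not isinstance(returned_state, str):
            return False
        if self._now() > expiry:
            return False
        return hmac.compare_digest(state.encode(), returned_state.encode())


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Build the Step 1 URL with every parameter percent-encoded."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),   # encoded as threats%3Aread+agents%3Aread
        "state": state,
    })
    return f"https://{tenant}.sentinelone.net/oauth2/authorize?{query}"


def handle_callback(store, session_id, params):
    """Return the authorization code only when the state matches this session."""
    if not store.consume(session_id, params.get("state")):
        return None              # do not call the token endpoint
    return params.get("code")


if __name__ == "__main__":
    store = StateStore()
    st = store.issue("session-A")            # constructed session id
    print(build_authorize_url("acme", "<YOUR_CLIENT_ID>",
                              "https://your-app.com/callback",
                              ["threats:read", "agents:read"], st))
    print(handle_callback(store, "session-A", {"state": st, "code": "<AUTH_CODE>"}))
```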
Client Credentials (M2M)
Token Request
POST https://<tenant>.sentinelone.net/oauth2/token
{
  "grant_type": "client_credentials",
  "client_id": "<YOUR_CLIENT_ID>",
  "client_secret": "<YOUR_SECRET>",
  "scope": "threats:read agents:read"
}
Token Response
{
  "access_token": "eyJhbGciOiJ...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "threats:read agents:read"
}
Reference
API Reference
Complete endpoint catalog — SentinelOne Management API v2.1. All paths are relative to your base URL.
Categories: Threats, Agents, Policies, Activities, Exclusions, Groups
Threats
| Method | Path | Description |
|---|---|---|
| GET | /threats | List threats (filters: resolved, siteIds, limit) |
| POST | /threats/mitigate/{action} | kill / quarantine / remediate |
| POST | /threats/analyst-verdict | Set analyst verdict bulk |
| GET | /threats/{id}/timeline | Threat timeline events |
| GET | /threats/{id}/forensics | Download forensic artifacts (NEW) |
| POST | /threats/mark-as-benign | Bulk mark as benign |
| POST | /threats/fetch-file | Fetch file for analysis |
| POST | /threats/mark-as-resolved | Mark threats resolved (no bulk delete API) |
Response Envelope
JSON
{
  "data": [{
    "id": "2328e64e26a14b9f",
    "threatInfo": {
      "threatName": "Ransom.WannaCry",
      "confidenceLevel": "malicious",
      "mitigationStatus": "not_mitigated"
    }
  }],
  "pagination": {
    "totalItems": 42,
    "nextCursor": "YWdlbnRJZD01MDAwMA=="
  }
}
Common Query Params
| Param | Type | Description |
|---|---|---|
| limit | int | Max 1–1000 |
| cursor | string | Next-page token |
| siteIds | array | Filter by site |
| resolved | bool | Include resolved |
| createdAt__gt | datetime | Created after |
Reference
GraphQL Endpoint
The SentinelOne GraphQL endpoint provides flexible querying. All read operations are supported. Write mutations arrive in v2.2.
Endpoint Details
GraphQL Endpoint URL
https://<tenant>.sentinelone.net/web/api/v2.1/graphql
Method & Headers
Request
POST /web/api/v2.1/graphql
Authorization: ApiToken <YOUR_TOKEN>
Content-Type: application/json
{ "query": "{ threats { id threatInfo { threatName } } }" }
◈Use the GraphQL Playground section to interactively build and run queries against the sandbox.
Reference
Pagination Style
SentinelOne v2.1+ uses cursor-based pagination. Offset pagination was deprecated in v2.1.2 — update any integrations using integer offsets.
⚠ Breaking Change (v2.1.2): Offset-based pagination is no longer accepted. All clients must use cursor from the response envelope.
Cursor Pagination Pattern
Requests
# First page
GET /threats?limit=100
# Next page — cursor from previous response
GET /threats?limit=100&cursor=YWdlbnRJZD01MDAwMA==
Response Pagination Block
{
  "data": [...],
  "pagination": {
    "totalItems": 4821,
    "nextCursor": "YWdlbnRJZD01MDAwMA=="
    // null when on last page
  }
}
Python — Fetch All Pages
Python
def fetch_all(client, endpoint):
    # client.get() is expected to return the parsed JSON envelope
    results, cursor = [], None
    while True:
        p = {"limit": 100}
        if cursor:
            p["cursor"] = cursor
        r = client.get(endpoint, params=p)
        results += r["data"]
        # nextCursor is null on the last page
        cursor = r["pagination"]["nextCursor"]
        if not cursor:
            break
    return results
Advanced
Custom Object Support
Extend the SentinelOne data model with custom threat intelligence objects and user-defined metadata schemas.
Custom Object Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /threat-intelligence/iocs | List custom IOCs |
| POST | /threat-intelligence/iocs | Create custom IOC |
| PUT | /threat-intelligence/iocs/{id} | Update IOC |
| DELETE | /threat-intelligence/iocs/{id} | Delete IOC |
Custom IOC Schema
JSON Body
{
  "type": "SHA1",
  "value": "da39a3ee5e6b4b0d3255...",
  "name": "Ransom dropper hash",
  "description": "Observed in incident #4821",
  "externalId": "TICK-4821",
  "source": "SOC-Internal",
  "validUntil": "2027-01-01T00:00:00Z"
}
Tools
Query Language
Deep Visibility uses a SQL-like query language for hunting across process, network, file, and registry events across your fleet.
Deep Visibility Query API
| Method | Path | Description |
|---|---|---|
| POST | /dv/init-query | Start a DV query |
| GET | /dv/query-status | Poll query status |
| GET | /dv/events | Fetch query results |
| POST | /dv/cancel-query | Cancel running query |
DNS Exfil Hunt
Deep Visibility
SELECT EventTime, AgentName, SrcProcName, NetworkUrl
FROM events
WHERE EventType = "DNS"
  AND NetworkUrl CONTAINS ".ru"
  AND EventTime > "2026-03-01"
ORDER BY EventTime DESC
LIMIT 500
Lateral Movement Hunt
Deep Visibility
SELECT EventTime, AgentName, SrcProcName,
       DstIP, DstPort
FROM events
WHERE EventType = "IP Connect"
  AND DstPort = 445
  AND SrcProcName != "System"
ORDER BY EventTime DESC
LIMIT 200
Events
Webhooks
SentinelOne delivers real-time events to your HTTPS endpoints. Configure subscriptions, verify signatures, and handle retries.
Supported Event Types
THREATS_ALERT
AGENT_CONNECTED
AGENT_DISCONNECTED
POLICY_VIOLATION
THREAT_MITIGATED
ALERT_CREATED
USER_ACTION
RANGER_NEW_ASSET
Delivery Guarantees
| Property | Value |
|---|---|
| Delivery | At-least-once |
| Retry attempts | 5 (exponential backoff) |
| Timeout | 10 seconds per attempt |
| Signature header | X-S1-Signature (HMAC-SHA256) |
| Max payload | 1 MB |
THREAT Event Payload
JSON Payload
{
  "DataType": "threats",
  "event": "THREATS_ALERT",
  "timestamp": "2026-03-05T14:32:08.441Z",
  "data": {
    "id": "2328e64e26a14b9f",
    "threatInfo": {
      "threatName": "Ransom.WannaCry",
      "confidenceLevel": "malicious",
      "mitigationStatus": "not_mitigated",
      "sha256": "e3b0c44298fc1c..."
    },
    "agentRealtimeInfo": {
      "agentComputerName": "DESKTOP-7G4B1",
      "agentOsName": "Windows 11"
    }
  }
}
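Added example (not code from the portal or from SentinelOne): a framework-independent receiver check that applies the delivery properties listed above. It enforces the 1 MB cap, verifies X-S1-Signature as a hex HMAC-SHA256 over the raw body before parsing anything, and acknowledges without reprocessing the duplicates that at-least-once delivery with retries produces. The class name, the dedup key (SHA-256 of the body), the one-hour window, the hex encoding of the signature and the status codes are assumptions.

```python
import hashlib
import hmac
import json
import time

MAX_PAYLOAD = 1_000_000   # "Max payload 1 MB" from the table; decimal MB assumed
DEDUP_TTL = 3600          # assumed window, longer than the 5-attempt retry schedule


class WebhookVerifier:
    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now       # injectable clock for testing
        self._seen = {}       # body digest -> expiry time

    def handle(self, raw_body: bytes, sig_header):
        """Return (http_status, event). event is None when nothing should be processed."""
        # 1. Size cap first, so oversized bodies are never hashed or parsed
        if len(raw_body) > MAX_PAYLOAD:
            return 413, None
        # 2. A missing signature is rejected, never treated as "unsigned but fine"
        if not isinstance(sig_header, str) or not sig_header:
            return 401, None
        # 3. HMAC over the exact bytes received, compared in constant time
        expected = hmac.new(self._secret, raw_body, hashlib.sha256).hexdigest()
        supplied = sig_header.strip().lower()
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return 403, None
        # 4. Parse only authenticated input
        try:
            event = json.loads(raw_body)
        except ValueError:
            return 400, None
        # 5. At-least-once delivery: acknowledge repeats with 200 so the sender
        #    stops retrying, but hand the event to the pipeline only once
        now = self._now()
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        key = hashlib.sha256(raw_body).hexdigest()
        if key in self._seen:
            return 200, None
        self._seen[key] = now + DEDUP_TTL
        return 200, event


def demo():
    """Run a constructed delivery, its retry, and a forged signature."""
    secret = b"constructed-demo-secret"
    body = json.dumps({"event": "THREATS_ALERT",
                       "data": {"id": "2328e64e26a14b9f"}}).encode()
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest()
    v = WebhookVerifier(secret)
    first = v.handle(body, sig)
    retry = v.handle(body, sig)
    forged = v.handle(body, "00" * 32)
    return [first[0], retry[1], forged[0]]


if __name__ == "__main__":
    print(demo())
```

In a web framework, pass the unmodified request bytes to `handle`; re-serialized JSON will not match the signature.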
Webhooks
Webhook Management API
Programmatically create, update, and delete webhook subscriptions without using the management console UI.
Webhook CRUD Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /notification-schema/connections | List webhook subscriptions (Notification Center API) |
| POST | /notification-schema/connections | Create subscription |
| PUT | /notification-schema/connections/{id} | Update subscription |
| DELETE | /notification-schema/connections/{id} | Delete subscription |
| POST | /notification-schema/connections/{id}/test | Send test payload |
Create Webhook — Request Body
POST /notification-schema/connections
{
  "name": "Splunk SIEM Forwarder",
  "url": "https://splunk.corp.internal:8088/services/collector",
  "secret": "<HMAC_SECRET>",
  "events": ["THREATS_ALERT", "AGENT_CONNECTED"],
  "siteIds": ["1184494981234567890"]
}
Interactive
API Explorer
Build and inspect API requests. Note: this explorer shows request structure only — actual calls require your token and are subject to CORS from browser context. For live calls use cURL, Postman, or your integration environment.
⚠Browser-based API calls to SentinelOne will be blocked by CORS. Use this builder to construct requests, then run them from Postman, your CLI, or your integration code.
Common Triage Request Templates
| Method | Request | Purpose |
|---|---|---|
| GET | /threats?resolved=false&limit=100 | Open threat triage queue |
| POST | /threats/mitigate/quarantine | Bulk quarantine |
| GET | /agents?isActive=true&isInfected=true | Infected endpoints |
| GET | /activities?limit=50 | Recent activity log |
GraphQL
GraphQL Playground
Compose and reference GraphQL queries for the SentinelOne API. Endpoint: https://<tenant>.sentinelone.net/web/api/v2.1/graphql
Example Response Shape
{
  "data": {
    "threats": [
      {
        "id": "2328e64e26a14b9f",
        "threatInfo": {
          "threatName": "Ransom.WannaCry",
          "confidenceLevel": "malicious",
          "mitigationStatus": "not_mitigated",
          "createdAt": "2026-03-05T14:22:01Z"
        },
        "agentRealtimeInfo": {
          "agentComputerName": "DESKTOP-7G4B1",
          "agentOsName": "Windows 11"
        }
      }
    ]
  }
}
Testing
Sandbox Environment
A fully isolated, non-production environment for developing and testing integrations. No real endpoints or data are affected.
SANDBOX
https://usea1-012.sentinelone.net/web/api/v2.1
Safe to test all API actions — simulated data only
Sandbox Credentials
Sandbox API Token
sandbox_get_token_from_sentinelone_dev_portal
Base URL
https://usea1-012.sentinelone.net/web/api/v2.1
ℹSandbox tokens are issued per developer account from the free developer portal.
Sandbox vs Production
| Feature | Sandbox | Production |
|---|---|---|
| All endpoints | Yes | Yes |
| Rate limit | 100/min | 1,000/min |
| Agent data | Simulated | Real |
| Threat actions | Mocked | Real |
| Webhooks | Supported | Supported |
| Data retention | 7 days | Configurable |
Tools
Postman / Insomnia Collections
Pre-built collections for rapid development. Include all endpoints, environment variables, and pre-configured authentication.
Postman
Full S1 API collection with environment templates for production, sandbox, and dev accounts.
Insomnia
Insomnia workspace with all resource groups organized by category (threats, agents, policies).
OpenAPI 3.0
Complete Swagger / OpenAPI spec — import into any compatible tool or use for code generation.
Environment Variables Template
Postman Environment JSON
{
  "baseUrl": "https://{{tenant}}.sentinelone.net/web/api/v2.1",
  "apiToken": "YOUR_API_TOKEN_HERE",
  "siteId": "YOUR_SITE_ID",
  "tenant": "acme",
  "sandboxUrl": "https://usea1-012.sentinelone.net/web/api/v2.1"
}
Spec
OpenAPI / Swagger Specs
Machine-readable API specification for code generation, SDK creation, Swagger UI, and tool import. Available in OpenAPI 3.0 JSON and YAML.
📐The OpenAPI spec is the canonical source for all endpoint schemas, request/response models, and error codes. Import it into Postman, Insomnia, or any OpenAPI-compatible tool.
Spec Excerpt — Threats Endpoint
OpenAPI 3.0 YAML (excerpt)
paths:
  /threats:
    get:
      summary: List threats
      parameters:
        - name: limit
          in: query
          schema: { type: integer, maximum: 1000 }
        - name: cursor
          in: query
          schema: { type: string }
      responses:
        "200":
          content:
            application/json:
              schema: { $ref: "#/components/schemas/ThreatList" }
Tooling
CLI — s1cli
Official command-line interface for SentinelOne. Manage threats, agents, policies, and more directly from your terminal.
Installation
Shell (macOS / Homebrew)
# Install
brew tap sentinelone/tap
brew install s1cli
# Configure
s1cli configure \
  --tenant acme \
  --token <YOUR_TOKEN>
# Verify
s1cli status
Common Triage Commands
s1cli Commands
# List open threats
s1cli threats list --resolved=false --limit 50
# Quarantine a threat
s1cli threats mitigate quarantine \
  --id 2328e64e26a14b9f
# List infected endpoints
s1cli agents list --isInfected=true
# Initiate full scan
s1cli agents scan --id <AGENT_ID>
# Fetch recent activity
s1cli activities list --limit 20
Dev Tools
IDE Extensions
Official extensions for VS Code and JetBrains. Schema validation, endpoint autocomplete, and inline API documentation.
VS Code
S1 API schema autocomplete, request snippets, inline docs, and linting for JSON payloads.
JetBrains
Plugin for IntelliJ, PyCharm, and GoLand. Autocomplete for S1 API request structures.
Any LSP Editor
OpenAPI LSP integration works with Neovim, Emacs, Helix, and any editor with LSP support.
Ecosystem
Integrations
340+ certified integrations across SIEM, SOAR, ticketing, identity, cloud, and vulnerability management platforms.
| Integration | Category | Status |
|---|---|---|
| Splunk | SIEM | Certified |
| Microsoft Sentinel | SIEM | Certified |
| Elastic SIEM | SIEM | Certified |
| IBM QRadar | SIEM | Certified |
| XSOAR | SOAR | Certified |
| Splunk SOAR | SOAR | Certified |
| ServiceNow | ITSM | Certified |
| Jira Service Mgmt | Ticketing | Certified |
| PagerDuty | Alerting | Certified |
| Okta | Identity | Certified |
| Tenable | Vuln Mgmt | Certified |
| AWS Security Hub | Cloud | Certified |
Partners
Ecosystem
The SentinelOne technology alliance and partner ecosystem at a glance.
| Metric | Count | Notes |
|---|---|---|
| Marketplace Apps | 340+ | Certified integrations |
| Technology Partners | 120+ | Alliance partners |
| MSSP Partners | 600+ | Managed service providers |
| Open-Source Projects | 48 | Community maintained |
🌐Full partner and marketplace directory: sentinelone.com/partners
Marketplace
App Listing Requirements
Checklist for submitting your integration to the SentinelOne Marketplace. Review time is typically 2–4 weeks.
Submission Checklist
| # | Requirement | Notes |
|---|---|---|
| 01 | Security architecture review | Mandatory for all apps |
| 02 | API documentation (README) | Setup + configuration guide |
| 03 | Support SLA defined | Response time commitments |
| 04 | Least-privilege scope usage | Only request needed scopes |
| 05 | Rate limit handling + backoff | No brute-force on 429 |
| 06 | Webhook signature validation | HMAC-SHA256 required |
| 07 | Sandbox test suite passing | All endpoints tested |
| 08 | Privacy policy / data handling | GDPR compliance statement |
Costs
API Pricing
API access is included with your SentinelOne subscription. Higher rate limit tiers are available for high-volume integrations.
Developer
Free / sandbox
100 req/min (sandbox)
All endpoints (simulated data)
Webhook delivery supported
7-day data retention
Community support
Included (Licensed)
$0 / with license
1,000 req/min Read
200 req/min Write
Webhook delivery included
Full production data
Standard support
Enterprise Add-on
Custom / contact sales
10,000 req/min Read
2,000 req/min Write
Priority webhook queue
Dedicated IP allowlist
SLA + TAM support
Limits
API Rate Limits
SentinelOne enforces per-token rate limits. Understand the tiers, response headers, and recommended backoff strategy.
| Category | Limit | Applies to |
|---|---|---|
| Read (Standard) | 1,000 req/min | GET endpoints |
| Write (Standard) | 200 req/min | POST/PUT/DELETE |
| Agent Commands | 20 req/min | Scan, fetch-file, isolate |
| Threat Mitigations | 50 req/min | Mitigate, quarantine |
| GraphQL | 300 req/min | All query types |
| Sandbox (Dev) | 100 req/min | All endpoints |
Rate Limit Response Headers & 429 Handling
Response Headers (on every call)
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 180
X-RateLimit-Reset: 1709644328   # Unix epoch
Retry-After: 680                # seconds — only on 429
Python — Exponential Backoff
import time, requests

def s1_get(url, headers, retries=5):
    for attempt in range(retries):
        r = requests.get(url, headers=headers, timeout=30)
        if r.status_code == 429:
            # Honor Retry-After when present, otherwise back off exponentially
            wait = int(r.headers.get("Retry-After", 2 ** attempt))
            time.sleep(wait)
            continue
        r.raise_for_status()
        return r.json()
    raise Exception("Rate limit retries exhausted")
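Added example, not the portal's or SentinelOne's code: a delay planner that uses all three headers shown above. It paces calls from X-RateLimit-Remaining and X-RateLimit-Reset before a 429 occurs, and on a 429 it refuses to block a worker for an over-long Retry-After such as the 680 seconds in the sample. `plan_delay`, the 120-second ceiling and the jitter are assumptions.

```python
import random

MAX_WAIT = 120  # assumed ceiling in seconds; tune per integration


def _int_header(headers, name):
    """Parse an integer header; None when absent or malformed."""
    try:
        return int(headers.get(name))
    except (TypeError, ValueError):
        return None


def plan_delay(status, headers, attempt, now, jitter=random.random):
    """Return seconds to wait before the next call, or None to stop and alert."""
    if status == 429:
        wait = _int_header(headers, "Retry-After")
        if wait is None or wait < 0:
            wait = 2 ** attempt          # same fallback as the sample above
        if wait > MAX_WAIT:
            return None                  # hand back to the scheduler instead of sleeping
        return wait + jitter()           # jitter keeps parallel workers from retrying together
    remaining = _int_header(headers, "X-RateLimit-Remaining")
    reset = _int_header(headers, "X-RateLimit-Reset")
    if remaining is None or reset is None:
        return 0.0                       # no budget information: do not delay
    window = max(reset - now, 0)         # seconds until the budget resets
    if remaining <= 0:
        return float(min(window, MAX_WAIT))
    return window / remaining            # spread the remaining calls over the window


# Constructed sample responses using the header names shown above
SAMPLES = [
    (200, {"X-RateLimit-Remaining": "180", "X-RateLimit-Reset": "1709644328"}),
    (429, {"Retry-After": "30"}),
    (429, {"Retry-After": "680"}),
    (429, {}),
]


def demo(now=1709644268):
    """Delays for the constructed samples, with jitter disabled for repeatability."""
    return [plan_delay(s, h, attempt=2, now=now, jitter=lambda: 0.0)
            for s, h in SAMPLES]


if __name__ == "__main__":
    print(demo())
```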
Community
Community
Connect with other SentinelOne developers. Ask questions, share integrations, and follow API updates.
GitHub
Official repos, SDKs, CLI source, and sample integrations.
github.com/Sentinel-One
StackOverflow
Use tag [sentinelone] for community support.
4,821 tagged questions
Developer Forum
Announcements, RFCs, partner discussions, and office hours.
community.sentinelone.com
Slack Workspace
Real-time chat channels for API, webhooks, and integrations.
2,200+ members
Tutorials
Step-by-step integration guides for common use cases.
48 guides available
Samples & Examples
Production-ready code in Python, Go, PowerShell, JavaScript.
120+ samples
Community
GitHub
Official SentinelOne GitHub organization — source code, SDKs, CLI, and community integrations.
Key Repositories
| Type | Repository | Description |
|---|---|---|
| SDK | sentinelone/s1-python-sdk | Official Python SDK |
| SDK | sentinelone/s1-go | Official Go SDK |
| CLI | sentinelone/s1cli | s1cli command-line tool |
| Samples | sentinelone/api-examples | Code samples all languages |
| Integration | sentinelone/splunk-app | Splunk TA open source |
Community
StackOverflow Tags
Use these tags when posting SentinelOne questions on StackOverflow for best visibility and response rate.
Recommended Tags
[sentinelone]
[sentinelone-api]
[sentinelone-webhook]
[s1-edr]
[edr-api]
[endpoint-security]
ℹ Always include the specific API version (v2.1) and language in your question title for faster answers.
Learn
Tutorials
Step-by-step integration guides for common SentinelOne API use cases. 48 guides available at docs.sentinelone.com/tutorials.
Featured Tutorials
| Category | Tutorial | Duration |
|---|---|---|
| Start | Getting Started with the Management API | 15 min |
| Auth | Token Auth & Scope Management | 10 min |
| Webhooks | Building a SIEM Webhook Forwarder | 30 min |
| Threat Resp | Automated Threat Triage with Python | 45 min |
| Integration | ServiceNow Incident Auto-Creation | 60 min |
| GraphQL | Querying Threat Data with GraphQL | 20 min |
Code
Samples & Examples
Production-ready code examples across multiple languages. All available at github.com/sentinelone/api-examples.
Bulk Threat Triage — Python
Python
import requests

def auto_triage(base, token):
    hdr = {"Authorization": f"ApiToken {token}"}
    # Fetch all open threats, following the cursor until it is null
    threats = []
    cursor = None
    while True:
        p = {"resolved": "false", "limit": 100}
        if cursor:
            p["cursor"] = cursor
        r = requests.get(f"{base}/threats", headers=hdr, params=p, timeout=30)
        r.raise_for_status()  # stop on 401/429/5xx rather than parsing an error body
        data = r.json()
        threats += data["data"]
        cursor = data["pagination"]["nextCursor"]
        if not cursor:
            break
    return threats
Webhook Signature Verify — Python
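Python (Flask)
import hmac, hashlib
from flask import Flask, request, abort

app = Flask(__name__)
SECRET = b"<YOUR_WEBHOOK_SECRET>"

def verify_signature(payload, sig_header):
    # Recompute HMAC-SHA256 over the raw body and compare in constant time
    expected = hmac.new(
        SECRET, payload, hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected, sig_header):
        abort(403)

# In your route ("/webhook" is an example path):
@app.route("/webhook", methods=["POST"])
def webhook():
    # A missing header becomes "" and fails verification with 403
    verify_signature(request.get_data(),
                     request.headers.get("X-S1-Signature", ""))
    return "", 204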
Open Source
Open-Source Projects
Community and officially maintained open-source tools for the SentinelOne ecosystem.
Official Open-Source Projects
| Type | Project | Description | License |
|---|---|---|---|
| SDK | s1-python-sdk | Python client library | MIT |
| SDK | s1-go | Go client library | MIT |
| CLI | s1cli | Official CLI tool | Apache 2.0 |
| Integration | s1-splunk-app | Splunk TA | MIT |
| Integration | s1-elastic-integration | Elastic agent integration | Apache 2.0 |
| Tooling | s1-api-examples | Multi-language code samples | MIT |
Updates
API Changelog
All changes to the SentinelOne Management API. Subscribe at docs.sentinelone.com/changelog for email notifications.
| Date | Version | Change | Details |
|---|---|---|---|
| Mar 5, 2026 | v2.1.4 | Forensics Download Endpoint Added | New GET /threats/{id}/forensics returns a signed download URL (valid 15 min) for forensic artifacts. |
| Feb 18, 2026 | v2.1.3 | Rate Limit Headers on All Responses | X-RateLimit-Remaining and X-RateLimit-Reset now returned on every response, not just 429s. |
| Jan 30, 2026 | v2.1.2 | Breaking: Cursor Pagination Required | Integer offset pagination is rejected. All clients must use the base64 cursor field. Offset-based calls return 400. |
| Jan 12, 2026 | v2.1.1 | GraphQL Endpoint — GA | GraphQL is now Generally Available for all read operations. Write mutations planned for v2.2. |
| Dec 5, 2025 | v2.1.0 | Custom Object / IOC API Added | New endpoints for managing custom threat intelligence IOC objects with JSON Schema validation. |
| Oct 1, 2025 | v2.0.5 | OAuth 2.0 Client Credentials — Beta | Machine-to-machine OAuth 2.0 flow available in beta for third-party app developers. |
Ops
Status Page
Live service health is available at status.sentinelone.com. The table below reflects documented SLA targets per region.
Regional API Components & SLA Targets
| Component | SLA target |
|---|---|
| Management API — US East | 99.99% |
| Management API — US West | 99.99% |
| Management API — EU West | 99.99% |
| Management API — APAC | 99.99% |
| GraphQL Endpoint | 99.99% |
| Webhook Delivery | 99.95% |
| Authentication Service | 99.99% |
| Sandbox Environment | 99.5% |
ℹFor real-time incidents and maintenance windows, always check status.sentinelone.com directly.
Analytics
Developer & Ecosystem Metrics
Published adoption and ecosystem figures for the SentinelOne developer platform. Source: SentinelOne Developer Relations, 2026.
Estimated Developers
18,000+
Registered API users worldwide
▲ 34% YoY
Estimated Customers
11,000+
Enterprise & SMB accounts
▲ 28% YoY
Estimated Users
9.4M+
Protected endpoints globally
▲ 42% YoY
Marketplace Integrations
340+
Certified partner apps
Technology Partners
120+
Alliance partners
MSSP Partners
600+
Managed service providers
Open-Source Repos
48
Community maintained
ℹFigures are estimates published by SentinelOne Developer Relations. For official investor data see investors.sentinelone.com.