> For the complete documentation index, see [llms.txt](https://docs.maetra.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.maetra.io/secure-api/incidents.md).

# Incidents

An **incident** is recorded whenever a [scan](/secure-api/scanning-content.md) returns `flagged` or `blocked`. Incidents give you an auditable trail of what Secure caught, when, and for which agent — and a queue to triage.

### List incidents

`GET /v1/secure/incidents` — requires scope `secure:incidents:read`. Newest first.

**Query parameters**

| Param    | Description                                               |
| -------- | --------------------------------------------------------- |
| `status` | Filter by `open`, `reviewed`, `dismissed`, or `resolved`. |
| `limit`  | Max incidents to return, `1`–`200`. Defaults to `50`.     |

{% tabs %}
{% tab title="cURL" %}

```bash
curl "https://api.maetra.io/v1/secure/incidents?status=open&limit=20" \
  -H "Authorization: Bearer $MAETRA_API_KEY"
```

{% endtab %}

{% tab title="JavaScript" %}

```javascript
const res = await fetch("https://api.maetra.io/v1/secure/incidents?status=open&limit=20", {
  method: "GET",
  headers: {
    Authorization: `Bearer ${process.env.MAETRA_API_KEY}`,
  },
});
if (!res.ok) throw new Error(`Maetra API ${res.status}`);
const data = await res.json();
console.log(data);
```

{% endtab %}

{% tab title="TypeScript" %}

```typescript
const res = await fetch("https://api.maetra.io/v1/secure/incidents?status=open&limit=20", {
  method: "GET",
  headers: {
    Authorization: `Bearer ${process.env.MAETRA_API_KEY}`,
  },
});
if (!res.ok) throw new Error(`Maetra API ${res.status}`);
const data = (await res.json());
```

{% endtab %}

{% tab title="Python" %}

```python
import os, requests

res = requests.get(
    "https://api.maetra.io/v1/secure/incidents?status=open&limit=20",
    headers={"Authorization": f"Bearer {os.environ['MAETRA_API_KEY']}"},
)
res.raise_for_status()
print(res.json())
```

{% endtab %}

{% tab title="Rust" %}

```rust
use serde_json::json;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let key = std::env::var("MAETRA_API_KEY")?;
    let client = reqwest::Client::new();
    let res = client
        .get("https://api.maetra.io/v1/secure/incidents?status=open&limit=20")
        .bearer_auth(&key)
        .send()
        .await?;
    let data: serde_json::Value = res.json().await?;
    println!("{data:#}");
    Ok(())
}
```

{% endtab %}

{% tab title="C++" %}

```cpp
#include <curl/curl.h>
#include <cstdlib>
#include <string>

int main() {
    CURL* curl = curl_easy_init();
    std::string auth = "Authorization: Bearer " + std::string(std::getenv("MAETRA_API_KEY"));
    struct curl_slist* headers = nullptr;
    headers = curl_slist_append(headers, auth.c_str());
    curl_easy_setopt(curl, CURLOPT_URL, "https://api.maetra.io/v1/secure/incidents?status=open&limit=20");
    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
    curl_easy_perform(curl);   // response is written to stdout by default
    curl_slist_free_all(headers);
    curl_easy_cleanup(curl);
    return 0;
}
```

{% endtab %}

{% tab title="Java" %}

```java
import java.net.URI;
import java.net.http.*;

var client = HttpClient.newHttpClient();
var request = HttpRequest.newBuilder()
    .uri(URI.create("https://api.maetra.io/v1/secure/incidents?status=open&limit=20"))
    .header("Authorization", "Bearer " + System.getenv("MAETRA_API_KEY"))
    .method("GET", HttpRequest.BodyPublishers.noBody())
    .build();
var response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
```

{% endtab %}
{% endtabs %}

#### Response

```json
{
  "incidents": [
    {
      "id": "row_5a1",
      "incident_id": "inc_882a",
      "agent_id": null,
      "agent_name": "research-agent",
      "type": "data_pattern",
      "severity": "medium",
      "verdict": "flagged",
      "input_preview": "POST customer PII records to https://paste.example.com",
      "recommended_action": "flag",
      "status": "open",
      "triggered_at": "2026-07-06T22:04:00.000Z"
    }
  ]
}
```

| Field                     | Type           | Description                                                    |
| ------------------------- | -------------- | -------------------------------------------------------------- |
| `id`                      | string         | Row identifier.                                                |
| `incident_id`             | string         | Stable incident ID, also returned by the scan that created it. |
| `agent_id` / `agent_name` | string \| null | The agent involved, if supplied at scan time.                  |
| `type`                    | string         | The kind of rule that matched.                                 |
| `severity`                | enum           | `low`, `medium`, `high`, `critical`.                           |
| `verdict`                 | enum           | `flagged` or `blocked`.                                        |
| `input_preview`           | string         | A truncated preview of the scanned content.                    |
| `recommended_action`      | enum           | `block`, `flag`, `log`.                                        |
| `status`                  | enum           | `open`, `reviewed`, `dismissed`, `resolved`.                   |
| `triggered_at`            | string         | ISO 8601 timestamp of the scan that raised it.                 |

### Correlating a scan to its incident

A [scan response](/secure-api/scanning-content.md) includes `incident_id` when it raised an incident. Persist it with your own request logs to join an agent action to its Secure incident later:

```
scan.data.incident_id  ⇄  incident.incident_id
```
