Introduction
A complete REST API server for Seclore Digital Rights Management - protect, unprotect, classify, and manage permissions on files programmatically.
Authentication
All protected endpoints require a Bearer JWT token in the
Authorization header. Obtain tokens via POST /seclore/drm/1.0/auth/login. Public endpoints (login, refresh, invalidate, health, version) are marked with security: [] and do not require a token.API groups
Authentication
Login, refresh, and invalidate JWT tokens for API access control.
File Operations
Upload, download, list, and delete files from the Seclore file storage.
Protection
Protect and unprotect files using hot folders, policies, or independent user rights.
Classification
Apply, update, and remove classification labels from files via Policy Server.
Common headers
| Header | Required | Description |
|---|---|---|
| Authorization | true | Bearer <access_token> - required on all protected routes |
| X-SECLORE-CORRELATION-ID | false | Request ID passed through for tracing and server-side logging |
| Content-Type | true | application/json for JSON bodies; multipart/form-data for file uploads |
Error response schema
{
"errorCode": string,
"errorMessage": string
}
POST
Login
Fetch access and refresh tokens when both are expired. Use tenantId and tenantSecret credentials.
POST/seclore/drm/1.0/auth/login
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| tenantId | string | true | Tenant identifier |
| tenantSecret | string | true | Tenant secret key |
Code example
curl -X POST https://your-server/seclore/drm/1.0/auth/login \
-H "Content-Type: application/json" \
-d '{
"tenantId": "<string>",
"tenantSecret": "<string>"
}'
Responses
200Returns
accessToken and refreshToken401Unauthorized — invalid credentials
500Internal server error
Response schema (200)
{
"accessToken": string,
"refreshToken": string
}
POST
Refresh token
Generate a new access and refresh token pair when the access token has expired but the refresh token is still valid.
POST/seclore/drm/1.0/auth/refresh
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| refreshToken | string | true | A valid, non-expired refresh token |
Code example
curl -X POST https://your-server/seclore/drm/1.0/auth/refresh \
-H "Content-Type: application/json" \
-d '{ "refreshToken": "<string>" }'
Responses
200New
accessToken and refreshToken401Refresh token invalid or expired
500Internal server error
Response schema (200)
{
"accessToken": string,
"refreshToken": string
}
POST
Invalidate
Invalidates both the access and refresh token. The user must log in again to obtain new tokens.
POST/seclore/drm/1.0/auth/invalidate
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| accessToken | string | true | Current access token to invalidate |
| refreshToken | string | true | Current refresh token to invalidate |
Code example
curl -X POST https://your-server/seclore/drm/1.0/auth/invalidate \
-H "Content-Type: application/json" \
-d '{
"accessToken": "<string>",
"refreshToken": "<string>"
}'
Responses
200Both tokens invalidated successfully
401Unauthorized
500Internal server error
POST
Upload file
Upload a file to temporary storage before protection or unprotection. Returns a fileStorageId used in subsequent API calls.
POST/seclore/drm/filestorage/1.0/upload
Requires
Authorization: Bearer <access_token>Request body — multipart/form-data
| Field | Type | Required | Description |
|---|---|---|---|
| file | binary | true | The file to upload |
Code example
curl -X POST https://your-server/seclore/drm/filestorage/1.0/upload \
-H "Authorization: Bearer <access_token>" \
-F "file=@/path/to/document.pdf"
Responses
200
FileMetadataDTO including fileStorageId for use in other endpoints413Payload too large
401Unauthorized
500Internal server error
Response schema (200)
{
"fileStorageId": string,
"fileName": string,
"downloadUrl": string,
"fileType": string,
"fileSize": number,
"secloreFileId": string | null,
"protected": boolean
}
GET
List files
Returns all files currently stored in the file storage for the logged-in tenant.
GET/seclore/drm/filestorage/1.0/files
Requires
Authorization: Bearer <access_token>Code example
curl -X GET https://your-server/seclore/drm/filestorage/1.0/files \
-H "Authorization: Bearer <access_token>"
Responses
200Array of
FileMetadataDTO objects401Unauthorized
500Internal server error
Response schema (200)
[
{
"fileStorageId": string,
"fileName": string,
"downloadUrl": string,
"fileType": string,
"fileSize": number,
"secloreFileId": string | null,
"protected": boolean
}
]
GET
Get file info
Returns metadata for a specific file by its storage ID.
GET/seclore/drm/filestorage/1.0/file/{fileStorageId}
Requires
Authorization: Bearer <access_token>Path parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | Storage ID of the file to retrieve |
Code example
curl -X GET https://your-server/seclore/drm/filestorage/1.0/file/{fileStorageId} \
-H "Authorization: Bearer <access_token>"
Responses
200
FileMetadataDTO for the requested file401Unauthorized
500Internal server error
Response schema (200)
{
"fileStorageId": string,
"fileName": string,
"downloadUrl": string,
"fileType": string,
"fileSize": number,
"secloreFileId": string | null,
"protected": boolean
}
GET
Download file
Downloads a file from storage. Files with a DL_ prefix in their storage ID are automatically deleted after download.
GET/seclore/drm/filestorage/1.0/download/{fileStorageId}
Requires
Authorization: Bearer <access_token>Path parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | Storage ID. Prefix with DL_ to auto-delete after download |
Code example
curl -X GET https://your-server/seclore/drm/filestorage/1.0/download/DL_{fileStorageId} \
-H "Authorization: Bearer <access_token>" \
--output protected-document.pdf
Responses
200Binary file stream —
application/octet-stream401Unauthorized
500Internal server error
DELETE
Delete file
Deletes a specific file from the file storage of the currently logged-in tenant.
DELETE/seclore/drm/filestorage/1.0/{fileStorageId}
Requires
Authorization: Bearer <access_token>Path parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | Storage ID of the file to delete |
Code example
curl -X DELETE https://your-server/seclore/drm/filestorage/1.0/{fileStorageId} \
-H "Authorization: Bearer <access_token>"
Responses
200File deleted successfully
401Unauthorized
500Internal server error
DELETE
Delete all files
Deletes all files from the file storage of the currently logged-in tenant. Use with caution — this action cannot be undone.
DELETE/seclore/drm/filestorage/1.0
Requires
Authorization: Bearer <access_token>Code example
curl -X DELETE https://your-server/seclore/drm/filestorage/1.0 \
-H "Authorization: Bearer <access_token>"
Responses
200All files deleted
401Unauthorized
500Internal server error
POST
Independent rights protection
Protects a file by granting rights directly to individual users or groups. Full control over access rights, offline access, redistribution, and IP range restrictions.
POST/seclore/drm/1.0/protect/independent
Requires
Authorization: Bearer <access_token>Request body
| Field | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | File to protect |
| protectionDetails | object | true | Owner email, access rights, classification, credential IDs |
| protectionDetails.ownerEmailId | string | true | Email address of the file owner |
| protectionDetails.accessRightMappings | array | false | List of user/group access right configurations |
| protectionDetails.classificationId | string | false | Classification label ID to apply |
| protectionDetails.credentialIds | array<string> | false | Credential IDs to associate |
Access rights enum
readliteviewerprint
editfull_controlcopy_data
screen_capturemacro
Code example
curl -X POST https://your-server/seclore/drm/1.0/protect/independent \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
"fileStorageId": "<string>",
"protectionDetails": {
"ownerEmailId": "<string>",
"accessRightMappings": [{
"entities": [{ "emailId": "<string>", "type": "<string>" }],
"primaryAccessRight": ["<string>"],
"offline": <boolean>,
"redistribute": <boolean>
}]
}
}'
Responses
200Returns
fileStorageId and secloreFileId400Bad request
401Unauthorized
500Internal server error
Response schema (200)
{
"fileStorageId": string,
"secloreFileId": string
}
POST
Hot folder protection
Protects a file using a predefined hot folder policy configured in the Policy Server.
POST/seclore/drm/1.0/protect/hf
Requires
Authorization: Bearer <access_token>Request body
| Field | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | File to protect |
| hotfolderId | string | true | ID of the hot folder policy to apply |
Code example
curl -X POST https://your-server/seclore/drm/1.0/protect/hf \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
"fileStorageId": "<string>",
"hotfolderId": "<string>"
}'
Responses
200Returns
fileStorageId and secloreFileId400Bad request
401Unauthorized
500Internal server error
Response schema (200)
{
"fileStorageId": string,
"secloreFileId": string
}
POST
Protect via Seclore file ID
Replicates permissions from an already-protected Seclore file onto a new file.
POST/seclore/drm/1.0/protect/fileid
Requires
Authorization: Bearer <access_token>Request body
| Field | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | New file to protect |
| existingProtectedFileId | string | true | Seclore file ID to copy permissions from |
Code example
curl -X POST https://your-server/seclore/drm/1.0/protect/fileid \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
"fileStorageId": "<string>",
"existingProtectedFileId": "<string>"
}'
Responses
200Returns
fileStorageId and secloreFileId400Bad request
401Unauthorized
500Internal server error
Response schema (200)
{
"fileStorageId": string,
"secloreFileId": string
}
POST
Protect via external reference
Protect a file using a third-party file identifier. Useful for integrations where hot folder and file context come from an external system like SharePoint.
POST/seclore/drm/1.0/protect/externalref
Requires
Authorization: Bearer <access_token>Request body
| Field | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | File to protect |
| hotfolderExternalReference | object | true | External reference for the hot folder |
| hotfolderExternalReference.externalReferenceId | string | true | The external reference ID |
| hotfolderExternalReference.externalReferenceName | string | false | Human-readable name for the reference |
| hotfolderExternalReference.externalAppId | string | false | Identifier of the external application |
| fileExternalReference | object | false | Optional file-level external reference |
Code example
curl -X POST https://your-server/seclore/drm/1.0/protect/externalref \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
"fileStorageId": "<string>",
"hotfolderExternalReference": {
"externalReferenceId": "<string>",
"externalReferenceName": "<string>",
"externalAppId": "<string>"
}
}'
Responses
200Returns
fileStorageId and secloreFileId400Bad request
401Unauthorized
500Internal server error
Response schema (200)
{
"fileStorageId": string,
"secloreFileId": string
}
POST
Unprotect
Removes Seclore DRM protection from a previously protected file.
POST/seclore/drm/1.0/unprotect
Requires
Authorization: Bearer <access_token>Request body
| Field | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | Storage ID of the protected file to unprotect |
Code example
curl -X POST https://your-server/seclore/drm/1.0/unprotect \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{ "fileStorageId": "<string>" }'
Responses
200Returns
fileStorageId of the unprotected file400Bad request
401Unauthorized
500Internal server error
Response schema (200)
{
"fileStorageId": string
}
POST
Update file permission
Add, update, or remove access right mappings on an already-protected Seclore file.
POST/seclore/drm/1.0/updatefilepermission
Requires
Authorization: Bearer <access_token>Request body
| Field | Type | Required | Description |
|---|---|---|---|
| secloreFileId | string | true | Seclore file ID of the protected file |
| addAccessRightMappings | array | false | New user/group rights to add |
| removeAccessRightMappings | array | false | Existing rights to remove (identified by accessRightId) |
| updateAccessRightMappings | array | false | Existing rights to update (identified by accessRightId) |
| addCredentialIds | array<string> | false | Credential IDs to add |
| removeCredentialIds | array<string> | false | Credential IDs to remove |
Code example
curl -X POST https://your-server/seclore/drm/1.0/updatefilepermission \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
"secloreFileId": "<string>",
"addAccessRightMappings": [{
"entity": [{ "emailId": "<string>", "type": "<string>" }],
"primaryAccessRight": ["<string>"],
"offline": <boolean>,
"redistribute": <boolean>
}],
"removeCredentialIds": ["<string>"]
}'
Responses
200Permissions updated successfully
400Bad request
401Unauthorized
500Internal server error
GET
Get policy
Retrieves credential and permission details for a given policy ID or user email address.
GET/seclore/drm/1.0/policy/{identifier}
Requires
Authorization: Bearer <access_token>Path parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| identifier | string | true | Policy ID or user email address |
Code example
curl -X GET "https://your-server/seclore/drm/1.0/policy/{identifier}" \
-H "Authorization: Bearer <access_token>"
Responses
200
CredentialsResponse with credentials array400Bad request
401Unauthorized
500Internal server error
Response schema (200)
{
"credentials": [
{
"credentialId": string,
"credentialName": string
}
]
}
GET
Get file permissions
Returns current access rights of all users on a protected file, including classification, hot folder details, and applied policies.
GET/seclore/drm/1.0/filepermission/{fileStorageId}
Requires
Authorization: Bearer <access_token>Path parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | Storage ID of the file |
Code example
curl -X GET https://your-server/seclore/drm/1.0/filepermission/{fileStorageId} \
-H "Authorization: Bearer <access_token>"
Responses
200
FilePermissionResponse — access rights, classification, hot folder, policies400Bad request
401Unauthorized
500Internal server error
Response schema (200)
{
"secloreFileId": string,
"classification": object | null,
"hotFolder": object | null,
"accessRightMappings": array,
"policies": array
}
POST
Send custom request
Send a custom XML request to the Policy Server configured for the logged-in tenant using a specified request type.
POST/seclore/drm/1.0/sendrequest
Requires
Authorization: Bearer <access_token>Request body
| Field | Type | Required | Description |
|---|---|---|---|
| requestType | string | true | The type of request to send to Policy Server |
| requestBody | string | false | XML body content for the request |
Code example
curl -X POST https://your-server/seclore/drm/1.0/sendrequest \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
"requestType": "<string>",
"requestBody": "<string>"
}'
Responses
200
{ "response": "..." } — raw Policy Server XML response400Bad request
401Unauthorized
500Internal server error
Response schema (200)
{
"response": string
}
POST
Classify file
Apply a classification label to a file using a label ID configured in the Policy Server.
POST/seclore/drm/1.0/classification/classify
Requires
Authorization: Bearer <access_token>Request body
| Field | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | File to classify |
| labelId | string | true | Classification label ID from Policy Server |
| forceLabelRefresh | boolean | false | Force refresh of the label cache before applying |
Code example
curl -X POST https://your-server/seclore/drm/1.0/classification/classify \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
"fileStorageId": "<string>",
"labelId": "<string>"
}'
Responses
200File classified — returns
FileClassificationResponse with current label info400Bad request
401Unauthorized
500Internal server error
Response schema (200)
{
"fileStorageId": string,
"labelId": string,
"labelName": string
}
POST
Reclassify file
Update the classification label of an already-classified file. Response includes both the new and previous label.
POST/seclore/drm/1.0/classification/reclassify
Requires
Authorization: Bearer <access_token>Request body
| Field | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | File to reclassify |
| labelId | string | true | New classification label ID |
| forceLabelRefresh | boolean | false | Force refresh of label cache |
Code example
curl -X POST https://your-server/seclore/drm/1.0/classification/reclassify \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
"fileStorageId": "<string>",
"labelId": "<string>"
}'
Responses
200
FileClassificationResponse with currentLabel and oldLabel400Bad request
401Unauthorized
500Internal server error
Response schema (200)
{
"fileStorageId": string,
"currentLabel": { "labelId": string, "labelName": string },
"oldLabel": { "labelId": string, "labelName": string }
}
POST
Declassify file
Remove the classification label from a classified file.
POST/seclore/drm/1.0/classification/declassify
Requires
Authorization: Bearer <access_token>Request body
| Field | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | File to declassify |
| forceLabelRefresh | boolean | false | Force refresh of label cache |
Code example
curl -X POST https://your-server/seclore/drm/1.0/classification/declassify \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{ "fileStorageId": "<string>" }'
Responses
200File declassified — returns
FileClassificationResponse400Bad request
401Unauthorized
500Internal server error
Response schema (200)
{
"fileStorageId": string,
"labelId": null,
"labelName": null
}
GET
Get all classification labels
Returns all classification labels configured in the Policy Server, including nested sublabels, sensitivity levels, colors, and visual markings.
GET/seclore/drm/1.0/classification/labels
Requires
Authorization: Bearer <access_token>Request body (optional)
| Field | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | Context file storage ID |
| forceLabelRefresh | boolean | false | Force refresh of the label cache |
Code example
curl -X GET https://your-server/seclore/drm/1.0/classification/labels \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{ "fileStorageId": "<string>" }'
Responses
200Array of labels with sublabels, sensitivity, colors, and visual markings
400Bad request
401Unauthorized
500Internal server error
GET
Get file classification
Returns the current classification label information for a specific file.
GET/seclore/drm/1.0/classification/{fileStorageId}
Requires
Authorization: Bearer <access_token>Path parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| fileStorageId | string | true | Storage ID of the file |
Code example
curl -X GET https://your-server/seclore/drm/1.0/classification/{fileStorageId} \
-H "Authorization: Bearer <access_token>"
Responses
200
{ "classified": true, "classificationInfo": { ... } }400Bad request
401Unauthorized
500Internal server error
GET
Health check
Returns the overall health status of the Seclore DRM API service along with the status of individual components.
GET/seclore/drm/health
Code example
curl -X GET https://your-server/seclore/drm/health
Responses
200Service is UP —
{ "status": "UP", "components": { ... } }503Service is DOWN
500Internal server error
GET
Version
Returns the current version of the deployed Seclore DRM API Server as a plain text/html string.
GET/seclore/drm/version
Code example
curl -X GET https://your-server/seclore/drm/version
Responses
200Version string returned as
text/html