Get current security trust block

GEThttps://app.speybooks.com/api/v1/public/trust

Returns the latest security audit trust block: the grade, score, module counts, and audit date produced by the SpeyBooks Security Test Harness, served read-only from its single-writer source (AX-TRUST-001). This is the same data rendered in the footer badge on speybooks.com and docs.speybooks.com, so the badge and this endpoint cannot disagree.

Authentication

Public, no authentication required. No API key or session is consulted; these endpoints are public by design.

Response Fields

  • securityGrade: audit grade, one of A+, A, B, C, F (there is no D grade)
  • score: weighted audit score, 0 to 100
  • lastAuditDate: audit date, ISO YYYY-MM-DD (UTC)
  • passed / total: modules passed and modules run
  • failures / warnings: module failures and warnings
  • sthReportDate: report timestamp, ISO UTC
  • auditSlug: slug of the published audit report on /insights/, when one exists; omitted otherwise
  • ageSeconds: age of the report at serve time, computed per request from sthReportDate
  • stale: true when ageSeconds exceeds the 48-hour freshness threshold

Freshness Semantics

Staleness is flagged, never hidden (AX-TRUST-002). A 200 response with stale: true means the audit data is valid but older than the freshness threshold; it is the API being honest about its data, not a fault. Consumers should decide their own rendering policy. SpeyBooks' own pages withhold the grade and show "verification pending" when the block is stale.

The audit runs daily, so under normal operation ageSeconds stays below 86,400 and stale is false. The 48-hour threshold allows for one missed run plus slack.

Errors

A 500 with a generic message means the trust data is missing or failed validation, which is a different signal from staleness: monitoring can distinguish "data old" (200, stale: true) from "data broken" (500). The endpoint never serves a grade that failed validation against the committed grade model.

Caching

Responses carry Cache-Control: public, s-maxage=300. Deliberately no stale-while-revalidate: serving a possibly-outdated price for an hour is acceptable, serving a possibly-outdated trust claim is not. The 5-minute cache window sits far inside the 48-hour freshness threshold, so caching cannot mask staleness.

The audit report: when auditSlug is present, the full module-by-module report is published at https://speybooks.com/insights/{auditSlug}/. The slug is omitted on audit runs that have not yet published a report; the most recent published report remains the reference.

A perfect score is not guaranteed: the example above is illustrative and shows two warnings. SpeyBooks publishes whatever the harness measures; a grade below the visibility floor is withheld from the footer badge but still served here (AX-TRUST-002), because the API reports facts and the badge applies presentation policy.

Rate limiting: no explicit limit; the 5-minute cache means rapid polling yields identical results. Poll daily at most; the underlying data changes once per day.

Response

200Latest security audit trust block. Cached 5 minutes. Staleness is flagged, never gated.
Show response fields
trustobject
Show child attributes
ageSecondsinteger
Age of the report at serve time, seconds.
auditSlugstring
Slug of the published audit article, when one exists.
failuresinteger
Module failures.
lastAuditDatestring
Audit date, ISO YYYY-MM-DD (UTC).
passedinteger
Modules passed.
scoreinteger
Weighted audit score, 0 to 100.
securityGradestring
Audit grade: A+, A, B, C, or F.
staleboolean
True when ageSeconds exceeds the 48h freshness threshold.
sthReportDatestring
Report timestamp, ISO UTC.
totalinteger
Modules run.
warningsinteger
Module warnings.

Error codes

500Trust artifact missing or invalid. Never returned for a valid-but-stale block.