API Bypass Token
Free rate-limit bypass tokens for qualified practitioners.
Who qualifies for a free token?
Bypass tokens are issued free of charge to professionals who use the ISM in their day-to-day work and have a legitimate need for bulk or programmatic API access. Currently eligible:
- IRAP practitioners — individuals registered with the Australian Signals Directorate's Infosec Registered Assessors Program
- Australian Public Service — staff employed by Australian Commonwealth, state, or territory government agencies in a role that involves applying or assessing the ISM
- Other assorted organics — individuals deemed useful to the revolution at Iain's sole discretion. Apply and make your case.
Receiving a bypass token also grants you permission to use secctrl.fyi and its API for commercial purposes — for example, incorporating ISM control data into client deliverables or commercial tooling. This permission is personal, non-transferable, and contingent on your active IRAP registration.
Tokens may be refused or revoked at any time, for any reason, without notice.
What a bypass token does
All API endpoints are rate-limited per IP to prevent abuse. A bypass token removes those limits entirely for the duration of your session:
| Endpoint group | Default limit | With token |
|---|---|---|
| Stats & metadata | 60 req / min | Unlimited |
| Per-record detail | 30 req / min | Unlimited |
| Full-dataset lists | 10 req / min | Unlimited |
| Full revision history | 10 req / min | Unlimited |
| Version compare | 2 req / min | Unlimited |
Tokens are personal — please do not share them. Tokens do not expire unless revoked. If you share a token and it gets abused, it will be revoked.
Requesting a token
Email icd@secctrl.fyi with the subject ISM Explorer API token request and include:
- Your name and organisation
- A brief description of how you intend to use the API (e.g. "automating ISM control gap analysis for IRAP assessments")
- Your IRAP registration number, if applicable
Tokens are issued manually. Expect a response within a few business days. There is no SLA — this is a free service run by one person in his spare time.
Using your token
Pass the token as a request header on every API call:
```http
X-Bypass-Token: your-token-here
```
Example with curl:
```bash
curl -H "X-Bypass-Token: your-token-here" \
  "https://api.secctrl.fyi/api/controls?filter=e8"
```
Example with Python requests:
```python
import requests

# Send the bypass token on every call; without it the per-IP limits apply.
headers = {"X-Bypass-Token": "your-token-here"}
r = requests.get("https://api.secctrl.fyi/api/controls", headers=headers, timeout=30)
r.raise_for_status()  # surface HTTP errors instead of failing on .json() below
controls = r.json()["controls"]
```
You can also activate bypass mode in the browser UI by entering the Konami code (↑↑↓↓←→←→BA) on any page. A modal will prompt for your token, which is then stored in sessionStorage for that browsing session. A green 🔓 badge appears at the bottom-left of the page while the token is active; click it to clear.