LiteSOC API
Lightweight Security Observability for Modern Apps
LiteSOC is a lightweight security observability tool that helps you track, analyze, and respond to security events in your application. With a single API endpoint, you can capture authentication events, admin actions, data access, and security incidents.
Fast Integration
Single endpoint, no SDK required. Works with any language.
Geo-IP Detection
Automatic location tracking and impossible travel detection.
25+ Event Formats
Automatic normalization from legacy formats to our standard schema.
Authentication
All API requests require authentication using an API key. Include your API key in thex-api-keyheader with every request.
x-api-key: lsoc_your_api_key_hereWhere to find your API key
lsoc_.Quick Start
Send your first security event in under a minute:
Get your API key
Copy your key from Dashboard → Settings → API
Send an event
POST to the collect endpoint:
POST https://litesoc.io/api/v1/collectView in Dashboard
Events appear in real-time on your dashboard
IP Address Tracking
Important: Forward the End-User's IP
For accurate Geo-IP location and Impossible Travel detection, you must forward the end-user's real IP address in the user_ip field.
If you don't send user_ip, we'll only see your server's IP, which means all users will appear to be in the same location.
IP Field Reference
| Field | Source | Used For |
|---|---|---|
| user_ip | You send this | Geo-IP, Impossible Travel, Brute Force |
| server_ip | Auto-detected | Audit trail only |
How to Extract User IP
Most web frameworks provide helpers, but behind a reverse proxy (nginx, Cloudflare), you need to check headers:
// Common pattern for extracting real user IP
function getUserIP(request) {
return (
request.headers['x-forwarded-for']?.split(',')[0]?.trim() ||
request.headers['x-real-ip'] ||
request.connection?.remoteAddress ||
'127.0.0.1'
);
}Event Normalizer
LiteSOC accepts 25+ event formats and automatically normalizes them to our standard schema. This means you can migrate from existing logging systems without changing your event names.
user.login.failedauth.login_failedpermission.deniedauthz.access_deniedprivilege.escalationadmin.privilege_escalationrate_limit.exceededsecurity.rate_limit_exceededUnrecognized Events
auth.,admin., etc.) are still accepted and logged, but flagged with unrecognized_format: true in metadata.Standard Events
LiteSOC defines 20 standard security events organized into 5 categories. Events marked as criticaltrigger instant alerts on all plans.
auth.login_successUser successfully authenticated
auth.login_failedFailed authentication attempt
auth.logoutUser session ended
auth.password_resetPassword reset requested or completed
auth.mfa_enabledMulti-factor authentication activated
auth.mfa_disabledMulti-factor authentication deactivated
authz.access_denied⚡ Instant AlertUser denied access to a resource
authz.role_changed⚡ Instant AlertUser role or permissions modified
authz.permission_grantedNew permission assigned to user
admin.user_createdNew user account created
admin.user_deletedUser account removed
admin.privilege_escalation⚡ Instant AlertUser gained elevated permissions
admin.settings_changedSystem or organization settings modified
admin.api_key_createdNew API key generated
data.exportData exported from the system
data.bulk_delete⚡ Instant AlertLarge-scale data deletion
data.sensitive_access⚡ Instant AlertAccess to sensitive or private data
security.suspicious_activity⚡ Instant AlertAnomalous or suspicious behavior detected
security.rate_limit_exceededAPI rate limit hit
security.ip_blockedIP address blocked due to suspicious activity
Code Examples
Copy-paste examples for popular frameworks. All examples show how to properly extract and forward the end-user's IP address.
// lsoc.ts - TypeScript SDK wrapper
interface Actor {
id?: string;
email?: string;
}
interface TrackEventOptions {
event: string;
actor: Actor;
userIP: string;
metadata?: Record<string, unknown>;
}
const LSOC_API_KEY = process.env.LSOC_API_KEY!;
const LSOC_ENDPOINT = 'https://litesoc.io/api/v1/collect';
export async function trackEvent({
event,
actor,
userIP,
metadata = {},
}: TrackEventOptions): Promise<{ status: string; quota: { remaining: number } }> {
const response = await fetch(LSOC_ENDPOINT, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'x-api-key': LSOC_API_KEY,
},
body: JSON.stringify({
event,
actor,
user_ip: userIP,
metadata,
}),
});
if (!response.ok) {
throw new Error(`LiteSOC API error: ${response.status}`);
}
return response.json();
}
// Extract user IP from headers (works with Express, Fastify, etc.)
export function getUserIP(headers: Record<string, string | string[] | undefined>): string {
const forwarded = headers['x-forwarded-for'];
if (forwarded) {
const ip = Array.isArray(forwarded) ? forwarded[0] : forwarded.split(',')[0];
return ip.trim();
}
const realIP = headers['x-real-ip'];
if (realIP) {
return Array.isArray(realIP) ? realIP[0] : realIP;
}
return '127.0.0.1';
}
// Usage example
await trackEvent({
event: 'auth.login_success',
actor: { id: 'user_123', email: 'user@example.com' },
userIP: getUserIP(req.headers),
metadata: { method: 'oauth', provider: 'google' },
});Response Codes
| Code | Status | Description |
|---|---|---|
| 202 | Accepted | Event queued for processing |
| 400 | Bad Request | Invalid JSON or missing required fields |
| 401 | Unauthorized | Missing or invalid API key |
| 403 | Forbidden | Monthly event limit reached or account suspended |
| 429 | Too Many Requests | Rate limit exceeded, retry after cooldown |
Example Responses
{
"status": "queued",
"quota": {
"remaining": 4999,
"limit": 5000
}
}Plan Features
LiteSOC offers three tiers with progressively more powerful threat detection capabilities.
Threat Detection
LiteSOC automatically analyzes your security events to detect threats in real-time.
admin.privilege_escalation,data.bulk_delete, andsecurity.suspicious_activity.Enterprise SSOEnterprise
Configure SAML 2.0 or OIDC-based Single Sign-On for your organization. Enterprise SSO allows your team members to authenticate using your identity provider (IdP) such as Okta, Azure AD, Google Workspace, or OneLogin.
- Navigate to Dashboard → Settings → SSO
- Enter your Identity Provider Metadata URL (e.g.,
https://your-idp.com/app/metadata.xml) - Configure the SSO domain (your company email domain like
company.com) - Copy the SP Entity ID and ACS URL to your IdP configuration
- Enable SSO and test with a team member
When SSO is enabled, users with matching email domains will see a "Login with Enterprise SSO" button on the login page. The flow automatically detects the SSO domain from the email address.
user@company.com → SSO enabled → Redirect to IdP
Audit LogsPro & Enterprise
Comprehensive audit logging tracks all administrative actions and security-relevant events across your organization. Essential for compliance (SOC 2, GDPR, HIPAA) and security investigations.
Organization
settings.updatedbilling.plan_changedapi_key.regenerated
Security
sso.enabledip_whitelist.updatedretention.changed
Export audit logs as CSV for compliance reporting and external analysis. Navigate to Dashboard → Settings → Audit Logs and use the export functionality.
Exports include: timestamp, actor (user email), action type, IP address, user agent, and detailed metadata for each event.
IP WhitelistingEnterprise
Restrict API access to specific IP addresses or CIDR ranges. This provides an additional layer of security by ensuring events can only be sent from known, trusted infrastructure.
Configure IP whitelists using individual IPs or CIDR notation for entire ranges:
- Go to Dashboard → Settings → Security
- Enable IP Whitelisting
- Add your trusted IPs or CIDR ranges (one per line)
- Save changes — API requests from non-whitelisted IPs will be rejected with
403 Forbidden
⚠️ Ensure you include all IPs where your application runs, including CI/CD servers and staging environments.