The whole catalog is available as a free, CORS-enabled JSON API and as embeddable control cards. No key, no signup, no rate-limit gymnastics. Attribution (CC BY 4.0) is the only ask. Build dashboards, embed controls in your docs, or pull the crosswalk into your own tooling.
One line of HTML renders a live, always-current control card on any page. It updates when the catalog does, and links back to the full control. Transparent background, no external dependencies.
Paste into any HTML page. The card is a sandboxed iframe — it can't touch your page, and your page can't touch it.
Base URL https://meridian.htora.dev. Every response is JSON with access-control-allow-origin: *, cached 5 minutes. Versioned via the version field.
The full catalog in one call: functions, families, controls (with mappings, applicability, lifecycle, tags), frameworks, and counts. This is what the site itself loads.
curl https://meridian.htora.dev/api/all
Lightweight: functions, families, frameworks, tags, and counts. No control bodies.
Filtered control list. Combine any of these query parameters:
| Param | Example | Meaning |
|---|---|---|
tier | M-1 | Maturity tier |
context | use | build · acquire · use |
function | SC | GV·DS·SC·DT·RS·AS |
family | SC.1 | Family id |
tag | agentic | Control tag |
q | injection | Full-text search |
curl "https://meridian.htora.dev/api/controls?tier=M-1&context=use"
One control, fully expanded. Example: /api/controls/SC-11.
Reverse index: a framework's references mapped back to the controls that satisfy them. Frameworks:
curl https://meridian.htora.dev/api/crosswalk/eu_ai_act
The catalog is also published as an OSCAL catalog and a federal profile, for GRC tooling that speaks NIST OSCAL natively.
Free under CC BY 4.0. Use it, build on it, embed it — just credit MERIDIAN and link back. No warranty; verify mappings against the cited sources for your own compliance decisions.