FixVibe


REST API

Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.

Authentication

Every request must carry a bearer token in the Authorization header. Tokens are issued from Account → API tokens; the plaintext is shown to you only once, at creation. Revoking a token returns 401 on the next call.

bash
curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans

Token format: fxv_ followed by 43 base64url characters. At rest it is stored as a SHA-256 hash; the plaintext is never persisted server-side.

Rate limits

Two windows apply to all authenticated requests: 10 req/sec burst and 60 req/min steady, both keyed on the bearer hash. Quota enforcement (monthly scan limits) is layered on top of that; see Quotas and limits.

Pagination

List endpoints (/api/v1/scans, /api/v1/findings) use cursor-based pagination, keyed on (created_at, id) in descending order. Pass ?cursor=<next_cursor> to fetch the next page. The cursor stays correct under concurrent writes (no OFFSET drift).

Error shapes

Every error is a JSON object with at least an error key.

jsonc
{ "error": "invalid_token" }                              // 401
{ "error": "forbidden" }                                  // 403
{ "error": "not_found" }                                  // 404
{ "error": "quota_exceeded", "quota": {...} }             // 429
{ "error": "rate_limited", "retry_after_seconds": 47 }    // 429
{ "error": "invalid_input", "issues": [...] }             // 400
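
A client loop for the pagination, rate-limit and error-shape rules described above, as an added example (not FixVibe's own code). The names iter_items, http_fetch, fake_fetch and the FIXVIBE_TOKEN environment variable are assumptions made here, and the fake transport's replies are constructed sample data.

```python
import json, os, time
import urllib.error, urllib.request
from urllib.parse import urlencode

BASE = "https://fixvibe.app/api/v1"

class ApiError(Exception):
    """Non-retryable failure; args are (HTTP status, parsed error body)."""

def http_fetch(url):
    """Real transport. FIXVIBE_TOKEN is an assumed env var name; it keeps the token out of source."""
    req = urllib.request.Request(
        url, headers={"Authorization": "Bearer " + os.environ["FIXVIBE_TOKEN"]})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # error replies carry a JSON body too
        return err.code, json.load(err)

def iter_items(path, key, fetch=http_fetch, params=None, sleep=time.sleep, max_retries=3):
    """Yield every item under `key` from a cursor-paginated list endpoint."""
    params, retries = dict(params or {}), 0
    while True:
        status, body = fetch(f"{BASE}{path}?{urlencode(params)}")
        if status == 429 and body.get("error") == "rate_limited":
            if retries == max_retries:  # stop hammering a limiter that keeps refusing
                raise ApiError(status, body)
            retries += 1
            sleep(body.get("retry_after_seconds", 1))
            continue
        if status != 200:
            # quota_exceeded is also a 429 but waiting cannot fix it; same for 400/401/403/404.
            raise ApiError(status, body)
        retries = 0
        yield from body[key]
        if not body.get("next_cursor"):
            return
        params["cursor"] = body["next_cursor"]

def fake_fetch():
    """Constructed offline transport: page 1, one rate_limited reply, then page 2."""
    replies = iter([(200, {"findings": [{"id": "a"}], "next_cursor": "c1"}),
                    (429, {"error": "rate_limited", "retry_after_seconds": 47}),
                    (200, {"findings": [{"id": "b"}], "next_cursor": None})])
    seen = []
    def fetch(url):
        seen.append(url)
        return next(replies)
    return fetch, seen
```

With the default transport, iter_items("/findings", "findings", params={"severity": "critical,high"}) walks every page for the calling token's org.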

Endpoints

Start a scan

POST /api/v1/scans

Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/{scanId} until status === "completed".

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

// 200 response

{
  "id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
  "status": "queued",
  "target": "https://staging.example.com",
  "mode": "passive"
}

List your scans

GET /api/v1/scans

Returns the scans of the org tied to the calling token, newest first. Paginate using ?cursor=. Default limit 50, max 100.

curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/scans?limit=25"

// 200 response

{
  "scans": [
    {
      "id": "8f1c4e2a-...",
      "target_url": "https://staging.example.com",
      "target_hostname": "staging.example.com",
      "mode": "passive",
      "status": "completed",
      "started_at": "2026-05-07T14:00:00Z",
      "completed_at": "2026-05-07T14:00:23Z",
      "findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
      "triggered_by": "api",
      "created_at": "2026-05-07T14:00:00Z"
    }
  ],
  "next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}

Get a scan

GET /api/v1/scans/{scanId}

By default returns the scan envelope plus a per-category severity summary. Pass ?include_findings=true to get the full report (large on noisy scans; prefer the findings endpoint with filters).

curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d

List findings

GET /api/v1/findings

Filterable findings across all scans in the caller's org. Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Cursor-paginated.

curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"

// 200 response

{
  "findings": [
    {
      "id": "...",
      "scan_id": "...",
      "check_id": "secrets.js-bundle-sweep",
      "severity": "critical",
      "title": "Supabase service role key exposed in JS bundle",
      "description": "...",
      "evidence": { ... },
      "remediation": "...",
      "cwe_id": "CWE-798",
      "created_at": "2026-05-07T14:00:23Z"
    }
  ],
  "next_cursor": null
}

OpenAPI spec

The machine-readable spec is available at /docs/api/openapi (text/yaml). Feed it into your codegen of choice (openapi-typescript, openapi-python-client, or any OpenAPI 3.1 toolchain) to generate typed clients.
