// docs / rest api
REST API
Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.
प्रमाणीकरण
हर request में Authorization header में bearer token होना चाहिए। Tokens Account → API tokens से issue होते हैं; plaintext creation पर आपको ठीक एक बार दिखता है। Token revoke करने पर next call में 401 लौटता है।
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scansToken format: fxv_ के बाद 43 base64url characters। At rest SHA-256 hash के रूप में stored; plaintext server-side कभी persist नहीं होता।
दर सीमाएं
हर authenticated request पर दो windows: 10 req/sec burst और 60 req/min steady, दोनों bearer hash पर keyed। Quota enforcement (per-month scan caps) इसके ऊपर layer होता है — कोटा और सीमाएं देखें।
Pagination
List endpoints (/api/v1/scans, /api/v1/findings) descending order में (created_at, id) पर keyed cursor-based pagination इस्तेमाल करते हैं। अगला page fetch करने के लिए ?cursor=<next_cursor> pass करें। Concurrent writes के बीच cursor सही रहता है (कोई OFFSET skew नहीं)।
Error shapes
हर error कम से कम error key वाला JSON object होता है।
{ "error": "invalid_token" } // 401
{ "error": "forbidden" } // 403
{ "error": "not_found" } // 404
{ "error": "quota_exceeded", "quota": {...} } // 429
{ "error": "rate_limited", "retry_after_seconds": 47 } // 429
{ "error": "invalid_input", "issues": [...] } // 400Endpoints
Scan शुरू करें
/api/v1/scansEnqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/[scanId] until status === "completed".
curl -X POST https://fixvibe.app/api/v1/scans \
-H "Authorization: Bearer fxv_..." \
-H "content-type: application/json" \
-d '{"target":"https://staging.example.com"}'// 200 response
{
"id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
"status": "queued",
"target": "https://staging.example.com",
"mode": "passive"
}अपने scans list करें
/api/v1/scansCalling token से जुड़े org के scans लौटाता है, newest first। ?cursor= से paginate करें। Default limit 50, max 100।
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/scans?limit=25"// 200 response
{
"scans": [
{
"id": "8f1c4e2a-...",
"target_url": "https://staging.example.com",
"target_hostname": "staging.example.com",
"mode": "passive",
"status": "completed",
"started_at": "2026-05-07T14:00:00Z",
"completed_at": "2026-05-07T14:00:23Z",
"findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
"triggered_by": "api",
"created_at": "2026-05-07T14:00:00Z"
}
],
"next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}Scan प्राप्त करें
/api/v1/scans/{scanId}Default रूप से scan envelope + per-category severity summary लौटाता है। Full report पाने के लिए ?include_findings=true pass करें (noisy scans में बड़ा हो सकता है — filters के साथ findings endpoint prefer करें)।
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4dFindings list करें
/api/v1/findingsCaller के org के हर scan में filterable findings list। Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z। Cursor-paginated।
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"// 200 response
{
"findings": [
{
"id": "...",
"scan_id": "...",
"check_id": "secrets.js-bundle-sweep",
"severity": "critical",
"title": "Supabase service role key exposed in JS bundle",
"description": "...",
"evidence": { ... },
"remediation": "...",
"cwe_id": "CWE-798",
"created_at": "2026-05-07T14:00:23Z"
}
],
"next_cursor": null
}OpenAPI spec
Machine-readable spec /docs/api/openapi (text/yaml) पर है। Typed clients के लिए इसे अपने पसंदीदा codegen (openapi-typescript, openapi-python-client, या कोई भी OpenAPI 3.1 toolchain) में drop करें।