REST API
Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.
Authentication
Every request must carry a bearer token in the Authorization header. Tokens are issued under Account → API tokens; the plaintext is shown exactly once, at creation. Once a token is revoked, the next call returns 401.
curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans
Token format: fxv_ followed by 43 base64url characters. Stored at rest as a SHA-256 hash; the plaintext is never persisted server-side.
Rate limits
Two windows apply to every authenticated request: a 10 req/sec burst limit and a 60 req/min steady limit, both keyed on the bearer token's hash. Quota enforcement (per-month scan caps) is layered on top; see Quotas & limits.
Pagination
List endpoints (/api/v1/scans, /api/v1/findings) use cursor-based pagination keyed on (created_at, id) in descending order. Pass ?cursor=<next_cursor> to fetch the next page. The cursor stays correct under concurrent writes (no OFFSET skew).
Error shapes
Every error is a JSON object with at least an error key.
{ "error": "invalid_token" } // 401
{ "error": "forbidden" } // 403
{ "error": "not_found" } // 404
{ "error": "quota_exceeded", "quota": {...} } // 429
{ "error": "rate_limited", "retry_after_seconds": 47 } // 429
{ "error": "invalid_input", "issues": [...] } // 400
Endpoints
Start a scan
POST /api/v1/scans
Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/{scanId} until status is "completed".
curl -X POST https://fixvibe.app/api/v1/scans \
-H "Authorization: Bearer fxv_..." \
-H "content-type: application/json" \
-d '{"target":"https://staging.example.com"}'
// 200 response
{
"id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
"status": "queued",
"target": "https://staging.example.com",
"mode": "passive"
}
List your scans
GET /api/v1/scans
Returns the scans of the org bound to the calling token, newest first. Paginate with ?cursor=. Default limit 50, max 100.
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/scans?limit=25"
// 200 response
{
"scans": [
{
"id": "8f1c4e2a-...",
"target_url": "https://staging.example.com",
"target_hostname": "staging.example.com",
"mode": "passive",
"status": "completed",
"started_at": "2026-05-07T14:00:00Z",
"completed_at": "2026-05-07T14:00:23Z",
"findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
"triggered_by": "api",
"created_at": "2026-05-07T14:00:00Z"
}
],
"next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}
Get a scan
GET /api/v1/scans/{scanId}
Returns the scan envelope plus a per-category severity summary by default. Pass ?include_findings=true for the full report (large for noisy scans; prefer the findings endpoint, which supports filters).
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d
List findings
GET /api/v1/findings
Filterable list of findings across every scan in the caller's org. Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Cursor-paginated.
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"
// 200 response
{
"findings": [
{
"id": "...",
"scan_id": "...",
"check_id": "secrets.js-bundle-sweep",
"severity": "critical",
"title": "Supabase service role key exposed in JS bundle",
"description": "...",
"evidence": { ... },
"remediation": "...",
"cwe_id": "CWE-798",
"created_at": "2026-05-07T14:00:23Z"
}
],
"next_cursor": null
}
OpenAPI spec
The machine-readable spec is served at /docs/api/openapi (text/yaml). For typed clients, feed it to your favourite codegen (openapi-typescript, openapi-python-client, or any OpenAPI 3.1 toolchain).
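A small client that ties together the Authentication, Rate limits, Pagination and List findings sections above, as an added example and not fixvibe's own SDK: it sends the bearer header, retries only the rate_limited 429 shape after retry_after_seconds, and follows next_cursor until it is null. The transport is injected; the in-memory fake server, the fxv_ token made of 43 repeated characters, and the finding ids and cursor values are all constructed for the demo.

```python
import time
from typing import Iterator

BASE = "https://fixvibe.app/api/v1"

class FixvibeClient:
    """Injected transport(method, url, headers, params, body) -> (status, json); wrap requests/httpx for real use."""
    def __init__(self, token: str, transport, sleep=time.sleep):
        self.headers = {"Authorization": f"Bearer {token}"}  # fxv_... token, shown once at creation
        self.transport, self.sleep = transport, sleep

    def get(self, path: str, params=None) -> dict:
        # Both 429 shapes share one status code: only rate_limited is retried, after retry_after_seconds.
        while True:
            status, data = self.transport("GET", BASE + path, self.headers, params or {}, None)
            if status == 429 and data.get("error") == "rate_limited":
                self.sleep(data["retry_after_seconds"])
                continue
            if status >= 400:  # quota_exceeded, 401, 403, 404, 400: retrying cannot help
                raise RuntimeError(f"{status} {data.get('error')}")
            return data

    def iter_findings(self, **filters) -> Iterator[dict]:
        cursor = None  # follow next_cursor until the server returns null; no OFFSET arithmetic
        while True:
            page = self.get("/findings", {**filters, **({"cursor": cursor} if cursor else {})})
            yield from page["findings"]
            if (cursor := page.get("next_cursor")) is None:
                return

def make_fake_server():
    """Constructed in-memory stand-in for fixvibe.app, following the documented response shapes."""
    state = {"limited": False}
    pages = {None: {"findings": [{"id": "f1", "severity": "critical"}], "next_cursor": "c1"},
             "c1": {"findings": [{"id": "f2", "severity": "high"}], "next_cursor": None}}
    def transport(method, url, headers, params, body):
        if headers.get("Authorization") != "Bearer fxv_" + "A" * 43:
            return 401, {"error": "invalid_token"}
        if not state["limited"]:  # trip the burst limit exactly once, as a live API might
            state["limited"] = True
            return 429, {"error": "rate_limited", "retry_after_seconds": 1}
        return (200, pages[params.get("cursor")]) if url == BASE + "/findings" else (404, {"error": "not_found"})
    return transport

def run_demo() -> tuple[list, list]:
    slept = []  # sleeps are recorded rather than taken, so the demo finishes instantly
    client = FixvibeClient("fxv_" + "A" * 43, make_fake_server(), sleep=slept.append)
    return [f["id"] for f in client.iter_findings(severity="critical,high", limit=50)], slept
```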
