REST API
Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.
Authentication
All requests must carry a bearer token in the Authorization header. Tokens are issued from Account → API tokens; the plaintext is shown to you only once, at creation. Once a token is revoked, the next call with it returns 401.
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scans
Token format: fxv_ followed by 43 base64url characters. Stored at rest as a SHA-256 hash; the plaintext is never persisted server-side.
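The server-side handling this section describes, written out as an added example (it is not the service's own code): check the documented token shape, store only the SHA-256 digest, and resolve an Authorization header to an org by comparing digests in constant time. `token_index`, `resolve_token` and `mint_token` are hypothetical names; the only facts taken from the page are the `fxv_` prefix, the 43-character base64url body and the SHA-256-at-rest rule.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional

# Documented token shape: "fxv_" followed by 43 base64url characters
# (43 unpadded base64url characters encode exactly 32 random bytes).
TOKEN_RE = re.compile(r"fxv_[A-Za-z0-9_-]{43}")


def mint_token() -> str:
    """Issue a token of the documented shape (illustrative issuer, assumed not the service's)."""
    return "fxv_" + secrets.token_urlsafe(32)


def hash_token(plaintext: str) -> str:
    """Hex SHA-256 of the token: the only form that should be persisted server-side."""
    return hashlib.sha256(plaintext.encode("ascii")).hexdigest()


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Pull the token out of an Authorization header; None if the header is malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not TOKEN_RE.fullmatch(token):
        return None
    return token


def resolve_token(authorization: Optional[str], token_index: Dict[str, str]) -> Optional[str]:
    """Map a presented bearer to its org id, or None (the caller then answers 401).

    token_index maps stored hex SHA-256 digests to org ids; it is a hypothetical
    stand-in for the service's token table. Revocation is just deleting the row,
    which is why the very next call with that token fails. Digests are compared
    with hmac.compare_digest so an unknown token costs the same as a valid one.
    """
    token = parse_bearer(authorization)
    if token is None:
        return None
    presented = hash_token(token)
    for stored, org_id in token_index.items():
        if hmac.compare_digest(presented, stored):
            return org_id
    return None
```

A real table would be indexed by digest rather than scanned linearly; the scan is kept here only to make the constant-time comparison explicit. Note that the regex rejects the token before anything is hashed, so malformed headers never reach the lookup.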
Rate limits
Two windows apply to every authenticated request: a burst window of 10 req/sec and a steady window of 60 req/min, both keyed on the bearer hash. Quota enforcement (per-month scan caps) is layered on top of this; see Quotas & limits.
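How two stacked windows keyed on the bearer hash behave, as an added example rather than the service's implementation: a sliding-log limiter where a request passes only if both the 10 req/sec and the 60 req/min window have headroom, and a rejection reports how long until the oldest hit ages out (the `retry_after_seconds` value the 429 body carries). Class and function names are mine; time is integer milliseconds so the arithmetic is exact.

```python
import hashlib
import math
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Documented windows: burst 10 req/sec and steady 60 req/min, as (span_ms, max_requests).
WINDOWS: Tuple[Tuple[int, int], ...] = ((1_000, 10), (60_000, 60))


def limiter_key(bearer_token: str) -> str:
    """Key on the SHA-256 of the bearer, so the plaintext token never sits in the limiter."""
    return hashlib.sha256(bearer_token.encode("ascii")).hexdigest()


class DualWindowLimiter:
    """Sliding-log limiter: a request passes only if every window has headroom."""

    def __init__(self, windows=WINDOWS):
        self.windows = windows
        # key -> one timestamp log per window
        self.logs: Dict[str, List[deque]] = defaultdict(lambda: [deque() for _ in windows])

    def check(self, bearer_token: str, now_ms: int) -> Tuple[bool, int]:
        """Return (allowed, retry_after_seconds); retry_after_seconds is 0 when allowed."""
        logs = self.logs[limiter_key(bearer_token)]
        retry_after_ms = 0
        for (span_ms, cap), log in zip(self.windows, logs):
            while log and log[0] <= now_ms - span_ms:  # drop hits that left the window
                log.popleft()
            if len(log) >= cap:
                # The oldest hit must age out before another request fits in this window.
                retry_after_ms = max(retry_after_ms, log[0] + span_ms - now_ms)
        if retry_after_ms:
            return False, math.ceil(retry_after_ms / 1000)
        for log in logs:
            log.append(now_ms)  # a request is counted in every window only when it passes
        return True, 0


def rate_limited_body(retry_after_seconds: int) -> dict:
    """The documented 429 payload for a rejected request."""
    return {"error": "rate_limited", "retry_after_seconds": retry_after_seconds}
```

Rejected requests are deliberately not recorded in the logs, so a client that keeps hammering after a 429 does not push its own retry-after further out; whether the real service does the same is not stated on the page.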
Pagination
List endpoints (/api/v1/scans, /api/v1/findings) use cursor-based pagination keyed on (created_at, id) in descending order. Send ?cursor=<next_cursor> to fetch the next page. Cursors stay correct under concurrent writes (no OFFSET skew).
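Keyset pagination on (created_at, id) and why it has no OFFSET skew, as an added example that is not the service's code: `list_scans` serves a page of rows sorting strictly before the cursor tuple, the cursor uses the documented "<created_at>:<id>" shape, and the two `walk_*` helpers drain a constructed five-row table while a new scan is inserted between pages. The keyset walk returns every original row once; the OFFSET walk reads one row twice. `Scan`, `list_scans` and the walker names are mine.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Scan:
    id: str
    created_at: str  # fixed-width ISO-8601 UTC, so string order equals time order


def encode_cursor(scan: Scan) -> str:
    """Documented next_cursor shape: "<created_at>:<id>"."""
    return f"{scan.created_at}:{scan.id}"


def decode_cursor(cursor: str) -> Tuple[str, str]:
    # created_at itself contains ':' characters, so split on the last one.
    created_at, _, scan_id = cursor.rpartition(":")
    return created_at, scan_id


def list_scans(table: List[Scan], limit: int = 50, cursor: Optional[str] = None) -> Dict:
    """Keyset page: rows whose (created_at, id) sorts strictly before the cursor, newest first.

    Equivalent SQL: WHERE (created_at, id) < (?, ?) ORDER BY created_at DESC, id DESC LIMIT ?
    """
    limit = max(1, min(limit, 100))  # documented default 50, max 100
    rows = sorted(table, key=lambda s: (s.created_at, s.id), reverse=True)
    if cursor is not None:
        boundary = decode_cursor(cursor)
        rows = [s for s in rows if (s.created_at, s.id) < boundary]
    page = rows[:limit]
    next_cursor = encode_cursor(page[-1]) if len(rows) > limit else None
    return {"scans": page, "next_cursor": next_cursor}


def list_scans_offset(table: List[Scan], limit: int, offset: int) -> List[Scan]:
    """The OFFSET style the docs avoid, kept only to show the skew."""
    rows = sorted(table, key=lambda s: (s.created_at, s.id), reverse=True)
    return rows[offset:offset + limit]


def walk_keyset(table: List[Scan], limit: int, newcomer: Optional[Scan] = None) -> List[str]:
    """Drain every page by cursor; newcomer is inserted after the first page to mimic a concurrent write."""
    seen, cursor = [], None
    while True:
        page = list_scans(table, limit, cursor)
        seen.extend(s.id for s in page["scans"])
        if newcomer is not None:
            table.append(newcomer)
            newcomer = None
        cursor = page["next_cursor"]
        if cursor is None:
            return seen


def walk_offset(table: List[Scan], limit: int, newcomer: Optional[Scan] = None) -> List[str]:
    """Same drain with OFFSET: the insert shifts every row down, so one row is read twice."""
    seen, offset = [], 0
    while True:
        page = list_scans_offset(table, limit, offset)
        if not page:
            return seen
        seen.extend(s.id for s in page)
        if newcomer is not None:
            table.append(newcomer)
            newcomer = None
        offset += limit


def sample_table() -> List[Scan]:
    """Constructed sample data: five scans one second apart."""
    return [Scan(f"scan-0{i}", f"2026-05-07T14:00:0{i}Z") for i in range(1, 6)]


NEWCOMER = Scan("scan-06", "2026-05-07T14:00:06Z")  # constructed: arrives while a client is paging
```

The newcomer is newer than the cursor, so the keyset walk never sees it; that is the intended behaviour for a newest-first listing started before the row existed, and a client wanting it polls again with no cursor (or uses the findings endpoint's since= filter).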
Error format
Every error is a JSON object that contains at least an error key.
{ "error": "invalid_token" } // 401
{ "error": "forbidden" } // 403
{ "error": "not_found" } // 404
{ "error": "quota_exceeded", "quota": {...} } // 429
{ "error": "rate_limited", "retry_after_seconds": 47 } // 429
{ "error": "invalid_input", "issues": [...] } // 400
Endpoints
Start a scan
POST /api/v1/scans
Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/{scanId} until status === "completed".
curl -X POST https://fixvibe.app/api/v1/scans \
-H "Authorization: Bearer fxv_..." \
-H "content-type: application/json" \
-d '{"target":"https://staging.example.com"}'
// 200 response
{
"id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
"status": "queued",
"target": "https://staging.example.com",
"mode": "passive"
}
List your scans
GET /api/v1/scans
Returns the scans for the org bound to the calling token, newest first. Paginate with ?cursor=. Default limit 50, max 100.
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/scans?limit=25"
// 200 response
{
"scans": [
{
"id": "8f1c4e2a-...",
"target_url": "https://staging.example.com",
"target_hostname": "staging.example.com",
"mode": "passive",
"status": "completed",
"started_at": "2026-05-07T14:00:00Z",
"completed_at": "2026-05-07T14:00:23Z",
"findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
"triggered_by": "api",
"created_at": "2026-05-07T14:00:00Z"
}
],
"next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}
Get a scan
GET /api/v1/scans/{scanId}
Returns the scan envelope plus a severity summary per category by default. Send ?include_findings=true to get the full report (large for noisy scans; prefer the findings endpoint with filters).
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d
List findings
GET /api/v1/findings
Filterable list of findings across all scans in the caller's org. Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Cursor-paginated.
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"
// 200 response
{
"findings": [
{
"id": "...",
"scan_id": "...",
"check_id": "secrets.js-bundle-sweep",
"severity": "critical",
"title": "Supabase service role key exposed in JS bundle",
"description": "...",
"evidence": { ... },
"remediation": "...",
"cwe_id": "CWE-798",
"created_at": "2026-05-07T14:00:23Z"
}
],
"next_cursor": null
}
OpenAPI spec
The machine-readable spec lives at /docs/api/openapi (text/yaml). Feed it to your preferred codegen (openapi-typescript, openapi-python-client, or any OpenAPI 3.1 toolchain) to get typed clients.
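The endpoints above chained into one automation flow, as an added example rather than an SDK the service ships: start a scan, poll GET /api/v1/scans/{scanId} until status is "completed", then follow next_cursor through /api/v1/findings, sleeping for retry_after_seconds whenever a rate_limited 429 comes back and raising on every other error body (quota_exceeded, invalid_token, and so on). `FixvibeClient`, `ApiError` and the transport callable are my names; `make_fake_transport` is a constructed offline stand-in that returns the documented shapes, and DEMO_TOKEN is a placeholder, not a real token.

```python
import time
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlencode

BASE_URL = "https://fixvibe.app"
DEMO_TOKEN = "fxv_" + "0" * 43  # constructed placeholder, not a real token

# transport(method, path, headers, json_body) -> (status, json_body); swap in a real HTTP call for BASE_URL
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class ApiError(Exception):
    """Non-retryable error body in the documented error format."""

    def __init__(self, status: int, body: dict):
        super().__init__(f"HTTP {status}: {body.get('error')}")
        self.status, self.body = status, body


class FixvibeClient:
    def __init__(self, token: str, transport: Transport, sleep=time.sleep, max_retries: int = 5):
        self.headers = {"Authorization": f"Bearer {token}", "content-type": "application/json"}
        self.transport, self.sleep, self.max_retries = transport, sleep, max_retries

    def request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        """Honour retry_after_seconds on rate_limited; surface every other error (quota_exceeded included)."""
        for _ in range(self.max_retries + 1):
            status, data = self.transport(method, path, self.headers, body)
            if status == 429 and data.get("error") == "rate_limited":
                self.sleep(data.get("retry_after_seconds", 1))
                continue
            if status >= 400:
                raise ApiError(status, data)
            return data
        raise ApiError(429, {"error": "rate_limited"})

    def start_scan(self, target: str) -> dict:
        return self.request("POST", "/api/v1/scans", {"target": target})

    def wait_for_scan(self, scan_id: str, poll_interval: int = 5, timeout: int = 600) -> dict:
        """Poll GET /api/v1/scans/{scanId} until status == "completed" or the time budget runs out."""
        waited = 0
        while True:
            scan = self.request("GET", f"/api/v1/scans/{scan_id}")
            if scan["status"] == "completed":
                return scan
            if waited >= timeout:
                raise TimeoutError(f"scan {scan_id} still {scan['status']} after {timeout}s")
            self.sleep(poll_interval)
            waited += poll_interval

    def iter_findings(self, **filters) -> Iterator[dict]:
        """Follow next_cursor until it is null, yielding findings as they arrive."""
        params = dict(filters)
        while True:
            data = self.request("GET", "/api/v1/findings?" + urlencode(params))
            yield from data["findings"]
            if not data.get("next_cursor"):
                return
            params["cursor"] = data["next_cursor"]


def make_fake_transport() -> Transport:
    """Constructed offline stand-in for fixvibe.app using the response shapes documented above.

    Scripted: the scan completes on the second poll, and the first findings call is rate limited.
    """
    scan_id = "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d"
    state = {"polls": 0, "limited": False}

    def transport(method, path, headers, body):
        if headers.get("Authorization") != f"Bearer {DEMO_TOKEN}":
            return 401, {"error": "invalid_token"}
        if method == "POST" and path == "/api/v1/scans":
            return 200, {"id": scan_id, "status": "queued", "target": body["target"], "mode": "passive"}
        if method == "GET" and path == f"/api/v1/scans/{scan_id}":
            state["polls"] += 1
            return 200, {"id": scan_id, "status": "completed" if state["polls"] >= 2 else "queued"}
        if method == "GET" and path.startswith("/api/v1/findings?"):
            if not state["limited"]:
                state["limited"] = True
                return 429, {"error": "rate_limited", "retry_after_seconds": 1}
            if "cursor=" in path:
                return 200, {"findings": [{"id": "f-2", "severity": "high"}], "next_cursor": None}
            return 200, {"findings": [{"id": "f-1", "severity": "critical"}],
                         "next_cursor": "2026-05-07T14:00:23Z:f-1"}
        return 404, {"error": "not_found"}

    return transport


def run_demo(transport: Optional[Transport] = None) -> dict:
    """Start a scan, wait for it, then page critical/high findings; sleeps are recorded, not slept."""
    sleeps: List[int] = []
    client = FixvibeClient(DEMO_TOKEN, transport or make_fake_transport(), sleep=sleeps.append)
    scan = client.start_scan("https://staging.example.com")
    done = client.wait_for_scan(scan["id"], poll_interval=5, timeout=60)
    findings = list(client.iter_findings(severity="critical,high", limit=50))
    return {"scan_status": done["status"], "finding_ids": [f["id"] for f in findings], "sleeps": sleeps}


if __name__ == "__main__":
    print(run_demo())
```

Injecting both the transport and the sleep function is what keeps the flow testable: the demo records the 5-second poll and the 1-second rate-limit back-off instead of waiting for them. Against the live API the transport would issue the request to BASE_URL with the same headers and return the parsed status and body; quota_exceeded is intentionally not retried, since waiting does not replenish a monthly cap.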
