FixVibe


REST API

Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.

Authentication

Every request must carry a bearer token in the Authorization header. Tokens are issued from Account → API tokens; the plaintext is shown exactly once, at creation. Once a token is revoked, the next call returns 401.

bash
curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans

Token format: fxv_ followed by 43 base64url characters. Tokens are stored at rest as a SHA-256 hash; the plaintext is never persisted server-side.

Rate limits

Every authenticated request is subject to two windows: a 10 req/sec burst and a 60 req/min steady rate, both keyed by the bearer hash. Quota enforcement (per-month scan caps) is layered on top; see Quotas & limits.

Pagination

List endpoints (/api/v1/scans, /api/v1/findings) use cursor-based pagination, keyed on (created_at, id) in descending order. To fetch the next page, send ?cursor=<next_cursor>. The cursor stays correct under concurrent writes (no OFFSET skew).

Error shapes

Every error is a JSON object with at least an error key.

jsonc
{ "error": "invalid_token" }                              // 401
{ "error": "forbidden" }                                  // 403
{ "error": "not_found" }                                  // 404
{ "error": "quota_exceeded", "quota": {...} }             // 429
{ "error": "rate_limited", "retry_after_seconds": 47 }    // 429
{ "error": "invalid_input", "issues": [...] }             // 400

Endpoints

Start a scan

POST /api/v1/scans

Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/[scanId] until status === "completed".

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

// 200 response

{
  "id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
  "status": "queued",
  "target": "https://staging.example.com",
  "mode": "passive"
}

List your scans

GET /api/v1/scans

Returns scans for the org bound to the calling token, newest first. Paginate with ?cursor=. Default limit 50, max 100.

curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/scans?limit=25"

// 200 response

{
  "scans": [
    {
      "id": "8f1c4e2a-...",
      "target_url": "https://staging.example.com",
      "target_hostname": "staging.example.com",
      "mode": "passive",
      "status": "completed",
      "started_at": "2026-05-07T14:00:00Z",
      "completed_at": "2026-05-07T14:00:23Z",
      "findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
      "triggered_by": "api",
      "created_at": "2026-05-07T14:00:00Z"
    }
  ],
  "next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}

Get a scan

GET /api/v1/scans/{scanId}

By default, returns the scan envelope plus a per-category severity summary. Send ?include_findings=true to get the full report (large for noisy scans; prefer the findings endpoint, which has filters).

curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d

List findings

GET /api/v1/findings

Filterable list of findings across all scans in the caller's org. Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Cursor-paginated.

curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"

// 200 response

{
  "findings": [
    {
      "id": "...",
      "scan_id": "...",
      "check_id": "secrets.js-bundle-sweep",
      "severity": "critical",
      "title": "Supabase service role key exposed in JS bundle",
      "description": "...",
      "evidence": { ... },
      "remediation": "...",
      "cwe_id": "CWE-798",
      "created_at": "2026-05-07T14:00:23Z"
    }
  ],
  "next_cursor": null
}
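
The pagination, rate-limit and error-shape rules documented above, combined into one client loop over /api/v1/findings. This is an added example, not FixVibe's own code: iter_findings, ApiError, http_get and the injectable transport and sleep parameters are names assumed here, and error bodies are assumed to always be JSON as the Error shapes section states.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://fixvibe.app/api/v1"


class ApiError(Exception):
    """Non-retryable API error; body is the documented {"error": ...} object."""
    def __init__(self, status, body):
        super().__init__(f"{status} {body.get('error')}")
        self.status, self.body = status, body


def http_get(url, token):
    """Default transport (assumed helper): returns (status, parsed JSON body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)  # error responses carry a JSON body too


def iter_findings(token, params=None, transport=http_get, sleep=time.sleep, max_retries=5):
    """Yield every finding across all pages by following next_cursor."""
    query = dict(params or {})
    retries = 0
    while True:
        url = f"{BASE}/findings?{urllib.parse.urlencode(query)}"
        status, body = transport(url, token)
        if status == 429 and body.get("error") == "rate_limited" and retries < max_retries:
            # Retryable 429: wait out the window the server names, repeat the same page.
            retries += 1
            sleep(body.get("retry_after_seconds", 1))
            continue
        if status != 200:
            # quota_exceeded is also a 429, but it is a monthly cap: retrying cannot help.
            # invalid_token (401) lands here as well, e.g. after the token was revoked.
            raise ApiError(status, body)
        retries = 0
        yield from body["findings"]
        if not body.get("next_cursor"):
            return  # next_cursor: null marks the last page
        query["cursor"] = body["next_cursor"]
```

Both 429 shapes share a status code, so the loop branches on the error key rather than on the status alone. Read the token from a secret store or environment variable rather than embedding it in the script.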

OpenAPI spec

The machine-readable spec is at /docs/api/openapi (text/yaml). Feed it to your favourite codegen (openapi-typescript, openapi-python-client, or any OpenAPI 3.1 toolchain) for typed clients.
