// docs / rest api
REST API
Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.
Authentication
ທຸກ request ຕ້ອງມີ bearer token ໃນ header Authorization. Tokens ອອກຈາກ Account → API tokens; plaintext ສະແດງໃຫ້ທ່ານເຫັນຄັ້ງດຽວຕອນສ້າງ. ການ revoke token ຈະ return 401 ໃນ call ຖັດໄປ.
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scansຮູບແບບ token: fxv_ ຕາມດ້ວຍ base64url characters 43 ຕົວ. ເກັບ at rest ເປັນ SHA-256 hash; plaintext ບໍ່ເຄີຍ persist ຝັ່ງ server.
Rate limits
2 windows ໃນທຸກ authenticated request: 10 req/sec burst ແລະ 60 req/min steady, ທັງສອງ keyed ດ້ວຍ bearer hash. Quota enforcement (caps ສະແກນຕໍ່ເດືອນ) ຊ້ອນຢູ່ຂ້າງເທິງ — ເບິ່ງ ໂຄຕ້າ ແລະ ຂີດຈຳກັດ.
Pagination
List endpoints (/api/v1/scans, /api/v1/findings) ໃຊ້ cursor-based pagination ທີ່ keyed ດ້ວຍ (created_at, id) ໃນ descending order. ສົ່ງ ?cursor=<next_cursor> ເພື່ອ fetch page ຖັດໄປ. cursor ຍັງຖືກຕ້ອງພາຍໃຕ້ concurrent writes (ບໍ່ມີ OFFSET skew).
ຮູບແບບ Error
Error ທຸກອັນເປັນ JSON object ທີ່ມີ key error ຢ່າງນ້ອຍ.
{ "error": "invalid_token" } // 401
{ "error": "forbidden" } // 403
{ "error": "not_found" } // 404
{ "error": "quota_exceeded", "quota": {...} } // 429
{ "error": "rate_limited", "retry_after_seconds": 47 } // 429
{ "error": "invalid_input", "issues": [...] } // 400Endpoints
ເລີ່ມສະແກນ
/api/v1/scansEnqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/[scanId] until status === "completed".
curl -X POST https://fixvibe.app/api/v1/scans \
-H "Authorization: Bearer fxv_..." \
-H "content-type: application/json" \
-d '{"target":"https://staging.example.com"}'// 200 response
{
"id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
"status": "queued",
"target": "https://staging.example.com",
"mode": "passive"
}ລາຍຊື່ scans ຂອງທ່ານ
/api/v1/scansReturn scans ສຳລັບ org ທີ່ຜູກກັບ calling token, ໃໝ່ສຸດກ່ອນ. Paginate ດ້ວຍ ?cursor=. Default limit 50, max 100.
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/scans?limit=25"// 200 response
{
"scans": [
{
"id": "8f1c4e2a-...",
"target_url": "https://staging.example.com",
"target_hostname": "staging.example.com",
"mode": "passive",
"status": "completed",
"started_at": "2026-05-07T14:00:00Z",
"completed_at": "2026-05-07T14:00:23Z",
"findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
"triggered_by": "api",
"created_at": "2026-05-07T14:00:00Z"
}
],
"next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}ເອົາ scan
/api/v1/scans/{scanId}Return scan envelope + per-category severity summary ໂດຍ default. ສົ່ງ ?include_findings=true ເພື່ອໄດ້ full report (ໃຫຍ່ສຳລັບ noisy scans — ແນະນຳ findings endpoint ພ້ອມ filters).
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4dລາຍຊື່ findings
/api/v1/findingsລາຍຊື່ findings ທີ່ filter ໄດ້ຂ້າມທຸກ scan ໃນ org ຂອງ caller. Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Cursor-paginated.
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"// 200 response
{
"findings": [
{
"id": "...",
"scan_id": "...",
"check_id": "secrets.js-bundle-sweep",
"severity": "critical",
"title": "Supabase service role key exposed in JS bundle",
"description": "...",
"evidence": { ... },
"remediation": "...",
"cwe_id": "CWE-798",
"created_at": "2026-05-07T14:00:23Z"
}
],
"next_cursor": null
}OpenAPI spec
Machine-readable spec ທີ່ /docs/api/openapi (text/yaml). ໃສ່ໃນ codegen ທີ່ທ່ານມັກ (openapi-typescript, openapi-python-client, ຫຼື OpenAPI 3.1 toolchain ໃດໆ) ເພື່ອໄດ້ typed clients.