FixVibe


REST API

Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.

Authentication

Every request must carry a bearer token in the Authorization header. Tokens are issued from Account → API tokens; the plaintext is shown exactly once, at creation. Once a token is revoked, the next call returns 401.

```bash
curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans
```

Token format: fxv_ followed by 43 base64url characters. Stored at rest as a SHA-256 hash; the plaintext is never persisted server-side.

Rate limits

Every authenticated request is subject to two windows: a 10 req/sec burst limit and a 60 req/min steady limit, both keyed on the hash of the bearer token. Quota enforcement (per-month scan caps) is layered on top of this; see Quotas & limits.

Pagination

List endpoints (/api/v1/scans, /api/v1/findings) use cursor-based pagination keyed on (created_at, id) in descending order. To fetch the next page, pass ?cursor=<next_cursor>. Cursors remain correct under concurrent writes (there is no OFFSET skew).

Error shapes

Every error is a JSON object with at least an error key.

```jsonc
{ "error": "invalid_token" }                              // 401
{ "error": "forbidden" }                                  // 403
{ "error": "not_found" }                                  // 404
{ "error": "quota_exceeded", "quota": {...} }             // 429
{ "error": "rate_limited", "retry_after_seconds": 47 }    // 429
{ "error": "invalid_input", "issues": [...] }             // 400
```

Endpoints

Start a scan

POST /api/v1/scans

Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/{scanId} until status is "completed".

```bash
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'
```

// 200 response

```json
{
  "id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
  "status": "queued",
  "target": "https://staging.example.com",
  "mode": "passive"
}
```

List your scans

GET /api/v1/scans

Returns the scans of the org associated with the calling token, newest first. Paginate with ?cursor=. The default limit is 50, the maximum 100.

```bash
curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/scans?limit=25"
```

// 200 response

```json
{
  "scans": [
    {
      "id": "8f1c4e2a-...",
      "target_url": "https://staging.example.com",
      "target_hostname": "staging.example.com",
      "mode": "passive",
      "status": "completed",
      "started_at": "2026-05-07T14:00:00Z",
      "completed_at": "2026-05-07T14:00:23Z",
      "findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
      "triggered_by": "api",
      "created_at": "2026-05-07T14:00:00Z"
    }
  ],
  "next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}
```

Get a scan

GET /api/v1/scans/{scanId}

By default returns the scan envelope plus a per-category severity summary. Pass ?include_findings=true to get the full report (large for noisy scans; prefer the findings endpoint with filters).

```bash
curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d
```

List findings

GET /api/v1/findings

Filterable list of findings across all scans of the caller's org. Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Cursor-paginated.

```bash
curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"
```

// 200 response

```json
{
  "findings": [
    {
      "id": "...",
      "scan_id": "...",
      "check_id": "secrets.js-bundle-sweep",
      "severity": "critical",
      "title": "Supabase service role key exposed in JS bundle",
      "description": "...",
      "evidence": { ... },
      "remediation": "...",
      "cwe_id": "CWE-798",
      "created_at": "2026-05-07T14:00:23Z"
    }
  ],
  "next_cursor": null
}
```

OpenAPI spec

The machine-readable spec is at /docs/api/openapi (text/yaml). For typed clients, drop it into your favourite codegen (openapi-typescript, openapi-python-client or any OpenAPI 3.1 toolchain).
