// docs / rest api

REST API

Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.

Autentikasi

Setiap request mesti membawa token bearer dalam header Authorization. Token dikeluarkan daripada Account → API tokens; plaintext ditunjukkan kepada anda tepat sekali semasa penciptaan. Membatalkan token mengembalikan 401 pada panggilan seterusnya.

bash

curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans

Format token: fxv_ diikuti 43 aksara base64url. Disimpan at rest sebagai hash SHA-256; plaintext tidak pernah disimpan secara kekal di sisi server.

Had kadar

Dua window pada setiap request berautentikasi: burst 10 req/saat dan steady 60 req/min, kedua-duanya dikunci pada hash bearer. Penguatkuasaan kuota (had imbasan per bulan) dilapiskan di atas — lihat Kuota & had.

Penomboran

Endpoint senarai (/api/v1/scans, /api/v1/findings) menggunakan penomboran berasaskan kursor yang dikunci pada (created_at, id) dalam susunan menurun. Hantar ?cursor=<next_cursor> untuk mengambil halaman seterusnya. Kursor kekal betul di bawah penulisan serentak (tiada skew OFFSET).

Bentuk ralat

Setiap ralat ialah objek JSON dengan sekurang-kurangnya key error.

jsonc

{ "error": "invalid_token" }                              // 401
{ "error": "forbidden" }                                  // 403
{ "error": "not_found" }                                  // 404
{ "error": "quota_exceeded", "quota": {...} }             // 429
{ "error": "rate_limited", "retry_after_seconds": 47 }    // 429
{ "error": "invalid_input", "issues": [...] }             // 400

Endpoint

Mulakan imbasan

POST/api/v1/scans

Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/[scanId] until status === "completed".

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

// respons 200

{
  "id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
  "status": "queued",
  "target": "https://staging.example.com",
  "mode": "passive"
}

Senaraikan imbasan anda

GET/api/v1/scans

Mengembalikan imbasan untuk org yang terikat kepada token pemanggil, terbaharu dahulu. Nomborkan dengan ?cursor=. Had default 50, maks 100.

curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/scans?limit=25"

// respons 200

{
  "scans": [
    {
      "id": "8f1c4e2a-...",
      "target_url": "https://staging.example.com",
      "target_hostname": "staging.example.com",
      "mode": "passive",
      "status": "completed",
      "started_at": "2026-05-07T14:00:00Z",
      "completed_at": "2026-05-07T14:00:23Z",
      "findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
      "triggered_by": "api",
      "created_at": "2026-05-07T14:00:00Z"
    }
  ],
  "next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}

Dapatkan imbasan

GET/api/v1/scans/{scanId}

Mengembalikan envelope imbasan + ringkasan severity mengikut kategori secara default. Hantar ?include_findings=true untuk mendapatkan laporan penuh (besar untuk imbasan yang bising — lebih baik gunakan endpoint findings dengan filter).

curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d

Senaraikan dapatan

GET/api/v1/findings

Senarai dapatan boleh ditapis merentas setiap imbasan dalam org pemanggil. Filter: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Dinomborkan dengan kursor.

curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"

// respons 200

{
  "findings": [
    {
      "id": "...",
      "scan_id": "...",
      "check_id": "secrets.js-bundle-sweep",
      "severity": "critical",
      "title": "Supabase service role key exposed in JS bundle",
      "description": "...",
      "evidence": { ... },
      "remediation": "...",
      "cwe_id": "CWE-798",
      "created_at": "2026-05-07T14:00:23Z"
    }
  ],
  "next_cursor": null
}

Spesifikasi OpenAPI

Spesifikasi boleh dibaca mesin di /docs/api/openapi (text/yaml). Masukkan ke codegen kegemaran anda (openapi-typescript, openapi-python-client, atau mana-mana toolchain OpenAPI 3.1) untuk klien bertaip.