REST API
Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.
Authentication
Every request must carry a bearer token in the Authorization header. Tokens are issued from Account → API tokens; the plaintext is shown to you exactly once, at creation. Revoking a token makes the next call return 401.
curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans
Token format: fxv_ followed by 43 base64url characters. Stored at rest as a SHA-256 hash; the plaintext is never persisted server-side.
Rate limits
Two windows apply to every authenticated request: a 10 req/sec burst limit and a 60 req/min steady limit, both keyed on the bearer hash. Quota enforcement (per-month scan caps) is layered on top of this; see Quotas and limits.
Pagination
List endpoints (/api/v1/scans, /api/v1/findings) use cursor-based pagination keyed on (created_at, id) in descending order. Pass ?cursor=<next_cursor> to fetch the next page. The cursor stays correct under concurrent writes (no OFFSET skew).
Error shapes
Every error is a JSON object with at least an error key.
{ "error": "invalid_token" } // 401
{ "error": "forbidden" } // 403
{ "error": "not_found" } // 404
{ "error": "quota_exceeded", "quota": {...} } // 429
{ "error": "rate_limited", "retry_after_seconds": 47 } // 429
{ "error": "invalid_input", "issues": [...] } // 400
Endpoints
Start a scan
POST /api/v1/scans
Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/{scanId} until status === "completed".
curl -X POST https://fixvibe.app/api/v1/scans \
-H "Authorization: Bearer fxv_..." \
-H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'
// 200 response
{
"id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
"status": "queued",
"target": "https://staging.example.com",
"mode": "passive"
}
List your scans
GET /api/v1/scans
Returns the scans of the org tied to the calling token, newest first. Paginate with ?cursor=. Default limit 50, max 100.
curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/scans?limit=25"
// 200 response
{
"scans": [
{
"id": "8f1c4e2a-...",
"target_url": "https://staging.example.com",
"target_hostname": "staging.example.com",
"mode": "passive",
"status": "completed",
"started_at": "2026-05-07T14:00:00Z",
"completed_at": "2026-05-07T14:00:23Z",
"findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
"triggered_by": "api",
"created_at": "2026-05-07T14:00:00Z"
}
],
"next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}
Get a scan
GET /api/v1/scans/{scanId}
Returns the scan envelope plus a per-category severity summary by default. Pass ?include_findings=true for the full report (large for noisy scans; prefer the findings endpoint with filters).
curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d
List findings
GET /api/v1/findings
Filterable list of findings across every scan in the caller's org. Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Cursor-paginated.
curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"
// 200 response
{
"findings": [
{
"id": "...",
"scan_id": "...",
"check_id": "secrets.js-bundle-sweep",
"severity": "critical",
"title": "Supabase service role key exposed in JS bundle",
"description": "...",
"evidence": { ... },
"remediation": "...",
"cwe_id": "CWE-798",
"created_at": "2026-05-07T14:00:23Z"
}
],
"next_cursor": null
}
OpenAPI spec
The machine-readable spec is at /docs/api/openapi (text/yaml). Drop it into your preferred codegen (openapi-typescript, openapi-python-client, or any OpenAPI 3.1 toolchain) for typed clients.
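Added example, not part of the fixvibe docs or any fixvibe SDK: a minimal client that wires together the flow described above (start a scan, poll until completed, back off on the documented rate_limited shape using retry_after_seconds, follow next_cursor through the findings list until it is null). FixvibeClient, FakeApi and the injected send/sleep callables are assumptions of this example; run_demo exercises it offline against constructed responses, so in production you would pass a real HTTP send function and time.sleep.

```python
class FixvibeClient:
    def __init__(self, send, sleep):  # send(method, path, params) -> (status, json); sleep: e.g. time.sleep
        self.send, self.sleep = send, sleep

    def _call(self, method, path, params=None):
        while True:
            status, body = self.send(method, path, params or {})
            if status == 429 and body.get("error") == "rate_limited":
                self.sleep(body["retry_after_seconds"])  # the only retryable error shape
                continue
            if status != 200:  # 400/401/403/404 and quota_exceeded: a retry cannot help
                raise RuntimeError(f"{status} {body.get('error')}")
            return body

    def start_scan(self, target):
        return self._call("POST", "/api/v1/scans", {"target": target})["id"]

    def wait_for_scan(self, scan_id, poll_seconds=5):
        while (scan := self._call("GET", f"/api/v1/scans/{scan_id}"))["status"] != "completed":
            self.sleep(poll_seconds)  # poll GET /api/v1/scans/{scanId} until completed
        return scan

    def iter_findings(self, **filters):
        params, more = {**filters, "limit": 100}, True
        while more:  # follow next_cursor until the API returns null
            page = self._call("GET", "/api/v1/findings", params)
            yield from page["findings"]
            params["cursor"], more = page["next_cursor"], page["next_cursor"] is not None

class FakeApi:  # constructed stand-in for fixvibe.app, answering with the documented shapes
    polls, limited = 0, False
    def __call__(self, method, path, params):
        if (method, path) == ("POST", "/api/v1/scans"):
            return 200, {"id": "scan-1", "status": "queued", "mode": "passive"}
        if path == "/api/v1/scans/scan-1":  # running on the first poll, completed after that
            self.polls += 1
            return 200, {"id": "scan-1", "status": "running" if self.polls < 2 else "completed"}
        if not self.limited:  # one rate-limit hit on the findings list, then recover
            self.limited = True
            return 429, {"error": "rate_limited", "retry_after_seconds": 1}
        if "cursor" not in params:
            return 200, {"findings": [{"id": "f1", "severity": "critical"}], "next_cursor": "c1"}
        return 200, {"findings": [{"id": "f2", "severity": "high"}], "next_cursor": None}

def run_demo():
    api = FakeApi()
    client = FixvibeClient(api, sleep=lambda s: None)  # skip real waiting offline
    scan = client.wait_for_scan(client.start_scan("https://staging.example.com"))
    return scan["status"], api.polls, [f["id"] for f in client.iter_findings(severity="critical,high")]
```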
