FixVibe

REST API

Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.

Authentication

Every request must carry a bearer token in the Authorization header. Tokens are issued from Account → API tokens; the plaintext is shown to you exactly once, at creation time. After a token is revoked, subsequent calls return 401.

bash
curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans

Token format: fxv_ followed by 43 base64url characters. Tokens are stored at rest as a SHA-256 hash; the plaintext is never persisted server-side.

Rate limit

Two windows apply to every authenticated request: 10 req/sec burst and 60 req/min steady, both keyed on the bearer hash. Quota enforcement (per-month scan cap) is layered on top; see Quota and limits.

Pagination

List endpoints (/api/v1/scans, /api/v1/findings) use cursor-based pagination keyed on (created_at, id) in descending order. Pass ?cursor=<next_cursor> to fetch the next page. Cursors stay correct even under concurrent writes (no OFFSET skew).

Error shape

Every error is a JSON object with at least an error key.

jsonc
{ "error": "invalid_token" }                              // 401
{ "error": "forbidden" }                                  // 403
{ "error": "not_found" }                                  // 404
{ "error": "quota_exceeded", "quota": {...} }             // 429
{ "error": "rate_limited", "retry_after_seconds": 47 }    // 429
{ "error": "invalid_input", "issues": [...] }             // 400

Endpoint

Start a scan

POST /api/v1/scans

Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/{scanId} until status === "completed".

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

// 200 response

{
  "id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
  "status": "queued",
  "target": "https://staging.example.com",
  "mode": "passive"
}

List your scans

GET /api/v1/scans

Returns scans for the org associated with the calling token, newest first. Paginate with ?cursor=. Default limit 50, max 100.

curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/scans?limit=25"

// 200 response

{
  "scans": [
    {
      "id": "8f1c4e2a-...",
      "target_url": "https://staging.example.com",
      "target_hostname": "staging.example.com",
      "mode": "passive",
      "status": "completed",
      "started_at": "2026-05-07T14:00:00Z",
      "completed_at": "2026-05-07T14:00:23Z",
      "findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
      "triggered_by": "api",
      "created_at": "2026-05-07T14:00:00Z"
    }
  ],
  "next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}

Get a scan

GET /api/v1/scans/{scanId}

By default, returns the scan envelope plus a per-category severity summary. Pass ?include_findings=true for the full report (large for noisy scans; prefer the findings endpoint with filters).

curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d

List findings

GET /api/v1/findings

A filterable list of findings across every scan in the caller's org. Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Cursor-paginated.

curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"

// 200 response

{
  "findings": [
    {
      "id": "...",
      "scan_id": "...",
      "check_id": "secrets.js-bundle-sweep",
      "severity": "critical",
      "title": "Supabase service role key exposed in JS bundle",
      "description": "...",
      "evidence": { ... },
      "remediation": "...",
      "cwe_id": "CWE-798",
      "created_at": "2026-05-07T14:00:23Z"
    }
  ],
  "next_cursor": null
}
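
An added example, not part of the FixVibe docs or any official client: a Python generator that follows next_cursor on /api/v1/findings and retries only the rate_limited 429, waiting retry_after_seconds, while surfacing quota_exceeded and every other error. The FIXVIBE_TOKEN environment variable, the function names and the sample replies inside demo() are assumptions constructed for illustration.

```python
import json, os, time, urllib.error, urllib.parse, urllib.request

BASE = "https://fixvibe.app"

class ApiError(Exception):
    """Any response this client does not retry; keeps the documented error body."""
    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body.get('error')}")
        self.status, self.body = status, body

def http_fetch(path, params):
    """Real transport. FIXVIBE_TOKEN is an assumed env var name, not from the docs."""
    req = urllib.request.Request(
        f"{BASE}{path}?{urllib.parse.urlencode(params)}",
        headers={"Authorization": f"Bearer {os.environ['FIXVIBE_TOKEN']}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # error bodies are JSON with an "error" key
        return err.code, json.load(err)

def iter_findings(fetch=http_fetch, params=None, max_retries=3, sleep=time.sleep):
    """Yield findings from every page; retry only rate_limited, never quota_exceeded."""
    params, retries = dict(params or {}), 0
    while True:
        status, body = fetch("/api/v1/findings", params)
        if status == 429 and body.get("error") == "rate_limited" and retries < max_retries:
            retries += 1
            sleep(body.get("retry_after_seconds", 1))
            continue
        if status != 200:
            raise ApiError(status, body)
        retries = 0
        yield from body["findings"]
        if body.get("next_cursor") is None:
            return
        params["cursor"] = body["next_cursor"]

def demo():
    """Offline run over constructed replies: one rate limit, then two pages."""
    replies = [(429, {"error": "rate_limited", "retry_after_seconds": 2}),
               (200, {"findings": [{"id": "f1"}], "next_cursor": "c1"}),
               (200, {"findings": [{"id": "f2"}], "next_cursor": None})]
    calls, waits = [], []
    def fetch(path, params):
        calls.append(dict(params))
        return replies[len(calls) - 1]
    found = list(iter_findings(fetch, {"severity": "critical,high"}, sleep=waits.append))
    return found, waits, calls
```

Calling iter_findings() with no transport argument uses http_fetch against the live API; demo() exercises the same loop without network access.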

OpenAPI spec

The machine-readable spec is at /docs/api/openapi (text/yaml). Drop it into your codegen of choice (openapi-typescript, openapi-python-client, or any OpenAPI 3.1 toolchain) for a typed client.
