REST API
Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.
Authentication
Every request must carry a bearer token in the Authorization header. Tokens are issued from Account → API tokens; the plaintext is shown to you only once, at creation. Revoking a token makes the next call return 401.
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scans
Token format: fxv_ followed by 43 base64url characters. Stored at rest as a SHA-256 hash; the plaintext is never persisted server-side.
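How the token handling described above fits together, as an added example that is not fixvibe's code: an in-memory store that issues fxv_ tokens, keeps only their SHA-256, and answers 401 for a missing, malformed or revoked token. The 32-byte entropy (which encodes to exactly 43 unpadded base64url characters), the TokenStore class and the org ids are assumptions for illustration; the page only specifies the prefix, the 43-character length and the hash-at-rest rule.

```python
# Added example (not fixvibe's code): the token lifecycle from the docs,
# modelled in memory. Assumed: tokens carry 32 random bytes (which encode to
# exactly 43 unpadded base64url characters) and the store keeps only their
# SHA-256, so a leaked table does not yield usable tokens.
import base64
import hashlib
import re
import secrets
from typing import Optional, Tuple

TOKEN_RE = re.compile(r"^fxv_[A-Za-z0-9_-]{43}$")


def token_hash(token: str) -> str:
    """Hex SHA-256 of the full token string; this is all that is ever stored."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class TokenStore:
    """Hypothetical server-side store mapping sha256(token) -> org id."""

    def __init__(self) -> None:
        self._org_by_hash: dict = {}

    def issue(self, org_id: str) -> str:
        # 32 bytes -> 44 base64 chars with one '=' pad -> 43 after stripping.
        raw = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=")
        token = "fxv_" + raw.decode("ascii")
        self._org_by_hash[token_hash(token)] = org_id
        return token  # shown to the caller once; the plaintext is not kept

    def revoke(self, token: str) -> None:
        self._org_by_hash.pop(token_hash(token), None)

    def authenticate(self, authorization: Optional[str]) -> Tuple[int, Optional[str]]:
        """(200, org_id) on success; (401, None) for a missing, malformed,
        unknown or revoked token, matching the invalid_token error shape."""
        if not authorization or not authorization.startswith("Bearer "):
            return 401, None
        token = authorization[len("Bearer "):]
        if not TOKEN_RE.fullmatch(token):
            return 401, None
        # Lookup is by the hash itself; with 256 bits of token entropy a
        # hash-indexed lookup is the usual design and needs no secret compare.
        org_id = self._org_by_hash.get(token_hash(token))
        return (200, org_id) if org_id is not None else (401, None)
```

Rejecting malformed tokens before hashing keeps the hot path cheap, and because the store only ever sees hashes, revocation is just deleting the hash row.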
Rate limits
Two windows apply to every authenticated request: a 10 req/sec burst and 60 req/min steady state, both keyed on the bearer hash. Quota enforcement (per-month scan caps) is layered on top; see Quotas & limits.
Pagination
List endpoints (/api/v1/scans, /api/v1/findings) use cursor-based pagination keyed on (created_at, id) in descending order. Pass ?cursor=<next_cursor> to fetch the next page. The cursor stays correct under concurrent writes (no OFFSET skew).
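Keyset pagination of the kind described here, as an added example and not fixvibe's implementation: pages are cut on (created_at, id) descending and the cursor is "<created_at>:<id>", the shape that appears in the response samples further down. The Scan record, the in-memory list and the walk helper are constructed for the demonstration; the walk also shows why a record inserted between two page fetches neither duplicates nor skips rows, which an OFFSET would not guarantee.

```python
# Added example (not fixvibe's code): keyset pagination keyed on
# (created_at, id) descending, with cursors of the form "<created_at>:<id>".
# Records are constructed in memory; created_at is assumed to be fixed-width
# ISO-8601 UTC so that string comparison matches chronological order.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Scan:
    id: str
    created_at: str  # e.g. "2026-05-07T14:00:00Z"


def sort_key(scan: Scan):
    return (scan.created_at, scan.id)


def encode_cursor(scan: Scan) -> str:
    return f"{scan.created_at}:{scan.id}"


def decode_cursor(cursor: str):
    # created_at itself contains ':', so split on the last one only.
    created_at, _, scan_id = cursor.rpartition(":")
    return (created_at, scan_id)


def list_scans(store, limit: int = 50, cursor: Optional[str] = None) -> dict:
    """One page, newest first: rows strictly below the cursor position."""
    rows = sorted(store, key=sort_key, reverse=True)
    if cursor is not None:
        bound = decode_cursor(cursor)
        rows = [s for s in rows if sort_key(s) < bound]
    page = rows[:limit]
    # A next_cursor is only handed out when something remains after this page.
    next_cursor = encode_cursor(page[-1]) if len(rows) > limit else None
    return {"scans": page, "next_cursor": next_cursor}


def walk(store, limit: int, after_first_page: Optional[Callable] = None):
    """Collect ids over every page; optionally mutate the store after page 1,
    standing in for a concurrent writer."""
    seen, cursor, first = [], None, True
    while True:
        page = list_scans(store, limit=limit, cursor=cursor)
        seen.extend(s.id for s in page["scans"])
        if first and after_first_page is not None:
            after_first_page(store)
        first = False
        cursor = page["next_cursor"]
        if cursor is None:
            return seen
```

Because the cursor names a position rather than a count, a scan created after page 1 was served lands above the cursor and is simply not part of this walk; the rows below the cursor are unaffected.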
Error shapes
Every error is a JSON object with at least an error key.
{ "error": "invalid_token" } // 401
{ "error": "forbidden" } // 403
{ "error": "not_found" } // 404
{ "error": "quota_exceeded", "quota": {...} } // 429
{ "error": "rate_limited", "retry_after_seconds": 47 } // 429
{ "error": "invalid_input", "issues": [...] } // 400
Endpoints
Start a scan
POST /api/v1/scans
Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/{scanId} until status === "completed".
curl -X POST https://fixvibe.app/api/v1/scans \
-H "Authorization: Bearer fxv_..." \
-H "content-type: application/json" \
-d '{"target":"https://staging.example.com"}'
// 200 response
{
"id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
"status": "queued",
"target": "https://staging.example.com",
"mode": "passive"
}
List your scans
GET /api/v1/scans
Returns the scans for the org tied to the calling token, newest first. Paginate with ?cursor=. Default limit 50, max 100.
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/scans?limit=25"
// 200 response
{
"scans": [
{
"id": "8f1c4e2a-...",
"target_url": "https://staging.example.com",
"target_hostname": "staging.example.com",
"mode": "passive",
"status": "completed",
"started_at": "2026-05-07T14:00:00Z",
"completed_at": "2026-05-07T14:00:23Z",
"findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
"triggered_by": "api",
"created_at": "2026-05-07T14:00:00Z"
}
],
"next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}
Get a scan
GET /api/v1/scans/{scanId}
By default returns the scan envelope plus a per-category severity summary. Pass ?include_findings=true for the full report (large for noisy scans; prefer the findings endpoint with filters).
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d
List findings
GET /api/v1/findings
Filterable list of findings across every scan in the caller's org. Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Cursor-paginated.
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"
// 200 response
{
"findings": [
{
"id": "...",
"scan_id": "...",
"check_id": "secrets.js-bundle-sweep",
"severity": "critical",
"title": "Supabase service role key exposed in JS bundle",
"description": "...",
"evidence": { ... },
"remediation": "...",
"cwe_id": "CWE-798",
"created_at": "2026-05-07T14:00:23Z"
}
],
"next_cursor": null
}
OpenAPI spec
The machine-readable spec is at /docs/api/openapi (text/yaml). Drop it into your favourite codegen for typed clients (openapi-typescript, openapi-python-client, or any OpenAPI 3.1 toolchain).
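If you would rather not generate a client, a thin hand-written one for the endpoints above, as an added example rather than fixvibe's own or a generated client: it starts a scan, polls until completed, pages through findings with filters, retries only rate_limited 429s using retry_after_seconds, and surfaces quota_exceeded (also a 429, but not fixed by waiting) as an error. The FixvibeClient and ApiError names, the injectable transport and the fake transport's canned responses are constructed for the example; only the paths, fields and error shapes come from the docs.

```python
# Added example: a minimal Python client for the documented endpoints.
# This is not fixvibe's own client; everything outside the documented paths,
# fields and error shapes (class names, the fake transport, sample data) is
# constructed for illustration.
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://fixvibe.app"


class ApiError(Exception):
    def __init__(self, status, code, payload):
        super().__init__(f"{status} {code}")
        self.status, self.code, self.payload = status, code, payload


def http_transport(method, url, headers, body=None):
    """Real transport over urllib. Returns (status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


class FixvibeClient:
    def __init__(self, token, transport=http_transport, sleep=time.sleep):
        self.headers = {"Authorization": f"Bearer {token}",
                        "content-type": "application/json"}
        self.transport, self.sleep = transport, sleep

    def request(self, method, path, body=None, max_retries=5):
        for _ in range(max_retries):
            status, payload = self.transport(method, BASE + path, self.headers, body)
            # Only "rate_limited" is retryable; "quota_exceeded" is also 429
            # but waiting will not fix it, so it falls through to ApiError.
            if status == 429 and payload.get("error") == "rate_limited":
                self.sleep(payload.get("retry_after_seconds", 1))
                continue
            if status >= 400:
                raise ApiError(status, payload.get("error", "unknown"), payload)
            return payload
        raise ApiError(429, "rate_limited", {})

    def start_scan(self, target):
        return self.request("POST", "/api/v1/scans", {"target": target})

    def wait_for_scan(self, scan_id, interval=5, max_polls=120):
        for _ in range(max_polls):
            scan = self.request("GET", f"/api/v1/scans/{scan_id}")
            if scan["status"] == "completed":
                return scan
            self.sleep(interval)
        raise TimeoutError(f"scan {scan_id} not completed after {max_polls} polls")

    def iter_findings(self, **filters):
        """Yield findings across all pages, following next_cursor."""
        cursor = None
        while True:
            params = dict(filters)
            if cursor:
                params["cursor"] = cursor
            page = self.request("GET", "/api/v1/findings?" + urllib.parse.urlencode(params))
            yield from page["findings"]
            cursor = page["next_cursor"]
            if not cursor:
                return


def make_fake_transport():
    """Constructed offline stand-in that replays the documented response shapes."""
    calls = {"scan": 0, "findings": 0}

    def transport(method, url, headers, body=None):
        assert headers["Authorization"].startswith("Bearer fxv_")
        path = url[len(BASE):]
        if method == "POST" and path == "/api/v1/scans":
            return 200, {"id": "8f1c4e2a", "status": "queued",
                         "target": body["target"], "mode": "passive"}
        if path == "/api/v1/scans/8f1c4e2a":
            calls["scan"] += 1
            return 200, {"id": "8f1c4e2a",
                         "status": "queued" if calls["scan"] < 2 else "completed"}
        if path.startswith("/api/v1/findings?"):
            calls["findings"] += 1
            if calls["findings"] == 1:  # first attempt is rate limited
                return 429, {"error": "rate_limited", "retry_after_seconds": 1}
            if "cursor=" not in path:
                return 200, {"findings": [{"id": "f1", "severity": "critical"}],
                             "next_cursor": "2026-05-07T14:00:23Z:f1"}
            return 200, {"findings": [{"id": "f2", "severity": "high"}],
                         "next_cursor": None}
        return 404, {"error": "not_found"}
    return transport


def run_demo(client):
    """Start, wait, then collect critical/high findings; returns (status, ids)."""
    scan = client.start_scan("https://staging.example.com")
    done = client.wait_for_scan(scan["id"], interval=0)
    ids = [f["id"] for f in client.iter_findings(severity="critical,high", limit=50)]
    return done["status"], ids
```

Swap make_fake_transport() for the default http_transport and a real fxv_ token to run it against the API; the polling interval and retry cap are the knobs to tune against the 60 req/min steady-state limit.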
