REST API
Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.
Authentication
Every request must carry a bearer token in the Authorization header. Tokens are issued from Account → API tokens; the plaintext is shown exactly once, at creation. Revoking a token returns 401 on the next call.
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scans

Token format: fxv_ followed by 43 base64url characters. Stored at rest as a SHA-256 hash; the plaintext never persists server-side.
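To make the token lifecycle concrete, here is an added example (not the project's own code) of the server-side handling the section describes: a token is minted as fxv_ plus 43 base64url characters, only its SHA-256 digest is stored, and lookup plus revocation both resolve to the documented 401 body. The TokenStore class and the issue_token/parse_bearer helpers are assumptions about shape, not the real implementation.

```python
from __future__ import annotations

import hashlib
import re
import secrets
from typing import Dict, Optional, Tuple

# Format documented above: "fxv_" followed by 43 base64url characters,
# which is what 32 random bytes encode to in unpadded base64url.
TOKEN_RE = re.compile(r"^fxv_[A-Za-z0-9_-]{43}$")


def issue_token() -> Tuple[str, str]:
    """Mint a token. Returns (plaintext, sha256_hex).

    The plaintext is shown to the user once; only the hex digest is stored.
    """
    plaintext = "fxv_" + secrets.token_urlsafe(32)  # 32 bytes -> 43 base64url chars
    return plaintext, hashlib.sha256(plaintext.encode("ascii")).hexdigest()


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Pull the token out of 'Bearer <token>'; None if the header is malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not TOKEN_RE.fullmatch(token):
        return None
    return token


class TokenStore:
    """Stand-in for the server-side token table (assumed shape: hash -> org, revoked flag)."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}

    def add(self, token_hash: str, org: str) -> None:
        self._rows[token_hash] = {"org": org, "revoked": False}

    def revoke(self, token_hash: str) -> None:
        # Revocation flips a flag on the stored hash; the next call with that
        # token falls through to the 401 branch below.
        if token_hash in self._rows:
            self._rows[token_hash]["revoked"] = True

    def authenticate(self, authorization: Optional[str]) -> Tuple[int, dict]:
        """Return (http_status, body) using the error shape documented further down."""
        token = parse_bearer(authorization)
        if token is None:
            return 401, {"error": "invalid_token"}
        # Hash the presented token and look the digest up; the table never
        # holds plaintext, so a leaked copy of it yields no usable tokens.
        digest = hashlib.sha256(token.encode("ascii")).hexdigest()
        row = self._rows.get(digest)
        if row is None or row["revoked"]:
            return 401, {"error": "invalid_token"}
        return 200, {"org": row["org"]}


if __name__ == "__main__":
    store = TokenStore()
    plaintext, digest = issue_token()
    store.add(digest, org="example-org")
    print(store.authenticate(f"Bearer {plaintext}"))  # (200, {'org': 'example-org'})
    store.revoke(digest)
    print(store.authenticate(f"Bearer {plaintext}"))  # (401, {'error': 'invalid_token'})
```

The regex is the cheapest check to run first: anything that is not fxv_ plus exactly 43 base64url characters is rejected before a hash is computed or the store is consulted.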
Rate limits
Two windows apply to every authenticated request: a 10 req/sec burst limit and a 60 req/min steady limit, both keyed on the bearer token's hash. Quota enforcement (per-month scan caps) is applied on top; see Quotas and limits.
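The following is an added example (not the service's own limiter) of how the two windows above can be enforced together and how a rejection maps onto the 429 rate_limited body documented under Error formats: a sliding window per (token hash, window), the request admitted only if both windows have room, and retry_after_seconds computed from the oldest hit that has to age out. The DualWindowLimiter class and FakeClock are assumptions made for the example.

```python
from __future__ import annotations

import math
import time
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple

# The two windows documented above: (window_seconds, max_requests).
WINDOWS: Tuple[Tuple[float, int], ...] = ((1.0, 10), (60.0, 60))


class DualWindowLimiter:
    """Sliding-window limiter keyed on the SHA-256 hex of the bearer token.

    Keying on the hash rather than the token means limiter state (and any
    dump or log of it) never contains a usable credential.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        # token hash -> one timestamp deque per window
        self._hits: Dict[str, List[Deque[float]]] = {}

    def check(self, token_hash: str) -> Tuple[int, dict]:
        """Admit the request (200) or reject it with the documented 429 body."""
        now = self._clock()
        queues = self._hits.setdefault(token_hash, [deque() for _ in WINDOWS])
        retry_after = 0.0
        for (span, limit), q in zip(WINDOWS, queues):
            while q and now - q[0] >= span:  # drop hits that have aged out
                q.popleft()
            if len(q) >= limit:
                # The oldest hit in this window has to age out first.
                retry_after = max(retry_after, span - (now - q[0]))
        if retry_after > 0:
            # Rejected requests are not recorded, so a client that backs off
            # for retry_after_seconds is admitted on its next attempt.
            return 429, {"error": "rate_limited",
                         "retry_after_seconds": math.ceil(retry_after)}
        for q in queues:
            q.append(now)
        return 200, {}


class FakeClock:
    """Deterministic clock for exercising the limiter without sleeping (test aid)."""

    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    limiter = DualWindowLimiter(clock)
    key = "0" * 64  # constructed stand-in for a real token hash
    print([limiter.check(key)[0] for _ in range(11)])  # ten 200s, then a 429
    clock.now += 1.0
    print(limiter.check(key))  # (200, {}) once the one-second window has drained
```

Because the minute window keeps filling while the second window drains, a client that sends exactly 10 req/sec hits the 60 req/min ceiling after six seconds and is told to wait close to a full minute; retry_after_seconds is always the larger of the two waits.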
Pagination
List endpoints (/api/v1/scans, /api/v1/findings) use cursor-based pagination keyed on (created_at, id) in descending order. Pass ?cursor=<next_cursor> to fetch the next page. The cursor stays correct under concurrent writes (no OFFSET skew).
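The "no OFFSET skew" claim is easiest to see with a small keyset implementation, so here is an added example (not the service's own code) that pages a list of scans on (created_at, id) descending, encodes next_cursor in the same "<created_at>:<id>" shape the list response below shows, and contrasts it with OFFSET paging when a new scan is inserted between two page reads. The Scan dataclass, the sample rows and the list_scans/list_scans_offset functions are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scan:
    id: str
    created_at: str  # ISO-8601 UTC with fixed width, so string order == time order


def encode_cursor(scan: Scan) -> str:
    # Same "<created_at>:<id>" shape as next_cursor in the list response below.
    # Clients should still treat the value as opaque.
    return f"{scan.created_at}:{scan.id}"


def decode_cursor(cursor: str) -> Tuple[str, str]:
    # rpartition: the timestamp itself contains colons, the UUID does not.
    created_at, _, scan_id = cursor.rpartition(":")
    return created_at, scan_id


def list_scans(table: List[Scan], limit: int = 50, cursor: Optional[str] = None) -> dict:
    """Keyset page over (created_at, id) descending, as the docs describe."""
    limit = max(1, min(limit, 100))  # default 50, max 100
    rows = sorted(table, key=lambda s: (s.created_at, s.id), reverse=True)
    if cursor:
        key = decode_cursor(cursor)
        # Resume strictly after the cursor row; rows inserted above it since
        # the last page do not shift this boundary.
        rows = [s for s in rows if (s.created_at, s.id) < key]
    page = rows[:limit]
    next_cursor = encode_cursor(page[-1]) if len(rows) > limit else None
    return {"scans": [{"id": s.id, "created_at": s.created_at} for s in page],
            "next_cursor": next_cursor}


def list_scans_offset(table: List[Scan], limit: int, offset: int) -> List[str]:
    """OFFSET-style paging, shown only to contrast with the keyset version."""
    rows = sorted(table, key=lambda s: (s.created_at, s.id), reverse=True)
    return [s.id for s in rows[offset:offset + limit]]


def make_table() -> List[Scan]:
    # Constructed sample data: five scans one minute apart, ids are placeholders.
    return [Scan(id=f"{i:08x}-0000-4000-8000-000000000000",
                 created_at=f"2026-05-07T14:0{i}:00Z") for i in range(5)]


def demo_concurrent_insert() -> Tuple[List[str], List[str]]:
    """Read page 1, insert a newer scan, read page 2 both ways.

    Returns (keyset_page2_ids, offset_page2_ids); only the offset page repeats
    a row the client already saw.
    """
    table = make_table()
    page1 = list_scans(table, limit=2)
    table.append(Scan(id="00000005-0000-4000-8000-000000000000",
                      created_at="2026-05-07T14:05:00Z"))  # concurrent write
    keyset = [s["id"] for s in list_scans(table, limit=2, cursor=page1["next_cursor"])["scans"]]
    offset = list_scans_offset(table, limit=2, offset=2)
    return keyset, offset


if __name__ == "__main__":
    keyset, offset = demo_concurrent_insert()
    print("keyset :", keyset)   # the two scans after the cursor, no repeats
    print("offset :", offset)   # first id was already on page 1
```

The keyset filter also fetches one row beyond the limit only implicitly (via len(rows) > limit); a database-backed version would SELECT limit + 1 rows with a WHERE (created_at, id) < (?, ?) clause and the same ORDER BY to decide whether next_cursor is null.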
Error formats
Every error is a JSON object with at least one key, error.
{ "error": "invalid_token" } // 401
{ "error": "forbidden" } // 403
{ "error": "not_found" } // 404
{ "error": "quota_exceeded", "quota": {...} } // 429
{ "error": "rate_limited", "retry_after_seconds": 47 } // 429
{ "error": "invalid_input", "issues": [...] } // 400

Endpoints
Start a scan
POST /api/v1/scans

Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/{scanId} until status is "completed".
curl -X POST https://fixvibe.app/api/v1/scans \
-H "Authorization: Bearer fxv_..." \
-H "content-type: application/json" \
-d '{"target":"https://staging.example.com"}'

// 200 response
{
"id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
"status": "queued",
"target": "https://staging.example.com",
"mode": "passive"
}

List your scans
GET /api/v1/scans

Returns the scans of the org tied to the calling token, newest first. Paginate with ?cursor=. Default limit 50, max 100.
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/scans?limit=25"

// 200 response
{
"scans": [
{
"id": "8f1c4e2a-...",
"target_url": "https://staging.example.com",
"target_hostname": "staging.example.com",
"mode": "passive",
"status": "completed",
"started_at": "2026-05-07T14:00:00Z",
"completed_at": "2026-05-07T14:00:23Z",
"findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
"triggered_by": "api",
"created_at": "2026-05-07T14:00:00Z"
}
],
"next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}

Get a scan
GET /api/v1/scans/{scanId}

Returns the scan envelope plus a per-category severity summary by default. Pass ?include_findings=true for the full report (large for noisy scans; prefer the findings endpoint with filters).
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d

List findings
GET /api/v1/findings

Filterable list of findings across every scan in the caller's org. Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Cursor-paginated.
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"

// 200 response
{
"findings": [
{
"id": "...",
"scan_id": "...",
"check_id": "secrets.js-bundle-sweep",
"severity": "critical",
"title": "Supabase service role key exposed in JS bundle",
"description": "...",
"evidence": { ... },
"remediation": "...",
"cwe_id": "CWE-798",
"created_at": "2026-05-07T14:00:23Z"
}
],
"next_cursor": null
}

OpenAPI spec
A machine-readable spec is served at /docs/api/openapi (text/yaml). Drop it into your favourite codegen (openapi-typescript, openapi-python-client, or any OpenAPI 3.1 toolchain) to get typed clients.
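Pulling the endpoints above together, here is an added example (not the project's own client or SDK) of the workflow the Start a scan section describes, written as a CI gate: POST a scan, poll GET /api/v1/scans/{scanId} until status is "completed", walk every page of /api/v1/findings by following next_cursor, and fail the build when critical or high findings belong to that scan. It honours retry_after_seconds on a 429 rate_limited body and stops on quota_exceeded or 401. The FixVibeClient class, the injectable transport, and the fake server used to exercise it offline are assumptions made for the example; scan_id is not a documented /findings filter, so the gate narrows with since=<started_at> and matches scan_id client-side.

```python
from __future__ import annotations

import json
import time
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlencode

BASE_URL = "https://fixvibe.app/api/v1"
# transport(method, url, headers, json_body) -> (status, parsed_json); swapping
# the transport keeps the client testable without touching the network.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[dict]) -> Tuple[int, dict]:
    """Real transport on the standard library; only used outside tests."""
    import urllib.error
    import urllib.request
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class FixVibeClient:
    def __init__(self, token: str, transport: Transport = urllib_transport,
                 sleep: Callable[[float], None] = time.sleep, max_retries: int = 5) -> None:
        self._headers = {"Authorization": f"Bearer {token}",
                         "content-type": "application/json"}
        self._transport, self._sleep, self._max_retries = transport, sleep, max_retries

    def _request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        for _ in range(self._max_retries + 1):
            status, data = self._transport(method, BASE_URL + path, self._headers, body)
            if status == 429 and data.get("error") == "rate_limited":
                self._sleep(data.get("retry_after_seconds", 1))  # back off as told, then retry
                continue
            if status == 429:  # quota_exceeded: retrying will not help this month
                raise RuntimeError(f"scan quota exhausted: {data.get('quota')}")
            if status == 401:
                raise PermissionError("token invalid or revoked")
            if status >= 400:
                raise RuntimeError(f"HTTP {status}: {data.get('error')}")
            return data
        raise RuntimeError("still rate limited after retries")

    def start_scan(self, target: str) -> str:
        return self._request("POST", "/scans", {"target": target})["id"]

    def wait_for_scan(self, scan_id: str, poll_seconds: float = 5, max_polls: int = 120) -> dict:
        for _ in range(max_polls):
            scan = self._request("GET", f"/scans/{scan_id}")
            if scan["status"] == "completed":
                return scan
            self._sleep(poll_seconds)
        raise TimeoutError(f"scan {scan_id} not completed after {max_polls} polls")

    def iter_findings(self, severities: Tuple[str, ...] = ("critical", "high"),
                      since: Optional[str] = None) -> Iterator[dict]:
        """Walk every page of /findings by following next_cursor."""
        params: Dict[str, str] = {"severity": ",".join(severities), "limit": "100"}
        if since:
            params["since"] = since
        cursor: Optional[str] = None
        while True:
            query = dict(params, cursor=cursor) if cursor else params
            page = self._request("GET", "/findings?" + urlencode(query))
            yield from page["findings"]
            cursor = page.get("next_cursor")
            if not cursor:
                return


def gate_scan(client: FixVibeClient, target: str,
              fail_on: Tuple[str, ...] = ("critical", "high")) -> Tuple[int, List[dict]]:
    """Start a scan, wait for it, return (exit_code, blocking findings)."""
    scan_id = client.start_scan(target)
    scan = client.wait_for_scan(scan_id)
    # /findings spans the whole org; narrow by since and then match scan_id.
    hits = [f for f in client.iter_findings(fail_on, since=scan.get("started_at"))
            if f.get("scan_id") == scan_id]
    return (1 if hits else 0), hits


def make_fake_transport() -> Tuple[Transport, dict]:
    """Constructed stand-in server: one 429, three polls, two findings pages."""
    state = {"polls": 0}

    def transport(method, url, headers, body):
        if method == "POST" and url.endswith("/scans"):
            return 200, {"id": "scan-1", "status": "queued", "target": body["target"], "mode": "passive"}
        if url.endswith("/scans/scan-1"):
            state["polls"] += 1
            if state["polls"] == 1:
                return 429, {"error": "rate_limited", "retry_after_seconds": 2}
            done = state["polls"] >= 3
            return 200, {"id": "scan-1", "status": "completed" if done else "queued",
                         "started_at": "2026-05-07T14:00:00Z"}
        if "/findings?" in url and "cursor=" not in url:
            return 200, {"findings": [{"id": "f1", "scan_id": "scan-1", "severity": "critical"}],
                         "next_cursor": "c2"}
        if "/findings?" in url:
            return 200, {"findings": [{"id": "f2", "scan_id": "other", "severity": "high"}],
                         "next_cursor": None}
        return 404, {"error": "not_found"}

    return transport, state
```

In a pipeline, pass the token in from a secret store rather than a checked-in file, and call gate_scan with the default urllib_transport; the exit code it returns is what the job should exit with. The fake transport exists only so the retry, polling and cursor logic can be run without a token or network access.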
