REST API
Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.
Authentication
Every request must carry a bearer token in the Authorization header. Tokens are issued from Account → API tokens; the plaintext is shown exactly once, at creation. If a token is revoked, the next call returns 401.
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scans
Token format: fxv_ followed by 43 base64url characters. Stored at rest as a SHA-256 hash; the plaintext is never persisted server-side.
Rate limits
Every authenticated request is subject to two windows: a 10 req/sec burst limit and a 60 req/min steady limit, both keyed by the bearer token's hash. Quota enforcement (per-month scan caps) is layered on top of this; see Quotas & limits.
Pagination
List endpoints (/api/v1/scans, /api/v1/findings) use cursor-based pagination keyed on (created_at, id) in descending order. To fetch the next page, send ?cursor=<next_cursor>. The cursor stays correct under concurrent writes (no OFFSET skew).
Error shapes
Every error is a JSON object with at least an error key.
{ "error": "invalid_token" } // 401
{ "error": "forbidden" } // 403
{ "error": "not_found" } // 404
{ "error": "quota_exceeded", "quota": {...} } // 429
{ "error": "rate_limited", "retry_after_seconds": 47 } // 429
{ "error": "invalid_input", "issues": [...] } // 400
Endpoints
Start a scan
POST /api/v1/scans
Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/{scanId} until status === "completed".
curl -X POST https://fixvibe.app/api/v1/scans \
-H "Authorization: Bearer fxv_..." \
-H "content-type: application/json" \
-d '{"target":"https://staging.example.com"}'
// 200 response
{
"id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
"status": "queued",
"target": "https://staging.example.com",
"mode": "passive"
}
View your scans
GET /api/v1/scans
Returns the scans for the org the calling token is bound to, newest first. Paginate with ?cursor=. Default limit is 50, max 100.
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/scans?limit=25"
// 200 response
{
"scans": [
{
"id": "8f1c4e2a-...",
"target_url": "https://staging.example.com",
"target_hostname": "staging.example.com",
"mode": "passive",
"status": "completed",
"started_at": "2026-05-07T14:00:00Z",
"completed_at": "2026-05-07T14:00:23Z",
"findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
"triggered_by": "api",
"created_at": "2026-05-07T14:00:00Z"
}
],
"next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}
Get a scan
GET /api/v1/scans/{scanId}
By default returns the scan envelope plus a per-category severity summary. Send ?include_findings=true for the full report (large for noisy scans; prefer the findings endpoint with filters).
curl -H "Authorization: Bearer fxv_..." \
https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d
List findings
GET /api/v1/findings
Filterable list of findings across every scan in the caller's org. Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Cursor-paginated.
curl -H "Authorization: Bearer fxv_..." \
"https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"
// 200 response
{
"findings": [
{
"id": "...",
"scan_id": "...",
"check_id": "secrets.js-bundle-sweep",
"severity": "critical",
"title": "Supabase service role key exposed in JS bundle",
"description": "...",
"evidence": { ... },
"remediation": "...",
"cwe_id": "CWE-798",
"created_at": "2026-05-07T14:00:23Z"
}
],
"next_cursor": null
}
OpenAPI spec
The machine-readable spec lives at /docs/api/openapi (text/yaml). Drop it into your favourite codegen (openapi-typescript, openapi-python-client, or any OpenAPI 3.1 toolchain) for typed clients.
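Worked example (added here; not part of this doc or the project's SDK) tying the rate-limit, pagination and error-shape sections together: a small Python client that walks the cursor-paginated findings list, sleeps for retry_after_seconds on 429 rate_limited, and refuses to retry 429 quota_exceeded. The transport callable, the sample pages and the fxv_placeholder token are assumptions constructed so the code runs offline.

```python
import time
from typing import Callable, Dict, Iterator, List, Tuple
# Assumed transport shape: (method, path, query) -> (status, parsed JSON body); a real one sends the bearer header.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, dict]]
class QuotaExceeded(Exception):
    """429 quota_exceeded is a monthly cap, not a transient condition: retrying cannot help."""
class FixvibeClient:
    def __init__(self, token: str, transport: Transport, sleep=time.sleep, max_retries: int = 3):
        self.headers = {"Authorization": f"Bearer {token}"}
        self.transport, self.sleep, self.max_retries = transport, sleep, max_retries

    def get(self, path: str, query: Dict[str, str]) -> dict:
        for _ in range(self.max_retries + 1):
            status, body = self.transport("GET", path, query)
            if status == 200:
                return body
            # Both 429 shapes share a status code; only rate_limited carries retry_after_seconds.
            if status != 429 or body.get("error") != "rate_limited":
                raise QuotaExceeded(body) if status == 429 else RuntimeError(f"{status} {body.get('error')}")
            self.sleep(body["retry_after_seconds"])  # honour the server's hint instead of hammering
        raise RuntimeError("rate_limited: retries exhausted")
    def iter_findings(self, **filters: str) -> Iterator[dict]:
        """Walk /api/v1/findings by its (created_at, id) cursor until next_cursor is null."""
        query = dict(filters)
        while True:
            page = self.get("/api/v1/findings", query)
            yield from page["findings"]
            if not page.get("next_cursor"):
                return
            query["cursor"] = page["next_cursor"]
CURSOR = "2026-05-07T14:00:23Z:8f1c4e2a-..."  # constructed; mirrors the documented cursor shape
PAGES = {  # constructed sample pages, keyed by the cursor the caller sent (None = first page)
    None: (200, {"findings": [{"id": "f-1", "severity": "critical"}], "next_cursor": CURSOR}),
    CURSOR: (200, {"findings": [{"id": "f-2", "severity": "high"}], "next_cursor": None}),
}
def fake_transport(calls: list) -> Transport:
    """Offline stand-in: serves PAGES and injects one 429 rate_limited on the second request."""
    def send(method: str, path: str, query: Dict[str, str]) -> Tuple[int, dict]:
        calls.append((method, path, dict(query)))
        if len(calls) == 2:
            return 429, {"error": "rate_limited", "retry_after_seconds": 47}
        return PAGES[query.get("cursor")]
    return send

def collect_critical_and_high() -> Tuple[List[str], List[int], int]:
    calls, naps = [], []
    client = FixvibeClient("fxv_placeholder", fake_transport(calls), sleep=naps.append)
    ids = [f["id"] for f in client.iter_findings(severity="critical,high", limit="50")]
    return ids, naps, len(calls)  # -> (["f-1", "f-2"], [47], 3)
```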
