FixVibe


REST API

Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.

Authentication

Every request must carry a bearer token in the Authorization header. Tokens are issued from Account → API tokens; the plaintext is shown to you only once, at creation. Revoking a token returns 401 on the next call.

bash
curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans

Token format: fxv_ followed by 43 base64url characters. Tokens are stored at rest as a SHA-256 hash; the plaintext is never persisted on the server.

Rate limits

Two windows apply to every authenticated request: 10 req/sec burst and 60 req/min steady, both keyed on the bearer hash. Quota enforcement (monthly scan caps) sits on top of that; see Quotas and limits.

Pagination

List endpoints (/api/v1/scans, /api/v1/findings) use cursor-based pagination keyed on (created_at, id) in descending order. Pass ?cursor=<next_cursor> to fetch the next page. The cursor stays correct under concurrent writes (no OFFSET skew).

Error shape

Every error is a JSON object with at least an error key.

jsonc
{ "error": "invalid_token" }                              // 401
{ "error": "forbidden" }                                  // 403
{ "error": "not_found" }                                  // 404
{ "error": "quota_exceeded", "quota": {...} }             // 429
{ "error": "rate_limited", "retry_after_seconds": 47 }    // 429
{ "error": "invalid_input", "issues": [...] }             // 400

Endpoints

Start a scan

POST /api/v1/scans

Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/{scanId} until status === "completed".

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

// 200 response

{
  "id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
  "status": "queued",
  "target": "https://staging.example.com",
  "mode": "passive"
}

List your scans

GET /api/v1/scans

Returns scans for the org tied to the calling token, newest first. Paginate with ?cursor=. Default limit 50, max 100.

curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/scans?limit=25"

// 200 response

{
  "scans": [
    {
      "id": "8f1c4e2a-...",
      "target_url": "https://staging.example.com",
      "target_hostname": "staging.example.com",
      "mode": "passive",
      "status": "completed",
      "started_at": "2026-05-07T14:00:00Z",
      "completed_at": "2026-05-07T14:00:23Z",
      "findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
      "triggered_by": "api",
      "created_at": "2026-05-07T14:00:00Z"
    }
  ],
  "next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}

Get a scan

GET /api/v1/scans/{scanId}

Returns the scan envelope plus a per-category severity summary by default. Pass ?include_findings=true to get the full report (large for noisy scans; prefer the findings endpoint with filters).

curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d

List findings

GET /api/v1/findings

A filterable list of findings across every scan in the caller's org. Filters: severity=critical,high, check_id=secrets.patterns, since=2026-04-01T00:00:00Z. Cursor-paginated.

curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"

// 200 response

{
  "findings": [
    {
      "id": "...",
      "scan_id": "...",
      "check_id": "secrets.js-bundle-sweep",
      "severity": "critical",
      "title": "Supabase service role key exposed in JS bundle",
      "description": "...",
      "evidence": { ... },
      "remediation": "...",
      "cwe_id": "CWE-798",
      "created_at": "2026-05-07T14:00:23Z"
    }
  ],
  "next_cursor": null
}
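
Added example (not FixVibe's own client code): a Python generator that checks the token against the documented fxv_ format before any request, follows next_cursor until it is null, and treats the two 429 bodies differently, sleeping on rate_limited and stopping on quota_exceeded. The names iter_findings, QuotaExceeded, send and fake_send are hypothetical; send is a transport hook you would back with a real HTTP library, and the responses replayed by fake_send are constructed.

```python
import re
import time

# Documented token shape: "fxv_" followed by 43 base64url characters.
TOKEN_RE = re.compile(r"fxv_[A-Za-z0-9_-]{43}")


class QuotaExceeded(Exception):
    """429 quota_exceeded: the scan cap is hit, so retrying will not help."""


def iter_findings(token, send, sleep=time.sleep, max_retries=3, **filters):
    """Yield every finding, following next_cursor until it is null.

    send(path, params, headers) -> (status, body_dict) is a hypothetical
    transport hook (an assumption, not part of the API); it keeps this offline.
    """
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token does not match the fxv_ format")  # no network call made
    headers = {"Authorization": f"Bearer {token}"}
    cursor, retries = None, 0
    while True:
        params = dict(filters, **({"cursor": cursor} if cursor else {}))
        status, body = send("/api/v1/findings", params, headers)
        if status == 429 and body.get("error") == "rate_limited":
            if retries == max_retries:
                raise RuntimeError("still rate limited after retries")
            retries += 1
            sleep(body.get("retry_after_seconds", 1))  # honor the server's hint
            continue  # retry the same page with the same cursor
        if status == 429:
            raise QuotaExceeded(body.get("quota"))
        if status != 200:
            raise RuntimeError(f"{status} {body.get('error')}")
        retries = 0
        yield from body["findings"]
        cursor = body.get("next_cursor")
        if cursor is None:
            return


def fake_send(responses):
    """Constructed stand-in server: replays canned (status, body) pairs, records calls."""
    calls = []
    def send(path, params, headers):
        calls.append((path, dict(params)))
        return responses[len(calls) - 1]
    return send, calls
```

Keyword arguments such as severity="critical,high" or since="2026-04-01T00:00:00Z" are passed through unchanged as query parameters.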

OpenAPI spec

A machine-readable spec is available at /docs/api/openapi (text/yaml). Feed it to your preferred codegen (openapi-typescript, openapi-python-client, or any OpenAPI 3.1 toolchain) for typed clients.
