// docs / rest api

REST API

Bearer-authenticated JSON API for scan automation, scan status, and findings. Passive scans are available through REST; active scans are available for paid plans only after the domain is verified and explicitly authorized in the dashboard.

认证

每个请求都必须在 Authorization header 中携带 bearer token。Token 从 Account → API tokens 签发；创建时明文只会向你显示一次。撤销 token 后，下一次调用会返回 401。

bash

curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans

Token 格式：fxv_ 后跟 43 个 base64url 字符。静态存储时使用 SHA-256 hash；明文永远不会在服务器端持久化。

速率限制

每个已认证请求有两个窗口：10 req/sec burst 和 60 req/min steady，二者都按 bearer hash 计数。配额执行（每月扫描上限）叠加在其上；参见配额和限制。

分页

列表端点（/api/v1/scans、/api/v1/findings）使用基于游标的分页，按 (created_at, id) 降序排序。传入 ?cursor=<next_cursor> 获取下一页。即使存在并发写入，游标也能保持正确（没有 OFFSET 偏移）。

错误结构

每个错误都是 JSON 对象，至少包含一个 error key。

jsonc

{ "error": "invalid_token" }                              // 401
{ "error": "forbidden" }                                  // 403
{ "error": "not_found" }                                  // 404
{ "error": "quota_exceeded", "quota": {...} }             // 429
{ "error": "rate_limited", "retry_after_seconds": 47 }    // 429
{ "error": "invalid_input", "issues": [...] }             // 400

端点

启动扫描

POST/api/v1/scans

Enqueues a passive scan by default. For verified domains with active authorization, paid plans can request active mode. Returns immediately with a queued scan id; poll GET /api/v1/scans/[scanId] until status === "completed".

curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

// 200 response

{
  "id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
  "status": "queued",
  "target": "https://staging.example.com",
  "mode": "passive"
}

列出你的扫描

GET/api/v1/scans

返回与调用 token 绑定的组织下的扫描，最新的在前。使用 ?cursor= 分页。默认 limit 为 50，最大 100。

curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/scans?limit=25"

// 200 response

{
  "scans": [
    {
      "id": "8f1c4e2a-...",
      "target_url": "https://staging.example.com",
      "target_hostname": "staging.example.com",
      "mode": "passive",
      "status": "completed",
      "started_at": "2026-05-07T14:00:00Z",
      "completed_at": "2026-05-07T14:00:23Z",
      "findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
      "triggered_by": "api",
      "created_at": "2026-05-07T14:00:00Z"
    }
  ],
  "next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}

获取扫描

GET/api/v1/scans/{scanId}

默认返回 scan envelope + 按类别汇总的严重性统计。传入 ?include_findings=true 可获取完整报告（发现项多的扫描会很大；更建议使用带过滤器的 findings 端点）。

curl -H "Authorization: Bearer fxv_..." \
  https://fixvibe.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d

列出发现项

GET/api/v1/findings

列出调用方组织中所有扫描的可过滤发现项。过滤器：severity=critical,high、check_id=secrets.patterns、since=2026-04-01T00:00:00Z。使用游标分页。

curl -H "Authorization: Bearer fxv_..." \
  "https://fixvibe.app/api/v1/findings?severity=critical,high&limit=50"

// 200 response

{
  "findings": [
    {
      "id": "...",
      "scan_id": "...",
      "check_id": "secrets.js-bundle-sweep",
      "severity": "critical",
      "title": "Supabase service role key exposed in JS bundle",
      "description": "...",
      "evidence": { ... },
      "remediation": "...",
      "cwe_id": "CWE-798",
      "created_at": "2026-05-07T14:00:23Z"
    }
  ],
  "next_cursor": null
}

OpenAPI 规范

机器可读规范位于 /docs/api/openapi（text/yaml）。把它丢进你喜欢的 codegen（openapi-typescript、openapi-python-client，或任意 OpenAPI 3.1 toolchain）即可生成类型化客户端。