
REST API

Bearer-authenticated JSON API for passive scan automation, scan status, and findings. Cursor-paginated, rate-limited, and shipped with a machine-readable OpenAPI spec for client codegen. Active scans stay in the dashboard UI for ownership attestation.

Authentication

Every request must carry a Bearer token in the Authorization header. Tokens are issued from Account → API tokens; the plaintext is shown to you exactly once, at creation. Once a token is revoked, subsequent calls return 401.

```bash
curl -H "Authorization: Bearer fxw_..." \
  https://fixweb.app/api/v1/scans
```

Token format: fxw_ followed by 43 base64url characters. Stored at rest as a SHA-256 hash; the plaintext is never stored on the server.

Rate limits

Two windows apply to every authenticated request: a 10 req/sec burst and a 60 req/min steady rate, both keyed on the Bearer hash. Quota enforcement (the monthly scan limit) sits on top of that; see Quota and limits.

Pagination

The list endpoints (/api/v1/scans, /api/v1/findings) use cursor-based pagination keyed on (created_at, id) in descending order. Pass ?cursor=<next_cursor> to fetch the next page. The cursor stays correct under concurrent writes (no OFFSET skew).

Error shape

Every error is a JSON object with at least an error key.

```jsonc
{ "error": "invalid_token" }                              // 401
{ "error": "forbidden" }                                  // 403
{ "error": "not_found" }                                  // 404
{ "error": "quota_exceeded", "quota": {...} }             // 429
{ "error": "rate_limited", "retry_after_seconds": 47 }    // 429
{ "error": "invalid_input", "issues": [...] }             // 400
```

Endpoints

Start a scan

POST /api/v1/scans

Enqueues a passive scan. Returns immediately with a queued scan id; poll GET /api/v1/scans/{scanId} until status === "completed". Owner-depth mode is not exposed — see Scan types for the attestation-flow rationale.

```bash
curl -X POST https://fixweb.app/api/v1/scans \
  -H "Authorization: Bearer fxw_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'
```

// response 200

```json
{
  "id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
  "status": "queued",
  "target": "https://staging.example.com",
  "mode": "passive"
}
```

List your scans

GET /api/v1/scans

Returns the scans of the org bound to the calling token, newest first. Paginate with ?cursor=. Default limit 50, maximum 100.

```bash
curl -H "Authorization: Bearer fxw_..." \
  "https://fixweb.app/api/v1/scans?limit=25"
```

// response 200

```json
{
  "scans": [
    {
      "id": "8f1c4e2a-...",
      "target_url": "https://staging.example.com",
      "target_hostname": "staging.example.com",
      "mode": "passive",
      "status": "completed",
      "started_at": "2026-05-07T14:00:00Z",
      "completed_at": "2026-05-07T14:00:23Z",
      "findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
      "triggered_by": "api",
      "created_at": "2026-05-07T14:00:00Z"
    }
  ],
  "next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}
```

Get a scan

GET /api/v1/scans/{scanId}

Returns the scan envelope plus a per-category severity summary by default. Pass ?include_findings=true to get the full report (large on noisy scans; prefer the findings endpoint with filters).

```bash
curl -H "Authorization: Bearer fxw_..." \
  https://fixweb.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d
```

List findings

GET /api/v1/findings

Filterable findings list across every scan in the caller's org. Filters: severity=critical,high, check_id=performance.delivery, since=2026-04-01T00:00:00Z. Cursor-paginated.

```bash
curl -H "Authorization: Bearer fxw_..." \
  "https://fixweb.app/api/v1/findings?severity=critical,high&limit=50"
```

// response 200

```jsonc
{
  "findings": [
    {
      "id": "...",
      "scan_id": "...",
      "check_id": "secrets.js-bundle-sweep",
      "severity": "critical",
      "title": "Supabase service role key exposed in JS bundle",
      "description": "...",
      "evidence": { ... },
      "remediation": "...",
      "cwe_id": "CWE-798",
      "created_at": "2026-05-07T14:00:23Z"
    }
  ],
  "next_cursor": null
}
```
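The pagination and rate-limit behaviour documented above (following next_cursor until it is null, honouring retry_after_seconds on a 429 rate_limited body, surfacing other error keys to the caller), as an added Python example that is not FixWeb's own SDK or a generated client. The injectable `transport` callable and the `fxw_PLACEHOLDER` token are assumptions introduced here so the logic can be exercised offline against constructed responses.

```python
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE_URL = "https://fixweb.app/api/v1"


def urllib_transport(url, headers):
    """Real transport: returns (http_status, parsed_json); 4xx bodies are
    returned rather than raised so the documented `error` key is visible."""
    req = Request(url, headers=headers)
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except HTTPError as e:
        return e.code, json.load(e)


def get_json(token, path, params=None, transport=urllib_transport,
             sleep=time.sleep, max_retries=3):
    """GET with Bearer auth. On 429 rate_limited, wait the server-provided
    retry_after_seconds and retry; any other error body is raised as-is."""
    url = f"{BASE_URL}{path}" + (f"?{urlencode(params)}" if params else "")
    headers = {"Authorization": f"Bearer {token}", "accept": "application/json"}
    for _ in range(max_retries + 1):
        status, body = transport(url, headers)
        if status == 429 and body.get("error") == "rate_limited":
            sleep(body.get("retry_after_seconds", 1))  # backoff chosen by the server
            continue
        if status >= 400:
            raise RuntimeError(f"HTTP {status} {body.get('error')}: {body}")
        return body
    raise RuntimeError("still rate limited after retries")


def iter_pages(token, path, key, params=None, **kw):
    """Walk a cursor-paginated list endpoint (`key` is "scans" or "findings"),
    re-sending the same filters plus ?cursor= until next_cursor is null."""
    params = dict(params or {})
    while True:
        body = get_json(token, path, params, **kw)
        yield from body[key]
        cursor = body.get("next_cursor")
        if cursor is None:
            return
        params["cursor"] = cursor
```

A call such as `iter_pages("fxw_PLACEHOLDER", "/findings", "findings", {"severity": "critical,high", "limit": 100})` yields every matching finding across pages; the filter parameters are re-sent on each cursor request exactly as the docs describe.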

OpenAPI spec

A machine-readable spec is served at /docs/api/openapi (text/yaml). Feed it to the codegen of your choice (openapi-typescript, openapi-python-client, or any OpenAPI 3.1 toolchain) to get typed clients.
