// docs / rest api
REST API
Bearer-authenticated JSON API for passive scan automation, scan status, and findings. Cursor-paginated, rate-limited, and shipped with a machine-readable OpenAPI spec for client codegen. Active scans stay in the dashboard UI for ownership attestation.
ምርግጋጽ መንነት
ነፍሲ ወከፍ request ኣብ Authorization header bearer token ክሕዝ ኣለዎ። Tokens ካብ Account → API tokens ይወጹ፤ plaintext ኣብ ፍጥረት ሓንሳብ ጥራይ ትርእዮ። Token revoke ምግባር ኣብ ቀጻሊ call 401 ይመልስ።
curl -H "Authorization: Bearer fxw_..." \
https://fixweb.app/api/v1/scansቅርጺ token: fxw_ ተኸቲሉ 43 base64url characters። ኣብ rest ከም SHA-256 hash ይዕቀብ፤ plaintext ኣብ server-side ፈጺሙ ኣይዕቀብን።
Rate limits
ኣብ ነፍሲ ወከፍ authenticated request ክልተ windows: 10 req/sec burst ን 60 req/min steady፣ ክልቲኦም ብ bearer hash keyed እዮም። Quota enforcement (per-month scan caps) ኣብ ልዕሊኡ ይድረብ፤ Quota ን ወሰናት ርአ።
Pagination
List endpoints (/api/v1/scans, /api/v1/findings) cursor-based pagination ይጥቀሙ፣ ብ (created_at, id) ኣብ descending order keyed እዮም። ቀጻሊ ገጽ ንምርካብ ?cursor=<next_cursor> ኣሕልፍ። Cursor ኣብ concurrent writes ልክዕ ይተርፍ (OFFSET skew የለን)።
ቅርጺ error
ነፍሲ ወከፍ error ብውሑዱ error key ዘለዎ JSON object እዩ።
{ "error": "invalid_token" } // 401
{ "error": "forbidden" } // 403
{ "error": "not_found" } // 404
{ "error": "quota_exceeded", "quota": {...} } // 429
{ "error": "rate_limited", "retry_after_seconds": 47 } // 429
{ "error": "invalid_input", "issues": [...] } // 400Endpoints
Scan ጀምር
/api/v1/scansEnqueues a passive scan. Returns immediately with a queued scan id; poll GET /api/v1/scans/[scanId] until status === "completed". Owner-depth mode is not exposed — see Scan types for the attestation-flow rationale.
curl -X POST https://fixweb.app/api/v1/scans \
-H "Authorization: Bearer fxw_..." \
-H "content-type: application/json" \
-d '{"target":"https://staging.example.com"}'// 200 መልሲ
{
"id": "8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4d",
"status": "queued",
"target": "https://staging.example.com",
"mode": "passive"
}Scansካ ዘርዝር
/api/v1/scansን org ምስቲ calling token ዝተኣሳሰሩ scans ይመልስ፣ ዝሓደሰ መጀመርታ። ብ ?cursor= paginate ግበር። Default limit 50፣ max 100።
curl -H "Authorization: Bearer fxw_..." \
"https://fixweb.app/api/v1/scans?limit=25"// 200 መልሲ
{
"scans": [
{
"id": "8f1c4e2a-...",
"target_url": "https://staging.example.com",
"target_hostname": "staging.example.com",
"mode": "passive",
"status": "completed",
"started_at": "2026-05-07T14:00:00Z",
"completed_at": "2026-05-07T14:00:23Z",
"findings_count": { "critical": 1, "high": 3, "medium": 7, "low": 2, "info": 4 },
"triggered_by": "api",
"created_at": "2026-05-07T14:00:00Z"
}
],
"next_cursor": "2026-05-07T14:00:00Z:8f1c4e2a-..."
}Scan ርኸብ
/api/v1/scans/{scanId}ብ default scan envelope + per-category severity summary ይመልስ። ምሉእ report ንምርካብ ?include_findings=true ኣሕልፍ (ን noisy scans ዓቢ እዩ፤ findings endpoint ምስ filters ምረጽ)።
curl -H "Authorization: Bearer fxw_..." \
https://fixweb.app/api/v1/scans/8f1c4e2a-8c3a-4b6f-9c0d-9b1e8f3c2a4dFindings ዘርዝር
/api/v1/findingsFilterable findings list across every scan in the caller's org. Filters: severity=critical,high, check_id=performance.delivery, since=2026-04-01T00:00:00Z. Cursor-paginated.
curl -H "Authorization: Bearer fxw_..." \
"https://fixweb.app/api/v1/findings?severity=critical,high&limit=50"// 200 መልሲ
{
"findings": [
{
"id": "...",
"scan_id": "...",
"check_id": "secrets.js-bundle-sweep",
"severity": "critical",
"title": "Supabase service role key exposed in JS bundle",
"description": "...",
"evidence": { ... },
"remediation": "...",
"cwe_id": "CWE-798",
"created_at": "2026-05-07T14:00:23Z"
}
],
"next_cursor": null
}OpenAPI spec
Machine-readable spec ኣብ /docs/api/openapi (text/yaml)። ን typed clients ናብ ዝፈትዎ codegen (openapi-typescript, openapi-python-client, ወይ ዝኾነ OpenAPI 3.1 toolchain) ኣእትዎ።