Vuln0x

Introduction

The Vuln0x API is a RESTful API that allows you to programmatically manage security scans, findings, projects, and more. All endpoints use JSON for request and response bodies (except binary report downloads).

Base URL

https://api-v1.vuln0x.com

API Version

/api/v1/

Content Type

application/json

Response Format

JSON (binary for PDF reports)

Authentication

Two authentication methods are supported. Both grant access to the full API surface — there are no feature restrictions based on auth type.

API Key

Recommended

Persistent keys with ss_ prefix. Never expire. Best for CI/CD and server-to-server integrations.

X-API-Key: ss_your_api_key

Bearer Token

Session Auth

Short-lived tokens from Supabase auth. Expire after 1 hour. Best for development and interactive sessions.

Authorization: Bearer eyJhbGci...

Example: Authenticate with API Key

curl -X GET https://api-v1.vuln0x.com/api/v1/auth/me \
  -H "X-API-Key: ss_your_api_key" \
  -H "Content-Type: application/json"

Rate Limiting

API requests are rate-limited per account. Limits vary by tier. Rate limit information is returned in response headers.

Tier	Requests/min	Burst
Free	30	10
Starter	120	30
Professional	300	60
Business	600	120

Response headers:

X-RateLimit-Limit— Maximum requests per window

X-RateLimit-Remaining— Requests remaining in window

X-RateLimit-Reset— Unix timestamp when window resets

Error Codes

Errors return a JSON body with a detail field containing a human-readable message.

Error Response Format

{
  "detail": "Human-readable error message"
}

Code	Meaning
200	OK — Request succeeded
201	Created — Resource created successfully
204	No Content — Successful delete operation
400	Bad Request — Invalid parameters or request body
401	Unauthorized — Missing or invalid authentication
403	Forbidden — Insufficient permissions or tier
404	Not Found — Resource does not exist
409	Conflict — Resource already exists
422	Validation Error — Request body failed validation
429	Too Many Requests — Rate limit exceeded
500	Internal Server Error — Something went wrong on our end

Pagination

List endpoints use page-based pagination. Pass page and page_size as query parameters.

Request Parameters

page — Page number (default 1)

page_size — Items per page (default 20, max 100)

Response Fields

items — Array of results

total — Total number of items

page / page_size — Current page info

Example: Paginated Request

curl "https://api-v1.vuln0x.com/api/v1/scans/?page=2&page_size=10" \
  -H "X-API-Key: ss_your_api_key"

Authentication

Manage your account, profile, sessions, two-factor authentication, and API keys.

Scans

Create, manage, and retrieve security scans. Includes reports, tags, notes, sharing, comparison, and trend analysis.

Findings

Manage security findings across all scans. Update statuses, create suppression rules, snooze findings, and get AI-powered remediation advice.

GET

/api/v1/findings/suppression-rules— List suppression rules

Projects

Organize targets into projects. Manage targets, trigger project-wide scans, and get aggregated statistics.

GET

/api/v1/projects/— List projects

Schedules

Schedule recurring scans. Set frequency, timezone, and get notified when scans complete.

GET

/api/v1/schedules/— List schedules

Webhooks

Receive real-time notifications when scans complete or findings change. HMAC-SHA256 signed payloads.

GET

/api/v1/webhooks/— List webhooks

Domains

Verify domain ownership before scanning. Required for scanning domains you own.

GET

/api/v1/domains/— List verified domains

Scan Profiles

Create reusable scan configurations with pre-selected scanners.

GET

/api/v1/scan-profiles/— List scan profiles

Notifications

Manage in-app notifications and external integrations (Slack, Discord, Email, Jira, GitHub).

POST

/api/v1/notifications/read-all— Mark all notifications as read

DELETE

/api/v1/notifications/— Clear all notifications

GET

/api/v1/notifications/preferences— Get notification preferences

Credits

Check credit balance, view transaction history, and get usage analytics.

Billing

Manage subscriptions, payment methods, and invoices via Stripe integration.

POST

/api/v1/billing/subscription/resume— Resume a cancelled subscription

Dashboard

Get aggregated dashboard statistics and API health status.

Public

Public endpoints that do not require authentication.

API Reference

Introduction

Authentication

API Key

Bearer Token

Rate Limiting

Error Codes

Pagination

Authentication

GET/api/v1/auth/me— Get current userGet current user

PATCH/api/v1/auth/profile— Update profileUpdate profile

POST/api/v1/auth/change-password— Change passwordChange password

POST/api/v1/auth/api-key/rotate— Rotate API keyRotate API key

POST/api/v1/auth/2fa/setup— Setup two-factor authenticationSetup two-factor authentication

POST/api/v1/auth/2fa/verify— Verify 2FA codeVerify 2FA code

POST/api/v1/auth/2fa/disable— Disable two-factor authenticationDisable two-factor authentication

GET/api/v1/auth/2fa/status— Get 2FA statusGet 2FA status

GET/api/v1/auth/sessions— List active sessionsList active sessions

DELETE/api/v1/auth/sessions— Revoke all sessionsRevoke all sessions

DELETE/api/v1/auth/sessions/{sessionId}— Revoke a specific sessionRevoke a specific session

GET/api/v1/auth/preferences— Get user preferencesGet user preferences

PUT/api/v1/auth/preferences— Update user preferencesUpdate user preferences

GET/api/v1/auth/activity— Get activity logGet activity log

POST/api/v1/auth/delete-account— Delete accountDelete account

Scans

POST/api/v1/scans/— Create a new scanCreate a new scan

GET/api/v1/scans/— List scansList scans

GET/api/v1/scans/{scanId}— Get scan detailsGet scan details

DELETE/api/v1/scans/{scanId}— Delete a scanDelete a scan

GET/api/v1/scans/{scanId}/status— Get scan statusGet scan status

POST/api/v1/scans/{scanId}/rescan— Rescan a targetRescan a target

DELETE/api/v1/scans/{scanId}/cancel— Cancel a running scanCancel a running scan

POST/api/v1/scans/bulk— Create bulk scansCreate bulk scans

POST/api/v1/scans/quick— Quick scanQuick scan

GET/api/v1/scans/{scanId}/report/json— Download JSON reportDownload JSON report

GET/api/v1/scans/{scanId}/report/sarif— Download SARIF reportDownload SARIF report

GET/api/v1/scans/{scanId}/report/csv— Download CSV reportDownload CSV report

GET/api/v1/scans/{scanId}/report/pdf— Download PDF reportDownload PDF report

GET/api/v1/scans/{scanId}/report/html— Download HTML reportDownload HTML report

GET/api/v1/scans/{scanId}/report/markdown— Download Markdown reportDownload Markdown report

POST/api/v1/scans/{scanId}/tags— Add tags to a scanAdd tags to a scan

GET/api/v1/scans/{scanId}/tags— Get scan tagsGet scan tags

DELETE/api/v1/scans/{scanId}/tags/{tag}— Remove a tagRemove a tag

POST/api/v1/scans/{scanId}/notes— Add a note to a scanAdd a note to a scan

GET/api/v1/scans/{scanId}/notes— Get scan notesGet scan notes

DELETE/api/v1/scans/{scanId}/notes/{noteId}— Delete a noteDelete a note

POST/api/v1/scans/{scanId}/share— Create a share linkCreate a share link

DELETE/api/v1/scans/{scanId}/share/{shareId}— Revoke a share linkRevoke a share link

GET/api/v1/scans/domain/{domain}/history— Get domain scan historyGet domain scan history

GET/api/v1/scans/shared/{shareToken}— View a shared scanView a shared scan

GET/api/v1/scans/{scanId}/trend— Get scan trendGet scan trend

GET/api/v1/scans/compare— Compare two scansCompare two scans

POST/api/v1/scans/{scanId}/findings/{findingId}/verify— Verify a findingVerify a finding

Findings

GET/api/v1/findings/— List all findingsList all findings

GET/api/v1/findings/{findingId}— Get finding detailsGet finding details

PATCH/api/v1/findings/{findingId}/status— Update finding statusUpdate finding status

PATCH/api/v1/findings/batch/status— Batch update finding statusesBatch update finding statuses

GET/api/v1/findings/{findingId}/history— Get finding status historyGet finding status history

POST/api/v1/findings/suppression-rules— Create a suppression ruleCreate a suppression rule

DELETE/api/v1/findings/suppression-rules/{ruleId}— Delete a suppression ruleDelete a suppression rule

POST/api/v1/findings/{findingId}/snooze— Snooze a findingSnooze a finding

DELETE/api/v1/findings/{findingId}/snooze— Unsnooze a findingUnsnooze a finding

POST/api/v1/findings/{findingId}/export/jira— Export finding to JiraExport finding to Jira

POST/api/v1/findings/{findingId}/export/github— Export finding to GitHubExport finding to GitHub

GET/api/v1/findings/{findingId}/remediation— Get AI remediation adviceGet AI remediation advice

Projects

POST/api/v1/projects/— Create a projectCreate a project

GET/api/v1/projects/{projectId}— Get project detailsGet project details

PATCH/api/v1/projects/{projectId}— Update a projectUpdate a project

DELETE/api/v1/projects/{projectId}— Delete a projectDelete a project

POST/api/v1/projects/{projectId}/targets— Add targets to a projectAdd targets to a project

DELETE/api/v1/projects/{projectId}/targets/{targetId}— Remove a targetRemove a target

POST/api/v1/projects/{projectId}/targets/import— Import targets from URL listImport targets from URL list

POST/api/v1/projects/{projectId}/scan— Scan all project targetsScan all project targets

GET/api/v1/projects/{projectId}/history— Get project scan historyGet project scan history

GET/api/v1/projects/{projectId}/stats— Get project statisticsGet project statistics

GET/api/v1/projects/{projectId}/report— Download project reportDownload project report

GET/api/v1/projects/{projectId}/badge— Get security badgeGet security badge

Schedules