What you can automate
- Pentests — Start pentests, rerun/cancel pentests, and download PDF reports
- Vulnerabilities — List and update vulnerabilities for remediation workflows
- Schedules — Create and trigger recurring schedules for continuous testing
- Webhooks — Subscribe to pentest and vulnerability lifecycle events
Base URL
All API requests are made to:
Authentication
Every request must include a bearer token in the `Authorization` header:
Scopes
Each token is assigned scopes that control what it can access. Apply least-privilege scopes per integration and rotate tokens regularly.

| Scope | Description |
|---|---|
| `scans:read` | List pentests, read pentest detail, and download reports |
| `scans:write` | Create pentests, rerun pentests, and cancel running pentests |
| `vulnerabilities:read` | List vulnerabilities and read individual findings |
| `vulnerabilities:write` | Update vulnerability status and notes |
| `schedules:read` | List schedules and inspect schedule runs |
| `schedules:write` | Create, update, delete, and trigger schedules |
| `assets:read` | Read the target inventory of domains and repositories |
| `webhooks:read` | List webhook endpoints and delivery history |
| `webhooks:write` | Create, update, delete, and rotate webhook secrets |
| `tokens:write` | Create and revoke API tokens |
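
One way to check the least-privilege and rotation advice above against a token inventory. This is an added example, not part of the original documentation or the vendor's tooling: the action names, the 90-day rotation threshold and the inventory entries are assumptions constructed for illustration, and only the scope names come from the table.

```python
from datetime import date

# Scope names exactly as listed in the table above.
KNOWN_SCOPES = {
    "scans:read", "scans:write", "vulnerabilities:read", "vulnerabilities:write",
    "schedules:read", "schedules:write", "assets:read",
    "webhooks:read", "webhooks:write", "tokens:write",
}

# Hypothetical action names mapped to the scope the table describes for them.
# The page does not say that a :write scope implies :read, so none is implied here.
REQUIRED_SCOPE = {
    "download_report": "scans:read",
    "start_pentest": "scans:write",
    "list_vulnerabilities": "vulnerabilities:read",
    "update_vulnerability": "vulnerabilities:write",
    "trigger_schedule": "schedules:write",
    "list_webhook_deliveries": "webhooks:read",
}

MAX_TOKEN_AGE_DAYS = 90  # assumed rotation policy; the page only says "regularly"


def audit_token(granted, actions, created, today):
    """Compare a token's granted scopes with what its integration actually does."""
    granted = set(granted)
    needed = {REQUIRED_SCOPE[a] for a in actions}
    return {
        "unknown": sorted(granted - KNOWN_SCOPES),            # typos or stale scopes
        "excess": sorted((granted & KNOWN_SCOPES) - needed),  # candidates to revoke
        "missing": sorted(needed - granted),                  # calls that would be denied
        "can_mint_tokens": "tokens:write" in granted - needed,
        "rotation_overdue": (today - created).days > MAX_TOKEN_AGE_DAYS,
    }


# Constructed inventory: (integration, granted scopes, actions it performs, created).
INVENTORY = [
    ("ticket-sync", ["vulnerabilities:read", "vulnerabilities:write", "scans:write",
                     "tokens:write"],
     ["list_vulnerabilities", "update_vulnerability"], date(2024, 1, 10)),
    ("report-archiver", ["scans:read"], ["download_report"], date(2024, 5, 1)),
]

if __name__ == "__main__":
    for name, granted, actions, created in INVENTORY:
        print(name, audit_token(granted, actions, created, today=date(2024, 6, 1)))
```

An unneeded `tokens:write` is reported separately because a token holding it can create further tokens, which undoes the scoping applied to every other integration.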