API Reference

The CodePhreak REST API allows programmatic access to scan results, authentication, and dashboard data.

Base URL

https://codephreak.ai/api

Authentication

All API requests require authentication via Bearer token or API key:

# Bearer token (from login)
Authorization: Bearer <your-jwt-token>

# API key
X-API-Key: <your-api-key>

Endpoints

GET/api/health

Check API health status. No authentication required.

Response

{ "status": "healthy", "timestamp": "2024-01-15T10:00:00Z" }
POST/api/auth/login

Authenticate and receive a JWT token.

Request Body

{
  "email": "user@example.com",
  "password": "your-password"
}

Response

{
  "token": "<jwt-token>",
  "user": {
    "email": "user@example.com",
    "tier": "professional"
  }
}
GET/api/auth/me

Get current authenticated user information.

Response

{
  "user": {
    "email": "user@example.com",
    "tier": "professional",
    "created_at": "2024-01-01T00:00:00Z"
  }
}
GET/api/scans

List all scans for the authenticated user.

Query Parameters

  • type - Filter by scan type (cspm, dast, runtime)
  • status - Filter by status (completed, running, failed)
  • limit - Number of results (default: 20)

Response

{
  "scans": [
    {
      "id": "scan-123",
      "scan_type": "cspm",
      "status": "completed",
      "created_at": "2024-01-15T10:00:00Z",
      "results": { ... }
    }
  ]
}
POST/api/scans

Submit scan results from CLI.

Request Body

{
  "scan_type": "cspm",
  "provider": "aws",
  "status": "completed",
  "results": {
    "summary": { "total": 245, "passed": 198, "failed": 42 },
    "findings": [ ... ]
  }
}

Response

{
  "id": "scan-456",
  "status": "completed",
  "created_at": "2024-01-15T10:30:00Z"
}
GET/api/scans/:id

Get detailed scan results by ID.

Response

{
  "id": "scan-123",
  "scan_type": "cspm",
  "provider": "aws",
  "status": "completed",
  "created_at": "2024-01-15T10:00:00Z",
  "completed_at": "2024-01-15T10:05:00Z",
  "results": {
    "summary": { "total": 245, "passed": 198, "failed": 42 },
    "by_severity": { "critical": 3, "high": 12, "medium": 18 },
    "by_service": { "S3": 5, "IAM": 8, "EC2": 10 },
    "findings": [ ... ]
  }
}
POST/api/auth/api-keys

Generate a new API key for programmatic access.

Request Body

{
  "name": "CI/CD Pipeline",
  "expires_in_days": 365
}

Response

{
  "api_key": "<generated-api-key>",
  "name": "CI/CD Pipeline",
  "expires_at": "2025-01-15T00:00:00Z"
}

Error Responses

All errors follow a consistent format:

{
  "error": "Unauthorized",
  "message": "Invalid or expired token",
  "status": 401
}
StatusDescription
400Bad Request - Invalid parameters
401Unauthorized - Invalid or missing token
403Forbidden - Insufficient permissions
404Not Found - Resource doesn't exist
429Too Many Requests - Rate limit exceeded
500Internal Server Error

Rate Limits

  • Free tier: 100 requests/hour
  • Professional: 1,000 requests/hour
  • Enterprise: Unlimited

Rate limit headers are included in all responses: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset