Endpoint Index
Overview
Server startup, authentication, and general endpoints. The following routes are public (no auth):

| Method | Endpoint | Description |
|---|---|---|
| GET | / | Static UI |
| GET | /health | Health check |
| GET | /server-info | Server info (uptime, queue depth, totals) |
| GET | /swagger/* | Swagger UI |
| GET | /metrics | Prometheus metrics (response gated by --enable-metrics) |
| POST | /api/auth/login | File-based login → bearer token |
| GET | /api/info | App info / build metadata |
| GET | /api/user/info | Current user |
HTTP Records
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/http-records | List HTTP records (paginated, filterable) |
| GET | /api/http-records/:uuid | Get HTTP record detail |
| DELETE | /api/http-records/:uuid | Delete HTTP record |
Findings
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/findings | List findings (paginated, filterable) |
| GET | /api/findings/:id | Get finding detail |
| PATCH | /api/findings/:id/status | Update finding status (open/triaged/closed) |
| DELETE | /api/findings/:id | Delete finding |
Ingestion
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/ingest-http | Ingest HTTP data (URL, curl, OpenAPI, Burp, Postman, HAR, Nuclei) |
| POST | /api/import | Bulk import scans/records/findings (incl. gs://... and uploaded archives) |
Scan
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/scan-url | Scan a single URL |
| POST | /api/scan-request | Scan a raw HTTP request |
| POST | /api/scans/run | Trigger a target scan |
| POST | /api/scan-records | Scan specific HTTP records by UUID |
| POST | /api/scan-all-records | Scan filtered records |
| GET | /api/scan/status | Current scan status (latest/global) |
| GET | /api/scans | List scan history |
| GET | /api/scans/:uuid | Get scan detail |
| GET | /api/scans/:uuid/logs | Scan logs (SSE supported) |
| DELETE | /api/scans/:uuid | Delete scan |
| POST | /api/scans/:uuid/stop | Stop a running scan |
| POST | /api/scans/:uuid/pause | Pause a scan |
| POST | /api/scans/:uuid/resume | Resume a scan |
| POST | /api/scans/:uuid/update | Adjust scan parameters mid-run |
Stats
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/stats | Aggregated scan statistics |
Scope
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/scope | View scope config |
| POST | /api/scope | Update scope config |
Config
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/config | View configuration |
| POST | /api/config | Update configuration |
Modules
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/modules | List scanner modules |
Storage
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/storage/upload-source | Upload source code archive to cloud storage |
| GET | /api/storage/source/:key | Download a previously uploaded source file |
| GET | /api/storage/results/:scan-uuid | Download a scan result bundle (.tar.gz) |
| POST | /api/storage/presign | Generate a presigned upload/download URL |
Diagnostics
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/diagnostics | System readiness check (DB, agent provider, tools, dirs) |
OAST Interactions
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/oast-interactions | List OAST interactions |
| GET | /api/oast-interactions/:id | Get OAST interaction detail |
| DELETE | /api/oast-interactions/:id | Delete OAST interaction |
Extensions
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/extensions | List extensions |
| GET | /api/extensions/:name | Get extension (with raw content) |
| PUT | /api/extensions/:name | Edit extension |
| GET | /api/extensions/docs | List JS API functions |
Projects
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/projects | List projects + aggregate stats |
| POST | /api/projects | Create project |
| GET | /api/projects/:uuid | Get project |
| PUT | /api/projects/:uuid | Update project |
| DELETE | /api/projects/:uuid | Delete project (reassigns data to default) |
Database
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/db/tables | List tables |
| GET | /api/db/tables/:table/columns | Table column metadata |
| GET | /api/db/tables/:table/records | Generic record listing |
| GET | /api/db/tables/:table/records/:id | Get record |
| POST | /api/db/tables/:table/records | Insert record (admin) |
| PUT | /api/db/tables/:table/records/:id | Update record (admin) |
| DELETE | /api/db/tables/:table/records/:id | Delete record (admin) |
Agent
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/agent/run/query | Single-shot agent prompt execution |
| POST | /api/agent/run/autopilot | Autonomous AI-driven scanning session |
| POST | /api/agent/run/swarm | AI-guided multi-phase vulnerability swarm |
| POST | /api/agent/run/audit | Source-audit driver dispatcher (driver: auto\|both\|audit\|piolium) |
| GET | /api/agent/status/list | List agent runs |
| GET | /api/agent/status/:id | Agent run status |
| GET | /api/agent/sessions | Paginated session history |
| GET | /api/agent/sessions/:id | Full session detail |
| GET | /api/agent/sessions/:id/logs | Read or tail runtime.log (SSE supported) |
| GET | /api/agent/sessions/:id/artifacts | List session artifact files |
| GET | /api/agent/sessions/:id/artifacts/{name} | Read a specific artifact |
| POST | /api/agent/chat/completions | OpenAI-compatible chat completions |
