API and Webhooks
Programmatic access to Vulnios via scoped API keys and secure webhook delivery. Enterprise plan required.
1. API Onboarding (Enterprise)
API access is an Enterprise plan entitlement. It is enforced server-side. No API key can be created on a lower-tier plan regardless of UI state.
API access requires api_access in the org's plan features array. The callable function checks entitlements at key-creation time. Upgrade your plan to Enterprise before requesting API access.
1. Upgrade org to Enterprise plan.
2. Navigate to Settings → API Keys → Create Key.
3. Select scopes and set key name / expiry.
4. Copy the plaintext key — it is shown only once.
5. Use as Authorization: Bearer <key> header.
2. API Keys and Scopes
- Keys are stored hashed — plaintext is never written to Firestore.
- Each key is scoped: scopes array restricts which endpoints are accessible.
- Keys carry an orgId — all API calls are tenant-isolated to that org.
- Keys can be rotated or revoked; old key is immediately invalidated.
Available scopes
- scans:read - List and read scan results
- scans:write - Create new scans (+ quota consumed)
- findings:read - List and read findings
- webhooks:manage - Register and manage webhook endpoints
3. REST API v1
Base URL: https://api.vulnios.com/v1
- GET /scans - List V2 scans for org
- GET /scans/{scanId} - Get scan details + step statuses
- GET /scans/{scanId}/steps - List engine steps and progress
- GET /scans/{scanId}/findings - List findings for a specific scan
- POST /scans - Create V2 scan (quota deducted)
- GET /findings - List all findings for org
- GET /findings/{findingId} - Get finding detail + AI enrichment
Authentication: Authorization: Bearer <api-key>
All endpoints return V2 scan data from the scansV2 collection. Scan statuses: pending → running → succeeded / failed.
4. Webhooks
Register endpoints to receive push notifications on scan and finding events.
Available events
- scan.succeeded
- scan.failed
- scan.completed_with_errors
- finding.new (critical+)
- finding.severity_changed
- Each delivery is signed with HMAC-SHA256. Verify the X-Vulnios-Signature header.
- Failed deliveries are retried up to 5 times with exponential back-off.
- Delivery log available in Settings → Webhooks → Delivery history.
- Replay protection: deliveries include a unique delivery ID — use it to deduplicate.
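One way to implement the signature check and delivery-ID deduplication described above, as an added example rather than Vulnios code. It assumes the X-Vulnios-Signature value is the lowercase hex HMAC-SHA256 of the raw request body, keyed with the endpoint's shared secret; the page does not specify the encoding or the signed content, and the class name, secret and payload below are constructed.

```python
import hashlib
import hmac
from collections import OrderedDict

# Constructed sample values for illustration only.
SAMPLE_SECRET = b"example-webhook-secret"
SAMPLE_BODY = b'{"event":"scan.succeeded","scanId":"scan-123"}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    # ASSUMPTION: signature = lowercase hex HMAC-SHA256 of the raw request body.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Checks the signature first, then deduplicates by delivery ID."""

    def __init__(self, secret: bytes, max_seen: int = 10_000):
        self._secret = secret
        self._seen = OrderedDict()  # bounded, oldest-first record of accepted IDs
        self._max_seen = max_seen

    def check(self, raw_body: bytes, signature, delivery_id) -> str:
        """Return 'accept', 'duplicate' or 'reject' for one delivery."""
        if not signature or not delivery_id:
            return "reject"
        expected = compute_signature(self._secret, raw_body).encode()
        supplied = signature.strip().lower().encode("utf-8")
        # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
        if not hmac.compare_digest(expected, supplied):
            return "reject"
        # Only authenticated deliveries touch the dedupe record, so forged
        # requests cannot pre-register an ID and suppress the real event.
        if delivery_id in self._seen:
            return "duplicate"
        self._seen[delivery_id] = True
        if len(self._seen) > self._max_seen:
            self._seen.popitem(last=False)  # evict the oldest ID
        return "accept"


if __name__ == "__main__":
    verifier = WebhookVerifier(SAMPLE_SECRET)
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print(verifier.check(SAMPLE_BODY, sig, "dlv-001"))
    print(verifier.check(SAMPLE_BODY, sig, "dlv-001"))
```

Pass the body bytes exactly as received, before any JSON parsing or re-serialisation. If the delivery ID arrives in a header rather than inside the signed body, it is not covered by the signature under this assumption, so prefer an ID taken from the signed payload when one is present.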