# API reference

Programmatic access to the portal — images, SBOMs, webhooks, feature requests.

The portal exposes a small REST surface for tenant integrations. All endpoints are tenant-scoped: every request carries an `X-Tenant` header (which must match the subdomain you log in on) and an `Authorization: Bearer <token>` header with the access token obtained from the login flow.
## Auth

```http
POST /api/auth/login
Content-Type: application/json
X-Tenant: <your-subdomain>

{ "email": "you@example.com", "password": "..." }
```

The response includes `accessToken` (the Bearer token) and `refreshToken`. Pass `accessToken` on subsequent requests:

```http
GET /api/docker-images
Authorization: Bearer <token>
X-Tenant: <your-subdomain>
```

## Common endpoints
| Method | Path | Purpose |
|---|---|---|
| GET | /api/docker-images | List images this tenant has access to |
| GET | /api/docker-images/:id | Image detail (versions, hardening tags, etc.) |
| GET | /api/docker-images/:id/versions/:vid/scan-history | Time series of scan results |
| GET | /api/docker-images/:id/versions/:vid/sbom/spdx | SPDX 2.3 SBOM download |
| GET | /api/docker-images/:id/versions/:vid/sbom/cyclonedx | CycloneDX 1.5 SBOM download |
| GET | /api/cve-watches | List CVE-watch subscriptions |
| POST | /api/cve-watches | Add a CVE id to the watch list |
| DELETE | /api/cve-watches/:id | Remove a watch |
| POST | /api/feature-requests | File a feature request / package request / bug |
| GET | /api/feature-requests | List your tenant's requests |
| GET | /api/webhooks | List webhook subscriptions |
| POST | /api/webhooks | Create / upsert a webhook subscription |
| PUT | /api/webhooks/:id | Update a subscription |
| DELETE | /api/webhooks/:id | Delete a subscription |
| GET | /api/status | Public — overall health probe |
Most write endpoints require the admin role on the tenant (enforced by the `requireAdmin` middleware). Viewer-role users (read-only) get a 403 on writes; user-role users get the standard tenant-member permissions.
## Errors

Errors come back with a stable shape:

```jsonc
{
  "error": "VALIDATION_ERROR",
  "message": "Human-readable explanation",
  "details": [ ... ] // optional, present for Zod-validation failures
}
```

The `error` key is a stable, machine-friendly enum. The `message` is for humans and can change between releases without breaking integrations.
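A minimal client for the login and error handling described above, as an added example (not the portal's own SDK): it attaches `X-Tenant` and the Bearer token on every call and branches on the stable `error` enum rather than on `message`. The base URL, the `PortalError` class and the sample error body are assumptions constructed for the example.

```python
from __future__ import annotations
import json
import urllib.error
import urllib.request

BASE_URL = "https://<your-subdomain>.example.com"  # placeholder, not a real host
# Constructed sample of the documented error shape, used by parse_error() below.
SAMPLE_ERROR = b'{"error":"VALIDATION_ERROR","message":"email is required","details":[{"path":["email"]}]}'

class PortalError(Exception):
    """Carries the HTTP status plus the stable `error` enum for callers to branch on."""
    def __init__(self, status: int, code: str, message: str, details: list):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.message, self.details = status, code, message, details

def build_headers(tenant: str, token: str | None = None) -> dict:
    """Every call is tenant-scoped: X-Tenant must match the login subdomain.
    The Bearer token is attached only once the login flow has produced one."""
    headers = {"X-Tenant": tenant, "Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return headers

def parse_error(body: bytes) -> tuple[str, str, list]:
    """Split an error body into (code, message, details). Branch on `code`,
    the stable enum; `message` may change between releases."""
    payload = json.loads(body)
    return payload["error"], payload.get("message", ""), payload.get("details", [])

def call(method: str, path: str, tenant: str, token: str | None = None, data: dict | None = None):
    """Send one request and decode the JSON body; HTTP errors become PortalError."""
    body = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(BASE_URL + path, method=method, data=body,
                                 headers=build_headers(tenant, token))
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        # A 403 on a write endpoint means the token's role lacks admin rights.
        code, message, details = parse_error(exc.read())
        raise PortalError(exc.code, code, message, details) from None

def login(tenant: str, email: str, password: str) -> str:
    """POST /api/auth/login and return the accessToken to reuse as the Bearer token."""
    resp = call("POST", "/api/auth/login", tenant, data={"email": email, "password": password})
    return resp["accessToken"]
```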
## Rate limiting

Login endpoints are rate-limited to 5 attempts per IP per 15 minutes (OWASP A07:2021). All other endpoints are not rate-limited today; expect that to change before the public API reaches GA.
## What's NOT in this doc yet

- Full OpenAPI schema — coming. Until then, the endpoint table above is the source of truth; if you find a discrepancy, file a feature request via the portal.
- Webhook receiver examples in Go / Python / Ruby — see Webhooks for the verification logic.