
API reference

Programmatic access to the portal — images, SBOMs, webhooks, feature requests.

The portal exposes a small REST surface for tenant integrations. Every endpoint is tenant-scoped: send the X-Tenant header (it must match the subdomain you log in on) together with Authorization: Bearer <token>, where the token comes from the login flow below.

Auth

POST /api/auth/login
Content-Type: application/json
X-Tenant: <your-subdomain>

{ "email": "you@example.com", "password": "..." }

Response includes accessToken (Bearer) + refreshToken. Pass accessToken on subsequent requests:

GET /api/docker-images
Authorization: Bearer <token>
X-Tenant: <your-subdomain>

Common endpoints

| Method | Path | Purpose |
|--------|------|---------|
| GET | /api/docker-images | List images this tenant has access to |
| GET | /api/docker-images/:id | Image detail (versions, hardening tags, etc) |
| GET | /api/docker-images/:id/versions/:vid/scan-history | Time series of scan results |
| GET | /api/docker-images/:id/versions/:vid/sbom/spdx | SPDX 2.3 SBOM download |
| GET | /api/docker-images/:id/versions/:vid/sbom/cyclonedx | CycloneDX 1.5 SBOM download |
| GET | /api/cve-watches | List CVE-watch subscriptions |
| POST | /api/cve-watches | Add a CVE id to the watch list |
| DELETE | /api/cve-watches/:id | Remove a watch |
| POST | /api/feature-requests | File a feature request / package request / bug |
| GET | /api/feature-requests | List your tenant's requests |
| GET | /api/webhooks | List webhook subscriptions |
| POST | /api/webhooks | Create / upsert a webhook subscription |
| PUT | /api/webhooks/:id | Update a subscription |
| DELETE | /api/webhooks/:id | Delete a subscription |
| GET | /api/status | Public — overall health probe |

Most write endpoints require the admin role on the tenant (enforced by the requireAdmin middleware). Viewer-role users (read-only) get a 403 on writes; user-role accounts get the standard tenant-member permissions.

Errors

Errors come back with a stable shape:

{
  "error": "VALIDATION_ERROR",
  "message": "Human-readable explanation",
  "details": [ ... ]
}

details is optional and is present only for Zod-validation failures. The error key is a stable machine-friendly enum. The message is for humans and can change between releases without breaking integrations, so integrations should branch on error, never on message.
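The login flow, the tenant-scoped headers and the error shape above, pulled together into a small client. This is an added example, not PodArmor's own SDK: the base URL and tenant are placeholders, the `cveId` request field for POST /api/cve-watches is assumed (the docs do not give the body schema), and `fake_transport` returns constructed responses so the script runs offline; swap in `urllib_transport` to talk to a real portal.

```python
"""Minimal PodArmor portal client (added example, not the project's SDK).
Placeholders not taken from the docs: base URL, tenant, the `cveId` field,
and the constructed responses in fake_transport()."""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# transport(method, url, headers, body) -> (status, raw_body); injectable for tests.
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, bytes]:
    """Standard-library transport; returns non-2xx bodies instead of raising so the error shape is visible."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


class PortalError(Exception):
    """Non-2xx response. `code` is the stable `error` enum; `message` is free text and may change."""

    def __init__(self, status: int, code: str, message: str, details=None):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.message, self.details = status, code, message, details


class PortalClient:
    def __init__(self, base_url: str, tenant: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.tenant = tenant  # must match the subdomain you log in on
        self.transport = transport
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None

    def _headers(self) -> dict:
        headers = {"X-Tenant": self.tenant}  # every request is tenant-scoped
        if self.access_token:
            headers["Authorization"] = f"Bearer {self.access_token}"
        return headers

    def _request(self, method: str, path: str, payload=None) -> bytes:
        headers, body = self._headers(), None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, raw = self.transport(method, self.base_url + path, headers, body)
        if status >= 400:
            try:
                err = json.loads(raw)
            except ValueError:
                err = {}
            # Branch on `error`, never on `message`: only the enum is stable across releases.
            raise PortalError(status, err.get("error", "UNKNOWN"), err.get("message", ""), err.get("details"))
        return raw

    def _json(self, method: str, path: str, payload=None):
        raw = self._request(method, path, payload)
        return json.loads(raw) if raw else None

    def login(self, email: str, password: str) -> None:
        # Login is rate-limited (5 attempts per IP per 15 min): call once, then reuse the tokens.
        data = self._json("POST", "/api/auth/login", {"email": email, "password": password})
        self.access_token, self.refresh_token = data["accessToken"], data.get("refreshToken")

    def list_images(self):
        return self._json("GET", "/api/docker-images")

    def sbom_spdx(self, image_id: str, version_id: str) -> bytes:
        # Raw bytes: the SPDX document is a download, not a JSON API envelope.
        return self._request("GET", f"/api/docker-images/{image_id}/versions/{version_id}/sbom/spdx")

    def add_cve_watch(self, cve_id: str):
        # Admin-only write; the `cveId` field name is an assumption, not from the docs.
        return self._json("POST", "/api/cve-watches", {"cveId": cve_id})


def fake_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, bytes]:
    """Constructed stand-in for the portal so demo() runs offline (responses are made up)."""
    if method == "POST" and url.endswith("/api/auth/login"):
        return 200, b'{"accessToken":"tok-123","refreshToken":"ref-456"}'
    if headers.get("Authorization") != "Bearer tok-123":
        return 401, b'{"error":"UNAUTHORIZED","message":"missing or bad token"}'
    if method == "GET" and url.endswith("/api/docker-images"):
        return 200, b'[{"id":"img-1","name":"nginx-hardened"}]'
    if method == "POST" and url.endswith("/api/cve-watches"):
        return 400, b'{"error":"VALIDATION_ERROR","message":"not a CVE id","details":[{"path":["cveId"]}]}'
    return 404, b'{"error":"NOT_FOUND","message":"no such route"}'


def demo(transport: Transport = fake_transport) -> dict:
    """Unauthenticated call, login, list images, then a write that fails validation."""
    client = PortalClient("https://acme.podarmor.example", "acme", transport)  # placeholder host/tenant
    try:
        client.list_images()  # no token yet
        unauth_status = None
    except PortalError as exc:
        unauth_status = exc.status
    client.login("you@example.com", "hunter2")
    images = client.list_images()
    try:
        client.add_cve_watch("not-a-cve")
        error_code = None
    except PortalError as exc:
        error_code = exc.code  # stable enum, safe to match on
    return {"unauth_status": unauth_status, "token": client.access_token,
            "image_count": len(images), "error_code": error_code}


if __name__ == "__main__":
    print(demo())
```

The transport is injected so the same client can be exercised against constructed responses; `demo()` shows the pattern the error section asks for, matching `exc.code` against the stable enum rather than parsing `message`.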

Rate limiting

Login endpoints are rate-limited to 5 attempts per IP per 15 minutes (OWASP A07:2021). All other endpoints are not rate-limited today; expect that to change before public-API GA.

What's NOT in this doc yet

  • Full OpenAPI schema — coming. Until then, the endpoint table above is the source of truth; if you find a discrepancy, file a feature request via the portal.
  • Webhook receiver examples in Go / Python / Ruby — see Webhooks for the verification logic.
