REST API · v1

API Documentation

Programmatic access to Vezraa scans. Trigger scans from your CI/CD, build custom dashboards, or integrate with your security workflow.

Quick start

curl
curl -X POST https://vezraa.com/api/v1/scan \
  -H "Content-Type: application/json" \
  -H "X-API-Key: va_live_..." \
  -d '{
    "url": "https://my-app.vercel.app",
    "wait": true
  }'

Authentication

All API requests require an API key passed via the X-API-Key header. Generate one in your dashboard.

X-API-Key: va_live_xxxxxxxxxxxxxxxxxxxxxxxx

Rate limits

Plan      Requests           Scans
Starter   100 requests/min   30 scans/month
Pro       100 requests/min   Unlimited scans
Max       500 requests/min   Unlimited scans

Endpoints

POST /api/v1/scan

Run a full production-readiness scan on a URL.

Body

{
  "url": "https://my-app.vercel.app",  // required
  "wait": true                         // optional - block until complete (max 60s)
}

Response (when wait=true)

{
  "scanId": "abc123...",
  "status": "complete",
  "score": 76,
  "categories": {
    "security": 60,
    "seo": 88,
    "performance": 95,
    "observability": 74,
    "ai": 100,
    "payments": 100,
    "email": 54,
    "legal": 100,
    "accessibility": 92,
    "infrastructure": 100
  },
  "findings": [ /* ... */ ]
}

Response (when wait=false or timeout)

{
  "scanId": "abc123...",
  "status": "running"
}

// Then poll GET /api/report/:scanId until status === "complete"

GET /api/report/:scanId

Fetch a scan report by ID.

Response includes

  • overall_score — 0-100
  • scores — per-category scores
  • findings — array of { title, severity, category, description, evidence, fix_prompt, proof_request, proof_response }
  • counts — severity counts
  • detected_stack — auto-detected framework, db, payments, etc.

POST /api/tools/header-check

Check security headers without a full scan. Free tool — no auth required.

POST /api/tools/dns-check

Check SPF, DKIM, DMARC, MX records. Free tool — no auth required.

POST /api/tools/rls-check

Test Supabase RLS configuration. Free tool — no auth required.

Native integrations

MCP Server

Claude Code, Cursor, Windsurf

Add as MCP server. Your AI agent calls the scanner directly.

CLI · Coming soon

npm i -g @vezraa/cli

Run scans in your CI/CD. Block deploys on critical findings.

Error codes

401   Missing or invalid X-API-Key header
400   Invalid request body — see error message
429   Rate limit exceeded — check Retry-After header
500   Internal error — please retry, or contact udayakirantumma@gmail.com
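
A CI deploy gate built on the scan endpoint, the report polling and the 429 row above, as an added example (not Vezraa's own client or CLI): it honours Retry-After and fails closed when the scan errors or never completes. The VEZRAA_API_KEY variable name, the "critical" severity string, the 5-second poll interval, the 300-second budget, and sending the key on the report request are assumptions.

```python
import json, os, time, urllib.error, urllib.request

BASE = "https://vezraa.com"   # host from the quick start above
BLOCKING = {"critical"}       # assumed severity string; the page only says "critical findings"

def call(method, path, body=None):
    """One API request; returns (http_status, headers, parsed JSON or None)."""
    req = urllib.request.Request(
        BASE + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "X-API-Key": os.environ["VEZRAA_API_KEY"]})  # assumed env var name
    try:
        with urllib.request.urlopen(req, timeout=90) as resp:
            return resp.status, resp.headers, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, err.headers, None

def retry_delay(headers, default=5.0, cap=60.0):
    """Seconds to wait after a 429, read from Retry-After (seconds form only)."""
    try:
        return min(max(float(headers.get("Retry-After", default)), 0.0), cap)
    except (TypeError, ValueError):
        return default

def gate(report):
    """(ok, reason). Fails closed: anything but a complete report blocks the deploy."""
    if not report or report.get("status") != "complete":
        return False, "scan did not complete"
    bad = [f.get("title", "?") for f in report.get("findings", [])
           if str(f.get("severity", "")).lower() in BLOCKING]
    return (False, "blocking: " + "; ".join(bad)) if bad else (True, "no blocking findings")

def run(url, call=call, sleep=time.sleep, budget=300.0):
    """Start a scan, then poll the report until it completes or the budget runs out."""
    scan_id, waited = None, 0.0
    while waited <= budget:
        code, hdrs, data = (call("GET", "/api/report/" + scan_id) if scan_id
                            else call("POST", "/api/v1/scan", {"url": url, "wait": True}))
        if code == 200 and data and data.get("status") == "complete":
            return gate(data)
        if code == 200 and data and (scan_id or data.get("scanId")):
            scan_id = scan_id or data["scanId"]   # keep polling the same scan
        elif code != 429:
            return False, "API error or malformed response (HTTP %s)" % code
        delay = retry_delay(hdrs) if code == 429 else 5.0
        sleep(delay)
        waited += delay
    return False, "timed out waiting for scan"
```

In a pipeline, call run() with the deployment URL and exit non-zero when ok is False, keeping the key in the CI secret store rather than on the command line.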

Need an API key?

API access included with all paid plans.
