REST API · v1
API Documentation
Programmatic access to Vezraa scans. Trigger scans from your CI/CD, build custom dashboards, or integrate with your security workflow.
Quick start
curl
curl -X POST https://vezraa.com/api/v1/scan \
  -H "Content-Type: application/json" \
  -H "X-API-Key: va_live_..." \
  -d '{
    "url": "https://my-app.vercel.app",
    "wait": true
  }'
Authentication
All API requests require an API key passed via the X-API-Key header. Generate one in your dashboard.
X-API-Key: va_live_xxxxxxxxxxxxxxxxxxxxxxxx
Rate limits
Starter | 100 requests/min | 30 scans/month
Pro | 100 requests/min | Unlimited scans
Max | 500 requests/min | Unlimited scans
Endpoints
POST /api/v1/scan
Run a full production-readiness scan on a URL.
Body
{
  "url": "https://my-app.vercel.app", // required
  "wait": true // optional - block until complete (max 60s)
}
Response (when wait=true)
{
  "scanId": "abc123...",
  "status": "complete",
  "score": 76,
  "categories": {
    "security": 60,
    "seo": 88,
    "performance": 95,
    "observability": 74,
    "ai": 100,
    "payments": 100,
    "email": 54,
    "legal": 100,
    "accessibility": 92,
    "infrastructure": 100
  },
  "findings": [ /* ... */ ]
}
Response (when wait=false or timeout)
{
  "scanId": "abc123...",
  "status": "running"
}
// Then poll GET /api/report/:scanId until status === "complete"
GET /api/report/:scanId
Fetch a scan report by ID.
Response includes
- overall_score: 0-100
- scores: per-category scores
- findings: array of { title, severity, category, description, evidence, fix_prompt, proof_request, proof_response }
- counts: severity counts
- detected_stack: auto-detected framework, db, payments, etc.
POST /api/tools/header-check
Check security headers without a full scan. Free tool, no auth required.
POST /api/tools/dns-check
Check SPF, DKIM, DMARC, MX records. Free tool, no auth required.
POST /api/tools/rls-check
Test Supabase RLS configuration. Free tool, no auth required.
Native integrations
MCP Server
Claude Code, Cursor, Windsurf
Add as MCP server. Your AI agent calls the scanner directly.
CLI · Coming soon
npm i -g @vezraa/cli
Run scans in your CI/CD. Block deploys on critical findings.
Error codes
401: Missing or invalid X-API-Key header
400: Invalid request body; see error message
429: Rate limit exceeded; check Retry-After header
500: Internal error; please retry, or contact udayakirantumma@gmail.com
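A CI deploy gate built on the scan endpoint, the polling step and the 429 error code described above, as an added example that is not Vezraa's own client code. It starts a scan, polls the report until it completes, backs off on 429 using Retry-After, and exits non-zero when a critical finding is present. Assumptions: the VEZRAA_API_KEY variable name, the 5-second poll interval, the report endpoint accepting the same X-API-Key header, and critical findings carrying the severity string "critical".

```python
import json, os, sys, time, urllib.error, urllib.parse, urllib.request

BASE = "https://vezraa.com"  # host taken from the quick start

def http_call(method, path, api_key, body=None):
    """Real transport: returns (status, lower-cased headers, parsed JSON)."""
    req = urllib.request.Request(
        BASE + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Content-Type": "application/json", "X-API-Key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=90) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, {}

def request(call, sleep, method, path, api_key, body=None, tries=5):
    """One API call, backing off on 429 for as long as Retry-After says."""
    for _ in range(tries):
        status, headers, payload = call(method, path, api_key, body)
        if status != 429:
            break
        delay = headers.get("retry-after", "1")
        sleep(int(delay) if delay.isdigit() else 1)  # header may be a date
    if status >= 400:
        raise RuntimeError(f"Vezraa API returned HTTP {status}")
    return payload

def scan_and_gate(url, api_key, call=http_call, sleep=time.sleep, max_polls=30):
    """Run a scan, poll until complete, return titles of critical findings."""
    result = request(call, sleep, "POST", "/api/v1/scan", api_key,
                     {"url": url, "wait": True})
    scan_id, polls = result["scanId"], 0
    while result.get("status") != "complete":
        if polls == max_polls:
            raise TimeoutError(f"scan {scan_id} did not complete")  # fail closed
        sleep(5)
        polls += 1
        path = "/api/report/" + urllib.parse.quote(scan_id, safe="")
        result = request(call, sleep, "GET", path, api_key)
    # Assumption: critical findings carry severity "critical" (any case).
    return [f.get("title", "?") for f in result.get("findings", [])
            if str(f.get("severity", "")).lower() == "critical"]

if __name__ == "__main__":
    # VEZRAA_API_KEY is an assumed variable name; supply it from CI secrets.
    critical = scan_and_gate(sys.argv[1], os.environ["VEZRAA_API_KEY"])
    for title in critical:
        print(f"CRITICAL: {title}")
    sys.exit(1 if critical else 0)
```

A scan that never completes raises instead of returning an empty list, so the pipeline fails closed rather than deploying on an unfinished report.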