API Reference

Endpoints

The core REST endpoints, grouped by resource. Every endpoint requires an ApiKey header.

Base URL: https://api.wasviking.com/v1/. All endpoints require the Authorization: ApiKey wv_live_… header. All bodies are JSON.

Scans

Method	Path	Scope	Purpose
`POST`	`/scans`	`scans:run`	Trigger a new scan.
`GET`	`/scans/{id}`	`scans:read`	Scan status and metadata.
`GET`	`/scans/{id}/findings`	`findings:read`	Findings produced by a scan.
`GET`	`/scans/{id}/report.pdf`	`scans:read`	PDF report.
`POST`	`/scans/{id}/cancel`	`scans:run`	Cancel a running scan.

Trigger a scan

curl -sS https://api.wasviking.com/v1/scans \
  -H "Authorization: ApiKey ${KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "target": "https://app.example.com",
    "template": "prod-web-strict"
  }'

{
  "id": "scan_8fae22c4",
  "status": "queued",
  "template": "prod-web-strict",
  "created_at": "2026-05-21T14:08:11Z"
}

Findings

Method	Path	Scope	Purpose
`GET`	`/findings`	`findings:read`	List findings, filterable.
`GET`	`/findings/{id}`	`findings:read`	Finding detail with evidence.
`PATCH`	`/findings/{id}`	`findings:update`	Status transition, comment, assignee.
`POST`	`/findings/bulk`	`findings:update`	Bulk update.

List findings

curl -sS "https://api.wasviking.com/v1/findings?status=open&min_risk=70" \
  -H "Authorization: ApiKey ${KEY}"

Supported query parameters:

Parameter	Notes
`status`	`open`, `accepted`, `mitigated`, `false_positive`, `fixed`.
`category`	`sqli`, `xss`, `cve`, `token_exposure`, etc.
`severity`	`critical`, `high`, `medium`, `low`.
`min_risk`, `max_risk`	0-100.
`asset_id`	Limit to one asset.
`since`	ISO 8601 timestamp.
`cursor`	Pagination cursor.
`limit`	Default 50, max 200.

Targets

Method	Path	Scope
`GET`	`/targets`	`inventory:read`
`POST`	`/targets`	`targets:manage`
`GET`	`/targets/{id}`	`inventory:read`
`PATCH`	`/targets/{id}`	`targets:manage`
`POST`	`/targets/{id}/archive`	`targets:manage`

Inventory

Method	Path	Scope
`GET`	`/inventory/assets`	`inventory:read`
`GET`	`/inventory/assets/{id}`	`inventory:read`
`GET`	`/inventory/components/search`	`sca:read`
`GET`	`/inventory/sbom`	`sca:read`

SBOM (Sentinel submit + read)

Method	Path	Scope
`POST`	`/sentinel/sbom/submit`	`sca:submit`
`GET`	`/sca/bundles`	`sca:read`
`POST`	`/sca/bundles`	`evidence.share`
`POST`	`/sca/bundles/{id}/revoke`	`evidence.share`

Secrets

Method	Path	Scope
`POST`	`/sentinel/secrets/submit`	`secrets:submit`
`GET`	`/inventory/secrets`	`findings:read`

Posture Shares

Method	Path	Scope
`POST`	`/posture/shares`	`evidence.share`
`GET`	`/posture/shares`	`posture:read`
`POST`	`/posture/shares/{id}/revoke`	`evidence.share`

Audit log

Method	Path	Scope
`GET`	`/audit-log`	`audit_logs:read`

Supports since, actor, action, cursor, limit.

Webhooks

Method	Path	Scope
`GET`	`/webhooks`	`webhooks:manage`
`POST`	`/webhooks`	`webhooks:manage`
`DELETE`	`/webhooks/{id}`	`webhooks:manage`
`POST`	`/webhooks/{id}/test`	`webhooks:manage`

See Webhook events for the event catalog.

Pagination

Cursor-based. The response carries next_cursor and prev_cursor when more pages exist. Cursors are opaque; do not parse them.

{
  "items": [...],
  "next_cursor": "Y3Vyc29yX2FiYzEyMw==",
  "prev_cursor": null
}

Idempotency

POST endpoints accept Idempotency-Key header for safe retries. Same key replays the same response within 24 hours.