FirmIntel™

API reference

For the full interactive spec, visit /openapi.json or, in dev, /docs (Swagger UI).

Authentication

All authenticated calls accept either:
• Authorization: Bearer <session-jwt>     (web users)
• Authorization: Bearer fmi_xxx           (API keys, recommended for services + agents)
• X-API-Key: fmi_xxx                       (legacy header)

API keys are minted in the console (Settings → API keys). They are shown once and never stored in plaintext.

Rate limits

Limits are per-minute and depend on tenant plan or key tier:
• free        →    60 req/min
• pro         →   600 req/min
• enterprise  → 6 000 req/min
Anonymous calls to /v1/public/* are limited to 30/min per IP.
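
The following added example (not FirmIntel's own code) builds requests with the auth headers listed under Authentication and paces calls to the per-minute limits above. The host firmintel.example, the names MinuteWindow and build_request, and the choice to omit the key on /v1/public/* calls are assumptions of this example.

```python
import time
import urllib.parse
import urllib.request
from collections import deque

# Per-minute limits copied from the "Rate limits" section above.
LIMITS = {"anonymous": 30, "free": 60, "pro": 600, "enterprise": 6000}
BASE_URL = "https://firmintel.example"  # assumption: placeholder host


class MinuteWindow:
    """Client-side sliding 60-second window that keeps calls under a limit."""

    def __init__(self, per_minute, clock=time.monotonic):
        self.per_minute, self.clock, self.sent = per_minute, clock, deque()

    def wait_time(self):
        """Seconds until the next call fits in the window (0.0 means send now)."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= 60:
            self.sent.popleft()  # forget calls older than one minute
        if len(self.sent) < self.per_minute:
            return 0.0
        return 60 - (now - self.sent[0])

    def record(self):
        """Note that a call was just sent."""
        self.sent.append(self.clock())


def build_request(path, api_key=None, legacy_header=False, base_url=BASE_URL):
    """Build (without sending) a GET request carrying a documented auth header."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("base URL must be HTTPS so the key is not sent in clear")
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    # /v1/public/* needs no key, so do not expose one on those calls.
    if api_key and not path.startswith("/v1/public/"):
        if not api_key.startswith("fmi_"):
            raise ValueError("expected an API key of the form fmi_...")
        if legacy_header:
            req.add_header("X-API-Key", api_key)
        else:
            req.add_header("Authorization", f"Bearer {api_key}")
    return req
```

Call wait_time() before each request, sleep for the returned number of seconds, then call record() once the request is sent.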

Public endpoints (no key required)

GET  /v1/public/vulns/{id}          — canonical vuln record by CVE or canonical_id
GET  /v1/public/search?q=&limit=    — hybrid keyword+semantic search
GET  /v1/public/kev/recent?limit=   — most recently added KEV entries
GET  /v1/public/stats               — corpus counts
GET  /v1/public/sources             — last-successful upstream ingest run

Authenticated endpoints

GET  /v1/vulns/{id}                  — full record (history, sources_seen, sightings)
POST /v1/search                       — advanced filters, rerank, embeddings
POST /v1/rag/explain                  — LLM-grounded vuln explanation with citations
GET  /v1/firmware/{id}                — firmware analysis result
GET  /v1/auth/me                      — your principal, plan, roles

MCP

POST /mcp           — JSON-RPC 2.0 endpoint
GET  /mcp/info       — introspection (auth required)

Tools:
  search_vulns   · get_vuln       · lookup_cve
  list_recent_kev · recent_exploits · explain_vuln

See /developers/mcp for client configuration snippets.

OpenAPI / Schema

The full machine-readable schema is at GET /openapi.json. Import it into Postman, Bruno, or any OpenAPI-aware client. Strawberry GraphQL is also available at /graphql.