
REST API

The machine scan API lets a program do what the dashboard does: create a scan, wait for it to finish, and read the findings. It is a thin surface over the same engine — same scan types, same finding model.

  • Base URL — https://api.anthrion.xyz
  • Auth — a machine API key in the x-anthrion-api-key header
  • Routes — create / get / download report, all under /machine/scans

Create a scan

POST /machine/scans with a scan type and a target. The target shape depends on the scan type (see Scan types); a repository scan takes a repo-url target:

bash
curl -X POST https://api.anthrion.xyz/machine/scans \
  -H "x-anthrion-api-key: $ANTHRION_API_KEY" \
  -H "content-type: application/json" \
  -d '{
    "scanType": "white-box",
    "target": { "kind": "repo-url", "url": "https://github.com/owner/repo" }
  }'

The response carries the new scan id and its initial status:

json
{ "scanId": "cmp...", "status": "QUEUED" }

Poll for the result

GET /machine/scans/:id returns the scan's current state. Poll it until status is DONE or FAILED, and back off (rather than tightening the loop) if a poll comes back 429:

bash
curl https://api.anthrion.xyz/machine/scans/SCAN_ID \
  -H "x-anthrion-api-key: $ANTHRION_API_KEY"

A finished scan returns its findings in the normalized model:

json
{
  "status": "DONE",
  "findings": [
    {
      "severity": "HIGH",
      "category": "taint-sql-injection",
      "title": "SQL injection: untrusted input reaches a SQL query",
      "description": "Untrusted data flows to a SQL sink with no sanitizer on the path.",
      "recommendation": "Use parameterized queries / prepared statements."
    }
  ]
}

Download the report

GET /machine/scans/:id/report streams the PDF report for a finished scan.

bash
curl -L https://api.anthrion.xyz/machine/scans/SCAN_ID/report \
  -H "x-anthrion-api-key: $ANTHRION_API_KEY" -o report.pdf

Responses to handle

| Status | Meaning |
|---|---|
| 201 | Scan created |
| 401 | Missing, unknown or revoked API key |
| 402 | Payment required (a priced scan) — see Payments. Free during launch. |
| 429 | Rate limited — slow your polling and retry |

Note

Building an autonomous agent? The MCP server wraps this same API as agent tools, including the x402 pay flow — so an agent can scan and pay on its own.