Skip to content

REST API

The platform exposes a REST API for integration with your systems — automation, SIEM, ticketing, custom dashboards.

Base URL

https://bcp.bytecode.team/api/v1/

Authentication

All requests require a Bearer token in the header:

http Authorization: Bearer YOUR_API_TOKEN

How to get a token: see User Profile → API tokens.

Format

  • Request/response — JSON.
  • Dates — ISO 8601 UTC (2026-06-29T10:23:45Z).
  • Pagination — cursor-based via next_cursor parameter.
  • Errors — standard HTTP codes + JSON body with error.code and error.message.

Main endpoints

Findings

Method Endpoint Description
GET /findings List findings with filters
GET /findings/{id} Finding details
PATCH /findings/{id} Update (status, tags, assignee)
POST /findings/{id}/comment Add comment

Filter parameters: severity, source, status, from, to, data_source.

Detection Sources

Method Endpoint Description
GET /detection-sources List connected services
POST /detection-sources/{type}/scan Trigger ad-hoc scan

Scan Schedules

Method Endpoint Description
GET /scan-schedules List schedules
POST /scan-schedules Create
PATCH /scan-schedules/{id} Update
DELETE /scan-schedules/{id} Delete

Reports

Method Endpoint Description
GET /reports List reports
POST /reports Generate ad-hoc
GET /reports/{id}/export?format={pdf\|docx\|csv} Export
GET /scheduled-reports Scheduled reports
POST /scheduled-reports Create

DataSources

Method Endpoint Description
GET /data-sources List
POST /data-sources Add
DELETE /data-sources/{id} Delete

Organization

Method Endpoint Description
GET /organization Current organization info
GET /organization/members List team members
POST /organization/invitations Invite

Rate limits

  • Default: 100 requests/min per token.
  • Burst: up to 200/min short-term.
  • Enterprise: higher limits by agreement.

On exceed — HTTP 429 with Retry-After header.

Examples

Get recent critical findings

bash curl -H "Authorization: Bearer $TOKEN" \ "https://bcp.bytecode.team/api/v1/findings?severity=critical&status=new"

Close a finding as false positive

bash curl -X PATCH \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{"status": "false_positive", "comment": "Test key, not active"}' \ "https://bcp.bytecode.team/api/v1/findings/find_xyz789"

Trigger an HIBP scan

bash curl -X POST \ -H "Authorization: Bearer $TOKEN" \ "https://bcp.bytecode.team/api/v1/detection-sources/hibp/scan"

SDKs

Officially supported SDKs:

OpenAPI spec

Full spec available at:

Support

api-support@bytecode.team — for technical questions.