REST API¶
The platform exposes a REST API for integration with your systems — automation, SIEM, ticketing, custom dashboards.
Base URL¶
https://bcp.bytecode.team/api/v1/
Authentication¶
All requests require a Bearer token in the header:
http
Authorization: Bearer YOUR_API_TOKEN
How to get a token: see User Profile → API tokens.
Format¶
- Request/response — JSON.
- Dates — ISO 8601 UTC (
2026-06-29T10:23:45Z). - Pagination — cursor-based via
next_cursorparameter. - Errors — standard HTTP codes + JSON body with
error.codeanderror.message.
Main endpoints¶
Findings¶
| Method | Endpoint | Description |
|---|---|---|
GET |
/findings |
List findings with filters |
GET |
/findings/{id} |
Finding details |
PATCH |
/findings/{id} |
Update (status, tags, assignee) |
POST |
/findings/{id}/comment |
Add comment |
Filter parameters: severity, source, status, from, to, data_source.
Detection Sources¶
| Method | Endpoint | Description |
|---|---|---|
GET |
/detection-sources |
List connected services |
POST |
/detection-sources/{type}/scan |
Trigger ad-hoc scan |
Scan Schedules¶
| Method | Endpoint | Description |
|---|---|---|
GET |
/scan-schedules |
List schedules |
POST |
/scan-schedules |
Create |
PATCH |
/scan-schedules/{id} |
Update |
DELETE |
/scan-schedules/{id} |
Delete |
Reports¶
| Method | Endpoint | Description |
|---|---|---|
GET |
/reports |
List reports |
POST |
/reports |
Generate ad-hoc |
GET |
/reports/{id}/export?format={pdf\|docx\|csv} |
Export |
GET |
/scheduled-reports |
Scheduled reports |
POST |
/scheduled-reports |
Create |
DataSources¶
| Method | Endpoint | Description |
|---|---|---|
GET |
/data-sources |
List |
POST |
/data-sources |
Add |
DELETE |
/data-sources/{id} |
Delete |
Organization¶
| Method | Endpoint | Description |
|---|---|---|
GET |
/organization |
Current organization info |
GET |
/organization/members |
List team members |
POST |
/organization/invitations |
Invite |
Rate limits¶
- Default: 100 requests/min per token.
- Burst: up to 200/min short-term.
- Enterprise: higher limits by agreement.
On exceed — HTTP 429 with Retry-After header.
Examples¶
Get recent critical findings¶
bash
curl -H "Authorization: Bearer $TOKEN" \
"https://bcp.bytecode.team/api/v1/findings?severity=critical&status=new"
Close a finding as false positive¶
bash
curl -X PATCH \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"status": "false_positive", "comment": "Test key, not active"}' \
"https://bcp.bytecode.team/api/v1/findings/find_xyz789"
Trigger an HIBP scan¶
bash
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
"https://bcp.bytecode.team/api/v1/detection-sources/hibp/scan"
SDKs¶
Officially supported SDKs:
- Python:
pip install bcp-portal(github.com/bytecode-team/bcp-python) - JavaScript/TypeScript:
npm install @bytecode/bcp-portal - Go:
go get github.com/bytecode-team/bcp-go
OpenAPI spec¶
Full spec available at:
- Swagger UI: https://bcp.bytecode.team/api/v1/docs
- OpenAPI JSON: https://bcp.bytecode.team/api/v1/openapi.json
Support¶
api-support@bytecode.team — for technical questions.