API Reference
Complete REST API documentation for RaSEC. All endpoints require authentication and return JSON responses.
Overview
The RaSEC API provides programmatic access to all security testing tools and features. The API follows RESTful principles and uses JSON for request and response payloads.
API Version: All endpoints are currently unversioned. Future breaking changes will be introduced with versioned endpoints (e.g., /api/v2/).
Authentication
All API endpoints require authentication using Bearer tokens in the Authorization header.
API Tokens
API tokens provide programmatic access to RaSEC. Create tokens from Settings → API Tokens in the dashboard.
Authorization: <AUTH_HEADER>
Replace <AUTH_HEADER> with your Authorization header (Bearer scheme required).
Session Authentication
For browser-based requests, you can use session cookies from an authenticated session. This is automatically handled when making requests from the web application.
Security: Never expose API tokens in client-side code or public repositories. Tokens are only shown once when created. Store them securely.
Base URL
All API endpoints are relative to the base URL:
https://rasec.app/api
For local development: http://localhost:3000/api
Rate Limiting
API requests are rate-limited per organization to ensure fair usage and system stability. Rate limit information is included in response headers:
X-RateLimit-Limit - Maximum requests per window
X-RateLimit-Remaining - Remaining requests in the current window
X-RateLimit-Reset - Unix timestamp when the limit resets
When rate limited, the API returns a 429 Too Many Requests status code.
Error Handling
The API uses standard HTTP status codes and returns error details in JSON format:
400 Bad Request
Invalid request parameters or validation errors
{
  "error": "Validation failed",
  "details": {
    "fieldErrors": {
      "url": ["Invalid URL"]
    }
  }
}
401 Unauthorized
Missing or invalid authentication token
{
  "error": "Unauthorized",
  "message": "Invalid or missing API token"
}
403 Forbidden
Authenticated but lacks required permissions
429 Too Many Requests
Rate limit exceeded
500 Internal Server Error
Server error occurred
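The rate-limit headers and error envelope above are what a client has to act on. The following is an added example (not RaSEC's own client code) showing how to build the Bearer header, read X-RateLimit-* case-insensitively, pull the error string and fieldErrors out of a 400 body, and retry only on 429 and 5xx. It assumes X-RateLimit-Reset is a Unix timestamp in seconds and that 5xx responses are safe to retry with exponential backoff; the page states neither.

```python
"""Client-side handling of RaSEC API responses: Bearer auth header, the X-RateLimit-*
headers and the error envelope. Added example, not RaSEC's own code.
Assumptions (not stated on the page): X-RateLimit-Reset is a Unix timestamp in
seconds, and 5xx responses are safe to retry with exponential backoff."""
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Outcome:
    status: int
    ok: bool
    retryable: bool = False          # 429 and 5xx only; never 400/401/403
    retry_after: float = 0.0         # seconds to wait, derived from X-RateLimit-Reset on 429
    error: str = ""                  # top-level "error" string from the JSON body
    field_errors: Dict[str, list] = field(default_factory=dict)  # details.fieldErrors on 400
    remaining: Optional[int] = None  # X-RateLimit-Remaining, if the header was present


def auth_header(token: str) -> Dict[str, str]:
    """Build the Authorization header. The API requires the Bearer scheme."""
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("API token must be non-empty and contain no whitespace")
    return {"Authorization": f"Bearer {token}"}


def classify(status: int, headers: Dict[str, str], body: bytes,
             now: Optional[float] = None) -> Outcome:
    """Map a raw (status, headers, body) triple onto an Outcome the caller can act on.

    Header names are compared case-insensitively, as HTTP allows any casing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    remaining = int(h["x-ratelimit-remaining"]) if "x-ratelimit-remaining" in h else None
    if 200 <= status < 300:
        return Outcome(status=status, ok=True, remaining=remaining)

    try:
        payload = json.loads(body or b"{}")
    except json.JSONDecodeError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}
    error = str(payload.get("error", f"HTTP {status}"))
    details = payload.get("details")
    field_errors = details.get("fieldErrors", {}) if isinstance(details, dict) else {}

    retry_after = 0.0
    if status == 429:
        # Wait until the window resets, and never less than a second, so we do not hammer the API.
        now = time.time() if now is None else now
        reset = float(h.get("x-ratelimit-reset", now))
        retry_after = max(1.0, reset - now)

    return Outcome(status=status, ok=False,
                   retryable=(status == 429 or status >= 500),
                   retry_after=retry_after, error=error,
                   field_errors=field_errors, remaining=remaining)


def request_with_backoff(send: Callable[[], Tuple[int, Dict[str, str], bytes]],
                         max_attempts: int = 4,
                         sleep: Callable[[float], None] = time.sleep,
                         now: Callable[[], float] = time.time) -> Outcome:
    """Call send() until the outcome is not retryable or attempts run out.

    On 429 the wait comes from X-RateLimit-Reset; on 5xx it doubles each attempt (1s, 2s, 4s).
    sleep and now are injectable so the loop can be exercised without waiting.
    """
    delay = 1.0
    outcome = classify(500, {}, b"")
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        outcome = classify(status, headers, body, now=now())
        if not outcome.retryable or attempt == max_attempts:
            break
        sleep(outcome.retry_after if status == 429 else delay)
        delay *= 2
    return outcome


if __name__ == "__main__":
    # Constructed responses mirroring the documented error envelope.
    print(classify(400, {}, b'{"error":"Validation failed","details":{"fieldErrors":{"url":["Invalid URL"]}}}'))
    print(classify(429, {"X-RateLimit-Reset": "1700000010", "X-RateLimit-Remaining": "0"}, b"", now=1700000000.0))
```

401 and 403 are deliberately not retryable: a rejected or under-privileged token will not start working on the next attempt, and retrying it only burns rate-limit budget.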
Tool APIs
Tool APIs allow you to execute security testing tools programmatically. All tool endpoints require tools:run permission.
DAST Scanner
POST /api/tools/dast
Dynamic Application Security Testing. Analyzes web applications for vulnerabilities.
See DAST documentation for details.
SAST Analyzer
POST /api/tools/sast
Static Application Security Testing. Analyzes source code for security vulnerabilities.
See SAST documentation for details.
Security Headers
POST /api/tools/headers
Analyzes HTTP security headers (CSP, HSTS, X-Frame-Options, etc.).
Other Tools
Additional specialized tools available via API:
POST /api/tools/dom-xss - DOM XSS Pathfinder
POST /api/tools/jwt - JWT Analyzer
POST /api/tools/file-upload - File Upload Auditor
POST /api/tools/subdomain-finder - Subdomain Finder
POST /api/tools/url-finder - URL Finder
POST /api/tools/js-recon - JS Reconnaissance
POST /api/tools/payload-forge - Payload Forge
POST /api/tools/ssti-forge - SSTI Forge
POST /api/tools/oob-helper - OOB Interaction Helper
POST /api/tools/privesc - PrivEsc Pathfinder
Ingestion API
The Ingestion API allows you to upload security tool outputs (SARIF, Nuclei, ZAP, Burp) for automated parsing, deduplication, and integration into your security findings.
Upload Artifact
POST /api/ingestion/upload
Upload a security artifact file for processing. Supports multipart/form-data.
Supported Formats:
- SARIF (.sarif, .json)
- Nuclei (.json)
- OWASP ZAP (.json, .xml)
- Burp Suite (.json)
File Size Limit: 50MB
curl -X POST https://rasec.app/api/ingestion/upload \
-H "<AUTH_HEADER>" \
-F "file=@report.sarif"
Replace <AUTH_HEADER> with your Authorization header (Bearer scheme required).
Response:
{
  "jobId": "uuid",
  "status": "pending",
  "format": "sarif",
  "message": "Artifact uploaded successfully. Processing started."
}
Get Job Status
GET /api/ingestion/jobs/{jobId}
Get the status and results of an ingestion job.
Status Values:
pending - Job is queued for processing
processing - Job is currently being processed
completed - Job completed successfully
failed - Job failed with an error
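The curl call above covers the upload; the job then has to be polled until it reaches completed or failed. The following added example (not RaSEC's own client) does both in the standard library only: it checks the extension and the 50MB limit before sending, builds the multipart/form-data body by hand with the file field named "file" as in the curl example, and polls GET /api/ingestion/jobs/{jobId} with a growing interval. It assumes the job JSON carries a "status" key with the values listed above; BASE_URL and the token are placeholders.

```python
"""Upload a scanner report to the RaSEC Ingestion API and wait for the job to finish.
Added example, not RaSEC's own client. Assumptions (not on the page): the multipart
field is named "file" as in the curl example, the job JSON has a "status" key with the
values listed above, and BASE_URL / the token are placeholders you replace."""
import json
import secrets
import time
import urllib.request
from pathlib import Path
from typing import Callable, Dict, List, Tuple

BASE_URL = "https://rasec.app/api"          # or http://localhost:3000/api for local development
MAX_BYTES = 50 * 1024 * 1024                # documented 50MB limit
SUPPORTED_SUFFIXES = {".sarif", ".json", ".xml"}
TERMINAL_STATUSES = {"completed", "failed"}


def check_artifact(filename: str, data: bytes) -> List[str]:
    """Return a list of problems (empty when the file is acceptable to upload)."""
    problems = []
    suffix = Path(filename).suffix.lower()
    if suffix not in SUPPORTED_SUFFIXES:
        problems.append(f"unsupported extension {suffix!r}")
    if len(data) > MAX_BYTES:
        problems.append(f"{len(data)} bytes exceeds the 50MB limit")
    return problems


def encode_multipart(field_name: str, filename: str, data: bytes,
                     boundary: str = None) -> Tuple[bytes, str]:
    """Build a multipart/form-data body by hand (no third-party dependency).

    Returns (body, Content-Type value). The filename is stripped of characters that
    would let it break out of the Content-Disposition header.
    """
    boundary = boundary or secrets.token_hex(16)
    safe_name = Path(filename).name.replace('"', "").replace("\r", "").replace("\n", "")
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field_name}"; filename="{safe_name}"\r\n'
        f"Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def upload_artifact(path: str, token: str, opener=urllib.request.urlopen) -> dict:
    """POST /api/ingestion/upload; returns the parsed JSON ({"jobId": ..., "status": ...})."""
    data = Path(path).read_bytes()
    problems = check_artifact(path, data)
    if problems:
        raise ValueError("; ".join(problems))
    body, content_type = encode_multipart("file", path, data)
    req = urllib.request.Request(
        f"{BASE_URL}/ingestion/upload", data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": content_type},
    )
    with opener(req) as resp:
        return json.load(resp)


def poll_job(job_id: str, token: str,
             fetch: Callable[[str, Dict[str, str]], dict],
             sleep: Callable[[float], None] = time.sleep,
             max_polls: int = 30) -> dict:
    """GET /api/ingestion/jobs/{jobId} until status is completed or failed.

    fetch(url, headers) -> parsed JSON is injected so the loop can run offline; the
    poll interval doubles from 1s up to a 15s cap.
    """
    url = f"{BASE_URL}/ingestion/jobs/{job_id}"
    headers = {"Authorization": f"Bearer {token}"}
    delay = 1.0
    for _ in range(max_polls):
        job = fetch(url, headers)
        if job.get("status") in TERMINAL_STATUSES:
            return job
        sleep(delay)
        delay = min(delay * 2, 15.0)
    raise TimeoutError(f"job {job_id} still not finished after {max_polls} polls")


def fetch_json(url: str, headers: Dict[str, str]) -> dict:
    """Real fetcher for poll_job: GET the URL with the given headers and parse the JSON."""
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)
```

Typical use is `job = upload_artifact("report.sarif", token)` followed by `poll_job(job["jobId"], token, fetch_json)`. The size check runs before the request is built so a 50MB-plus report is rejected locally instead of being streamed to the server only to get a 400 back.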
Webhooks
Webhooks allow you to receive real-time notifications when events occur in RaSEC. Configure webhooks from Settings → Webhooks in the dashboard.
Webhook Events
finding.created - New vulnerability found
ingestion.completed - Ingestion job completed
ingestion.failed - Ingestion job failed
tool.run.completed - Tool execution completed
Webhook Security
Webhook payloads are signed with HMAC-SHA256 using a secret you configure. Verify signatures to ensure requests are from RaSEC.
X-RaSEC-Signature: sha256=signature_here
X-RaSEC-Timestamp: 1234567890
Retry Logic
Failed webhook deliveries are automatically retried with exponential backoff. Delivery history is available in the webhook management interface.
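Verifying the X-RaSEC-Signature and X-RaSEC-Timestamp headers described under Webhook Security, as an added example that is not RaSEC's own code. The page does not say what bytes are signed, so the example assumes the HMAC-SHA256 input is "<timestamp>.<raw request body>" (change signed_message() if RaSEC documents a different input), and the 5-minute freshness window is a chosen value, not a documented one. Because retries re-deliver the same payload, a receiver should also tolerate seeing one delivery more than once.

```python
"""Verify a RaSEC webhook delivery using the X-RaSEC-Signature and X-RaSEC-Timestamp
headers. Added example, not RaSEC's own code.
Assumption (the page does not say what exactly is signed): the HMAC-SHA256 input is
"<timestamp>.<raw request body>", so an old body cannot be replayed under a fresh
timestamp. Change signed_message() if RaSEC documents a different input. The
5-minute tolerance window is a chosen value, not a documented one."""
import hashlib
import hmac
import time
from typing import Dict, Optional

SIGNATURE_HEADER = "X-RaSEC-Signature"   # documented form: "sha256=<hex digest>"
TIMESTAMP_HEADER = "X-RaSEC-Timestamp"   # documented form: Unix timestamp
TOLERANCE_SECONDS = 300                  # chosen freshness window, not from the page


def signed_message(timestamp: str, body: bytes) -> bytes:
    # Use the timestamp string exactly as received, not re-formatted, so both sides hash the same bytes.
    return timestamp.encode("ascii") + b"." + body


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    digest = hmac.new(secret, signed_message(timestamp, body), hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> bool:
    """Return True only if the timestamp is fresh and the signature matches.

    Verify over the raw request bytes, before any JSON parsing, so that re-serialisation
    cannot alter what is hashed. The comparison is constant-time.
    """
    h = {k.lower(): v for k, v in headers.items()}
    signature = h.get(SIGNATURE_HEADER.lower())
    timestamp = h.get(TIMESTAMP_HEADER.lower())
    if not signature or not timestamp:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:      # reject stale or far-future deliveries
        return False
    expected = compute_signature(secret, timestamp, body)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed delivery: the signing secret and payload are made up for this example.
    secret = b"whsec_constructed_example_secret"
    body = b'{"event":"finding.created","finding":{"severity":"high"}}'
    ts = str(int(time.time()))
    headers = {SIGNATURE_HEADER: compute_signature(secret, ts, body), TIMESTAMP_HEADER: ts}
    print("valid:", verify_webhook(secret, headers, body))
```

In a web framework, pass the raw request body bytes (not a re-encoded parsed object) and the request headers to verify_webhook before doing any work with the payload, and return a 4xx on failure so RaSEC's retry logic does not keep redelivering a rejected message as if it had been lost.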
API Token Management
Create Token
POST /api/settings/api-tokens
Create a new API token. Tokens are only shown once when created.
List Tokens
GET /api/settings/api-tokens
List all API tokens for your organization. Token values are never returned.
Revoke Token
DELETE /api/settings/api-tokens/{tokenId}
Revoke an API token. Revoked tokens cannot be used for authentication.
Next Steps
Learn more about integrating RaSEC into your workflow: