Endpoint
Request
| Header | Value |
|---|---|
| X-API-Key | Your ZenVeil API key |
| Content-Type | application/json |
Body
{
  "url": "https://api.your-app.com"
}
| Field | Type | Required | Description |
|---|---|---|---|
| url | string | Yes | The API base URL to scan. Must be publicly accessible. |
Private IP addresses, localhost, and loopback addresses are blocked (SSRF protection). Only publicly reachable URLs are accepted.
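A client-side pre-flight check for the rule above, as an added example that is not ZenVeil's code: it rejects targets the note describes as blocked before they are submitted. The function names, the sample DNS table and the exact set of rejected ranges are assumptions; the service's own check may differ.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {
    "api.your-app.com": ["8.8.8.8"],
    "internal.your-app.com": ["10.0.0.5"],
}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError("no such host")
    return SAMPLE_DNS[host]

def system_resolver(host):
    """Every address the name maps to, using the local resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_scan_target(url, resolver=system_resolver):
    """Return (ok, reason) for a value about to be sent as "url"."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "not an http(s) URL with a host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost"
    try:
        ipaddress.ip_address(host)
        candidates = [host]              # host is an IP literal
    except ValueError:
        try:
            candidates = resolver(host)  # host is a DNS name
        except OSError:
            return False, "hostname does not resolve"
    for text in candidates:
        ip = ipaddress.ip_address(text)
        # ::ffff:a.b.c.d is judged by the IPv4 address it wraps.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if ip.is_loopback:
            return False, f"loopback address {ip}"
        if ip.is_private:
            return False, f"private address {ip}"
        if not ip.is_global:
            return False, f"non-public address {ip}"
    return True, "ok"

if __name__ == "__main__":
    for u in ("https://api.your-app.com", "http://internal.your-app.com/v1"):
        print(u, check_scan_target(u, sample_resolver))
```

A URL that passes this check locally can still be rejected, because the scanner resolves and reaches the target from its own network.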
Response
Same structure as /v1/scan/github — see Scan GitHub for the full schema.
{
  "scan_id": "b2c3d4e5f6g7",
  "status": "completed",
  "target_type": "api",
  "target": "https://api.your-app.com",
  "started_at": "2026-05-25T09:41:22Z",
  "completed_at": "2026-05-25T09:41:23Z",
  "finding_count": 2,
  "findings": [
    {
      "id": "ZG-H1I2J3",
      "category": "headers",
      "severity": "HIGH",
      "title": "Missing Content-Security-Policy",
      "description": "The Content-Security-Policy header is not set...",
      "evidence": "CSP header absent in HTTP response.",
      "location": {
        "target": "https://api.your-app.com",
        "url": "https://api.your-app.com",
        "method": "GET"
      },
      "scanner_name": "api_headers",
      "remediation": "Add Content-Security-Policy header with appropriate directives.",
      "confidence": 0.99,
      "owasp_categories": ["A05:2021"]
    }
  ]
}
Examples
curl -X POST https://api.zenveil.dev/v1/scan/api \
  -H "X-API-Key: zvk_live_your_key" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://api.your-app.com"}'
Error responses
| Status | Error | Cause |
|---|---|---|
| 400 | Could not reach target URL | URL is not publicly accessible or timed out |
| 400 | Bad request | URL contains a private IP address (SSRF protection) |
| 500 | Scan failed | Unexpected error |