API Reference

Complete REST API documentation. All endpoints return JSON. Dashboard APIs use session cookies; CI/CD APIs use API keys.

Authentication

Dashboard APIs (/api/*)

Authenticated automatically via Supabase session cookie in the browser.

CI/CD API (/api/v1/*)

Pass your API key via header:

HTTP
x-api-key: ap_live_abc123...

Or, equivalently, using a Bearer token:

HTTP
Authorization: Bearer ap_live_abc123...

CI/CD Scan

POST /api/v1/scan

Trigger an accessibility scan from CI/CD.

POST /api/v1/scan request parameters
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| url | string | Yes | Site URL (must match registered site) |
| threshold | number | No | Minimum score to pass (0-100) |
| wait | boolean | No | Block until complete (max 5 min) |
| max_pages | number | No | Override page limit |

GET /api/v1/scan?id={scanId}

Poll scan status and results.
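An added example (not part of the original API documentation) showing how a CI job can build the two /api/v1/scan requests while keeping the API key out of source code and build logs. The base URL, the A11Y_API_KEY variable name, and the JSON request body are assumptions; the page does not specify them.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumption: placeholder host; the page does not state the API's base URL.
BASE_URL = "https://accessibility-api.example.invalid"


def load_api_key(env=os.environ, var="A11Y_API_KEY"):
    """Read the key from the environment (the variable name is hypothetical)."""
    key = env.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set; inject it from the CI secret store")
    return key


def redact(key):
    """Form of the key that is safe to print in build logs (prefix only)."""
    return key[:8] + "..." if len(key) > 8 else "***"


def _auth_headers(api_key):
    # Bearer form from the page; 'x-api-key: <key>' is the equivalent header.
    return {"Authorization": f"Bearer {api_key}"}


def build_scan_request(api_key, url, threshold=None, wait=None, max_pages=None):
    """POST /api/v1/scan with only the documented parameters (JSON body assumed)."""
    body = {"url": url}
    if threshold is not None:
        if not 0 <= threshold <= 100:
            raise ValueError("threshold must be between 0 and 100")
        body["threshold"] = threshold
    if wait is not None:
        body["wait"] = bool(wait)
    if max_pages is not None:
        body["max_pages"] = int(max_pages)
    headers = {**_auth_headers(api_key), "Content-Type": "application/json"}
    return urllib.request.Request(f"{BASE_URL}/api/v1/scan", method="POST",
                                  data=json.dumps(body).encode(), headers=headers)


def build_poll_request(api_key, scan_id):
    """GET /api/v1/scan?id={scanId}; the id is URL-encoded, never concatenated raw."""
    query = urllib.parse.urlencode({"id": scan_id})
    return urllib.request.Request(f"{BASE_URL}/api/v1/scan?{query}",
                                  headers=_auth_headers(api_key))
```

Pass the returned objects to urllib.request.urlopen with a timeout to send them; with wait set, the timeout has to cover the documented 5-minute maximum.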

API Keys

API Keys endpoints
| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/api-keys | List keys (hashes hidden) |
| POST | /api/api-keys | Create key (full key shown once) |
| DELETE | /api/api-keys?id={id} | Revoke key |

Sites

Sites endpoints
| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/sites | List all sites |
| POST | /api/sites | Add a site |
| GET | /api/sites/{id} | Get site details |
| PATCH | /api/sites/{id} | Update site |
| DELETE | /api/sites/{id} | Remove site |
| POST | /api/sites/{id}/verify | Verify ownership |

Scans

Scans endpoints
| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/scans | List scan jobs |
| POST | /api/scans | Trigger manual scan |
| GET | /api/scans/{id} | Scan details |
| GET | /api/scans/{id}/pages | Per-page results |

Violations

Violations endpoints
| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/violations | List violations (filterable) |
| GET | /api/violations/{id} | Violation details (includes screenshots, workflow state) |
| PATCH | /api/violations/{id} | Update status (open, in progress, resolved, suppressed, accepted exception), set assignee, or attach a suppression / exception reason |
| POST | /api/violations/{id}/fix | Generate AI fix suggestion |
| GET | /api/violations/{id}/comments | List comments on a violation |
| POST | /api/violations/{id}/comments | Add a comment |
| GET | /api/violations/{id}/events | Get workflow event history |
| GET | /api/export/ai-instructions | Download AI fix instructions (Markdown) |

Reports

Reports endpoints
| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/vpats | List VPATs |
| POST | /api/vpats | Generate VPAT |
| GET | /api/vpats/{id} | VPAT details |
| GET | /api/vpats/{id}/pdf | Download VPAT as PDF |
| POST | /api/statements | Publish accessibility statement |
| POST | /api/certificates | Generate conformance certificate |

Sharing

Sharing endpoints
| Method | Endpoint | Description |
| --- | --- | --- |
| POST | /api/shared-reports | Create a shareable report link (30-day expiry) |
| GET | /api/shared-reports | List active shared links for a site |
| DELETE | /api/shared-reports?id={id} | Revoke a shared link |

Organizations

Organizations endpoints
| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/organizations | List your organizations |
| POST | /api/organizations | Create an organization |
| POST | /api/organizations/switch | Switch active organization |
| POST | /api/organizations/leave | Leave an organization |
| POST | /api/organizations/transfer | Transfer ownership |
| POST | /api/organizations/delete | Delete organization (owner, email-verified) |

Team & Settings

Team and settings endpoints
| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/team | List members |
| POST | /api/team | Invite member |
| DELETE | /api/team?id={id} | Remove member |
| GET | /api/audit-log | View audit log (admin/owner) |
| GET | /api/settings | Get org settings |
| PATCH | /api/settings | Update org settings |

Webhooks

Each organization has a single outbound webhook URL and signing secret. Configure both with PATCH /api/settings (fields webhook_url and webhook_secret); fetch the current configuration with GET /api/settings. Set the URL to an empty string or the secret to empty to disable delivery. See Webhooks for payload shape, supported events, and signature verification.

User

User endpoints
| Method | Endpoint | Description |
| --- | --- | --- |
| POST | /api/user/avatar | Upload profile avatar |
| DELETE | /api/user/avatar | Remove profile avatar |
| GET | /api/user/notification-prefs | Get notification preferences |
| PATCH | /api/user/notification-prefs | Update notification preferences |