API Reference
Programmatic access to the APVISO control plane. Manage self-hosted runners and targets, start BYOK pentests, and retrieve findings through our REST API.
Authentication
All API requests require an API key passed in the X-API-Key header. Keys are prefixed with apvk_. Generate one in Settings → API Keys.
curl -H "X-API-Key: apvk_your_key_here" \
  https://apviso.com/api/v1/quota
Base URL
All endpoints are relative to:
https://apviso.com/api/v1
Rate Limits
API requests are limited to 120 requests per minute per API key. Rate limit information is included in response headers:
| Header | Description |
|---|---|
| x-ratelimit-limit | Maximum requests per window |
| x-ratelimit-remaining | Remaining requests in current window |
| x-ratelimit-reset | Unix timestamp when the window resets |
When the limit is exceeded, the API returns 429 Too Many Requests with a Retry-After header.
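A client can turn these headers into a pause before its next request. The following is an added example, not APVISO's own client code: the helper names `wait_seconds` and `get`, the `MAX_WAIT` cap, and the reading of Retry-After as a number of seconds are assumptions.

```python
import time
import urllib.error
import urllib.request

BASE_URL = "https://apviso.com/api/v1"  # base URL from this page
MAX_WAIT = 120.0  # assumption: upper bound so a bad header cannot stall the client


def wait_seconds(status, headers, now):
    """Seconds to pause, derived from the documented rate-limit headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    retry_after = h.get("retry-after", "")
    reset = h.get("x-ratelimit-reset", "")
    if status == 429 and retry_after.isdigit():
        # Assumption: Retry-After is given in seconds, not as an HTTP date.
        return min(float(retry_after), MAX_WAIT)
    if status == 429 or h.get("x-ratelimit-remaining") == "0":
        if reset.isdigit():
            # x-ratelimit-reset is a Unix timestamp for the end of the window.
            return min(max(0.0, float(reset) - now), MAX_WAIT)
        return 1.0 if status == 429 else 0.0
    return 0.0


def get(path, api_key, max_attempts=3):
    """GET BASE_URL + path, honouring 429 responses and exhausted windows."""
    for _ in range(max_attempts):
        req = urllib.request.Request(BASE_URL + path,
                                     headers={"X-API-Key": api_key})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                status, headers = resp.status, dict(resp.headers.items())
                body = resp.read()
        except urllib.error.HTTPError as err:
            status, headers = err.code, dict(err.headers.items())
            body = err.read()
        # Pause on 429, and also when this response used up the window.
        time.sleep(wait_seconds(status, headers, time.time()))
        if status != 429:
            return status, body
    raise RuntimeError("still rate limited after %d attempts" % max_attempts)
```

Pass the key to `get` from a secret store or environment variable rather than embedding it in source.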
Error Codes
| Status | Meaning |
|---|---|
| 200 | Success |
| 201 | Resource created |
| 202 | Accepted (e.g., report still generating) |
| 400 | Bad request - invalid parameters |
| 401 | Unauthorized - invalid or missing API key |
| 402 | Payment or license action required |
| 403 | Forbidden - insufficient plan or inactive license |
| 404 | Resource not found |
| 409 | Conflict (e.g., target has pentests, can't delete) |
| 422 | Validation error |
| 429 | Rate limit exceeded |
| 500 | Internal server error |
Endpoints
Browse endpoints by section. Each section page includes request/response examples and parameter details.
Quota
Check your self-hosted license summary
Runners
Register and monitor customer-installed self-hosted runners
Targets
Manage self-hosted pentest targets
Pentests
Start and manage penetration tests
Findings
View and manage vulnerability findings
Reports
Access pentest reports in markdown and PDF formats
Schedules
Set up recurring automated pentests (Team+ tier)