Targets API - apviso [APVISO](/)Product Resources Developers Company [Pricing](/#pricing)[Partners](/partners)[Enterprise](/enterprise) [Login](/login)[Start free pentest](/register?intent=free-local-pentest) [Login](/login)[Start free](/register?intent=free-local-pentest) [Home](/)[Knowledge Base](/docs)[API Reference](/docs/api)TargetsTargets ======= Manage self-hosted pentest targets POST`/v1/targets` ### Create a target Register a new domain, IP address, internal host, or local URL as a self-hosted pentest target. #### Request Body NameTypeDescription`domain`required `string`Canonical domain name or host label for the target.`displayUrl` `string`Human-facing URL shown in APVISO. Defaults to `domain`.`scanUrl` `string`Runtime URL the runner should scan. Use this for private, localhost, or split-horizon addresses reachable only from the runner.`visibility` `string`publicstaging\_previewprivate\_internallocalhostpartner\_client Target visibility class used for license checks and runner networking. #### Example Request bashCopy ``` curl -X POST "https://apviso.com/api/v1/targets" \ -H "X-API-Key: apvk_your_key_here" \ -H "Content-Type: application/json" \ -d '{ "domain": "staging.example.com", "displayUrl": "https://staging.example.com", "scanUrl": "http://host.docker.internal:4000", "visibility": "localhost" }' ``` #### Response Returns the newly created target with its unique ID. Pentest starts are gated by license state, target visibility, and runner readiness. jsonCopy ``` { "target": { "id": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b", "domain": "staging.example.com", "displayUrl": "https://staging.example.com", "scanUrl": "http://host.docker.internal:4000", "visibility": "localhost", "executionMode": "self_hosted_runner", "authConfigMode": "runner_local", "createdAt": "2026-05-03T09:15:32Z" } } ``` GET`/v1/targets` ### List targets Retrieve a paginated list of all targets registered to your account. Results are ordered by creation date (newest first). #### Query Parameters NameTypeDescription`page` `number`Default: `1` Page number for pagination`limit` `number`Default: `20` Number of results per page (max 100) #### Example Request bashCopy ``` curl -X GET "https://apviso.com/api/v1/targets" \ -H "X-API-Key: apvk_your_key_here" ``` #### Response Returns a paginated list of targets with last pentest timestamp and runner-local authentication mode. jsonCopy ``` { "targets": [ { "id": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b", "domain": "example.com", "displayUrl": "https://example.com", "scanUrl": "https://example.com", "visibility": "public", "authConfigMode": "runner_local", "createdAt": "2026-05-03T09:15:32Z" }, { "id": "019414b2-a3d1-7e8b-c4f6-1d2e3f4a5b6c", "domain": "staging.example.com", "displayUrl": "https://staging.example.com", "scanUrl": "http://host.docker.internal:4000", "visibility": "localhost", "authConfigMode": "runner_local", "createdAt": "2026-05-02T10:48:21Z" } ], "total": 2, "page": 1, "limit": 20, "totalPages": 1 } ``` GET`/v1/targets/:id` ### Get target details Retrieve detailed information about a specific target, including runner-local authentication mode and pentest history summary. #### Path Parameters NameTypeDescription`id`required `string`Target ID (UUIDv7) #### Example Request bashCopy ``` curl -X GET "https://apviso.com/api/v1/targets/:id" \ -H "X-API-Key: apvk_your_key_here" ``` #### Response Returns the full target object including pentest count, open findings count, and auth mode. Target app credentials are runner-local and are never sent to APVISO. jsonCopy ``` { "target": { "id": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b", "domain": "example.com", "displayUrl": "https://example.com", "scanUrl": "https://example.com", "visibility": "public", "executionMode": "self_hosted_runner", "authConfigMode": "runner_local", "createdAt": "2026-05-03T09:15:32Z" } } ``` DELETE`/v1/targets/:id` ### Delete a target Permanently delete a target and its associated runner routing settings. This operation will fail with a 409 Conflict if any pentests exist for this target. Delete all associated pentests first, or use this only for targets that were never scanned. This endpoint returns 409 Conflict if the target has any associated pentests. You must delete all pentests for the target before deleting it. #### Path Parameters NameTypeDescription`id`required `string`Target ID (UUIDv7) #### Example Request bashCopy ``` curl -X DELETE "https://apviso.com/api/v1/targets/:id" \ -H "X-API-Key: apvk_your_key_here" ``` #### Response Returns a confirmation message on success. Returns 409 Conflict if pentests exist for this target. jsonCopy ``` { "message": "Target deleted" } ``` POST`/v1/targets/:id/verify` ### Deprecated target verification Deprecated compatibility endpoint. Self-hosted targets do not require DNS, file, or meta-tag ownership verification. #### Path Parameters NameTypeDescription`id`required `string`Target ID (UUIDv7) #### Request Body NameTypeDescription`method` `string`dns\_txtfilemeta\_tag Ignored compatibility field #### Example Request bashCopy ``` curl -X POST "https://apviso.com/api/v1/targets/:id/verify" \ -H "X-API-Key: apvk_your_key_here" \ -H "Content-Type: application/json" \ -d '{ "method": "dns_txt" }' ``` #### Response Returns a verified=true compatibility response with a deprecated flag. jsonCopy ``` { "target": { "id": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b", "domain": "example.com", "authConfigMode": "runner_local" }, "verified": true, "deprecated": true, "message": "Target ownership verification is no longer required for self-hosted runners." } ``` GET`/v1/targets/:id/verify/instructions` ### Deprecated verification instructions Deprecated compatibility endpoint. Self-hosted targets do not have verification tokens or ownership proof instructions. #### Path Parameters NameTypeDescription`id`required `string`Target ID (UUIDv7) #### Example Request bashCopy ``` curl -X GET "https://apviso.com/api/v1/targets/:id/verify/instructions" \ -H "X-API-Key: apvk_your_key_here" ``` #### Response Returns an empty compatibility payload and deprecated=true. jsonCopy ``` { "token": null, "methods": {}, "deprecated": true, "message": "Target ownership verification is no longer required for self-hosted runners." } ``` GET`/v1/targets/:id/verify/status` ### Check verification status Deprecated compatibility endpoint. Self-hosted targets do not use ownership verification records. #### Path Parameters NameTypeDescription`id`required `string`Target ID (UUIDv7) #### Example Request bashCopy ``` curl -X GET "https://apviso.com/api/v1/targets/:id/verify/status" \ -H "X-API-Key: apvk_your_key_here" ``` #### Response Returns a deprecated compatibility status for legacy clients. jsonCopy ``` { "status": "verified", "method": null, "verifiedAt": null, "deprecated": true, "message": "Target ownership verification is no longer required for self-hosted runners." } ``` PUT`/v1/targets/:id/auth` ### Set authentication config (retired) Retired. Target application authentication credentials must be configured on the self-hosted runner with `APVISO\_TARGET\_AUTH\_CONFIG\_FILE`; APVISO Cloud no longer accepts or stores these secrets. Use the runner-local JSON file for bearer, basic, cookie, API key, custom header, or login-based authentication. #### Path Parameters NameTypeDescription`id`required `string`Target ID (UUIDv7) #### Request Body #### Example Request bashCopy ``` curl -X PUT "https://apviso.com/api/v1/targets/:id/auth" \ -H "X-API-Key: apvk_your_key_here" \ -H "Content-Type: application/json" \ -d '{}' ``` #### Response Returns HTTP 410 Gone. Configure target credentials locally on the runner instead. jsonCopy ``` { "error": "Target authentication config is runner-local only. Store credentials on the self-hosted runner with APVISO_TARGET_AUTH_CONFIG_FILE." } ``` DELETE`/v1/targets/:id/auth` ### Clear authentication config (retired) Retired. Remove or edit the matching entry in the runner-local auth JSON file instead. #### Path Parameters NameTypeDescription`id`required `string`Target ID (UUIDv7) #### Example Request bashCopy ``` curl -X DELETE "https://apviso.com/api/v1/targets/:id/auth" \ -H "X-API-Key: apvk_your_key_here" ``` #### Response Returns HTTP 410 Gone. There is no cloud-stored target auth config to clear. jsonCopy ``` { "error": "Target authentication config is runner-local only. Remove credentials from the runner-local auth file instead." } ``` [Back to API Reference](/docs/api) [Overview](#overview)[POST /v1/targets](#create-target)[GET /v1/targets](#list-targets)[GET /v1/targets/:id](#get-target)[DELETE /v1/targets/:id](#delete-target)[POST /v1/targets/:id/verify](#verify-target)[GET /v1/targets/:id/verify/instructions](#get-verification-instructions)[GET /v1/targets/:id/verify/status](#get-verification-status)[PUT /v1/targets/:id/auth](#set-target-auth)[DELETE /v1/targets/:id/auth](#delete-target-auth) [APVISO](/)Autonomous AI-powered penetration testing for modern web applications. Subscribe [](https://github.com/apviso)[](https://x.com/Apviso_com)[](https://www.linkedin.com/company/apviso/) [![Featured on Good AI Tools](https://goodaitools.com/assets/images/badge.png)](https://goodaitools.com/ai/apviso) Product - [Features](/#features) - [Pricing](/pricing) - [Integrations](/integrations) - [Benchmarks](/#compare) - [Affiliate Program](/affiliate) - [Partners](/partners) - [Enterprise](/enterprise) Resources - [Blog](/blog) - [Use Cases](/use-cases) - [Glossary](/glossary) - [Comparisons](/comparisons) - [Alternatives](/alternatives) - [Compliance](/compliance) - [Vulnerabilities](/vulnerabilities) - [Industries](/industries) - [OWASP APTS](/trust/apts) Developers - [Knowledge Base](/docs) - [API Reference](/docs/api) - [MCP Server](/docs/mcp) Company - [About](/about) - [Contact](/contact) - [Status](https://status.apviso.com) - [Privacy Policy](/legal/privacy) - [Terms of Service](/legal/terms) © 2026 APVISO. All rights reserved.