Targets

Manage self-hosted pentest targets

POST/v1/targets

Create a target

Request Body

Name	Type	Description
`domain`required	`string`	Canonical domain name or host label for the target.
`displayUrl`	`string`	Human-facing URL shown in APVISO. Defaults to `domain`.
`scanUrl`	`string`	Runtime URL the runner should scan. Use this for private, localhost, or split-horizon addresses reachable only from the runner.
`visibility`	`string` publicstaging_previewprivate_internallocalhostpartner_client	Target visibility class used for license checks and runner networking.

Example Request

bash

curl -X POST "https://apviso.com/api/v1/targets" \
  -H "X-API-Key: apvk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
  "domain": "staging.example.com",
  "displayUrl": "https://staging.example.com",
  "scanUrl": "http://host.docker.internal:4000",
  "visibility": "localhost"
}'

Response

Returns the newly created target with its unique ID. Pentest starts are gated by license state, target visibility, and runner readiness.

json

{
  "target": {
    "id": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
    "domain": "staging.example.com",
    "displayUrl": "https://staging.example.com",
    "scanUrl": "http://host.docker.internal:4000",
    "visibility": "localhost",
    "executionMode": "self_hosted_runner",
    "authConfigMode": "runner_local",
    "createdAt": "2026-05-03T09:15:32Z"
  }
}

GET/v1/targets

List targets

Retrieve a paginated list of all targets registered to your account. Results are ordered by creation date (newest first).

Query Parameters

Name	Type	Description
`page`	`number` Default: `1`	Page number for pagination
`limit`	`number` Default: `20`	Number of results per page (max 100)

Example Request

bash

curl -X GET "https://apviso.com/api/v1/targets" \
  -H "X-API-Key: apvk_your_key_here"

Response

Returns a paginated list of targets with last pentest timestamp and runner-local authentication mode.

json

{
  "targets": [
    {
      "id": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
      "domain": "example.com",
      "displayUrl": "https://example.com",
      "scanUrl": "https://example.com",
      "visibility": "public",
      "authConfigMode": "runner_local",
      "createdAt": "2026-05-03T09:15:32Z"
    },
    {
      "id": "019414b2-a3d1-7e8b-c4f6-1d2e3f4a5b6c",
      "domain": "staging.example.com",
      "displayUrl": "https://staging.example.com",
      "scanUrl": "http://host.docker.internal:4000",
      "visibility": "localhost",
      "authConfigMode": "runner_local",
      "createdAt": "2026-05-02T10:48:21Z"
    }
  ],
  "total": 2,
  "page": 1,
  "limit": 20,
  "totalPages": 1
}

GET/v1/targets/:id

Get target details

Retrieve detailed information about a specific target, including runner-local authentication mode and pentest history summary.

Path Parameters

Name	Type	Description
`id`required	`string`	Target ID (UUIDv7)

Example Request

bash

curl -X GET "https://apviso.com/api/v1/targets/:id" \
  -H "X-API-Key: apvk_your_key_here"

Response

Returns the full target object including pentest count, open findings count, and auth mode. Target app credentials are runner-local and are never sent to APVISO.

json

{
  "target": {
    "id": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
    "domain": "example.com",
    "displayUrl": "https://example.com",
    "scanUrl": "https://example.com",
    "visibility": "public",
    "executionMode": "self_hosted_runner",
    "authConfigMode": "runner_local",
    "createdAt": "2026-05-03T09:15:32Z"
  }
}

DELETE/v1/targets/:id

Delete a target

Permanently delete a target and its associated runner routing settings. This operation will fail with a 409 Conflict if any pentests exist for this target. Delete all associated pentests first, or use this only for targets that were never scanned.

This endpoint returns 409 Conflict if the target has any associated pentests. You must delete all pentests for the target before deleting it.

Path Parameters

Name	Type	Description
`id`required	`string`	Target ID (UUIDv7)

Example Request

bash

curl -X DELETE "https://apviso.com/api/v1/targets/:id" \
  -H "X-API-Key: apvk_your_key_here"

Response

Returns a confirmation message on success. Returns 409 Conflict if pentests exist for this target.

json

{
  "message": "Target deleted"
}

POST/v1/targets/:id/verify

Deprecated target verification

Deprecated compatibility endpoint. Self-hosted targets do not require DNS, file, or meta-tag ownership verification.

Path Parameters

Name	Type	Description
`id`required	`string`	Target ID (UUIDv7)

Request Body

Name	Type	Description
`method`	`string` dns_txtfilemeta_tag	Ignored compatibility field

Example Request

bash

curl -X POST "https://apviso.com/api/v1/targets/:id/verify" \
  -H "X-API-Key: apvk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
  "method": "dns_txt"
}'

Response

Returns a verified=true compatibility response with a deprecated flag.

json

{
  "target": {
    "id": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
    "domain": "example.com",
    "authConfigMode": "runner_local"
  },
  "verified": true,
  "deprecated": true,
  "message": "Target ownership verification is no longer required for self-hosted runners."
}

GET/v1/targets/:id/verify/instructions

Deprecated verification instructions

Deprecated compatibility endpoint. Self-hosted targets do not have verification tokens or ownership proof instructions.

Path Parameters

Name	Type	Description
`id`required	`string`	Target ID (UUIDv7)

Example Request

bash

curl -X GET "https://apviso.com/api/v1/targets/:id/verify/instructions" \
  -H "X-API-Key: apvk_your_key_here"

Response

Returns an empty compatibility payload and deprecated=true.

json

{
  "token": null,
  "methods": {},
  "deprecated": true,
  "message": "Target ownership verification is no longer required for self-hosted runners."
}

GET/v1/targets/:id/verify/status

Check verification status

Deprecated compatibility endpoint. Self-hosted targets do not use ownership verification records.

Path Parameters

Name	Type	Description
`id`required	`string`	Target ID (UUIDv7)

Example Request

bash

curl -X GET "https://apviso.com/api/v1/targets/:id/verify/status" \
  -H "X-API-Key: apvk_your_key_here"

Response

Returns a deprecated compatibility status for legacy clients.

json

{
  "status": "verified",
  "method": null,
  "verifiedAt": null,
  "deprecated": true,
  "message": "Target ownership verification is no longer required for self-hosted runners."
}

PUT/v1/targets/:id/auth

Set authentication config (retired)

Retired. Target application authentication credentials must be configured on the self-hosted runner with `APVISO_TARGET_AUTH_CONFIG_FILE`; APVISO Cloud no longer accepts or stores these secrets.

Use the runner-local JSON file for bearer, basic, cookie, API key, custom header, or login-based authentication.

Path Parameters

Name	Type	Description
`id`required	`string`	Target ID (UUIDv7)

Request Body

Example Request

bash

curl -X PUT "https://apviso.com/api/v1/targets/:id/auth" \
  -H "X-API-Key: apvk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{}'

Response

Returns HTTP 410 Gone. Configure target credentials locally on the runner instead.

json

{
  "error": "Target authentication config is runner-local only. Store credentials on the self-hosted runner with APVISO_TARGET_AUTH_CONFIG_FILE."
}

DELETE/v1/targets/:id/auth

Clear authentication config (retired)

Retired. Remove or edit the matching entry in the runner-local auth JSON file instead.

Path Parameters

Name	Type	Description
`id`required	`string`	Target ID (UUIDv7)

Example Request

bash

curl -X DELETE "https://apviso.com/api/v1/targets/:id/auth" \
  -H "X-API-Key: apvk_your_key_here"

Response

Returns HTTP 410 Gone. There is no cloud-stored target auth config to clear.

json

{
  "error": "Target authentication config is runner-local only. Remove credentials from the runner-local auth file instead."
}

Back to API Reference