Developers

REST API

The API lives at https://index365.co/api/v1. The machine-readable reference is published at /openapi.json with agent-grade operation descriptions, examples, and error codes.

Authentication

Send your key in the Authorization header. Query-string tokens are rejected by design. Authentication covers scopes, the security model, and how to mint a key.

curl -s https://index365.co/api/v1/me \
  -H "Authorization: Bearer i365_..."

GET /api/v1/me works with any valid key and returns your organization, scopes, and the contract version. Call it first in any integration.

Start an audit and read the results

bash
# 1. Find your project
curl -s "https://index365.co/api/v1/projects" -H "Authorization: Bearer $KEY"

# 2. Start the audit (202 returns the run immediately; retry-safe via Idempotency-Key)
curl -s -X POST "https://index365.co/api/v1/runs" \
  -H "Authorization: Bearer $KEY" \
  -H "Idempotency-Key: deploy-42" \
  -H "Content-Type: application/json" \
  -d '{"projectId":"<projectId>"}'

# 3. Poll until status is terminal
curl -s "https://index365.co/api/v1/runs/<runId>" -H "Authorization: Bearer $KEY"

# 4. Read the compact report context first, then page through findings
curl -s "https://index365.co/api/v1/runs/<runId>/report" -H "Authorization: Bearer $KEY"
curl -s "https://index365.co/api/v1/runs/<runId>/findings?severity=critical" \
  -H "Authorization: Bearer $KEY"

Marketing Signal audits

bash
# Start a Marketing Signal run (same endpoint, scanMode picks the product)
curl -s -X POST "https://index365.co/api/v1/runs" \
  -H "Authorization: Bearer $KEY" \
  -H "Content-Type: application/json" \
  -d '{"projectId":"<projectId>","scanMode":"paid_marketing_signal"}'

# Latest Marketing Signal report for a project (stage scores + source coverage)
curl -s "https://index365.co/api/v1/projects/<projectId>/marketing/report" \
  -H "Authorization: Bearer $KEY"

# Connected-signal providers and per-project status (planned until they launch)
curl -s "https://index365.co/api/v1/projects/<projectId>/integrations" \
  -H "Authorization: Bearer $KEY"

Marketing Signal findings flow through the same findings endpoints and carry an extra stage field (find, trust, act, measure, improve). The report context names its evidence base via sourceCoverage: public signals today, connected sources when account integrations launch.

Website Security audits

bash
# Start a Website Security run (same endpoint, scanMode picks the product)
curl -s -X POST "https://index365.co/api/v1/runs" \
  -H "Authorization: Bearer $KEY" \
  -H "Content-Type: application/json" \
  -d '{"projectId":"<projectId>","scanMode":"paid_website_security"}'

# Read the findings (deterministic public-surface posture checks)
curl -s "https://index365.co/api/v1/runs/<runId>/findings?severity=critical" \
  -H "Authorization: Bearer $KEY"

Website Security is a deterministic public-surface posture scan (TLS, headers, cookies, DNS, exposure). It runs through the same run endpoint and findings flow, selected by scanMode.

The agent result contract

Findings are served as contract v2: stable findingId, a category, severity and confidence, an evidence array, affectedUrls, remediation text, agentActions, timestamps, provenance (scan mode and model), and a humanUrl that links your teammates to the same data in the dashboard. Completed runs are immutable, so finding ids and report payloads are safe to cache and reference across sessions.

Pagination, caching, and rate limits

  • List endpoints are cursor-paginated: pass cursor from the previous pagination.nextCursor until it is null. limit caps at 100.
  • Completed runs return cacheable responses; in-flight runs are no-store. Poll roughly every 10 seconds.
  • 60 requests per minute per key. A 429 includes Retry-After.

Errors

Every error is JSON: {"error":{"code":"...","message":"..."}}. Codes you should handle: unauthorized (401), insufficient_scope (403), not_found (404), insufficient_credits and no_active_subscription (402), run_in_flight (409), rate_limited (429).

Tip

Building an agent integration? The MCP server and CLI wrap the core endpoints above (projects, runs, findings, reports) so your agent rarely touches raw HTTP.