API reference

Public REST + tRPC, OTel-compatible ingestion.

Three surfaces: public endpoints anyone can verify with no auth, project endpoints behind an API key, and the firewall service for runtime scans.

Public — no auth

GET /.well-known/jwks.json

Public key set used to verify Living Cert JWTs. Rotates with the cert signing key.

GET /api/public/cert/:hash

Fetch a signed cert by its public hash. Returns the JWT + decoded payload.

POST /api/public/scan

Free interactive scanner. 10 req/min/IP token bucket, 8 KB prompt ceiling, 8s upstream timeout.

Authenticated — project API key

POST /api/v1/traces

OTel-compatible trace ingestion. Accepts the OTLP/HTTP JSON format.

POST /api/v1/findings

Submit a finding from your own detector pipeline.

GET /api/v1/agents/:id/cert

Latest cert for the agent (signed JWT + components).

POST /api/v1/redteam/runs

Trigger a red-team pack against a target.

Firewall — runtime scan

POST /scan/prompt

Pre-tool prompt injection + exfil scan. Runs LLM-Guard + custom regex + ML classifier.

POST /scan/output

Post-generation scan. Catches PII leaks, tool argument anomalies, policy violations.

GET /readyz

Readiness probe. 200 OK once the HF model cache has loaded.

Read the OpenAPI spec.

Auto-generated from the source via Fern. Lives at /api/v1/openapi.json once you self-host, or in the docs section of your tenant.