API reference
Every API route a user can call. Authentication uses the dashboard session unless noted.
Rate-limit annotations read N/Ws: N requests per W seconds.
Conventions
- Base URL. All endpoints are relative to https://app.infiniview.dev.
- Content type. Request and response bodies are JSON unless the endpoint advertises another type: CSV exports return text/csv, live progress streams return text/event-stream.
- Authentication. Endpoints use the dashboard session cookie. Two endpoints are public: GET /api/health and POST /api/validate-infiniview-yml.
- Idempotency. Mutations are not idempotent unless an endpoint says so. The GitHub webhook receiver deduplicates by X-GitHub-Delivery.
- Timestamps. ISO 8601 in UTC, ending with Z.
Errors
Error responses share a single shape. The code is stable, the message is human-readable, and details may carry field-level validation errors.
```json
{
  "error": {
    "code": "validation_failed",
    "message": "Invalid request body.",
    "details": {
      "branch": ["must be a non-empty string"]
    }
  }
}
```

| Status | When |
|---|---|
| 400 | Request body or query parameters failed validation. |
| 401 | Session missing or expired. Sign in again from the dashboard. |
| 403 | You don't own the requested resource, or the capability is gated by plan. |
| 404 | Resource doesn't exist or isn't visible to you. |
| 409 | State conflict — for example, asking for a run CSV before the run reaches a terminal status. |
| 422 | Request was well-formed but referenced unknown scanner IDs or invalid threshold values. |
| 429 | Bucket exhausted. See the Retry-After header. |
| 5xx | Server-side error. The dashboard surfaces a banner; retries are safe for idempotent reads. |
Pagination
List endpoints accept ?page (1-indexed) and ?perPage. Defaults and caps vary by endpoint:
| Resource | Default | Max |
|---|---|---|
| Scan runs | 20 | 100 |
| Findings | 20 | 500 |
| Suppressions | 20 | 100 |
| Reviews | 20 | 100 |
Responses include page, perPage, total, and a hasMore flag where applicable.
Rate limits
Limits are per signed-in user, per route bucket. When a bucket is exhausted, the API returns 429 with a Retry-After header containing the number of seconds before another request will succeed. Bucketed endpoints are flagged in the tables below — anything without a rate-limit note shares the global account quota.
- 5/60s — review creation, billing checkout.
- 10/60s — reruns, repo-secret writes, suppression deletes.
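A client that applies the three contracts above (the shared error envelope, page/perPage/hasMore pagination, and 429 with Retry-After) to the findings list, as an added example that is not part of Infiniview's own code. The transport is injected so it runs offline, and the list key `items` in paged responses is an assumption the page does not state.

```python
import time
from dataclasses import dataclass
from typing import Callable

BASE_URL = "https://app.infiniview.dev"  # from the Conventions section
ITEMS_KEY = "items"  # assumption: the page does not name the list key in paged responses

@dataclass
class Response:
    status: int
    headers: dict
    body: dict

# A transport is any callable (method, url, params) -> Response; injected so the client
# can be exercised offline against constructed responses instead of the live API.
Transport = Callable[[str, str, dict], Response]

class ApiError(Exception):
    """The shared error envelope: {"error": {"code", "message", "details"}}."""
    def __init__(self, status: int, error: dict):
        super().__init__(f"{status} {error.get('code')}: {error.get('message')}")
        self.status = status
        self.code = error.get("code")
        self.details = error.get("details") or {}

def get_json(transport: Transport, path: str, params: dict,
             max_retries: int = 3, sleep=time.sleep) -> dict:
    """GET a route, waiting out 429 + Retry-After; retries are safe for idempotent reads."""
    for attempt in range(max_retries + 1):
        resp = transport("GET", BASE_URL + path, params)
        if resp.status != 429 or attempt == max_retries:
            break
        sleep(int(resp.headers.get("Retry-After", "1")))
    if resp.status >= 400:
        raise ApiError(resp.status, resp.body.get("error", {}))
    return resp.body

def list_findings(transport: Transport, filters: dict,
                  per_page: int = 500, sleep=time.sleep) -> list:
    """Walk /api/security-findings via ?page (1-indexed) and ?perPage (capped at 500)."""
    per_page = min(per_page, 500)
    page, items = 1, []
    while True:
        body = get_json(transport, "/api/security-findings",
                        {**filters, "page": page, "perPage": per_page}, sleep=sleep)
        items.extend(body.get(ITEMS_KEY, []))
        has_more = body.get("hasMore")
        if has_more is None:  # hasMore is only present "where applicable"; fall back to total
            has_more = body["page"] * body["perPage"] < body["total"]
        if not has_more:
            return items
        page += 1
```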
Health
Public health probe. Returns 200 with status ok or 503 with status degraded.
| Endpoint | Parameters / body | Notes |
|---|---|---|
| GET /api/health | | public; 200 with status ok, 503 with status degraded |
GitHub
OAuth handshake, repo discovery, and the signed webhook receiver.
| Endpoint | Parameters / body | Notes |
|---|---|---|
| /api/github/connect | | redirects to GitHub OAuth |
| /api/github/callback | | handled by Infiniview |
| /api/github/disconnect | | |
| /api/github/repos | ?page, ?q | |
| /api/github/webhook | | signature-verified; deduplicated by X-GitHub-Delivery |
Reviews
Manage reviews and trigger reruns. DELETE archives by default; hard-delete is available in dev mode.
| Endpoint | Parameters / body | Notes |
|---|---|---|
| /api/reviews | | list (paginated) |
| /api/reviews | { repoFullName, branch? } | review creation · 5/60s |
| /api/reviews/{id} | ?includeOverviewStats=1 | |
| /api/reviews/{id} | { name } | |
| DELETE /api/reviews/{id} | ?mode=hard-delete | archives by default; hard-delete is dev only |
| /api/reviews/{id}/rerun | | 10/60s |
Scan runs
Listing is paginated (default 20 per page, max 100). Live progress is delivered as Server-Sent Events.
| Endpoint | Parameters / body | Notes |
|---|---|---|
| /api/scan-runs | ?scope=active\|archived\|all | list (paginated) |
| /api/scan-runs/{id}/progress | | |
| /api/scan-runs/{id}/live | | text/event-stream |
| /api/scan-runs/{id}/csv | | text/csv; 409 until the run reaches a terminal status |
| /api/scan-runs/{id}/compare | | |
| /api/scan-runs/{id}/trust | | |
Findings
Listing is paginated (default 20, max 500) with filters: severity, category, exploitability, sourcePhase, reviewId, scanRunId, repoFullName, scope, q.
| Endpoint | Parameters / body | Notes |
|---|---|---|
| /api/security-findings | filters listed above | list (paginated) |
| /api/security-findings/{id}/replay | | |
| /api/security-findings/{id}/bundle | | |
| /api/security-findings/export | ?scope, ?reviewId, ?scanRunId | |
Configuration
Scan configuration is gated by an account-level capability. The validation endpoint is unauthenticated.
| Endpoint | Parameters / body | Notes |
|---|---|---|
| /api/scan-config | | two routes at this path; gated by the account-level capability |
| POST /api/validate-infiniview-yml | | no auth |
| /api/settings | | two routes at this path |
| /api/repo-secrets | ?repoFullName | |
| /api/repo-secrets | { repoFullName, key, value } | repo-secret write · 10/60s |
| /api/repo-secrets | { id } | repo-secret write · 10/60s |
Suppressions
Listing is paginated (max 100/page) with optional filters scope, repoFullName, search.
| Endpoint | Parameters / body | Notes |
|---|---|---|
| /api/finding-suppressions | filters listed above | list (paginated) |
| /api/finding-suppressions | { query, scope, reviewId?, scanRunId?, repoFullName? } | |
| /api/finding-suppressions/{id} | | suppression delete · 10/60s |
Billing
Plan status and checkout. The dashboard launches checkout via an in-app overlay.
| Endpoint | Parameters / body | Notes |
|---|---|---|
| /api/billing/status | | |
| /api/billing/checkout-session | { planKey } | billing checkout · 5/60s |