Skip to main content

API conventions

AISafe REST endpoints share a set of cross-cutting rules: base URLs, authentication, pagination, error handling, rate limits, and identifier formats. For per-endpoint reference, see the API Reference.

Base URL

EnvironmentBase URL
Productionhttps://api.aisafe.io

Routes live under /api/v1/. The v1 namespace is a content freeze. Additive changes (new optional fields, new endpoints, new enum values on responses) stay backwards-compatible. Breaking changes bump the version.

curl https://api.aisafe.io/api/v1/assessments \
-H "Authorization: Bearer $AISAFE_API_KEY"

Authentication

API requests need a Bearer token in the Authorization header:

Authorization: Bearer sk-ais-xxxxxxxxxxxxxxxxxxxx

AISafe supports two bearer flavors:

  • API keys carry the prefix sk-ais- and scope per key. Each key carries an explicit scope list (e.g. assessments:create, findings:read). A key missing the required scope for an endpoint returns 403.
  • Session JWT: the login/OAuth flows issue a JWT, carried in an httpOnly cookie for browsers or in the header for programmatic clients.

See Authentication for full details on obtaining and using API keys.

Identifiers

AISafe uses two families of identifiers:

Customer-visible IDs: hyphenated uppercase

Organizations, Assessments, Findings, and Reports carry human-readable IDs of the form AIS-{ORG}-{APP}[-{NNN}]:

ResourceFormatExample
AssessmentAIS-{ORG}-{CODE}AIS-ACME-TLP
FindingAIS-{ORG}-{ASSESSMENT}-{NNN}AIS-ACME-TLP-001

These IDs are immutable, appear in URLs, reports, and exports, and are safe to share in support tickets.

Opaque IDs: prefixed tokens

Other resources (users, teams, API keys, webhook subscriptions, etc.) use short opaque identifiers with a prefix (e.g. user_, team_, apikey_, webhook_).

Pagination

List endpoints use cursor-based pagination. The response envelope includes:

{
"items": [...],
"total": 150,
"page": 1,
"page_size": 20,
"total_pages": 8,
"next_cursor": "eyJ...",
"has_total": true
}
  • next_cursor: pass this as the cursor query parameter to fetch the next page. If absent, there are no more results.
  • page_size controls the number of items per page (capped per endpoint).
  • has_total indicates whether the total field is accurate. Some endpoints skip the expensive COUNT query for performance.

Inbound VCS webhook delivery logs

VCS webhook delivery logs help diagnose why a push or pull request did or did not trigger project automation. Delivery rows expose only non-secret fields: provider, event type, repository, commit SHA, PR number or branch, processing status, ignored reason, and timestamps.

EndpointScope
GET /api/v1/projects/{id}/webhook-deliveriesProject members can list recent deliveries for the project's bound VCS repository. Missing or foreign projects return 404.
GET /api/v1/integrations/vcs/connections/{connection_id}/webhook-deliveriesOrganization members who can view the VCS connection can list recent deliveries for that connection, including events that did not match a project.

Both endpoints are newest-first and cursor paginated. Use limit and cursor; optional filters include status, event_kind, and ignored_reason.

Rate limiting

AISafe enforces rate limits using sliding windows keyed on the authenticated principal (user ID or API key owner). Exceeding the limit produces:

  • The response status is 429 Too Many Requests.
  • The response includes a Retry-After header (in seconds). You must honor this before retrying.
# Example: rate-limited response
HTTP/1.1 429 Too Many Requests
Retry-After: 30
Content-Type: application/json

{"detail": "Rate limit exceeded. Retry after 30s."}

Strict input validation

API request bodies use strict validation. Sending an unknown field returns 422 with a validation error. The API rejects typos and blocks injection of server-managed fields. Send only the fields documented for the endpoint you are calling.

Response status codes

StatusMeaning
200Success
400Malformed input or business-rule validation failure
401Missing, expired, or invalid credentials
403Authenticated but not authorized (role too low or scope missing)
404Resource not found (or the API collapses cross-organization access to not-found)
409State conflict (e.g. resource cannot transition from current state)
422Semantic validation failure
429Rate-limited: check Retry-After header
500Unexpected server error

See Errors for the full status code reference and handling guidance.