REST API
Programmatic access to scans, findings, documents, and subprocessors via personal access tokens.
Last updated May 8, 2026
On Scale and above, every workspace gets a versioned REST API under /api/v1. Tokens are issued as personal access tokens scoped to the workspace, never to a user — so programmatic access keeps working when team members leave or change roles.
Authentication
Send the token in the Authorization header:
Authorization: Bearer atst_live_<random>
Tokens are 32 random bytes encoded as URL-safe base64, prefixed with atst_live_. The full token value is shown once, at creation; we store only a hash of it, so it cannot be retrieved later. If a token is lost, revoke it and issue a new one.
Index endpoint
GET /api/v1
Returns a JSON catalogue of every endpoint, each with a sample curl invocation. Useful as a sanity check that your token works.
Available endpoints
| Endpoint | Description |
|---|---|
| GET /api/v1 | Catalogue of available endpoints. |
| GET /api/v1/scans | Recent scans with repo metadata, status, and finding counts. |
| GET /api/v1/findings?scanId=&kind= | Findings from a specific scan, optionally filtered by kind. |
| GET /api/v1/subprocessors | Live subprocessor inventory with last-detected timestamp and source citation. |
| GET /api/v1/documents | Document metadata, current version number, and public trust-center URL. |
Issuing and revoking tokens
Settings → API tokens. Click Issue token, give it a name, and copy the value to your secrets manager. Revoke from the same page; revocation is immediate (the token hash is removed from the database).
Rate limits
The limit is 100 requests per minute per token, enforced softly. We'll surface a deprecation header when this becomes meaningful for your workspace.
Forward compatibility
We follow URL-versioned semantics: /api/v1 will not break existing fields. New fields and endpoints may be added at any time — handle unknown keys gracefully.
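A small client that puts the findings endpoint, the rate limit and the forward-compatibility advice together, as an added Python example (not the product's SDK or code): it builds the /api/v1/findings URL omitting empty filters, sends the Bearer header, throttles itself to the documented 100 requests per minute with a sliding window, and parses each finding by keeping the fields it relies on while parking unknown keys instead of failing on them. The API host, the top-level "findings" key, and the field names in the constructed sample response are assumptions; the page names only scanId and kind.

```python
import json
import time
import urllib.request
from collections import deque
from urllib.parse import urlencode

# Constructed sample response; field names other than scanId and kind are assumed.
SAMPLE_FINDINGS_BODY = b"""{"findings": [
  {"id": "f_1", "scanId": "s_42", "kind": "secret", "severity": "high", "newField": 1},
  {"id": "f_2", "scanId": "s_42", "kind": "license", "severity": "low"}
]}"""

# Fields this client depends on; anything else is preserved under "extra".
KNOWN_FINDING_KEYS = ("id", "scanId", "kind", "severity")


def build_url(base: str, path: str, params: dict) -> str:
    """Join base + path and append only the query parameters that have a value."""
    query = {k: v for k, v in params.items() if v not in (None, "")}
    url = base.rstrip("/") + path
    return url + ("?" + urlencode(query) if query else "")


def auth_headers(token: str) -> dict:
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


class RateLimiter:
    """Client-side sliding window: at most `limit` calls per `window` seconds."""

    def __init__(self, limit=100, window=60.0, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self._clock, self._sleep = clock, sleep  # injectable for testing
        self._calls: deque = deque()

    def acquire(self) -> float:
        """Block until a call is allowed; return the seconds spent waiting."""
        waited = 0.0
        while True:
            now = self._clock()
            while self._calls and now - self._calls[0] >= self.window:
                self._calls.popleft()
            if len(self._calls) < self.limit:
                self._calls.append(now)
                return waited
            delay = self.window - (now - self._calls[0])
            self._sleep(delay)
            waited += delay


def urllib_transport(url: str, headers: dict):
    """Default transport: GET the URL and return (status, raw body bytes)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


def parse_finding(obj: dict) -> dict:
    """Keep known fields; tolerate keys added later instead of rejecting them."""
    known = {k: obj.get(k) for k in KNOWN_FINDING_KEYS}
    known["extra"] = {k: v for k, v in obj.items() if k not in KNOWN_FINDING_KEYS}
    return known


def list_findings(token, scan_id, base, kind=None, transport=urllib_transport, limiter=None):
    url = build_url(base, "/api/v1/findings", {"scanId": scan_id, "kind": kind})
    if limiter is not None:
        limiter.acquire()
    status, body = transport(url, auth_headers(token))
    if status != 200:
        raise RuntimeError(f"findings request failed: HTTP {status}")
    payload = json.loads(body)
    # Assumption: findings are returned under a top-level "findings" key.
    return [parse_finding(f) for f in payload.get("findings", [])]


if __name__ == "__main__":
    # Offline demo using a fake transport that returns the constructed sample.
    def fake_transport(url, headers):
        return 200, SAMPLE_FINDINGS_BODY

    rows = list_findings("atst_live_EXAMPLE", "s_42", base="https://<workspace-host>",
                         transport=fake_transport, limiter=RateLimiter())
    for row in rows:
        print(row)
```

The limiter is a client-side courtesy that keeps a batch job under the documented budget; the server's own enforcement still applies, so a non-200 status is surfaced as an error rather than silently retried.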
Webhooks
For event-driven integration, prefer Webhooks over polling — they're available on Growth and above.