Documentation Index Fetch the complete documentation index at: https://docs.lintliot.com/llms.txt
Use this file to discover all available pages before exploring further.
The LintLiot API is a REST API that powers both the dashboard and the SDK. You can use it directly to automate security workflows, pull data into your own tooling, or integrate with CI/CD pipelines. All responses use JSON and follow a consistent { ok, data } envelope.
Base URL Authentication All endpoints except GET /api/verify/:slug require a bearer token in the Authorization header.
Authorization : Bearer <LINTLIOT_API_KEY>
You can find your API key in the LintLiot dashboard under Settings → API Keys . API keys start with lk_live_.
Never expose your API key in client-side code or commit it to source control. Store it as an environment variable (LINTLIOT_API_KEY).
Apps Apps represent the applications you have connected to LintLiot.
List apps Returns all apps belonging to your account.
Response { "ok" : true , "data" : [ { "id" : "app_01j..." , "name" : "My SaaS" , "apiKey" : "lk_live_..." , "securityScore" : 87 , "plan" : "pro" , "status" : "active" , "createdAt" : "2025-01-15T10:00:00.000Z" , "updatedAt" : "2025-04-22T14:30:00.000Z" } ] }
Create app Creates a new app and generates an API key.
Request body Display name for the app. Must be between 1 and 100 characters.
GitHub repository in owner/repo format. Required to enable code scanning via GitHub webhooks.
Response 201 Created{ "ok" : true , "data" : { "id" : "app_01j..." , "name" : "My SaaS" , "apiKey" : "lk_live_abc123..." , "securityScore" : 0 , "plan" : "free" , "status" : "active" , "settings" : { "scanner" : { "blockOnCritical" : true , "blockOnHigh" : false , "scanOnPush" : true }, "shield" : { "mode" : "permissive" , "botDetection" : true }, "vault" : { "sensitiveFields" : [ "email" , "phone" , "ssn" ], "keyRotationDays" : 90 }, "monitor" : { "eventRetentionDays" : 90 } }, "createdAt" : "2025-04-27T09:00:00.000Z" , "updatedAt" : "2025-04-27T09:00:00.000Z" } }
Get app Returns details for a single app.
Update app Updates the app’s name or GitHub repository connection.
Request body New display name for the app.
GitHub repository in owner/repo format.
GitHub App installation ID, set automatically during the GitHub App flow.
Update app settings PATCH /api/apps/:id/settings
Updates security module settings for the app. You can send any subset of sections — unspecified sections are preserved.
Request body Scanner configuration. Block deploys when critical findings are detected.
Block deploys when high findings are detected.
Automatically scan on every GitHub push event.
Directory paths to exclude from scanning.
Request Shield configuration. Either permissive or strict.
Enable bot detection scoring.
Rate limit: { maxRequests: number, windowSeconds: number }.
Geo-block configuration: { enabled: boolean, blockedCountries: string[] }. Country codes are ISO 3166-1 alpha-2.
Data encryption (Vault) configuration. Field names to auto-encrypt with AES-256-GCM.
Days between automatic key rotations (1–3650).
Delete app Permanently deletes an app and all associated data.
Response { "ok" : true , "data" : { "id" : "app_01j..." } }
Security score and lockdown Get security score Returns the current Security Score and breakdown.
Pass ?refresh=true to force recalculation. Omit for the cached score.
Response Security score from 0–100.
Letter grade: A+, A, B, C, D, or F.
Tier label: platinum, gold, silver, bronze, or basic.
Per-module breakdown (populated when ?refresh=true).
{ "ok" : true , "data" : { "score" : 87 , "grade" : "A" , "tier" : "gold" , "modules" : {} } }
Toggle emergency lockdown POST /api/apps/:id/lockdown
Activates or deactivates emergency lockdown mode. When lockdown is active, all write endpoints (POST, PUT, PATCH, DELETE) are blocked and traffic is restricted to 1 request/minute per IP. Lockdown automatically lifts after 1 hour if not manually deactivated.
Emergency Lockdown is available on Team and Enterprise plans only.
Manage behavioral baselines POST /api/apps/:id/baseline
Retrieves or resets the behavioral baselines LintLiot builds during the 7-day learning phase. Baselines drive adaptive rate limiting and anomaly detection thresholds.
Events Ingest events Ingests one or more security events from the SDK. This endpoint is called automatically by the LintLiot middleware — you do not need to call it directly unless building a custom integration.
Accepts either a single event object or a JSON array of events. Also accepts Content-Type: text/plain for compatibility with navigator.sendBeacon().
Request body Event type string, e.g. request.blocked, auth.login, auth.impossible_travel.
Source module: shield, scanner, monitor, compliance, etc.
Severity level: CRITICAL, HIGH, MEDIUM, LOW, or INFO.
Short human-readable description of the event.
Extended description with context.
Source IP address. Used for geo-enrichment and impossible travel detection.
Your application’s user identifier. Used for session fingerprinting and impossible travel detection.
Arbitrary key-value metadata about the event (path, method, userAgent, etc.).
Response 201 Created{ "ok" : true , "data" : { "count" : 3 } }
Real-time SSE stream Opens a Server-Sent Events stream that delivers new security events to the dashboard in real time.
The app ID to stream events for.
A short-lived session token obtained from your dashboard session. SSE connections cannot send Authorization headers, so authentication uses this query parameter instead.
The stream emits three event types:
connected — sent immediately on connectevents — array of new event objectsheartbeat — empty event sent every 30 seconds to keep the connection alive
Get event analytics GET /api/events/analytics
Returns trend data, module breakdown, attack type distribution, and top threat countries for a given time window.
Time window: 24h, 7d, or 30d.
Response { "ok" : true , "data" : { "window" : "24h" , "totalEvents" : 1428 , "trend" : [ { "label" : "09:00" , "total" : 42 , "blocked" : 18 , "critical" : 2 } ], "moduleBreakdown" : [ { "module" : "shield" , "count" : 843 } ], "attackTypes" : [ { "type" : "request.blocked" , "count" : 341 } ], "severityBreakdown" : [ { "severity" : "HIGH" , "count" : 27 } ], "topCountries" : [ { "country" : "US" , "count" : 612 } ] } }
Scanner GitHub webhook receiver POST /api/scanner/webhook
Receives push and pull_request events from a GitHub App or webhook. LintLiot verifies the X-Hub-Signature-256 header and queues a scan job for every connected app matching the repository.
Set this URL as your GitHub webhook endpoint: https://api.lintliot.com/api/scanner/webhook
List scans Returns the 50 most recent scans for an app, ordered by start time descending.
App ID to list scans for.
List findings GET /api/scanner/findings
Returns scan findings with optional filters. Results are paginated and ordered by CVSS score descending.
Filter by severity: CRITICAL, HIGH, MEDIUM, LOW.
Filter by status: open, fixed, ignored, false_positive.
Filter by category: secret, iac, code, dependency.
Results per page. Maximum 100.
Response { "ok" : true , "data" : [ { "id" : "finding_01j..." , "appId" : "app_01j..." , "scanId" : "scan_01j..." , "rule" : "SEC003" , "severity" : "CRITICAL" , "category" : "secret" , "file" : "src/config.ts" , "line" : 14 , "title" : "Stripe Secret Key" , "status" : "open" , "cvssScore" : 9.1 } ], "meta" : { "page" : 1 , "limit" : 25 , "total" : 3 , "pages" : 1 } }
Shield Get WAF rules Returns the current WAF rules and IP rules active for the app. This endpoint uses SDK authentication (X-API-Key header with your app’s API key) and is called by the SDK middleware on startup.
Add IP block/allow rule POST /api/shield/ip-rules
Adds or updates an IP block or allow rule. If a rule already exists for the IP, it is overwritten.
Request body App ID to apply the rule to.
IPv4 or IPv6 address to target.
Human-readable reason for the rule, displayed in the dashboard.
ISO 8601 timestamp for automatic rule expiry. Omit for a permanent rule.
Response 201 Created{ "ok" : true , "data" : { "id" : "iprule_01j..." , "appId" : "app_01j..." , "ip" : "198.51.100.42" , "action" : "block" , "reason" : "Credential stuffing attempt" , "expiresAt" : "2025-05-01T00:00:00.000Z" } }
Compliance Compliance features require a Pro, Team, or Enterprise plan.
Initialize compliance framework POST /api/compliance/initialize
Seeds compliance controls for a framework. Call this once per framework per app. Returns 409 Conflict if the framework is already initialized — use POST /api/compliance/sync to refresh control statuses instead.
Request body App ID to initialize compliance for.
Framework to initialize. Supported values: SOC2, GDPR, HIPAA, PCI-DSS, ISO27001.
Get compliance report GET /api/compliance/status
Returns the current compliance status for a framework, including per-control pass/fail breakdown and a 0–100 score.
Framework to report on: SOC2, GDPR, HIPAA, PCI-DSS, ISO27001.
Response { "ok" : true , "data" : { "score" : 84 , "summary" : { "total" : 47 , "passing" : 38 , "partial" : 4 , "failing" : 5 }, "categories" : { "Access Control" : { "pass" : 8 , "partial" : 1 , "fail" : 0 , "total" : 9 } }, "controls" : [ { "id" : "ctrl_01j..." , "framework" : "SOC2" , "requirement" : "CC6.1" , "category" : "Access Control" , "status" : "pass" , "evidence" : "Brute force events blocked: 142" , "lastChecked" : "2025-04-27T08:00:00.000Z" } ] } }
Trigger compliance re-check POST /api/compliance/sync
Re-evaluates all compliance controls for the app by correlating recent security events with control requirements. Typically completes in under 30 seconds.
Limit sync to a specific framework. Omit to sync all initialized frameworks.
Verification (public) Get security certificate Returns the public security certificate data for an app. This endpoint requires no authentication and is cached at the edge with a 60-second TTL.
The :slug is the lowercased, hyphenated version of your app name (e.g., an app named “My SaaS” has slug my-saas).
Response certificate.securityScore
Current score from 0–100.
Score band: Excellent, Good, Fair, Poor, or Critical.
certificate.openCriticalFindings
Count of open critical scan findings.
certificate.openHighFindings
Count of open high scan findings.
certificate.threatsBlockedLast30Days
Total blocked requests in the last 30 days.
certificate.activeProtections
List of active protection modules.
Compliance framework pass rates.
certificate.badge.embedCode
Ready-to-paste HTML badge embed code.
{ "ok" : true , "certificate" : { "appName" : "My SaaS" , "slug" : "my-saas" , "securityScore" : 87 , "scoreBand" : "Good" , "scoreColor" : "#3b82f6" , "plan" : "pro" , "verifiedAt" : "2025-04-27T10:00:00.000Z" , "openCriticalFindings" : 0 , "openHighFindings" : 1 , "threatsBlockedLast30Days" : 2341 , "activeProtections" : [ "WAF — Web Application Firewall (150+ patterns)" , "Rate Limiting — Adaptive baseline-relative thresholds" , "Bot Detection — 12-signal behavioral scoring" ], "frameworks" : [ { "name" : "SOC2" , "passingControls" : 38 , "totalControls" : 47 , "passRate" : 81 } ], "badge" : { "imageUrl" : "https://app.lintliot.com/api/verify/my-saas/badge.svg" , "embedCode" : "<a href= \" https://lintliot.com/verify/my-saas \" ><img src= \" https://app.lintliot.com/api/verify/my-saas/badge.svg \" alt= \" Secured by LintLiot \" width= \" 180 \" /></a>" } } }
Pentest The Pentest API provides Dynamic Application Security Testing (DAST) against OWASP Top 10 vulnerabilities. All pentest operations require accepting the Terms of Service first.
Only run pentest scans against applications you own or have explicit written permission to test. Scanning third-party targets without authorization is prohibited and will result in account suspension.
List scans GET /api/pentest/:appId/scans
Filter by scan status: pending, running, completed, failed.
Create scan POST /api/pentest/:appId/scans
Creates a new pentest scan. The scan must be explicitly executed with a separate POST /api/pentest/:appId/scans/:scanId/execute call.
Request body Human-readable scan name.
Full URL of the target application. Must be a valid URL pointing to an application you own.
Subset of attack modules to run. Omit to run all available modules.
Module-specific configuration overrides.
Response 201 Created{ "ok" : true , "data" : { "id" : "ptscan_01j..." , "appId" : "app_01j..." , "name" : "April release scan" , "targetUrl" : "https://myapp.com" , "status" : "pending" , "createdAt" : "2025-04-27T10:00:00.000Z" } }
List findings GET /api/pentest/:appId/findings
Filter findings to a specific scan.
Filter by severity: critical, high, medium, low.
Filter by OWASP Top 10 category (e.g. A01, A03).
Filter by status: open, confirmed, false_positive, remediated, accepted.
Route sensitivity Route sensitivity lets you configure graduated protection levels for sensitive URL patterns. The built-in rules cover paths like /admin*, /payment*, /export*, and /bulk*. You can create custom rules on top of those defaults.
Get route sensitivity config GET /api/route-sensitivity/:appId
Returns all active rules (built-in and custom) plus a summary of enforcement activity.
Create custom rule POST /api/route-sensitivity/:appId/rules
Request body URL path pattern to match. Supports glob-style wildcards (e.g. /api/admin*).
Protection level: critical, high, medium, low, or disabled.
Enforcement action: require_admin, reauth, rate_limit, audit_log, monitor, exfiltration_check, or disabled.
Human-readable explanation of the rule, displayed in the dashboard.
Response 201 Created{ "ok" : true , "data" : { "id" : "rsrule_01j..." , "appId" : "app_01j..." , "pattern" : "/api/exports*" , "level" : "high" , "action" : "exfiltration_check" , "description" : "Monitor bulk data export endpoints" , "enabled" : true } }
Update rule PATCH /api/route-sensitivity/:appId/rules/:id
Request body Enable or disable the rule.
Updated protection level.
Updated enforcement action.
Delete rule DELETE /api/route-sensitivity/:appId/rules/:id
Permanently deletes a custom rule. Built-in rules cannot be deleted — use PATCH to disable them instead.
Error responses All errors follow a consistent format:
{ "ok" : false , "error" : "Human-readable error message" }
Status Meaning 400Invalid input or missing required parameter 401Missing or invalid API key 403Insufficient plan or ownership mismatch 404Resource not found 409Conflict (e.g. compliance framework already initialized) 429Rate limit exceeded 500Internal server error
