API Reference
The Rorix REST API lets you integrate vulnerability scanning, SBOM generation, and project management into your own tools and workflows.
Base URL
https://rorix.io/api
Authentication
All authenticated endpoints require an API key passed in the Authorization header:
Authorization: Bearer rxk_your_api_key_here
See the Authentication page for details on creating and managing API keys.
Endpoints
| Method | Endpoint | Description |
| --- | --- | --- |
| POST | /api/audit | Scan dependencies for vulnerabilities |
| POST | /api/scan | Rate-limited scan (no auth required) |
| POST | /api/sbom | Generate an SBOM |
| GET | /api/vulnerabilities/summary | Get vulnerability summary |
| GET | /api/vulnerabilities/:id | Get vulnerability details |
| GET | /api/vulnerabilities/aging | Get vulnerability aging data |
| GET | /api/projects | List projects |
| POST | /api/projects | Create a project |
| GET | /api/projects/:id | Get project details |
| DELETE | /api/projects/:id | Delete a project |
| GET | /api/projects/:id/scans | List scans for a project |
| POST | /api/projects/:id/scan | Trigger a scan for a project |
Rate Limits
| Tier | Limit |
| --- | --- |
| Unauthenticated | 10 requests per minute |
| Authenticated (Free) | 60 requests per minute |
| Authenticated (Pro) | 300 requests per minute |
| Authenticated (Business) | 1000 requests per minute |
Rate limit headers are included in every response:
- X-RateLimit-Limit: maximum requests per window
- X-RateLimit-Remaining: remaining requests in the current window
- X-RateLimit-Reset: Unix timestamp when the window resets
Error Format
All errors follow a consistent JSON format:
{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "The 'content' field is required.",
    "status": 400
  }
}

| Field | Description |
| --- | --- |
| code | Machine-readable error code |
| message | Human-readable description |
| status | HTTP status code |
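
Added example (not part of the Rorix documentation or any Rorix client): Python helpers showing how a caller might act on the rate limit headers and parse the error format described above, treating both as untrusted input. The function names, the `MAX_WAIT` cap, the local fallback label `UNPARSEABLE_ERROR` and the sample values are assumptions made for illustration.

```python
import json
import time

MAX_WAIT = 120  # assumption: longest pause (seconds) this client will accept
# Constructed sample values, not captured from the real service.
SAMPLE_HEADERS = {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "0",
                  "X-RateLimit-Reset": "1700000030"}
SAMPLE_ERROR = ('{"error": {"code": "VALIDATION_ERROR", '
                '"message": "The \'content\' field is required.", "status": 400}}')


class ApiError(Exception):
    """Carries the three documented error fields."""
    def __init__(self, code, message, status):
        super().__init__(f"{status} {code}: {message}")
        self.code, self.message, self.status = code, message, status


def parse_error(http_status, body):
    """Build an ApiError from a non-2xx body, tolerating a malformed envelope."""
    try:
        err = json.loads(body)["error"]
        return ApiError(str(err["code"]), str(err["message"]), int(err["status"]))
    except (ValueError, KeyError, TypeError):
        # Not the documented format (e.g. a proxy error page). UNPARSEABLE_ERROR
        # is a local, client-side label, not a Rorix error code.
        return ApiError("UNPARSEABLE_ERROR", "unexpected error body", http_status)


def seconds_until_reset(headers, now=None):
    """Seconds to pause before the next request; 0 while quota remains."""
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        remaining = int(h["x-ratelimit-remaining"])
        reset = int(h["x-ratelimit-reset"])
    except (KeyError, ValueError, TypeError):
        return 0  # headers missing or non-numeric: nothing to act on
    if remaining > 0:
        return 0
    # Treat the header as untrusted input: never negative, never beyond MAX_WAIT.
    return max(0, min(reset - now, MAX_WAIT))


def handle_response(http_status, headers, body, now=None):
    """Return (parsed JSON, seconds to wait) on 2xx, otherwise raise ApiError."""
    if 200 <= http_status < 300:
        return json.loads(body), seconds_until_reset(headers, now)
    raise parse_error(http_status, body)
```

Clamping the wait keeps a bogus or distant `X-RateLimit-Reset` value from stalling a CI job indefinitely.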