API Overview
Programmatically manage your CSP configuration, sites, scans, and policies.
Enterprise Plan Required
API access is only available on the Enterprise plan. Free and Pro plans can use the web dashboard for all operations.
Base URL
All API requests should be made to:
https://scriptattest.com/api
Note: There is no version prefix. All endpoints are under /api/.
Authentication
Authenticate requests using an API key. You can generate keys in the API Keys section of your dashboard (Enterprise plan only).
Include your API key in the Authorization header using the Bearer scheme:
Authorization: Bearer qs_your_api_key_here
Example Request
curl -X GET https://scriptattest.com/api/sites \
-H "Authorization: Bearer qs_your_api_key_here"
API Key Format
API keys are prefixed with qs_ and are 32 bytes of base64url-encoded random data. Example:
qs_A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0U1V2W3X4Y5Z6
Security Warning
API keys provide full access to your organization's data. Keep them secure and never commit them to version control. The full key is only shown once, when it is created; store it securely immediately.
Request Format
All requests must use:
- Content-Type: application/json (for POST/PATCH requests)
- Authorization: Bearer YOUR_API_KEY
Response Format
All responses are JSON with the following structure:
- Success responses: return the requested data directly (e.g., {"sites": [...]})
- Error responses: return {"error": "Error message"} with an appropriate HTTP status code
HTTP Status Codes
| Code | Meaning |
|---|---|
| 200 | Success |
| 201 | Created (resource successfully created) |
| 400 | Bad Request (invalid parameters) |
| 401 | Unauthorized (missing or invalid API key) |
| 403 | Forbidden (plan restriction or insufficient permissions) |
| 404 | Not Found (resource doesn't exist) |
| 409 | Conflict (resource already exists) |
| 500 | Internal Server Error |
Rate Limits
API requests are limited to 1000 requests per hour per organization. Rate limit headers are included in responses:
- X-RateLimit-Limit: Maximum requests per hour
- X-RateLimit-Remaining: Remaining requests in the current window
- X-RateLimit-Reset: Unix timestamp when the limit resets
When the rate limit is exceeded, you'll receive a 429 Too Many Requests response.
Plan Restrictions
Some endpoints require specific plan tiers:
- Free Plan: Basic site management, discovery scans, policy generation
- Pro Plan: All Free features, plus scheduled scans, validation scans, ScriptAttest (attestation)
- Enterprise Plan: All Pro features, plus API access, unlimited sites, advanced features
Endpoints that require Pro+ or Enterprise will return 403 Forbidden with an error message indicating the required plan.
Pagination
List endpoints support optional pagination via query parameters:
- limit: Number of items per page (default: 50, max: 100)
- offset: Number of items to skip (for pagination)
Error Handling
Always check the HTTP status code. Error responses include a JSON body with an error field:
{
"error": "Site not found"
}
Some errors may include additional fields like requiredPlan for plan restriction errors.
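The following Python client is an added example (not ScriptAttest's own SDK) that ties the conventions above together: the qs_-prefixed Bearer key, Content-Type only on requests with a body, limit/offset pagination, backing off on 429 using X-RateLimit-Reset, and surfacing the error body's requiredPlan field. The `send` transport and `make_stub_transport` are hypothetical helpers so the logic runs offline against constructed data; in production you would wrap urllib or requests in the same `(status, headers, body)` shape.

```python
import time
BASE_URL = "https://scriptattest.com/api"   # no version prefix, per the overview

class ScriptAttestError(Exception):
    """Non-200 response: keeps the status and the optional requiredPlan field."""
    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body.get('error', 'unknown error')}")
        self.status, self.required_plan = status, body.get("requiredPlan")

def request_headers(api_key, with_body=False):
    if not api_key.startswith("qs_"):          # keys are documented as qs_-prefixed
        raise ValueError("ScriptAttest API keys start with qs_")
    headers = {"Authorization": f"Bearer {api_key}"}
    if with_body:                              # Content-Type is only needed for POST/PATCH
        headers["Content-Type"] = "application/json"
    return headers

def list_all(send, api_key, resource, limit=100, sleep=time.sleep):
    """Collect every item from a list endpoint via limit/offset (documented max limit: 100).
    send(method, url, headers) -> (status, headers, body) is an injected (hypothetical) transport."""
    items, offset = [], 0
    while True:
        url = f"{BASE_URL}/{resource}?limit={limit}&offset={offset}"
        status, hdrs, body = send("GET", url, request_headers(api_key))
        if status == 429:                      # wait until the window resets, then retry this page
            sleep(max(0, int(hdrs.get("X-RateLimit-Reset", 0)) - int(time.time())))
            continue
        if status != 200:
            raise ScriptAttestError(status, body)
        page = body.get(resource, [])          # success body is e.g. {"sites": [...]}
        items.extend(page)
        if len(page) < limit:                  # a short page means there is nothing more
            return items
        offset += limit

def make_stub_transport(all_items, resource="sites", rate_limit_once=False, deny=None):
    """Constructed offline transport: pages through all_items, optionally answers the
    first call with a 429, or always answers with deny=(status, body) to simulate an error."""
    state = {"throttled": rate_limit_once}
    def send(method, url, headers):
        if deny:
            return deny[0], {}, deny[1]
        if state["throttled"]:
            state["throttled"] = False
            return 429, {"X-RateLimit-Reset": str(int(time.time()))}, {"error": "Too Many Requests"}
        query = dict(part.split("=") for part in url.split("?", 1)[1].split("&"))
        lo = int(query["offset"])
        return 200, {"X-RateLimit-Remaining": "999"}, {resource: all_items[lo:lo + int(query["limit"])]}
    return send
```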
Next Steps
Ready to start using the API? Check out the complete endpoint reference for detailed schemas, examples, and request/response formats.