§ Docs

API reference

Programmatic access to scans, findings, deliverables, and more.

The Brektra API is REST over HTTPS. Authentication uses a Bearer token issued from Settings → API keys. Tokens are prefixed with bk_live_ or bk_test_.

Base URL

https://brektra.com

Scans

Start a CI scan

POST /api/v1/scans/ci
content-type: application/json
authorization: Bearer bk_live_...

{
  "target": "https://app.example.com",
  "surfaces": ["ai"],
  "mode": "safe"
}

Response:

{
  "id": "f5b2...",
  "status": "queued"
}

Get scan status

GET /api/v1/scans/ci/{id}
authorization: Bearer bk_live_...

Response includes status, findings_count, exploits_confirmed, replay_url, and a list of findings with severity and category.

Atlas

Run a single Atlas pattern

POST /api/atlas/run
{
  "pattern_id": "uuid",
  "domain_id": "uuid"
}

Findings

List findings for a scan

GET /api/v1/scans/ci/{id}/findings

Deliverables

Generate a client deliverable (Business+ only)

POST /api/deliverables
{
  "scan_id": "uuid",
  "outputs": { "full_pdf": true, "executive_pdf": true, "share_links": true }
}

Webhooks

Configure in Settings → Notifications. Events are POSTed as JSON with an HMAC-SHA256 signature in x-brektra-signature. See Webhooks for the event schemas.
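
A receiver-side check for the signature described above, as an added example that is not Brektra's own code. It assumes the signature is the hex-encoded HMAC-SHA256 of the raw request body, keyed with a shared webhook secret, which this page does not specify; the secret, event fields and function names are constructed.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-brektra-signature"  # header name taken from this page


class SignatureError(Exception):
    """Raised when a webhook delivery fails verification."""


def sign(secret: bytes, raw_body: bytes) -> str:
    # Assumption: hex-encoded HMAC-SHA256 over the exact request body bytes.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> dict:
    """Return the parsed event only if the signature matches the body."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER)
    if not received:
        raise SignatureError("missing signature header")
    expected = sign(secret, raw_body)
    # compare_digest is constant-time, so the comparison does not leak
    # how many leading characters of a guessed signature were correct.
    candidate = received.strip().lower().encode()
    if not hmac.compare_digest(expected.encode(), candidate):
        raise SignatureError("signature mismatch")
    # Parse only after verification, from the same bytes that were checked.
    return json.loads(raw_body)


# Constructed sample delivery; secret and event fields are placeholders.
SECRET = b"example-webhook-secret"
BODY = b'{"event": "example.event", "scan_id": "example-id"}'
HEADERS = {"X-Brektra-Signature": sign(SECRET, BODY)}

if __name__ == "__main__":
    print(verify_webhook(SECRET, HEADERS, BODY))
```

Verify against the raw bytes as received; re-serialising the parsed JSON before hashing can change whitespace or key order and produce a false mismatch.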

Errors

Errors return JSON { "error": string, "code"?: string }. Plan-gate errors include "code": "plan_gate" and "upgrade_url".