
API Overview

The Sable Integration API lets external systems create and manage projects, pentest sessions, findings, and documents in Vulnetic. The current contract is published as OpenAPI 3.1.0 with API version 1.0.0, and all documented endpoints live under /api/v1.

Warning

The Integration API is currently in beta.

Beta access is limited to Pro and Enterprise subscribers.

Prerequisites

  • A Vulnetic account with available account balance
  • A Pro or Enterprise subscription with beta API access enabled
  • An API key for the beta Integration API. See the "Create an API key" video.
  • An integration client with the scopes required for the operations you plan to call
  • A credential issued for the beta API at https://app.vulnetic.ai/api/v1

What the API covers

  • Identity and scopes through GET /api/v1/me
  • Projects
  • Sessions
  • Findings
  • Documents

  1. Quickstart
  2. Authentication
  3. Environments
  4. Pagination and Filters
  5. Errors
  6. Resource reference pages for Projects, Sessions, Findings, and Documents

Core workflow

  1. Verify your integration identity with GET /api/v1/me
  2. Create or select a project
  3. Create a halted pentest session
  4. Start the session by updating its lifecycle status
  5. Poll the session and inspect its events
  6. Review and manage findings
  7. Create or update supporting documents

Key resource groups

Identity

  • GET /api/v1/me

Returns the authenticated integration identity, including account, API client, delegated user, roles, and scopes.

Projects

  • GET /api/v1/projects
  • POST /api/v1/projects
  • GET /api/v1/projects/{project_id}
  • PATCH /api/v1/projects/{project_id}

Sessions

  • GET /api/v1/sessions
  • POST /api/v1/sessions
  • GET /api/v1/sessions/{session_id}
  • PATCH /api/v1/sessions/{session_id}
  • GET /api/v1/sessions/{session_id}/events
  • PATCH /api/v1/sessions/{session_id}/status
  • PATCH /api/v1/sessions/{session_id}/project

Findings

  • GET /api/v1/findings/{finding_id}
  • PATCH /api/v1/findings/{finding_id}
  • GET /api/v1/sessions/{session_id}/findings
  • GET /api/v1/findings/{finding_id}/history
  • POST /api/v1/findings/{finding_id}/transition

Documents

  • GET /api/v1/documents
  • POST /api/v1/documents
  • GET /api/v1/documents/{document_id}
  • PATCH /api/v1/documents/{document_id}
  • GET /api/v1/documents/{document_id}/view-pdf

Important enums

Session status

  • active
  • active_auto
  • complete
  • queued
  • failed
  • halted

Finding status

  • OPEN
  • FALSE_POSITIVE
  • IN_RETEST
  • REMEDIATED
  • ACCEPTED_RISK

Document type

  • note
  • report

Session type

  • pentest
  • retest

OpenAPI gaps to finalize before public release

Warning

The current OpenAPI file does not publish a servers section or securitySchemes definition. The current beta base URL is https://app.vulnetic.ai/api/v1, but the final public OpenAPI contract should still publish that host directly and document the concrete auth scheme.

The current spec also only models 422 validation errors explicitly. Conventional auth, permission, not-found, and server-error responses should be documented before the API reference is treated as complete.
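
A check for the gaps listed above, written as an added example that is not part of the Vulnetic documentation or tooling. It takes an OpenAPI document already parsed into a dict. The function name `audit_spec`, the sample spec, and the rule that a 404 is only expected on paths with a path parameter are assumptions made for this example.

```python
# Added example: audits an OpenAPI document (as a dict) for the gaps named above.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}
# Response classes the page says should be documented, mapped to status keys.
EXPECTED = {
    "auth": {"401"},
    "permission": {"403"},
    "not-found": {"404"},
    "server-error": {"500", "5XX"},
}

def audit_spec(spec):
    """Return a list of gap descriptions; an empty list means none found."""
    gaps = []
    if not spec.get("servers"):
        gaps.append("no servers section")
    if not spec.get("components", {}).get("securitySchemes"):
        gaps.append("no securitySchemes definition")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # path-level keys such as "parameters" or "summary"
            codes = {str(code).upper() for code in op.get("responses", {})}
            if "DEFAULT" in codes:
                continue  # a default response covers codes not listed one by one
            for label, wanted in EXPECTED.items():
                # Assumption: 404 is only expected where the path has a parameter.
                if label == "not-found" and "{" not in path:
                    continue
                if not codes & wanted:
                    gaps.append(f"{method.upper()} {path}: no {label} response")
    return gaps

# Constructed sample, not the real Vulnetic contract: one operation that models
# only 422, and one that documents every expected response class.
OK = {"description": "constructed"}
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "info": {"title": "constructed sample", "version": "1.0.0"},
    "paths": {
        "/api/v1/me": {"get": {"responses": {"200": OK, "422": OK}}},
        "/api/v1/projects/{project_id}": {
            "parameters": [{"name": "project_id", "in": "path", "required": True}],
            "get": {"responses": {"200": OK, "401": OK, "403": OK, "404": OK, "5XX": OK}},
        },
    },
}

if __name__ == "__main__":
    for gap in audit_spec(SAMPLE_SPEC):
        print(gap)
```

Running the same function in CI against the published contract turns the release checklist above into a failing build whenever a new operation ships without its error responses.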