API Overview
Base URL, authentication, request format, and response conventions.
Base URL
All endpoints are relative to this base URL. All requests must be made over HTTPS.
Authentication
All requests require a Bearer token in the Authorization header.
See Authentication for how to obtain and manage API keys.
Request format
All POST request bodies must be JSON with the Content-Type: application/json header set.
Response format
All responses are JSON. All successful responses are wrapped in a consistent top-level structure. All error responses use the standard error envelope.
Response headers
Every response includes the following headers:
| Header | Description |
|---|---|
| X-Request-ID | A unique identifier for this request. Include this in any support communications. |
| X-RateLimit-Limit | Maximum requests allowed in the current window. |
| X-RateLimit-Remaining | Requests remaining in the current window. |
| X-RateLimit-Reset | Unix timestamp when the rate limit window resets. |
Rate limiting
The default rate limit is 100 requests per hour per API key. If you exceed this limit, you receive a 429 Too Many Requests response with a Retry-After header indicating how many seconds to wait before retrying.
If your use case requires higher limits, contact support@exonalab.com.
HTTP status codes
| Code | Meaning |
|---|---|
| 200 OK | Successful retrieval. |
| 201 Created | Scan successfully created. |
| 400 Bad Request | Invalid request: see the error body for details. |
| 401 Unauthorized | Missing or invalid API key. |
| 403 Forbidden | Valid key but access denied (e.g. IP not in allowlist). |
| 404 Not Found | The requested resource does not exist. |
| 429 Too Many Requests | Rate limit exceeded. |
| 500 Internal Server Error | Exona-side error. The X-Request-ID header is always present: include it in support requests. |
Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /v1/scans | Create a new scan for a company. |
| GET | /v1/scans/{id} | Retrieve a scan by ID. |
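The following is an added example, not Exona's own client code, showing how a caller would apply the conventions above end to end: HTTPS-only base URL, Bearer token, JSON body with Content-Type on POST, reading X-Request-ID and the X-RateLimit-* headers from every response, classifying the status codes from the table, and honouring Retry-After on 429 while never retrying 4xx errors. The base URL, the API key, the POST body field `company`, the error-body shape and all response header values are placeholders or constructed samples, since the page does not print them; the network is replaced by a scripted fake transport so the example runs offline.

```python
"""Client-side handling of the Exona API conventions (added example, not official code)."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Placeholder: the page does not reproduce the real base URL. Must be HTTPS.
BASE_URL = "https://BASE-URL-PLACEHOLDER"


def build_request(path: str, api_key: str, body: Optional[dict] = None) -> dict:
    """Assemble a request per the page: HTTPS only, Bearer token in Authorization,
    and on POST a JSON body with Content-Type: application/json."""
    if not BASE_URL.startswith("https://"):
        raise ValueError("all requests must be made over HTTPS")
    headers = {"Authorization": "Bearer " + api_key}
    req = {"method": "GET", "url": BASE_URL + path, "headers": headers, "body": None}
    if body is not None:
        req["method"] = "POST"
        headers["Content-Type"] = "application/json"
        req["body"] = json.dumps(body).encode("utf-8")
    return req


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes = b""


@dataclass
class Outcome:
    kind: str                      # ok | client_error | rate_limited | server_error
    request_id: str                # X-Request-ID, kept for support tickets
    remaining: Optional[int] = None  # X-RateLimit-Remaining, if present
    retry_after: int = 0           # seconds, from Retry-After on a 429
    data: Optional[dict] = None    # decoded JSON body; its envelope shape is not assumed


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify(resp: Response) -> Outcome:
    """Map a response onto the status-code table and surface the per-response headers."""
    rid = header(resp.headers, "X-Request-ID") or "<missing>"
    remaining_s = header(resp.headers, "X-RateLimit-Remaining")
    remaining = int(remaining_s) if remaining_s is not None else None
    data = json.loads(resp.body) if resp.body else None
    if resp.status in (200, 201):
        return Outcome("ok", rid, remaining, data=data)
    if resp.status == 429:
        # Retry-After is in seconds; use a conservative default if the header is absent.
        ra = header(resp.headers, "Retry-After")
        return Outcome("rate_limited", rid, remaining, retry_after=int(ra) if ra else 60, data=data)
    if resp.status >= 500:
        return Outcome("server_error", rid, remaining, data=data)  # escalate with X-Request-ID
    return Outcome("client_error", rid, remaining, data=data)  # 400/401/403/404: do not retry


def call_with_retry(send: Callable[[dict], Response], req: dict,
                    sleep: Callable[[float], None], max_attempts: int = 3) -> Outcome:
    """Send a request, waiting Retry-After seconds and retrying only on 429."""
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    attempt = 0
    while True:
        attempt += 1
        out = classify(send(req))
        if out.kind != "rate_limited" or attempt >= max_attempts:
            return out
        sleep(out.retry_after)


def make_fake_send(responses: List[Response]) -> Callable[[dict], Response]:
    """Constructed stand-in for the network: returns scripted responses in order."""
    queue = list(responses)

    def send(req: dict) -> Response:
        assert req["url"].startswith("https://")
        return queue.pop(0)
    return send


# Constructed sample responses (not captured from the real API); the error body is a guess.
SAMPLE_RESPONSES = [
    Response(429, {"X-Request-ID": "req-constructed-1", "X-RateLimit-Limit": "100",
                   "X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1700000000",
                   "Retry-After": "7"}, b'{"error": "rate limit exceeded"}'),
    Response(201, {"X-Request-ID": "req-constructed-2", "X-RateLimit-Limit": "100",
                   "X-RateLimit-Remaining": "99", "X-RateLimit-Reset": "1700003600"},
             b'{"id": "scan-constructed-1"}'),
]


def demo() -> tuple:
    """Create a scan via the fake transport; returns (outcome, list of seconds slept)."""
    slept: List[float] = []
    req = build_request("/v1/scans", "API_KEY_PLACEHOLDER", {"company": "Example Co"})
    out = call_with_retry(make_fake_send(SAMPLE_RESPONSES), req, slept.append)
    return out, slept


if __name__ == "__main__":
    outcome, waited = demo()
    print(outcome.kind, outcome.request_id, outcome.remaining, waited)
```

The retry loop deliberately treats only 429 as retryable: a 401 or 403 will not fix itself, and retrying a 500 without the X-Request-ID in hand loses the one value support needs. Swapping `make_fake_send` for a real HTTPS call keeps the rest of the logic unchanged.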