API overview Growth+¶
The CredWatch REST API lets you query findings, scans, and trigger actions from your own tooling. Useful for:
- Importing findings into a SIEM (Splunk, Elastic, Datadog).
- Building internal dashboards on top of CredWatch data.
- Automating triage with custom rules ("auto-suppress anything in repos tagged
archived"). - Wiring CredWatch into your incident response workflow.
Quick start¶
# 1. Generate an API key in the portal under Profile → API keys
# 2. Use it as a Bearer token
curl https://app.cred-watch.com/api/v1/findings \
-H "Authorization: Bearer cw_sk_a3f8...c2b1"
Response:
{
"data": [
{
"id": "01HXYZ...",
"status": "active",
"validation_status": "valid",
"composite_score": 87,
"source_type": "repo",
"source_url": "https://github.com/acme/web/blob/abc/src/config.ts#L42",
"matched_text": "sk-a1****cd34",
"pattern": {"name": "OpenAI API Key", "secret_type": "openai"},
...
}
],
"meta": {"total": 142, "page": 1, "per_page": 25, "pages": 6}
}
Base URL¶
https://app.cred-watch.com
All API routes are prefixed with /api/v1.
Endpoints¶
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/findings |
Paginated, filterable list of findings |
| GET | /api/v1/findings/{id} |
Single finding by ID |
| POST | /api/v1/findings/{id}/suppress |
Mark a finding suppressed |
| POST | /api/v1/findings/{id}/resolve |
Mark a finding resolved (optional ?note=...) |
| GET | /api/v1/scans |
Recent scan runs (GitHub + scrape) |
| GET | /api/v1/scans/{id} |
Single scan run detail |
The full machine-readable spec is at /openapi.json and rendered on the reference page.
Conventions¶
Response envelopes¶
All responses use one of three envelopes:
// List
{"data": [...], "meta": {"total": N, "page": P, "per_page": PP, "pages": Q}}
// Single resource
{"data": {...}}
// Mutation
{"data": {"id": "...", "status": "..."}}
Errors¶
{"error": "code", "message": "human-readable explanation"}
The HTTP status code is also set correctly (400 for bad input, 401 for missing/invalid auth, 403 for forbidden, 404 for not found, 429 for rate-limited, 500 for our problem).
IDs¶
All resource IDs are ULIDs encoded as base32 (26 characters, sortable by creation time).
Timestamps¶
All timestamps are ISO-8601 with UTC offset: 2026-05-21T14:33:12+00:00. Never local time.
What the API can do¶
| Capability | Available |
|---|---|
| Read findings | ✓ |
| Filter and paginate | ✓ |
| Resolve / suppress findings | ✓ |
| Read scan history | ✓ |
| Trigger a scan | ✗ (use the portal) |
| Read team / billing / config | ✗ |
| Write integrations | ✗ |
| Create suppression rules | ✗ (planned) |
If a missing capability blocks your workflow, email [email protected] — the public API surface grows based on customer demand.
Next¶
- Authentication — how the Bearer token works
- Rate limits & errors — what to expect and how to back off
- Reference — the full auto-generated endpoint reference
- Webhook payloads — what gets posted to your outbound webhook