SentrAISentrAI
Agency + Enterprise

API Documentation

Programmatic access to SentrAI's security scanning engine. Run scans, retrieve results, and integrate into your workflows.

Authentication

All API requests require a Bearer token in the Authorization header. Generate your API key from Dashboard → Settings.

Authorization: Bearer YOUR_API_KEY

API keys are hashed before storage. Save your key when generated — it cannot be retrieved later.

Rate Limits

100 requests per hour per API key. Rate limit headers are included in every response.

X-RateLimit-Limit: 100

X-RateLimit-Remaining: 97

X-RateLimit-Reset: 1716076800

POST/api/v1/scan

Run a passive security scan on a domain. Returns risk score, findings, and positive indicators.

Request

curl -X POST https://www.sentrai.co.uk/api/v1/scan \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "example.com"}'

Response (200 OK)

{
  "domain": "example.com",
  "riskScore": 65,
  "riskLevel": "MODERATE",
  "platform": "Cloudflare",
  "scannedAt": "2026-05-18T12:00:00Z",
  "findings": [
    {
      "title": "No Content Security Policy",
      "severity": "HIGH",
      "confidence": "PROVEN",
      "category": "Browser Security",
      "description": "No CSP header present...",
      "evidence": "Content-Security-Policy header absent",
      "businessImpact": "Increases XSS risk...",
      "fix": "Add Content-Security-Policy header..."
    }
  ],
  "positiveFindings": [
    "SSL certificate valid and not expiring soon",
    "HSTS header configured"
  ]
}

Error Responses

401 Invalid or missing API key

403 Plan does not include API access

400 Invalid domain format

429 Rate limit exceeded

502 Scan failed (domain unreachable)

Key Management

GET/api/v1/key

Check if you have an active API key. Requires Clerk session auth.

POST/api/v1/key

Generate a new API key. Returns the plaintext key once — save it immediately.

What's Scanned

Each scan checks these areas (passive, non-intrusive):

DNS records & configuration
SSL/TLS certificate validity
HTTP security headers
Content Security Policy
Email authentication (SPF/DMARC/DKIM)
Third-party script supply chain
CORS configuration
CAA records & DNSSEC
Cookie consent compliance
Origin exposure detection

Support

Questions about the API? Email hello@sentrai.co.uk or book a call.