Inventory REST API

The Inventory REST API lets you view API targets and definitions in the system. Use it to upload new API definitions, edit existing ones, link API targets to DAST scan targets for vulnerability scanning, and retrieve scan results per definition.

For authentication and general Swagger UI navigation, refer to Use the Invicti Platform API. Open this API definition directly in Swagger UI.

Common examples

List API targets

Use this to retrieve all API targets in your organization, with optional filtering and sorting.

View list API targets example

Endpoint: GET /api/apihub/v1/inventory/api-targets

Try it in Swagger UI:

Expand API Targets and select GET /api/apihub/v1/inventory/api-targets.
Click Try it out.
Set limit to 20 and leave cursor as 0 to get the first page.
Optionally use search to filter by name, or sort to order results.
Click Execute.

Example response:

{
  "targets": [
    {
      "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "name": "My API",
      "description": "No description provided",
      "alternativeUrls": [
        "http://api.example.com"
      ],
      "definitions": [
        {
          "id": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
          "source": {
            "mode": "Provided",
            "origin": "Manually uploaded"
          },
          "format": "Openapi3",
          "name": "",
          "url": null,
          "sourceName": null
        }
      ],
      "definitionFormat": "Openapi3",
      "createdAt": "2025-11-15T10:30:00Z",
      "modifiedAt": "2025-11-20T14:22:00Z",
      "lastScanned": "2025-11-19T09:15:00Z",
      "lastScanStatus": "Completed",
      "operationsCount": 25,
      "isHidden": false,
      "vulnerabilityCounts": {
        "critical": 2,
        "high": 5,
        "medium": 12,
        "low": 8,
        "info": 3
      },
      "links": [],
      "annotations": [],
      "apiCredentialId": null
    }
  ],
  "totalCount": 7,
  "nextPage": null,
  "previousPage": null
}

Use nextPage as the cursor value to retrieve the next page of results. Note that vulnerabilityCounts, lastScanned, and lastScanStatus may be null if the target has not been scanned.

Supported sort values: name, createdAt, modifiedAt, lastScanned, lastScanStatus, definitionFormat, operationsCount

Supported definitionFormat values: Openapi3, Openapi2, Genericapi, Graphql, Grpc, Raml, Wsdl, Wadl

Get an API target by ID

Use this to retrieve details for a specific API target, including its operations and vulnerability counts.

View get API target example

Endpoint: GET /api/apihub/v1/inventory/api-targets/{apiTargetId}

Try it in Swagger UI:

Expand API Targets and select GET /api/apihub/v1/inventory/api-targets/{apiTargetId}.
Click Try it out.
Enter the apiTargetId. You can retrieve this from the list API targets endpoint.
Click Execute.

Example response:

{
  "target": {
    "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "name": "My API",
    "description": "No description provided",
    "alternativeUrls": [
      "http://api.example.com"
    ],
    "definitions": [
      {
        "id": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
        "source": {
          "mode": "Discovered",
          "origin": "dast_engine_api_discovery"
        },
        "format": "Genericapi",
        "name": "",
        "url": null,
        "sourceName": "Invicti Scan (Reconstructed)"
      }
    ],
    "definitionFormat": "Genericapi",
    "createdAt": "2025-11-15T10:30:00Z",
    "modifiedAt": "2025-11-20T14:22:00Z",
    "lastScanned": "2025-11-19T09:15:00Z",
    "lastScanStatus": "Completed",
    "operationsCount": 4,
    "isHidden": false,
    "vulnerabilityCounts": {
      "critical": 0,
      "high": 3,
      "medium": 0,
      "low": 0,
      "info": 4
    },
    "links": [],
    "annotations": [],
    "apiCredentialId": null
  },
  "operations": [
    {
      "id": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
      "type": "GET",
      "endpoint": "/api/v1/users",
      "name": "getapiv1users",
      "lastScanned": "2025-11-19T09:15:00Z",
      "lastUpdate": "2025-11-20T14:22:00Z",
      "excludeOperation": false,
      "source": {
        "mode": "Discovered",
        "origin": "dast_engine_api_discovery"
      },
      "vulnerabilityCounts": {
        "critical": 0,
        "high": 1,
        "medium": 0,
        "low": 0,
        "info": 0
      },
      "annotations": []
    }
  ]
}

Upload an API definition

Use this to upload an API specification file and create a new API target from it.

View upload API definition example

Endpoint: POST /api/apihub/v1/inventory/api-targets/create-from-definition

Try it in Swagger UI:

Expand API Targets and select POST /api/apihub/v1/inventory/api-targets/create-from-definition.
Click Try it out.
Set the required query parameters:
- format - the specification format, see the following values
- mode - set to provided for manually uploaded definitions
- origin - a label for the source, for example manual-upload
Upload your API definition file in the body field.
Click Execute.

Supported format values: openapi3, openapi2, graphql, grpc, raml, genericapi, wsdl, wadl

A successful response returns HTTP 200 with the new API target details, including its ID.

Link an API target to a DAST scan target

Use this to associate an API target in the API Hub with a DAST scan target so Invicti can scan the API for vulnerabilities.

View link API target example

Endpoint: POST /api/apihub/v1/inventory/links

Try it in Swagger UI:

Expand Links and select POST /api/apihub/v1/inventory/links.
Click Try it out.
Enter a request body with the required fields:

{
  "apiTargetId": "string",
  "baseUrl": "string",
  "remoteTargetId": "string",
  "remoteTargetDisplayName": "string",
  "remoteTargetAdditionalInfo": "string",
  "remoteTargetScanProfile": {
    "id": "string",
    "name": "string",
    "remoteTargetId": "string",
    "remoteTargetUri": "string",
    "hasRemoteTargetId": true
  },
  "remoteTargetExtra": {
    "tags": [],
    "agentId": "string",
    "environmentId": "string",
    "businessImpact": "low",
    "targetType": "web",
    "collections": [],
    "applications": []
  }
}

Click Execute.

A successful response returns HTTP 200 with the link details.

note

You can retrieve the apiTargetId from the list API targets endpoint and the remoteTargetId from the DAST API targets endpoint.

Export API inventory

Use this to export API target or operation data for reporting or external processing.

View export inventory example

Endpoint: POST /api/apihub/v1/inventory/export

Try it in Swagger UI:

Expand Export and select POST /api/apihub/v1/inventory/export.
Click Try it out.
Optionally set query parameters - these are optional filters that control which records get included in the export. If left empty, the export includes all targets or operations.
Enter a request body specifying what to export and the format:

{
  "exportType": "targets",
  "format": "csv"
}

Click Execute.
The response returns a binary file. Click Download in Swagger UI to save it.

Field	Values
`exportType`	`targets`, `operations`
`format`	`csv`, `json`, `xml`
`definitionFormat`	Comma-separated definition formats to filter on
`scanDate`	Filter by last scan date
`operationsCount`	Filter by number of operations
`createdAt`	Filter by creation date
`modifiedAt`	Filter by last modification date

If no query parameters are set, all targets or operations are exported.

Need help?

The Support team is ready to provide you with technical help. Go to Help Center

Was this page useful?

Common examples​

List API targets​

Get an API target by ID​

Upload an API definition​

Link an API target to a DAST scan target​

Export API inventory​

Need help?​

Common examples

List API targets

Get an API target by ID

Upload an API definition

Link an API target to a DAST scan target

Export API inventory

Need help?