Inventory API

The Inventory API is the primary API for most integration use cases. Use it to manage applications, assets, vulnerabilities, and collections programmatically.

For authentication and general Swagger UI navigation, refer to Use the Invicti Platform API. Open this API definition directly in Swagger UI.

Common examples

List applications

Use this to retrieve all applications in your organization. Applications group related assets together.

View list applications example

Endpoint: GET /api/inventory/v1/applications

Try it in Swagger UI:

Expand Applications and select GET /api/inventory/v1/applications.
Click Try it out.
Set pageSize to 10 and pageNumber to 1.
Optionally set includeAssetCounts to true to see how many assets belong to each application.
Click Execute.

Example response:

{
  "items": [
    {
      "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "organizationId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
      "collectionIds": [
        "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"
      ],
      "assetIds": [
        "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
      ],
      "name": "Barnaby Stores App South",
      "description": null,
      "tags": [],
      "assetCounts": {
        "targets": 3,
        "repositories": 0
      }
    }
  ],
  "pageInfo": {
    "totalCount": 1,
    "pageSize": 10,
    "currentPage": 1,
    "totalPages": 1
  }
}

Create an application

Use this to create a new application programmatically, for example as part of an onboarding pipeline.

View create application example

Endpoint: POST /api/inventory/v1/applications

Try it in Swagger UI:

Expand Applications and select POST /api/inventory/v1/applications.
Click Try it out.
Replace the example request body with your values:

{
  "name": "string",
  "description": "string",
  "tags": ["string"]
}

Click Execute.

A successful response returns HTTP 201 Created with a Location header containing the URL of the new application.

Field	Required	Notes
`name`	Yes	1-255 characters
`description`	No	Up to 1,023 characters
`tags`	No	Array of strings

List assets

Use this to retrieve all assets in your organization, with optional filtering by application, type, or URL.

View list assets example

Endpoint: GET /api/inventory/v1/assets

Try it in Swagger UI:

Expand Assets and select GET /api/inventory/v1/assets.
Click Try it out.
Use any combination of the following filters:
- applicationId - limit results to a specific application
- assetType - filter by Target or Repository
- targetUrl - filter by URL
- pageSize and pageNumber - control pagination
Click Execute.

Example response:

{
  "items": [
    {
      "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "organizationId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
      "applicationIds": [
        "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"
      ],
      "assetType": "Target",
      "name": "Production API",
      "targetUrl": "https://api.example.com",
      "tags": ["api", "production"],
      "deleted": false
    }
  ],
  "pageInfo": {
    "totalCount": 120,
    "pageSize": 20,
    "currentPage": 1,
    "totalPages": 6
  }
}

List vulnerabilities with filters

Use this to retrieve vulnerabilities, filtered by severity, status, or asset.

View list vulnerabilities example

Endpoint: GET /api/inventory/v1/vulnerabilities

Try it in Swagger UI:

Expand Vulnerabilities and select GET /api/inventory/v1/vulnerabilities.
Click Try it out.
Use any combination of the following filters:
- vulnerabilitySeverities - filter by severity (for example, Critical, High)
- vulnerabilityStatus - filter by status (for example, open, fixed)
- assetId - limit results to a specific asset (use the UUID from the assets endpoint)
- pageSize and pageNumber - control pagination
Click Execute.

Example response:

{
  "items": [
    {
      "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "assetId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
      "name": "Directory listings",
      "status": "open",
      "severity": "medium",
      "confirmed": true,
      "firstSeen": "2025-11-13T10:39:15Z",
      "lastSeen": "2025-11-13T10:39:15Z",
      "dast": {
        "url": "http://aspnet.testinvicti.com/",
        "method": null,
        "parameter": ""
      },
      "tags": []
    }
  ]
}

tip

Use firstSeen and lastSeen together with firstSeenOperator and lastSeenOperator to filter vulnerabilities by date range.

Bulk update vulnerability status

Use this to update the status of multiple vulnerabilities at once, for example to mark a batch as accepted risk or confirmed fixed.

View bulk update vulnerability status example

Endpoint: PATCH /api/inventory/v1/vulnerabilities

Try it in Swagger UI:

Expand Vulnerabilities and select PATCH /api/inventory/v1/vulnerabilities.
Click Try it out.
Enter a request body with the vulnerability IDs and the target status:

{
  "ids": [
    "string",
    "string"
  ],
  "newStatus": "fixed"
}

Click Execute.

A successful response returns HTTP 200.

Supported newStatus values:

Value	Description
`open`	Vulnerability is active and unresolved.
`fixed`	Vulnerability has been remediated and confirmed fixed.
`fixedUnconfirmed`	Marked as fixed but not yet verified by a scan.
`falsePositive`	Identified as a false positive finding.
`ignored`	Acknowledged but not being actioned.
`reDiscovered`	Previously fixed vulnerability detected again in a subsequent scan. Typically assigned by the platform automatically.
`notChecked`	Vulnerability has not been checked yet.
`notFound`	Vulnerability was not found in the most recent scan.

note

You can retrieve vulnerability IDs using GET /api/inventory/v1/vulnerabilities.

List collections

Use this to retrieve all collections in your organization. Collections group applications by business unit, team, region, or other criteria.

View list collections example

Endpoint: GET /api/inventory/v1/collections

Try it in Swagger UI:

Expand Collections and select GET /api/inventory/v1/collections.
Click Try it out.
Set pageSize and pageNumber to control pagination.
Click Execute.

Example response:

{
  "items": [
    {
      "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "organizationId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
      "name": "Finance Systems",
      "description": "All financial processing applications",
      "collectionType": "BusinessUnit",
      "tags": ["finance", "pci-dss"],
      "createdAt": "2025-11-01T09:00:00Z",
      "updatedAt": "2025-11-20T15:30:00Z"
    }
  ],
  "pageInfo": {
    "totalCount": 8,
    "pageSize": 10,
    "currentPage": 1,
    "totalPages": 1
  }
}

Supported collectionType values: BusinessUnit, ProductFamily, Region, Team, Other

Export data

Use this to export vulnerability or asset data as a file for reporting or external processing.

View export data example

Endpoint: POST /api/inventory/v1/export

Try it in Swagger UI:

Expand Export and select POST /api/inventory/v1/export.
Click Try it out.
Specify the data you want to export and the format in the request body.
Click Execute.
The response returns a binary file. Click Download in Swagger UI to save it.

Need help?

The Support team is ready to provide you with technical help. Go to Help Center

Was this page useful?

Common examples​

List applications​

Create an application​

List assets​

List vulnerabilities with filters​

Bulk update vulnerability status​

List collections​

Export data​

Need help?​

Common examples

List applications

Create an application

List assets

List vulnerabilities with filters

Bulk update vulnerability status

List collections

Export data

Need help?