Use the Invicti Platform API
The Invicti Platform REST API lets you manage applications, assets, vulnerabilities, and more programmatically. You can use it to integrate Invicti into your own tools, automate workflows, or export data.
The API is documented using Swagger UI, which provides an interactive interface for exploring and testing endpoints directly in your browser.
This document explains how to authenticate with the API and navigate the Swagger UI.
Prerequisites
Before you begin:
- You need an API key. Refer to Manage your API key.
- You need access to the Swagger UI. Refer to Access API documentation.
Authenticate in Swagger UI
All API requests require authentication. In Swagger UI, you set this once and it applies to all requests in that session.
- Open the Swagger UI.
- Click the Authorize button (lock icon) at the top right of the page.
- In the dialog that opens, find the xAuth (apiKey) field.
- Paste your API key into the field.
- Click Authorize, then Close.
The lock icons on each endpoint now appear closed, indicating your session is authenticated.
Your API key doesn't expire, but keep it secure. If you regenerate your key, update it here.
Select an API definition
The Swagger UI contains multiple API definitions. Use the Select a definition dropdown at the top right of the page to switch between them.
| Definition | Use it to… |
|---|---|
| Inventory API | Manage applications, assets, collections, and vulnerabilities. This is the primary API for most integration use cases. |
| DAST API | Manage scan targets, trigger and monitor scans, retrieve results, and generate reports. |
| External Scan API | Import vulnerability findings from third-party tools such as Mend or SARIF-compatible scanners. |
| Inventory REST API | Manage API definitions, API targets, and their links to DAST scan targets. |
| API Importers API | Configure and trigger integrations that automatically import API definitions from external sources. |
| Integrations API | Manage plugin integrations, automation rules, CI/CD scan profiles, and Jira connections. |
| Identity Management API | Manage SAML SSO configuration, client applications, organizations, and licenses. |
| Identity SCIM v2 | Provision and manage users, groups, and roles using the SCIM 2.0 standard. |
Authentication is per session and per definition. When you switch to a different definition, click Authorize again and re-enter your API key.
Navigate the Swagger UI
The Swagger UI groups endpoints by resource type, such as Applications, Assets, Vulnerabilities, and Collections.
To try an endpoint:
- Click a resource group to expand it.
- Click an individual endpoint to expand its details.
- Click Try it out.
- Fill in any required parameters or request body.
- Click Execute.
- Review the response in the Responses section below.
Optional request headers
Some endpoints include optional header parameters. You can fill these in the Parameters section when using Try it out.
| Header | Description |
|---|---|
| X-Correlation-ID | A UUID you provide to trace a request across services. Useful for debugging and support. |
| X-Invicti-OrganizationId | The organization ID to associate with the request. Required if your account has access to multiple organizations. |
| X-Invicti-UserId | The user ID to associate with the request. |
API reference
For endpoint-specific examples, refer to the individual API reference docs:
- API Importers API
- Inventory REST API
- External Scan API
- DAST API
- Identity Management API
- Identity SCIM v2
- Integrations API
- Inventory API
Pagination
All list endpoints support pagination using pageSize and pageNumber:
- pageSize - number of results per page (check each endpoint for the maximum allowed)
- pageNumber - page to retrieve, starting from 1
The response always includes a pageInfo object with totalCount and totalPages so you can iterate through all results.
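The loop below is an added example, not Invicti's own code: it walks a list endpoint with pageSize/pageNumber, stops on pageInfo.totalPages rather than on an empty page, and builds the request headers from the optional-headers table above. It assumes the API-key header is literally named xAuth, that each page's records sit under an `items` key, and it swaps a constructed in-memory backend in for the real endpoint (base URL and path are placeholders).

```python
"""Walk every page of an Invicti Platform list endpoint (pageSize / pageNumber)."""
import json
import urllib.parse
import urllib.request
import uuid
from typing import Callable, Dict, Iterator, List, Optional

API_KEY_HEADER = "xAuth"  # ASSUMPTION: header behind the Swagger "xAuth (apiKey)" scheme; confirm in Swagger UI
ITEMS_KEY = "items"       # ASSUMPTION: key holding a page's records; the page only documents "pageInfo"

def build_headers(api_key: str, organization_id: Optional[str] = None,
                  correlation_id: Optional[str] = None) -> Dict[str, str]:
    """API key plus the optional headers from the table above; a fresh UUID if none is given."""
    headers = {API_KEY_HEADER: api_key,
               "X-Correlation-ID": correlation_id or str(uuid.uuid4())}
    if organization_id:  # only needed when the account spans several organizations
        headers["X-Invicti-OrganizationId"] = organization_id
    return headers

def http_fetch_page(base_url: str, path: str, headers: Dict[str, str]) -> Callable[[int, int], dict]:
    """Build a fetch_page(page_size, page_number) callable that performs the real GET."""
    def fetch_page(page_size: int, page_number: int) -> dict:
        query = urllib.parse.urlencode({"pageSize": page_size, "pageNumber": page_number})
        req = urllib.request.Request(f"{base_url}{path}?{query}", headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page

def iterate_all(fetch_page: Callable[[int, int], dict], page_size: int) -> Iterator[dict]:
    """Yield every record; stop on pageInfo.totalPages, not on an empty page (pages start at 1)."""
    page_number = 1
    while True:
        body = fetch_page(page_size, page_number)
        yield from body.get(ITEMS_KEY, [])
        if page_number >= body["pageInfo"]["totalPages"]:  # also ends cleanly on totalPages == 0
            return
        page_number += 1

# CONSTRUCTED stand-in for the API: seven fake assets served in pages, so this runs offline.
FAKE_ASSETS: List[dict] = [{"id": f"asset-{n}"} for n in range(1, 8)]

def fake_fetch_page(page_size: int, page_number: int) -> dict:
    total, start = len(FAKE_ASSETS), page_size * (page_number - 1)
    return {ITEMS_KEY: FAKE_ASSETS[start:start + page_size],
            "pageInfo": {"totalCount": total, "totalPages": -(-total // page_size)}}

def collect_ids(page_size: int = 3) -> List[str]:
    """All asset ids across pages; with the fake backend this is asset-1 .. asset-7."""
    return [asset["id"] for asset in iterate_all(fake_fetch_page, page_size)]
```

To run against the real API, replace fake_fetch_page with http_fetch_page("https://<your-platform-host>", "/<list-endpoint-path>", build_headers(api_key, organization_id)), using the path and maximum pageSize shown for that endpoint in Swagger UI.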
Error responses
| HTTP status | Meaning |
|---|---|
| 400 Bad Request | Invalid parameters or request body. Check the response body for details. |
| 401 Unauthorized | Missing or invalid bearer token. Re-authenticate using the Authorize button. |
| 403 Forbidden | Your account does not have permission for this operation. |
| 404 Not Found | The specified resource does not exist. |
| 422 Unprocessable Entity | Request was understood but failed validation. |
Need help?
The Support team is ready to provide you with technical help. Go to the Help Center.