OpsCurb
Sign in
product

API Documentation

REST API reference for scans, findings, accountability, and supporting workflows.

2 min read
Updated 2026-03-08

API Documentation

Base URL: https://<your-railway-backend>/api

On this page

Authentication

There is currently no "API Keys" UI in OpsCurb.

Customer-facing endpoints use a Supabase access token:

curl -H "Authorization: Bearer <SUPABASE_ACCESS_TOKEN>" \
  https://<your-railway-backend>/api/ai/preferences

Internal automation endpoints use shared-secret headers:

  • X-Scan-Secret for scheduled scan triggers
  • X-Digest-Secret for weekly digest endpoints
  • X-Reconcile-Secret for subscription reconciliation

Health & Discovery

  • GET /api — API root (docs + endpoint links)
  • GET /api/health/live — liveness probe
  • GET /api/health — readiness/dependency health
  • GET /api/docs — Swagger UI
  • GET /api/openapi.json — OpenAPI spec

Authenticated Customer Endpoints (Bearer token required)

  • GET /api/ai/preferences

  • PUT /api/ai/preferences

  • GET /api/ai/models/available

  • GET /api/ai/usage

  • GET /api/recommendations/{finding_id}/instructions

  • POST /api/deep-inspect/{finding_id}

  • PATCH /api/findings/{finding_id}/accountability

  • POST /api/scans/trigger

  • GET /api/forecasting

  • GET /api/forecasting/accounts

  • GET /api/forecasting/budget

  • PUT /api/forecasting/budget

  • GET /api/tagging/policy

  • PUT /api/tagging/policy

  • POST /api/tagging/apply

  • POST /api/anomaly/check

  • GET /api/savings-plans (requires aws_account_id query param)

  • GET /api/reserved-instances (requires aws_account_id query param)

Internal / Automation Endpoints

  • POST /api/scans/run-scheduled — cron-triggered scheduled scans, requires X-Scan-Secret
  • POST /api/weekly-digest/send — requires X-Digest-Secret
  • POST /api/weekly-digest/send/{customer_id} — requires X-Digest-Secret
  • POST /api/reconcile/subscriptions — requires X-Reconcile-Secret

Important Notes

  • The previous docs listing GET /api/scans, GET /api/findings, and GET /api/recommendations was outdated; those endpoints are not present in current router code.
  • For exact request/response schemas, use GET /api/openapi.json or Swagger at GET /api/docs.

Questions? Email support@opscurb.com.