The HTTP API
Everything the console and the CLI do is plain HTTP against the daemon’s /v1
surface. The base URL is the hosted daemon:
https://api.vulnd.cypherassassin.com
Responses are JSON. The corpus reads are public; the note routes require an OAuth bearer token (see Auth).
Reads — public
| Method · Route | Returns |
|---|---|
| GET /v1/healthz | { ok, service, version } liveness. |
| GET /v1/cve/{id} | One CVE: CVSS, KEV, EPSS, weaknesses, affected configs, references. |
| GET /v1/cve?q=…&min_cvss=… | Filtered CVE list — the search model axes as query params. |
| GET /v1/cwe/{id} | One CWE with hierarchy edges. |
| GET /v1/cpe/{vendor}/{product}/{version} | CVEs matching an exact build. |
| GET /v1/stats | Table-count snapshot. |
| GET /v1/sync | Per-source freshness watermarks. |
No credential is needed, but anonymous traffic is rate-limited per IP at the edge. A bearer token lifts you to the authenticated tier and attributes the request to your account — see Limits.
```sh
curl -s https://api.vulnd.cypherassassin.com/v1/cve/CVE-2021-44228 | jq .
curl -s 'https://api.vulnd.cypherassassin.com/v1/cve?q=log4j&min_cvss=9' | jq '.items[].id'
```
Notes — OAuth bearer required
| Method · Route | Action |
|---|---|
| GET /v1/notes?tag=… | List notes carrying a tag (the notes scope). |
| PUT /v1/notes/{kind}/{id} | Create or replace a note on a cve / cwe / cpe record. |
| DELETE /v1/notes/{kind}/{id} | Remove a note. |
```sh
curl -s -H "Authorization: Bearer $TOKEN" \
  -X PUT https://api.vulnd.cypherassassin.com/v1/notes/cve/CVE-2021-44228 \
  -d '{"body":"patched in prod","tags":["log4shell"]}'
```
Tokens come from the OAuth 2.1 flows, not a static key — the browser uses
authorization-code + PKCE, the CLI uses the device grant. There is no
client_credentials grant and no API-key header.
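
The search and note requests shown above, built in Python so that caller-supplied values cannot reshape the route and the bearer token is only ever attached to the fixed HTTPS base URL. This is an added example, not code from the vulnd project: the names `cve_search` and `put_note` are hypothetical, and the CVE id pattern and the explicit `Content-Type` header are assumptions.

```python
import json
import re
from urllib.parse import quote, urlencode
from urllib.request import Request

BASE = "https://api.vulnd.cypherassassin.com"   # base URL given on this page
NOTE_KINDS = {"cve", "cwe", "cpe"}              # record kinds the notes route accepts
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")        # assumption: standard CVE id shape


def cve_search(q, min_cvss=None):
    """Build the public GET /v1/cve search; no credential is attached."""
    params = {"q": q}
    if min_cvss is not None:
        params["min_cvss"] = min_cvss
    # urlencode keeps '&' or '=' inside q from becoming extra parameters.
    return Request(f"{BASE}/v1/cve?{urlencode(params)}", method="GET")


def put_note(token, kind, record_id, body, tags):
    """Build PUT /v1/notes/{kind}/{id} carrying the OAuth bearer token."""
    if kind not in NOTE_KINDS:
        raise ValueError(f"unsupported note kind: {kind!r}")
    if kind == "cve" and not CVE_ID.fullmatch(record_id):
        raise ValueError(f"not a CVE id: {record_id!r}")
    # Reject empty tokens and embedded whitespace/CRLF before they reach a header.
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("bearer token is empty or contains whitespace")
    # safe="" encodes '/', so an id cannot add or climb path segments.
    url = f"{BASE}/v1/notes/{kind}/{quote(record_id, safe='')}"
    payload = json.dumps({"body": body, "tags": list(tags)}).encode("utf-8")
    req = Request(url, data=payload, method="PUT")
    req.add_header("Authorization", f"Bearer {token}")
    # Assumption: the page's curl sets no Content-Type; JSON is declared here.
    req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    for r in (cve_search("log4j", 9),
              put_note("constructed-token", "cve", "CVE-2021-44228",
                       "patched in prod", ["log4shell"])):
        print(r.get_method(), r.full_url)
```

Pass the returned object to `urllib.request.urlopen(req, timeout=10)` to send it.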