API Reference
Complete reference for the RSOLV Platform API for vulnerability detection and AST validation.
Interactive API Documentation
Try the API interactively with our Swagger UI at api.rsolv.dev/docs
Test endpoints, view complete request/response schemas, and get code examples in multiple languages.
Base URL
https://api.rsolv.dev/api/v1
Authentication
All API requests require authentication using an API key. Include your API key in the X-API-Key header.
GET /api/v1/patterns HTTP/1.1
Host: api.rsolv.dev
X-API-Key: rsolv_your_api_key_here
Accept: application/json
Get Your API Key: Sign up at rsolv.dev/signup. Your key starts with rsolv_.
Rate Limiting
API requests are rate limited to ensure fair usage and system stability.
| Limit | Window | Scope |
|---|---|---|
| 500 requests | 1 hour | Per API key |
Rate Limit Headers
Every response includes rate limit information:
- X-RateLimit-Limit: Maximum requests per window
- X-RateLimit-Remaining: Requests remaining in current window
- X-RateLimit-Reset: Unix timestamp when the window resets
List Vulnerability Patterns
GET /api/v1/patterns
Retrieves all available vulnerability detection patterns. These patterns are used by RSOLV to scan code for security issues.
Request
No request parameters required. Include authentication header only.
Response
Returns an array of pattern objects. Each pattern includes:
| Field | Type | Description |
|---|---|---|
| id | string (UUID) | Unique identifier for the pattern |
| name | string | Human-readable pattern name |
| description | string | Detailed explanation of the vulnerability |
| severity | string | One of: critical, high, medium, low |
| pattern | string (regex) | Regular expression for initial detection |
| language | string | Target language (e.g., javascript, python, ruby) |
| cwe_id | string | Common Weakness Enumeration identifier |
| remediation | string | Recommended fix for the vulnerability |
Example Response Structure
The response is an array containing pattern objects with the fields described above.
Visit api.rsolv.dev/docs for interactive examples.
Validate Vulnerability
POST /api/v1/vulnerabilities/validate
Validates a potential vulnerability using AST (Abstract Syntax Tree) analysis. This reduces false positives by analyzing code structure rather than just pattern matching.
Request Headers
| Header | Value |
|---|---|
| X-API-Key | Your RSOLV API key |
| Content-Type | application/json |
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| code | string | Yes | Source code snippet to validate (encrypted client-side before transmission) |
| language | string | Yes | Programming language (javascript, typescript, python, ruby, php, java) |
| pattern_id | string (UUID) | Yes | ID of the pattern to validate against (from /patterns endpoint) |
| file_path | string | No | Path to the file being validated (for context) |
| line_number | integer | No | Line number where potential vulnerability was detected |
Response
| Field | Type | Description |
|---|---|---|
| is_valid | boolean | True if vulnerability is confirmed, false if false positive |
| confidence | number (0-1) | Confidence score for the validation result |
| reason | string | Explanation of why the code is or isn't vulnerable |
| ast_nodes | array | Relevant AST nodes that informed the validation decision |
| metadata | object | Additional context about the validation (parser version, etc.) |
Security Note
Code is encrypted client-side using AES-256-GCM before transmission. The platform decrypts it only in memory for analysis and never stores source code permanently. Only vulnerability metadata is retained.
Error Responses
All errors follow a consistent structure to help you handle them programmatically.
| Status Code | Error Type | Description |
|---|---|---|
| 400 | Bad Request | Invalid request parameters or malformed JSON |
| 401 | Unauthorized | Missing or invalid API key |
| 403 | Forbidden | API key lacks permission for this resource |
| 404 | Not Found | Requested resource does not exist |
| 422 | Unprocessable Entity | Request valid but cannot be processed (e.g., unsupported language) |
| 429 | Too Many Requests | Rate limit exceeded (500 requests/hour) |
| 500 | Internal Server Error | Unexpected server error (contact support if persistent) |
| 503 | Service Unavailable | Service temporarily unavailable (maintenance or overload) |
Error Response Structure
All error responses include these fields:
| Field | Type | Description |
|---|---|---|
| error | string | Human-readable error message |
| error_code | string | Machine-readable error identifier (e.g., INVALID_API_KEY) |
| details | object (optional) | Additional context about the error (validation errors, etc.) |
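A client-side handler for the rate limit headers and the error structure documented above, as an added example (not RSOLV's own code). The function names, the retry policy, the one-hour cap on waits, and the sample response are assumptions made for illustration.

```python
import json
import time

RETRYABLE = {429, 500, 503}  # statuses from the error table where a later retry can succeed

def parse_rate_limit(headers):
    """Read the three X-RateLimit-* headers; missing or non-numeric values become None."""
    lower = {k.lower(): v for k, v in headers.items()}
    def num(name):
        try:
            return int(lower[name])
        except (KeyError, ValueError, TypeError):
            return None
    return {"limit": num("x-ratelimit-limit"),
            "remaining": num("x-ratelimit-remaining"),
            "reset": num("x-ratelimit-reset")}

def parse_error(body):
    """Extract error, error_code and optional details; tolerate non-JSON bodies."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        doc = None
    if not isinstance(doc, dict):
        return {"error": None, "error_code": None, "details": None}
    return {k: doc.get(k) for k in ("error", "error_code", "details")}

def decide(status, headers, body, attempt, now=None, max_wait=3600):
    """Return (action, wait_seconds, error_code); action is 'ok', 'retry' or 'fail'."""
    now = time.time() if now is None else now
    rl = parse_rate_limit(headers)
    if 200 <= status < 300:
        wait = 0
        if rl["remaining"] == 0 and rl["reset"] is not None:
            # Window is exhausted: pause until it resets, never longer than max_wait.
            wait = max(0, min(rl["reset"] - now, max_wait))
        return ("ok", wait, None)
    code = parse_error(body)["error_code"]
    if status == 429 and rl["reset"] is not None:
        # Clamp the server-supplied reset so a bogus value cannot stall the client.
        return ("retry", max(0, min(rl["reset"] - now, max_wait)), code)
    if status in RETRYABLE and attempt < 5:
        return ("retry", min(2 ** attempt, 60), code)  # bounded exponential backoff
    return ("fail", 0, code)  # 400/401/403/404/422: retrying the same request cannot help

# Constructed sample response (not captured traffic); INVALID_API_KEY is the page's example code.
SAMPLE_401 = (401, {"X-RateLimit-Remaining": "499"},
              '{"error": "Invalid API key", "error_code": "INVALID_API_KEY"}')
```

Branch on `error_code` rather than on the human-readable `error` string, and keep the API key out of anything you log when recording a failure.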
Supported Languages
The RSOLV platform currently supports AST validation for the following languages:
Need another language? Contact us at support@rsolv.dev to request support for additional languages.