{"name":"Vibe Check Scan","description":"Passive web security scanner. Analyzes HTTP headers, TLS/SSL, CORS policy, and API surface exposure for any public URL. Returns an A–F grade scorecard. No authentication required.","api_version":"2026-03-27","site_url":"https://vibecheckscan.com","auth":{"required":false,"description":"No authentication needed. All endpoints are public."},"auth_discovery":{"published":false,"reason":"OAuth/OIDC discovery metadata is intentionally omitted because the public scan API does not currently use authenticated routes or access tokens."},"execution":{"preferred":"rest","description":"Use the REST endpoints directly. Scanning is asynchronous — start a scan, poll status, and prefer the terminal status response for the final result.","workflow":[{"step":1,"action":"POST /api/scan/start","body":{"url":"https://example.com"},"returns":"scanId"},{"step":2,"action":"GET /api/scan/status?id={scanId}&format=agent","description":"Poll every 2–3 seconds until top-level status is \"completed\" or \"error\". Final response includes result payload."}]},"rate_limits":{"scan_endpoints":"5 requests per IP per minute (POST /api/scan/start, POST /api/cve-2025-55182/check)","general":"100 requests per IP per minute (all other routes)","on_limit":"429 with Retry-After header (seconds) and code: \"rate_limit_exceeded\""},"scan_modules":[{"name":"headers","description":"CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy","weight":"35%"},{"name":"tls","description":"Protocol version, certificate expiry, trust chain, cipher strength","weight":"30%"},{"name":"cors","description":"Wildcard origins, credentials policy, localhost/null origin exposure","weight":"20%"},{"name":"apiSurface","description":"Classifies probed paths into confirmedExposure, protectedSurface, expectedPublicEndpoint, hardeningOpportunity. Only confirmedExposure findings affect the score.","weight":"15%"}],"grading":{"scale":{"A":"90–100","B":"80–89","C":"70–79","D":"60–69","F":"<60"},"note":"Grade is a weighted average across all modules."},"result_ttl":"24 hours — scan results are deleted after 24 hours","result_formats":{"status_terminal":"GET /api/scan/status?id={scanId}&format=agent returns final result inline when complete","full_json":"GET /api/scan/result?id={scanId}","summary_json":"GET /api/scan/result?id={scanId}&format=summary","agent_json":"GET /api/scan/result?id={scanId}&format=agent","text":"GET /api/scan/result?id={scanId}&format=text","markdown":"GET /api/scan/result?id={scanId}&format=markdown"},"safety":"Passive only. Uses GET/HEAD/OPTIONS requests. No fuzzing, brute-force, or POST requests during scanning.","contracts":{"capability_registry":"https://vibecheckscan.com/api/agent/capabilities","openapi_spec":"https://vibecheckscan.com/api/openapi.json","agent_card":"https://vibecheckscan.com/api/agent/card","skill":"https://vibecheckscan.com/api/agent/skill","interpret":"https://vibecheckscan.com/api/agent/interpret","llms_txt":"https://vibecheckscan.com/llms.txt","api_catalog":"https://vibecheckscan.com/.well-known/api-catalog","mcp_server_card":"https://vibecheckscan.com/.well-known/mcp/server-card.json","agent_skills_index":"https://vibecheckscan.com/.well-known/agent-skills/index.json"},"skill_installation":{"required":false,"description":"An optional skill file is available for agent runtimes that support it.","skill_url":"https://vibecheckscan.com/api/agent/skill"}}