Exposure API
Exposure API endpoints require a Pro, Business, or Agency plan. Requests from free-tier accounts will receive a 402 response.
Retrieve exposure scores and security findings for domains, run new scans asynchronously, and inspect individual security check results.
GET /api/v1/exposure/:domainId (Auth required)
Get the latest exposure score and security findings for a domain.
Response
```json
{
  "domain_id": "uuid",
  "domain": "example.com",
  "exposure_score": 72,
  "exposure_grade": "C",
  "last_scanned_at": "2026-03-28T09:00:00Z",
  "findings": [
    {
      "type": "cve",
      "severity": "high",
      "title": "CVE-2024-1234",
      "description": "Remote code execution vulnerability in nginx 1.24.x",
      "affected_asset": "api.example.com"
    }
  ]
}
```

GET /api/v1/exposure/:domainId/checks (Auth required)
Get the individual security check results from the most recent scan.
Response
```json
{
  "checks": [
    {
      "check_type": "subdomain_takeover",
      "status": "pass",
      "detail": "No vulnerable subdomains found",
      "checked_at": "2026-03-28T09:00:00Z"
    },
    {
      "check_type": "open_ports",
      "status": "warn",
      "detail": "Port 8080 exposed publicly",
      "checked_at": "2026-03-28T09:00:00Z"
    }
  ]
}
```

PATCH /api/v1/domains/:id/exposure (Auth required)
Enable or disable exposure scanning for a domain. Once enabled, the exposure-worker picks up the domain on its next scheduled cycle — there's no one-shot trigger. Domain must be verified.
Request Body
| Parameter | Type | Required | Description |
|---|---|---|---|
| enabled | boolean | Yes | true to start scanning the domain; false to stop. |
Example request
```json
{
  "enabled": true
}
```

Response
```json
{
  "id": "uuid",
  "domain": "example.com",
  "is_verified": true,
  "exposure_monitoring_enabled": true
}
```

Error Codes
| Status | Description |
|---|---|
| 403 | Domain must be verified before exposure scanning can be enabled. |
| 402 | Exposure monitoring requires Pro or higher plan. |
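
Because scans run on the worker's schedule rather than on demand, a consumer of the two GET responses above should check `last_scanned_at` before trusting the grade or findings. The following is an added example, not code from this API's documentation or SDK: a gate that takes the parsed response bodies and fails closed on stale scans and on unrecognised values. The function names, the 48-hour freshness window, the accepted grades (assuming "A" is best) and the non-blocking severity values are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumptions (not stated on the page): grades are letters with "A" best, and
# severities other than the sampled "high" exist. Unknown values always block.
NON_BLOCKING_SEVERITIES = {"low", "medium"}  # hypothetical values

def parse_ts(value):
    """Parse the timestamp format shown in the responses (2026-03-28T09:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(exposure, checks, now, accepted_grades=("A", "B"),
             max_age=timedelta(hours=48), allow_warn=False):
    """Return (ok, reasons) from the bodies of the two GET responses."""
    reasons = []
    # Scans run on the worker's schedule, so reject results that are too old.
    scanned = exposure.get("last_scanned_at")
    if not scanned:
        reasons.append("domain has never been scanned")
    elif now - parse_ts(scanned) > max_age:
        reasons.append(f"last scan is stale: {scanned}")
    grade = exposure.get("exposure_grade")
    if grade not in accepted_grades:
        reasons.append(f"grade {grade} not in {'/'.join(accepted_grades)}")
    for f in exposure.get("findings", []):
        if f.get("severity") not in NON_BLOCKING_SEVERITIES:
            reasons.append(f"{f.get('severity')} {f.get('title')} on {f.get('affected_asset')}")
    passing = {"pass", "warn"} if allow_warn else {"pass"}
    for c in checks.get("checks", []):
        if c.get("status") not in passing:
            reasons.append(f"check {c.get('check_type')}: {c.get('status')} ({c.get('detail')})")
    return (not reasons, reasons)

# Constructed sample input, mirroring the documented response bodies.
SAMPLE_EXPOSURE = {
    "exposure_grade": "C", "last_scanned_at": "2026-03-28T09:00:00Z",
    "findings": [{"type": "cve", "severity": "high", "title": "CVE-2024-1234",
                  "affected_asset": "api.example.com"}],
}
SAMPLE_CHECKS = {"checks": [
    {"check_type": "subdomain_takeover", "status": "pass",
     "detail": "No vulnerable subdomains found"},
    {"check_type": "open_ports", "status": "warn",
     "detail": "Port 8080 exposed publicly"},
]}

if __name__ == "__main__":
    now = datetime(2026, 3, 28, 12, 0, tzinfo=timezone.utc)
    print(evaluate(SAMPLE_EXPOSURE, SAMPLE_CHECKS, now))
```
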
See also: Exposure Monitoring guide