REST API

ZeriFlow inside your tools.

The REST API is for developers who want to use ZeriFlow as a building block — not as a product. Trigger scans from your VPS, your scripts, your Claude agent, or any CI system outside GitHub.

API key prefix: zf_live_ · Available on Pro, Business & Unlimited

WHEN TO USE WHAT

Dashboard, GitHub Action, or API?

ZeriFlow has three ways to scan. Here's how to pick the right one.

Dashboard + Monitoring

No-code users

  • You want to scan manually from the browser
  • You want automated weekly/daily scans
  • You want Slack/email alerts without writing code
  • You want to read reports visually

Don't need the API.

GitHub Action

GitHub CI/CD users

  • Your code is on GitHub
  • You want to block PRs when score drops
  • You want bot comments on pull requests
  • You want 3-line CI setup

Don't need the raw API either.

REST API ← You are here

Developers who build

  • You want scans triggered from your own code
  • You use GitLab, Jenkins, or another CI
  • You're building a client portal or dashboard
  • You want to pipe results into your own system
  • You want Claude or an AI agent to run scans
  • You need a VPS cron that alerts your team
USE CASES

What developers build with it

🖥️ Most common

VPS cron job

A Python or bash script on your server, scheduled weekly. It scans your site, logs the score, and sends a Slack/email alert if it drops. No dashboard needed — pure automation.

🤖 Growing fast

Claude / AI agent

Give your API key to Claude via MCP or a system prompt. Your agent can scan a URL, interpret the findings, write fix recommendations, and even open a GitHub issue — all from a conversation.

🏢 Agencies

Client security portal

Build a white-label web app for your agency clients. Your frontend calls ZeriFlow's API, displays results with your branding, and lets clients request on-demand scans.

⚙️ DevOps

Non-GitHub CI/CD

GitLab CI, Bitbucket Pipelines, Jenkins, CircleCI — any CI system can call the API with a simple curl command. Fail the pipeline if the score drops below your threshold.

EXAMPLE

VPS cron script in 20 lines

Drop this on any server. It runs every Monday, checks your score, and alerts you if something breaks.

weekly_scan.py
#!/usr/bin/env python3
# cron: 0 8 * * 1   (every Monday at 8am)
import os, requests

API_KEY  = os.environ["ZERIFLOW_API_KEY"]
SITE_URL = "https://yoursite.com"
ALERT_AT = 70   # alert if score drops below this

resp = requests.post(
    "https://zeriflow.com/functions/v1/scan-quick",
    headers={"X-API-Key": API_KEY},
    json={"url": SITE_URL},
    timeout=90,   # the scan returns in under 60 seconds; never hang the cron job
)
resp.raise_for_status()   # 401/403/422/429: stop here rather than read a missing score

score = resp.json()["score"]
print(f"Score: {score}/100")

if score < ALERT_AT:
    # send alert email / Slack / PagerDuty
    print(f"⚠️  Score dropped to {score} — alerting team")

Set ZERIFLOW_API_KEY as an environment variable on your server. Never hardcode it.
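
One way to enforce the "never hardcode it" rule is a pre-commit style check that looks for key-shaped strings in files about to be committed. This is an added example, not ZeriFlow's own code: only the zf_live_ prefix comes from this page, and the key body pattern, the function names and the sample key in the test are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Pre-commit style check for hardcoded ZeriFlow API keys (added example)."""
import re
import sys

# Only the "zf_live_" prefix is documented. The body pattern (8 or more
# URL-safe characters) is an assumption made for this example.
KEY_RE = re.compile(r"\bzf_live_[A-Za-z0-9_-]{8,}")
# Placeholder from the curl quickstart; it is documentation, not a secret.
PLACEHOLDERS = {"zf_live_your_key_here"}

def redact(key):
    """Show the prefix and the last 4 characters only, so the report leaks nothing."""
    return "zf_live_" + "*" * (len(key) - 12) + key[-4:]

def find_hardcoded_keys(text):
    """Return [(line_number, redacted_key), ...] for key-shaped strings in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if match.group(0) not in PLACEHOLDERS:
                findings.append((lineno, redact(match.group(0))))
    return findings

def scan_files(paths):
    """Scan each file; return the number of findings (0 means the commit may proceed)."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, masked in find_hardcoded_keys(fh.read()):
                print(f"{path}:{lineno}: hardcoded API key {masked}")
                total += 1
    return total

if __name__ == "__main__":
    # Usage: check_keys.py FILE [FILE ...]; exits 1 when any key is found.
    sys.exit(1 if scan_files(sys.argv[1:]) else 0)
```
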

QUICKSTART

One POST request. Full results.

terminal
curl -X POST https://zeriflow.com/functions/v1/scan-quick \
  -H "X-API-Key: zf_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://yoursite.com"}'

# Response
{
  "id": "scan_a1b2c3",
  "score": 74,
  "grade": "C",
  "status": "done"
}
REFERENCE

Endpoints

Base URL: https://zeriflow.com · Auth header: X-API-Key: zf_live_...

POST /functions/v1/scan-quick

Run a security scan on any URL. Returns full results in under 60 seconds.

Request body

{ "url": "https://yoursite.com" }

Response

{ "id": "...", "score": 74, "grade": "C", "status": "done", "findings": [...] }

GET /functions/v1/scan-results?scan_id=xxx

Retrieve full results for any scan, including all findings and category scores.

Response

{ "scan": { "id": "...", "score": 74, "categories": [...], "findings": [...] } }

GET /functions/v1/scan-quota

Check remaining API quota and reset date for the current billing period.

Response

{ "api_calls": { "used": 12, "limit": 100, "resets_at": "2026-06-01" } }

GET /functions/v1/scan-history

List recent scans with scores and timestamps. Useful for dashboards.

Response

{ "scans": [{ "id": "...", "url": "...", "score": 74, "created_at": "..." }] }

Error codes

401 · Missing or invalid API key
403 · Your plan doesn't include API access
429 · Monthly quota exceeded — buy token packs to top up
422 · Invalid URL or malformed request body
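
The pipeline gate described under Non-GitHub CI/CD, written so that an API error is never mistaken for a passing scan. This is an added example, not ZeriFlow's own code; the exit codes, the function names and the assumption that success is HTTP 200 with "status": "done" are choices made here, based on the sample response and error table above.

```python
#!/usr/bin/env python3
"""CI gate around POST /functions/v1/scan-quick (added example)."""
import json
import os
import sys
import urllib.error
import urllib.request

SCAN_URL = "https://zeriflow.com/functions/v1/scan-quick"
# Error table from this page. None of these is fixed by retrying the job.
ERRORS = {
    401: "missing or invalid API key",
    403: "plan does not include API access",
    422: "invalid URL or malformed request body",
    429: "monthly quota exceeded",
}

def run_scan(target, key):
    """POST the scan; return (http_status, parsed_body_or_None)."""
    req = urllib.request.Request(
        SCAN_URL, data=json.dumps({"url": target}).encode(), method="POST",
        headers={"X-API-Key": key, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=90) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None

def gate(status, body, threshold):
    """Return (exit_code, message): 0 pass, 1 score below threshold, 2 no verdict."""
    if status in ERRORS:
        return 2, f"no verdict: HTTP {status}, {ERRORS[status]}"
    # Assumption: success is HTTP 200 with "status": "done", as in the sample response.
    if status != 200 or not isinstance(body, dict) or body.get("status") != "done":
        return 2, f"no verdict: unexpected response (HTTP {status})"
    score = body.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return 2, "no verdict: response has no numeric score"
    if score < threshold:
        return 1, f"fail: score {score} is below {threshold}"
    return 0, f"pass: score {score} meets {threshold}"

if __name__ == "__main__":
    # Usage: gate.py <url> <threshold>; the key comes from a masked CI variable.
    status, body = run_scan(sys.argv[1], os.environ["ZERIFLOW_API_KEY"])
    code, message = gate(status, body, float(sys.argv[2]))
    print(message)
    sys.exit(code)
```

Network failures and timeouts raise and fail the job as well, so a pass is only ever reported for a completed scan.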
PRICING

API included from Pro

Every paid plan includes API access. Token packs let you top up when you need extra scans.

Pro

For solo developers

$4/mo

$48/yr · Save 20%

  • REST API — 30 calls / month
  • Unlimited quick web scans
  • 1 advanced scan / month
  • Weekly monitoring (5 URLs)
  • PDF export
  • API key management
Most popular

Business

For teams and agencies

$16/mo

$192/yr · Save 20%

  • REST API — 100 calls / month
  • Unlimited quick web scans
  • 5 advanced scans / month
  • Daily monitoring (15 URLs)
  • White-label PDF via API
  • GitHub code analysis

Unlimited

For power users

$32.50/mo

$390/yr · Save 33%

  • REST API — 1,000 calls / month
  • Unlimited quick web scans
  • 200 advanced scans / month*
  • Daily monitoring (unlimited URLs)
  • White-label PDF via API
  • Priority support

* Subject to fair use policy.

Need extra API calls? Buy tokens

One token = one scan call. On top of your monthly quota. Tokens never expire.

  • 10 tokens · $4.99 · $0.50/scan
  • 50 tokens · $19.99 · $0.40/scan (Best value)
  • 100 tokens · $34.99 · $0.35/scan

FAQ

Common questions

Monitoring is a managed feature: you configure it in the dashboard and ZeriFlow handles scheduling, running scans, and sending Slack/email alerts automatically. The API is for when you want to control the scan yourself — trigger it from your own code, at your own cadence, and decide what to do with the results. Use Monitoring if you want a no-code solution; use the API if you want ZeriFlow as a building block inside your own system.

The GitHub Action is a pre-built wrapper around the API, designed specifically for GitHub pull request workflows. It handles everything: running the scan, posting results as a PR comment, and blocking merges if the score drops below your threshold. The raw API is for everything else — GitLab CI, Jenkins, custom scripts, VPS crons, Claude agents, or any context outside GitHub Actions.

Only POST /scan-quick and POST /scan-advanced consume a call from your monthly quota. Read-only endpoints (GET /scan-results, GET /scan-history, GET /scan-quota) are free and unlimited.

On the 1st of every calendar month. Unused calls don't carry over. Token packs never expire — they're a good option if your usage is irregular.

Yes. Any tool that can make an HTTP request can use the API. You can give your API key to Claude (via MCP or directly in a prompt) and ask it to scan a URL, interpret the findings, and suggest fixes. The JSON response is clean and structured, which makes it easy for LLMs to parse.

Yes. On Business and Unlimited plans, GET /functions/v1/scan-pdf?scan_id=xxx returns a PDF that respects your account's branding settings. This lets you fully automate the scan → branded report pipeline.

Ready to build?

Generate your API key in Profile settings. No approval, no waiting. Start scanning in 30 seconds.