Skip to main content
API Documentation

Build with Vysiro API

Integrate domain security scanning, TrustScore monitoring, and automated auto-fix into your applications with our RESTful API and MCP server.

API is in Beta. Endpoints and response formats are subject to change.

Quick Start

Get up and running with the Vysiro API in minutes

1

Authentication

All API requests require a Bearer token. Get your API key from the settings.

HTTP Header
Authorization: Bearer YOUR_API_KEY
2

Run Your First Scan

cURL
curl -X POST https://www.vysiro.com/api/v1/scan \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "domain": "example.com" }'
3

Response

JSON Response
{
  "scanId": "scan_1709312400_a1b2c3",
  "domain": "example.com",
  "trustScore": {
    "score": 620,
    "maxScore": 1000,
    "percentage": 82.7,
    "grade": "A",
    "categories": [
      { "id": "dmarc", "name": "DMARC", "maxPoints": 150, "earnedPoints": 120 },
      { "id": "spf", "name": "SPF", "maxPoints": 100, "earnedPoints": 95 },
      { "id": "ssl", "name": "SSL/TLS", "maxPoints": 100, "earnedPoints": 100 }
    ]
  },
  "recommendations": [
    { "title": "Upgrade DMARC to p=reject", "impact": "high" }
  ],
  "scanDurationMs": 2340,
  "scannedAt": "2026-03-01T10:30:00Z"
}
4

Node.js / TypeScript Example

TypeScript
const API_KEY = process.env.VYSIRO_API_KEY;
const BASE = 'https://www.vysiro.com/api';

// Run a full domain scan
const res = await fetch(`${BASE}/v1/scan`, {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ domain: 'example.com' }),
});

const scan = await res.json();
console.log(`TrustScore: ${scan.trustScore.score}/1000`);
console.log(`Grade: ${scan.trustScore.grade}`);

// Public endpoint - no auth required
const score = await fetch(`${BASE}/v1/score/example.com`);
const data = await score.json();
console.log(`Quick Score: ${data.score}/1000 (${data.grade})`);

API Endpoints

Base URL: https://www.vysiro.com/api

POST/v1/scan
GET/v1/score/{domain}
GET/v1/history
GET/v1/report/{id}
POST/v1/api-keys
POST/v1/chat
POST/v1/trust-coach
GET/v1/threat-intel
GET/v1/benchmarks
POST/v1/fixes

SDKs & Tools

Official client libraries and MCP integration. Use the REST API directly or connect via our MCP server for AI agents.

Node.js / TypeScript

Coming Soon
npm install @vysiro/sdk

Python

Coming Soon
pip install vysiro

Go

Coming Soon
go get github.com/vysiro/go-sdk

MCP Server

https://www.vysiro.com/api/mcp
MCP Server

AI Agent Integration

Connect AI agents to Vysiro via the MCP server. Scan domains, check TrustScores, compare protocols, and trigger fixes autonomously from Claude Code, Cursor, VS Code, or any MCP-compatible client.

  • vysiro_scan - Run a full domain scan
  • vysiro_score - Get TrustScore for a domain
  • vysiro_check_protocol - Check a specific protocol (DMARC, SPF, etc.)
  • vysiro_compare - Compare security across domains
MCP Configuration (Claude Code / Cursor)
{
  "mcpServers": {
    "vysiro": {
      "url": "https://www.vysiro.com/api/mcp"
    }
  }
}

Public Endpoints

  • GET /api/v1/score/{domain} - Public TrustScore, no auth required
  • /openapi.json - OpenAPI specification
  • POST /api/v1/api-keys - API key management

Rate Limits

API rate limits by plan. Exceeded limits return HTTP 429.

PlanMonthly LimitBurst Rate
Free100 requests/month5/minute
Starter ($29/mo)5,000 requests/month20/minute
Growth ($99/mo)10,000 requests/month200/minute
MSP PartnerCustomCustom

Webhooks

Receive real-time notifications when events occur in your account. Register a webhook endpoint via POST /v1/webhooks.

Event Types

scan.completedFired when a domain scan finishes
score.changedFired when a domain TrustScore changes
certificate.expiringFired 30/14/7 days before SSL cert expires
compliance.violationFired when a compliance check fails
agent.alertFired when AgentShield detects a threat

Signature Verification

Every webhook request includes an X-Vysiro-Signature header. Verify it using HMAC-SHA256 with your webhook secret:

TypeScript
import { createHmac } from 'crypto';

function verifyWebhook(body: string, signature: string, secret: string): boolean {
  const expected = createHmac('sha256', secret)
    .update(body)
    .digest('hex');
  return signature === `sha256=${expected}`;
}

// In your webhook handler:
const isValid = verifyWebhook(rawBody, req.headers['x-vysiro-signature'], WEBHOOK_SECRET);
if (!isValid) return new Response('Invalid signature', { status: 401 });

Retry Policy

  • 3 retries with exponential backoff (10s, 60s, 300s)
  • Your endpoint must respond with 2xx within 10 seconds
  • After 3 failures, the webhook is disabled and you are notified via email

Error Codes

All errors return a consistent JSON structure with an HTTP status code.

Error Response Shape
{
  "error": "Rate limit exceeded",
  "code": 429,
  "requestId": "req_1709312400_x7k2m"
}
CodeName
400Bad Request
401Unauthorized
403Forbidden
404Not Found
409Conflict
429Too Many Requests
500Internal Server Error
503Service Unavailable

Start Building Today

Get your API key and start integrating domain security into your applications. Free tier includes 10 requests per day.

Get API Key