OverviewWhy AttestdQuickstartResponse FieldsAPI ReferenceSDK Reference↳ Python↳ JavaScriptAccount & PortalAI Agent IntegrationCI/CD IntegrationIntegrations↳ MCP Server↳ LangChain↳ LangChain (JS)↳ AutoGenProductsSupply chainFAQ
reference

API Reference

Attestd exposes a single REST endpoint. All responses are JSON.

Base URL

https://api.attestd.io

Authentication

Pass your API key in the Authorization header as a Bearer token.

Authorization: Bearer YOUR_API_KEY

Use attestd_demo_key during development. Get a production key from the developer portal.

endpoint

GET /v1/check

Returns the current risk assessment for a product version.

Query parameters

ParameterDescription
productRequired. Product slug (e.g. nginx, log4j, openssh). See Quickstart for the full list.
versionRequired. Version string in any standard format (e.g. 1.24.0, 2.14.1, 8.0p1).

Example request

bash
curl "https://api.attestd.io/v1/check?product=nginx&version=1.20.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

Responses

200 OK(supported product)
json
{
  "product": "nginx",
  "version": "1.20.0",
  "supported": true,
  "risk_state": "high",
  "risk_factors": [
    "remote_code_execution",
    "no_authentication_required",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "1.20.1",
  "confidence": 0.88,
  "cve_ids": ["CVE-2021-23017"],
  "last_updated": "2026-02-23T18:21:30Z"
}
200 OK(product not in coverage)
json
{
  "supported": false
}

Supply chain signals

For monitored PyPI and npm packages, the 200 OK response includes a supply_chain object with integrity data (compromised, sources, advisory_url, etc.). For CVE-only products (nginx, PostgreSQL, etc.), supply_chain is null.

See the Supply Chain Integrity guide for the full list of monitored packages and field semantics.

error codes
StatusMeaning
400Missing or invalid query parameters (product or version omitted)
401Missing or invalid API key
422Version string could not be parsed
429Rate limit exceeded (see Retry-After header)
500Internal server error (transient, safe to retry with backoff)
bash
HTTP/1.1 429 Too Many Requests
Retry-After: 60

{
  "detail": "Rate limit exceeded"
}
rate limits
TierMonthly limitPer-minute limit
Free1,000 calls60/min
Starter25,000 calls300/min
Pro200,000 calls600/min
Team1,000,000 calls1,200/min

Monthly limits reset on your billing anniversary. The 429 response includes a Retry-After header with seconds to wait.