quickstart

Make your first API call

No signup required. Use the demo key attestd_demo_key for all examples below.

1. Query a product version

Pass a product slug and version string as query parameters. The response is always JSON.

bash

curl "https://api.attestd.io/v1/check?product=log4j&version=2.14.1" \
  -H "Authorization: Bearer attestd_demo_key"

2. Read the response

Log4j 2.14.1 is Log4Shell. You should see risk_state: "critical" with actively_exploited: true.

json

{
  "product": "log4j",
  "version": "2.14.1",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "active_exploitation",
    "remote_code_execution",
    "no_authentication_required",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "2.17.1",
  "confidence": 0.94,
  "cve_ids": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"],
  "last_updated": "2026-02-23T18:21:30Z"
}

3. Try a safe version

nginx 1.27.4 has no known relevant vulnerabilities. The response will have risk_state: "none".

bash

curl "https://api.attestd.io/v1/check?product=nginx&version=1.27.4" \
  -H "Authorization: Bearer attestd_demo_key"

4. Use the Python SDK

Install the SDK, then call client.check(). The SDK handles retries, parses the response into a typed dataclass, and raises named exceptions for auth errors and rate limits.

bash

pip install attestd

check.py

import attestd

client = attestd.Client(api_key="attestd_demo_key")

result = client.check("nginx", "1.27.4")

print(result.risk_state)        # "none"
print(result.actively_exploited) # False
print(result.cve_ids)           # []

# Blocking check
if result.risk_state in ("critical", "high"):
    raise SystemExit(f"Deployment blocked: {result.risk_state} risk in nginx {result.version}")

5. Supported products

Use the exact slugs listed below. Attestd returns supported: false for anything not in this list. An unsupported product is not a safety signal — it means attestd has no data for that product.

nginxlog4jopensshapache-httpdpostgresqlredisvmware-esximicrosoft-exchange

next steps

→ Response Field Reference — semantics of every field including aggregation rules
→ SDK Reference — AsyncClient, error types, and the testing module
→ CI/CD Integration — GitHub Actions and GitLab CI examples