v0.2.0 · Updated 2026-05-03
The ShadowCypher API is a Cloudflare Worker exposing JSON over HTTPS. Use it to build custom integrations, automate scans, or replace the dashboard entirely.
Every endpoint except /v1/health and /v1/billing/webhook requires a Bearer token:
Authorization: Bearer sc_live_<48 hex chars>
Get your key from your dashboard. To rotate, call POST /v1/keys/rotate — old key invalidated immediately.
https://api.shadowcypher.site
The legacy workers.dev endpoint (https://shadowcypher-api.shadowcypher.workers.dev) is still active but deprecated — migrate to the custom domain.
| Endpoint | Description |
|---|---|
| GET /v1/health | Liveness probe (no auth) |
| GET /v1/me | Profile, plan, trial status, usage |
| POST /v1/keys/rotate | Issue new API key (old invalidated) |
| POST /v1/keys/revoke | Permanently invalidate current key |
| POST /v1/me/delete | Hard-delete account (body: {confirm_email}) |
| GET /v1/me/export | Download all your data as JSON |
| GET /v1/me/stats | Counts + last 30 days activity |
$ curl https://shadowcypher-api.shadowcypher.workers.dev/v1/me \
-H "Authorization: Bearer sc_live_..."
{
"id": "uuid",
"email": "you@example.com",
"handle": "you",
"plan": "community",
"effective_plan": "guardian_pro",
"in_trial": true,
"trial_days_remaining": 11,
"subscription_status": null
}
| Endpoint | Description |
|---|---|
| POST /v1/agents/register | Register an agent install (idempotent on hostname) |
| POST /v1/agents/heartbeat?agent_id= | Mark agent alive |
| POST /v1/scans | Upload scan results (auto-creates new-device incidents) |
| GET /v1/devices | List devices on your network |
| GET /v1/scans/recent | Last 25 scans |
| POST /v1/incidents | Manually create an incident |
| GET /v1/incidents | List incidents (?open=1 filters unacknowledged) |
| POST /v1/incidents/ack?incident_id= | Acknowledge an incident |
| Limit | Community | Guardian Pro | Operator |
|---|---|---|---|
| Max agents | 1 | 10 | Unlimited |
| Scan history | 7 days | 90 days | Unlimited |
| Real-time alerts | — | ✓ | ✓ |
| Endpoint | Description |
|---|---|
| GET /v1/notifications/preferences | Read your settings |
| POST /v1/notifications/preferences | Update email + push toggles |
| POST /v1/notifications/test | Send a test alert |
| Endpoint | Description |
|---|---|
| POST /v1/assistant/query | Ask a natural-language question grounded in your data |
| GET /v1/assistant/usage | Current quota usage |
| POST /v1/assistant/byok | Set/clear your own Anthropic key (no quota) |
| POST /v1/assistant/ollama | Set/clear self-hosted Ollama URL |
Live CVE data from the NIST NVD API. No API key required. Responses are cached at the edge for 1 hour.
| Endpoint | Description |
|---|---|
| GET /v1/threats | Recent CVEs. Query params: days (1–30, default 7), severity (CRITICAL|HIGH|MEDIUM|LOW), limit (1–100, default 25) |
| GET /v1/threats/stats | CVE counts by severity for the last 7 days |
{
"cves": [
{
"id": "CVE-2025-12345",
"description": "...",
"severity": "CRITICAL",
"cvss": 9.8,
"published": "2025-05-01T00:00:00.000Z",
"modified": "2025-05-02T12:00:00.000Z",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12345",
"cwe": "CWE-787"
}
],
"total": 5,
"days": 7,
"as_of": "2025-05-08T00:00:00.000Z"
}
Pro feature. Forward incidents to Slack / Discord / PagerDuty / any HTTPS URL. Each webhook is signed with a per-webhook HMAC-SHA256 secret.
| Endpoint | Description |
|---|---|
| POST /v1/webhooks | Create webhook (body: url, label, min_severity) |
| GET /v1/webhooks | List your webhooks |
| POST /v1/webhooks/delete | Soft-delete (body: id) |
| POST /v1/webhooks/test | Send synthetic incident |
const sig = req.headers.get('X-ShadowCypher-Signature').slice(7); // strip "sha256="
const expected = hmacSha256Hex(YOUR_SIGNING_SECRET, await req.text());
if (!constantTimeEqual(sig, expected)) throw new Error('invalid signature');
Datadog: Create a webhook to https://http-intake.logs.datadoghq.com/api/v2/logs?dd-api-key=YOUR_KEY. ShadowCypher incidents map to Datadog log entries with service:shadowcypher.
Splunk HEC: Point the webhook at https://YOUR_SPLUNK_HOST:8088/services/collector/event with header Authorization: Splunk YOUR_HEC_TOKEN. Use a middleware relay to reformat the payload if needed.
ConnectWise / ServiceNow: Use the generic HTTPS webhook to hit the platform's REST API. Set min_severity=warning to avoid ticket noise from info-level events.
PagerDuty: Create an Events API v2 integration in PagerDuty, copy the Integration Key, and register https://events.pagerduty.com/v2/enqueue as your webhook URL with min_severity=critical.
| Endpoint | Description |
|---|---|
| POST /v1/teams | Create team (body: name) |
| GET /v1/teams | List teams I own or belong to |
| POST /v1/teams/invite | Invite member by email (body: team_id, email) |
| GET /v1/teams/invites | List pending invites for me |
| POST /v1/teams/accept | Accept invite (body: team_id) |
| POST /v1/teams/leave | Leave team (body: team_id) |
Members of an Operator team automatically inherit Operator-tier features.
| Endpoint | Description |
|---|---|
| POST /v1/billing/checkout | Create Stripe Checkout session (body: plan) |
| POST /v1/billing/portal | Open Stripe Customer Portal |
| POST /v1/billing/webhook | Stripe → us (signature-verified, no auth) |
All errors return JSON: {"error": "code", "message": "..."} with appropriate HTTP status.
| Code | Status | Meaning |
|---|---|---|
| missing_or_invalid_key | 401 | Auth header absent or malformed |
| key_not_found | 401 | Key valid format but doesn't match any user |
| plan_required | 402 | Endpoint needs a higher plan tier |
| quota_exceeded | 429 | Monthly platform AI quota hit; switch to BYOK or wait |
| not_found | 404 | Resource doesn't exist or doesn't belong to you |
| invalid_signature | 400 | Stripe webhook signature failed (only on /v1/billing/webhook) |
Source: github.com/jakes1345/ShadowCypher · Home · Blog · Self-Host · Privacy · Terms