← SHADOWCYPHER

API Documentation

v0.2.0 · Updated 2026-05-03

The ShadowCypher API is a Cloudflare Worker exposing JSON over HTTPS. Use it to build custom integrations, automate scans, or replace the dashboard entirely.

Auth Users Guardian Notifications AI Assistant Outbound webhooks Teams Billing Errors

Authentication

Every endpoint except /v1/health and /v1/billing/webhook requires a Bearer token:

Authorization: Bearer sc_live_<48 hex chars>

Get your key from your dashboard. To rotate, call POST /v1/keys/rotate — old key invalidated immediately.

Base URL

https://api.shadowcypher.site

The legacy workers.dev endpoint (https://shadowcypher-api.shadowcypher.workers.dev) is still active but deprecated — migrate to the custom domain.

Users

EndpointDescription
GET /v1/healthLiveness probe (no auth)
GET /v1/meProfile, plan, trial status, usage
POST /v1/keys/rotateIssue new API key (old invalidated)
POST /v1/keys/revokePermanently invalidate current key
POST /v1/me/deleteHard-delete account (body: {confirm_email})
GET /v1/me/exportDownload all your data as JSON
GET /v1/me/statsCounts + last 30 days activity

Example: GET /v1/me

$ curl https://shadowcypher-api.shadowcypher.workers.dev/v1/me \
    -H "Authorization: Bearer sc_live_..."

{
  "id": "uuid",
  "email": "you@example.com",
  "handle": "you",
  "plan": "community",
  "effective_plan": "guardian_pro",
  "in_trial": true,
  "trial_days_remaining": 11,
  "subscription_status": null
}

Guardian (devices, scans, incidents)

EndpointDescription
POST /v1/agents/registerRegister an agent install (idempotent on hostname)
POST /v1/agents/heartbeat?agent_id=Mark agent alive
POST /v1/scansUpload scan results (auto-creates new-device incidents)
GET /v1/devicesList devices on your network
GET /v1/scans/recentLast 25 scans
POST /v1/incidentsManually create an incident
GET /v1/incidentsList incidents (?open=1 filters unacknowledged)
POST /v1/incidents/ack?incident_id=Acknowledge an incident

Plan limits

LimitCommunityGuardian ProOperator
Max agents110Unlimited
Scan history7 days90 daysUnlimited
Real-time alerts

Notifications

EndpointDescription
GET /v1/notifications/preferencesRead your settings
POST /v1/notifications/preferencesUpdate email + push toggles
POST /v1/notifications/testSend a test alert

AI assistant

EndpointDescription
POST /v1/assistant/queryAsk a natural-language question grounded in your data
GET /v1/assistant/usageCurrent quota usage
POST /v1/assistant/byokSet/clear your own Anthropic key (no quota)
POST /v1/assistant/ollamaSet/clear self-hosted Ollama URL

Quotas (platform AI only — BYOK and Ollama are unmetered)

Threat feed (CVE)

Live CVE data from the NIST NVD API. No API key required. Responses are cached at the edge for 1 hour.

EndpointDescription
GET /v1/threatsRecent CVEs. Query params: days (1–30, default 7), severity (CRITICAL|HIGH|MEDIUM|LOW), limit (1–100, default 25)
GET /v1/threats/statsCVE counts by severity for the last 7 days

Example response — GET /v1/threats?severity=CRITICAL&limit=5

{
  "cves": [
    {
      "id": "CVE-2025-12345",
      "description": "...",
      "severity": "CRITICAL",
      "cvss": 9.8,
      "published": "2025-05-01T00:00:00.000Z",
      "modified": "2025-05-02T12:00:00.000Z",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12345",
      "cwe": "CWE-787"
    }
  ],
  "total": 5,
  "days": 7,
  "as_of": "2025-05-08T00:00:00.000Z"
}

Outbound webhooks

Pro feature. Forward incidents to Slack / Discord / PagerDuty / any HTTPS URL. Each webhook is signed with a per-webhook HMAC-SHA256 secret.

EndpointDescription
POST /v1/webhooksCreate webhook (body: url, label, min_severity)
GET /v1/webhooksList your webhooks
POST /v1/webhooks/deleteSoft-delete (body: id)
POST /v1/webhooks/testSend synthetic incident

Verifying signatures (your receiver)

const sig = req.headers.get('X-ShadowCypher-Signature').slice(7); // strip "sha256="
const expected = hmacSha256Hex(YOUR_SIGNING_SECRET, await req.text());
if (!constantTimeEqual(sig, expected)) throw new Error('invalid signature');

Integration recipes

Datadog: Create a webhook to https://http-intake.logs.datadoghq.com/api/v2/logs?dd-api-key=YOUR_KEY. ShadowCypher incidents map to Datadog log entries with service:shadowcypher.

Splunk HEC: Point the webhook at https://YOUR_SPLUNK_HOST:8088/services/collector/event with header Authorization: Splunk YOUR_HEC_TOKEN. Use a middleware relay to reformat the payload if needed.

ConnectWise / ServiceNow: Use the generic HTTPS webhook to hit the platform's REST API. Set min_severity=warning to avoid ticket noise from info-level events.

PagerDuty: Create an Events API v2 integration in PagerDuty, copy the Integration Key, and register https://events.pagerduty.com/v2/enqueue as your webhook URL with min_severity=critical.

Teams (Operator only)

EndpointDescription
POST /v1/teamsCreate team (body: name)
GET /v1/teamsList teams I own or belong to
POST /v1/teams/inviteInvite member by email (body: team_id, email)
GET /v1/teams/invitesList pending invites for me
POST /v1/teams/acceptAccept invite (body: team_id)
POST /v1/teams/leaveLeave team (body: team_id)

Members of an Operator team automatically inherit Operator-tier features.

Billing

EndpointDescription
POST /v1/billing/checkoutCreate Stripe Checkout session (body: plan)
POST /v1/billing/portalOpen Stripe Customer Portal
POST /v1/billing/webhookStripe → us (signature-verified, no auth)

Error responses

All errors return JSON: {"error": "code", "message": "..."} with appropriate HTTP status.

CodeStatusMeaning
missing_or_invalid_key401Auth header absent or malformed
key_not_found401Key valid format but doesn't match any user
plan_required402Endpoint needs a higher plan tier
quota_exceeded429Monthly platform AI quota hit; switch to BYOK or wait
not_found404Resource doesn't exist or doesn't belong to you
invalid_signature400Stripe webhook signature failed (only on /v1/billing/webhook)

Source: github.com/jakes1345/ShadowCypher · Home · Blog · Self-Host · Privacy · Terms