API Overview

Base URL

https://api.modernpentest.com/api/v1

All API requests require an API key passed in the X-API-Key header:

curl -X GET https://api.modernpentest.com/api/v1/applications \
  -H "X-API-Key: mpt_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

API keys provide access to your organization's data. Never share them or commit them to version control.

List and retrieve application details

List pentests and trigger new security scans

Retrieve and filter vulnerability findings

Each API key requires specific permissions to access different endpoints:

Permission	Description
`applications:read`	View applications and their details
`pentests:read`	View pentest results and history
`pentests:create`	Trigger new pentests
`vulnerabilities:read`	View vulnerability findings

API requests are rate limited based on your subscription tier:

Tier	Per Minute	Per Hour	Per Day
Starter	100	1,000	10,000
Professional	500	5,000	50,000
Enterprise	2,000	20,000	200,000

Rate limit information is included in response headers:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1734567890

All errors follow a consistent format:

{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid application ID",
    "timestamp": 1734567890000
  }
}

Code	HTTP Status	Description
`UNAUTHENTICATED`	401	Invalid or missing API key
`API_KEY_EXPIRED`	401	API key has expired
`FORBIDDEN`	403	Missing required permission
`NOT_FOUND`	404	Resource not found
`RATE_LIMIT_EXCEEDED`	429	Too many requests
`VALIDATION_ERROR`	400	Invalid request body
`INTERNAL_ERROR`	500	Server error

The full OpenAPI 3.0 specification is available at:

You can use this spec to generate type-safe clients for any programming language using tools like:

Last updated: February 1, 2026