API Reference
DebtRadar REST API v1. Scan code for AI-generated tech debt, security vulnerabilities, and hallucinated dependencies.
Authentication
All API requests require an API key. Include it in the request header:
Authorization: Bearer dr_your_api_key_here
# or
X-API-Key: dr_your_api_key_here
Get your API key by signing up and visiting your dashboard, or use the demo key: dr_demo_test_key_2026 (5 scans/month).
Base URL
https://debtradar.avipilcer.com/api/v1
Endpoints
POST
/api/v1/scan
Full code scan for AI-generated tech debt, quality issues, and security vulnerabilities.
Request Body
{
  "code": "const apiKey = 'sk_live_abc123';\nconst data = query(`SELECT * FROM users WHERE id = ${userId}`);",
  "filename": "app.ts" // optional, helps with language detection
}
Response
{
  "scanId": "scan_1709571234_abc1234",
  "timestamp": "2026-03-04T12:00:00.000Z",
  "language": "typescript",
  "linesOfCode": 2,
  "debtScore": 85,
  "issues": [
    {
      "type": "hardcoded-secret",
      "severity": "critical",
      "line": 1,
      "endLine": 1,
      "message": "Potential Stripe secret key hardcoded in source code.",
      "suggestion": "Move to environment variables.",
      "category": "security"
    },
    {
      "type": "sql-injection",
      "severity": "critical",
      "line": 2,
      "endLine": 2,
      "message": "Template literal in SQL query -- potential SQL injection.",
      "suggestion": "Use parameterized queries.",
      "category": "security"
    }
  ],
  "summary": {
    "totalIssues": 2,
    "critical": 2,
    "major": 0,
    "minor": 0,
    "info": 0,
    "categories": { "debt": 0, "security": 2, "dependency": 0, "quality": 0 }
  }
}
POST
/api/v1/scan/security
Security-focused scan only. Checks for hardcoded secrets, SQL injection, XSS, prototype pollution, and unsafe regex patterns.
Request Body
{
  "code": "const password = 'admin123';\ndocument.write(userInput);",
  "filename": "auth.js"
}
Response
{
  "scanId": "scan_1709571234_def5678",
  "timestamp": "2026-03-04T12:00:00.000Z",
  "language": "javascript",
  "securityScore": 40,
  "vulnerabilities": [...],
  "summary": {
    "totalVulnerabilities": 2,
    "critical": 2,
    "major": 0,
    "minor": 0
  }
}
POST
/api/v1/scan/dependencies
Validate AI-suggested dependencies. Checks for hallucinated packages, deprecated libraries, and suspicious names.
Request Body
{
  "content": "{\"dependencies\": {\"sklearn\": \"*\", \"express\": \"^4.18\", \"moment\": \"^2.29\"}}",
  "packageManager": "npm" // optional: "npm" | "pip"
}
Response
{
  "scanId": "scan_1709571234_ghi9012",
  "timestamp": "2026-03-04T12:00:00.000Z",
  "packageManager": "npm",
  "totalDependencies": 3,
  "dependencies": [
    {
      "name": "sklearn",
      "version": "*",
      "status": "hallucinated",
      "reason": "Commonly hallucinated by AI. Correct name is 'scikit-learn'.",
      "recommendation": "Use 'scikit-learn' instead."
    },
    {
      "name": "express",
      "version": "^4.18",
      "status": "valid",
      "reason": "Package appears legitimate.",
      "recommendation": null
    },
    {
      "name": "moment",
      "version": "^2.29",
      "status": "deprecated",
      "reason": "This package is deprecated.",
      "recommendation": "Use 'date-fns' or 'luxon' instead."
    }
  ],
  "summary": {
    "valid": 1,
    "suspicious": 0,
    "hallucinated": 1,
    "deprecated": 1,
    "vulnerable": 0
  }
}
GET
/api/v1/reports
List all your scan reports.
Response
{
  "scans": [
    { "scanId": "scan_xxx", "type": "full", "createdAt": "2026-03-04T12:00:00Z" },
    { "scanId": "scan_yyy", "type": "security", "createdAt": "2026-03-04T11:00:00Z" }
  ],
  "total": 2
}
GET
/api/v1/reports/{scanId}
Retrieve a specific scan report by ID.
Response
// Returns the full scan result object (same shape as the scan response)
GET
/api/v1/usage
Check your API usage and remaining scans.
Response
{
  "tier": "starter",
  "scansUsed": 23,
  "scanLimit": 100,
  "scansRemaining": 77,
  "resetDate": "2026-04-01"
}
Rate Limits
| Plan | Scans/Month | Price |
|---|---|---|
| Free | 5 | $0 |
| Starter | 100 | $99/mo |
| Pro | 1,000 | $299/mo |
Quick Start
# Full scan
curl -X POST https://debtradar.avipilcer.com/api/v1/scan \
  -H "Authorization: Bearer dr_demo_test_key_2026" \
  -H "Content-Type: application/json" \
  -d '{"code": "const key = \"sk_live_abc\"; eval(userInput);"}'
# Security scan only
curl -X POST https://debtradar.avipilcer.com/api/v1/scan/security \
  -H "Authorization: Bearer dr_demo_test_key_2026" \
  -H "Content-Type: application/json" \
  -d '{"code": "document.write(userInput);"}'
# Dependency validation
curl -X POST https://debtradar.avipilcer.com/api/v1/scan/dependencies \
  -H "Authorization: Bearer dr_demo_test_key_2026" \
  -H "Content-Type: application/json" \
  -d '{"content": "{\"dependencies\": {\"sklearn\": \"*\"}}"}'
# Check usage
curl https://debtradar.avipilcer.com/api/v1/usage \
  -H "Authorization: Bearer dr_demo_test_key_2026"
Error Codes
| Status | Meaning |
|---|---|
| 400 | Bad request (missing or invalid parameters) |
| 401 | Missing or invalid API key |
| 404 | Scan report not found |
| 413 | Request body too large |
| 429 | Monthly scan limit reached |
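
The following Python CI gate is an added example, not part of DebtRadar's documentation or client code. It builds the /api/v1/scan/dependencies request with the key taken from the environment, then evaluates the response shape documented above, failing closed on a truncated response or an unrecognised status. The DEBTRADAR_API_KEY variable name, the choice of blocking statuses, and treating the summary keys as the full set of statuses are assumptions.

```python
import json
import os
import urllib.request

BASE_URL = "https://debtradar.avipilcer.com/api/v1"  # base URL given on this page
# Status values inferred from the summary keys shown on this page (assumption).
KNOWN = {"valid", "suspicious", "hallucinated", "deprecated", "vulnerable"}
BLOCKING = {"suspicious", "hallucinated", "vulnerable"}  # policy choice (assumption)


def build_request(manifest_text, package_manager="npm"):
    """Build POST /scan/dependencies; the key is read from the environment, never hardcoded."""
    api_key = os.environ["DEBTRADAR_API_KEY"]  # hypothetical variable name
    body = json.dumps({"content": manifest_text, "packageManager": package_manager})
    return urllib.request.Request(
        BASE_URL + "/scan/dependencies",
        data=body.encode("utf-8"),
        headers={"Authorization": "Bearer " + api_key,
                 "Content-Type": "application/json"},
        method="POST",
    )


def gate(report):
    """Return (ok, findings); anything the gate cannot account for fails closed."""
    deps = report.get("dependencies")
    if not isinstance(deps, list) or len(deps) != report.get("totalDependencies"):
        return False, ["response incomplete: dependency list does not match totalDependencies"]
    findings = []
    for dep in deps:
        status = dep.get("status")
        if status not in KNOWN:
            findings.append(f"{dep.get('name')}: unrecognised status {status!r}")
        elif status in BLOCKING:
            findings.append(f"{dep.get('name')}: {status} ({dep.get('reason')})")
    return not findings, findings


# Constructed sample: the response body shown above, trimmed to the fields the gate reads.
SAMPLE = {
    "totalDependencies": 3,
    "dependencies": [
        {"name": "sklearn", "status": "hallucinated",
         "reason": "Commonly hallucinated by AI. Correct name is 'scikit-learn'."},
        {"name": "express", "status": "valid", "reason": "Package appears legitimate."},
        {"name": "moment", "status": "deprecated", "reason": "This package is deprecated."},
    ],
}

if __name__ == "__main__":
    ok, findings = gate(SAMPLE)
    print("PASS" if ok else "FAIL", findings)
```

To call the service, pass the request to `urllib.request.urlopen` and hand the decoded JSON body to `gate`; a non-zero exit on `ok == False` turns it into a merge check.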