Pentify
Get started

Introduction

The Pentify API runs autonomous AI agents that perform reconnaissance, vulnerability scanning, and exploitation attempts inside a sandboxed runtime. Submit a target, get a structured report back.

Think of it as OpenAI for pentesting — but instead of LLM completion tokens you pay for scan tokens, and instead of completions you get vulnerability findings backed by request / response evidence and CVSS v3.1 scores.

Who this is for

  • Engineering teams wiring continuous pentesting into CI/CD on every PR or release tag.
  • Autonomous agents — LLM-driven assistants and orchestrators that need a programmatic pentest primitive.
  • Security platforms embedding scan execution into a larger product.
  • Bug-bounty researchers needing a paid, ToS-clean scanner with full audit trails.

The shape of the API

Pentify is a small, Stripe-shaped REST API over JSON. Resources are scans, targets, reports, webhooks and usage. Authentication is a single Authorization: Bearer pk_* header. Errors come in one envelope. Lists paginate by cursor. SDKs exist for TypeScript, Python and Go — all generated from the same OpenAPI 3.1 spec, so feature parity is automatic.

The four-step flow

  1. Verify the target. Prove you own the hostname via DNS TXT or a file at /.well-known/pentify-verify.txt.
  2. Start the scan. POST /v1/scans with the hostname and a scan_type. Pentify holds the token cost.
  3. Wait. Subscribe a webhook (preferred) or poll GET /v1/scans/{id}.
  4. Read the report. JSON, PDF (signed R2 URL), and a per-finding feed are all available.
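
The four steps above, plus the bearer auth, single error envelope and cursor pagination described under "The shape of the API", worked through as an added example. This is not Pentify's SDK or any of its generated clients: the transport is pluggable so the block runs offline against an in-memory stand-in for the API edge, and every name the page does not give (the `error.type` / `error.message` envelope keys, the `queued` / `running` / `completed` / `failed` status values, the `data` / `next_cursor` pagination fields, the `web` scan type, the `cvss_v3_1` finding key and the `pk_test_example` key) is an assumption made here.

```python
"""Minimal Pentify-style client over a pluggable transport (added example, not Pentify's SDK)."""
import time
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, path, headers, json_body) -> (http_status, json_payload)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class PentifyError(Exception):
    """Any non-2xx reply. Envelope shape {"error": {"type", "message"}} is an assumption."""

    def __init__(self, status: int, envelope: dict):
        err = envelope.get("error", {})
        super().__init__(f"{status} {err.get('type')}: {err.get('message')}")
        self.status, self.type, self.message = status, err.get("type"), err.get("message")


class PentifyClient:
    def __init__(self, api_key: str, transport: Transport, base: str = "/v1"):
        if not api_key.startswith("pk_"):
            raise ValueError("Pentify API keys are pk_* strings")
        self.api_key, self.transport, self.base = api_key, transport, base

    def _request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        # Single Authorization: Bearer pk_* header on every call, as the page states.
        headers = {"Authorization": f"Bearer {self.api_key}", "Content-Type": "application/json"}
        status, payload = self.transport(method, self.base + path, headers, body)
        if not 200 <= status < 300:
            raise PentifyError(status, payload)  # one envelope for every error
        return payload

    def start_scan(self, hostname: str, scan_type: str) -> dict:
        return self._request("POST", "/scans", {"hostname": hostname, "scan_type": scan_type})

    def get_scan(self, scan_id: str) -> dict:
        return self._request("GET", f"/scans/{scan_id}")

    def wait_for_scan(self, scan_id: str, timeout: float = 600.0, interval: float = 1.0,
                      sleep: Callable[[float], None] = time.sleep) -> dict:
        """Fallback polling of GET /v1/scans/{id}; a webhook is the preferred path."""
        deadline = time.monotonic() + timeout
        while True:
            scan = self.get_scan(scan_id)
            if scan["status"] in ("completed", "failed"):  # assumed terminal statuses
                return scan
            if time.monotonic() > deadline:
                raise TimeoutError(f"scan {scan_id} still {scan['status']} after {timeout}s")
            sleep(interval)
            interval = min(interval * 2, 30.0)  # back off so polling stays cheap

    def list_scans(self) -> List[dict]:
        """Walk every cursor page; `data` and `next_cursor` field names are assumed."""
        items, cursor = [], None
        while True:
            page = self._request("GET", "/scans" + (f"?cursor={cursor}" if cursor else ""))
            items.extend(page["data"])
            cursor = page.get("next_cursor")
            if not cursor:
                return items


class FakePentify:
    """Constructed in-memory stand-in for the API edge so the example runs offline."""

    def __init__(self, verified: List[str], page_size: int = 2):
        self.verified, self.page_size, self.scans, self.polls = set(verified), page_size, {}, {}

    def __call__(self, method: str, path: str, headers: Dict[str, str], body: Optional[dict]):
        if headers.get("Authorization") != "Bearer pk_test_example":
            return 401, {"error": {"type": "authentication_error", "message": "bad key"}}
        if method == "POST" and path == "/v1/scans":
            host = body["hostname"]
            if host not in self.verified:  # rule zero: unverified hostnames refused at the edge
                return 403, {"error": {"type": "target_unverified", "message": f"{host} not verified"}}
            sid = f"scan_{len(self.scans) + 1}"
            self.scans[sid] = {"id": sid, "hostname": host, "scan_type": body["scan_type"], "status": "queued"}
            return 201, self.scans[sid]
        if method == "GET" and path.startswith("/v1/scans/"):
            scan = self.scans.get(path.rsplit("/", 1)[1])
            if scan is None:
                return 404, {"error": {"type": "not_found", "message": path}}
            # Advance one state per poll: queued -> running -> completed (constructed behaviour).
            n = self.polls[scan["id"]] = self.polls.get(scan["id"], 0) + 1
            scan["status"] = "queued" if n < 2 else "running" if n < 3 else "completed"
            if scan["status"] == "completed":
                scan["report"] = {"findings": [{"title": "constructed finding", "cvss_v3_1": 7.5}]}
            return 200, scan
        if method == "GET" and path.startswith("/v1/scans"):
            offset = int(path.split("cursor=")[1]) if "cursor=" in path else 0
            rows = list(self.scans.values())
            nxt = offset + self.page_size
            return 200, {"data": rows[offset:nxt], "next_cursor": str(nxt) if nxt < len(rows) else None}
        return 404, {"error": {"type": "not_found", "message": path}}


def demo() -> dict:
    """Run the four-step flow against the fake edge and return what a caller would check."""
    client = PentifyClient("pk_test_example", FakePentify(verified=["app.example.com"]))
    scan = client.start_scan("app.example.com", "web")  # step 2 (target verified out of band in step 1)
    done = client.wait_for_scan(scan["id"], sleep=lambda _: None)  # step 3, no real sleeping
    try:
        client.start_scan("not-mine.example.net", "web")
        refused = None
    except PentifyError as e:  # rule zero surfaces as an ordinary envelope error
        refused = (e.status, e.type)
    for _ in range(2):
        client.start_scan("app.example.com", "web")
    return {"status": done["status"], "top_cvss": done["report"]["findings"][0]["cvss_v3_1"],
            "refused": refused, "total_scans": len(client.list_scans())}


if __name__ == "__main__":
    print(demo())
```

The transport is injected rather than hard-wired to `urllib` so the same client logic can be exercised against the constructed `FakePentify` in a unit test and against the real edge in production; the polling loop backs off and carries a deadline because the page calls polling the fallback, not the preferred path.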

Rule zero

Scans against unverified hostnames are refused at the API edge. There is no override. Every scan target is logged and ToS-acknowledged.

What to read next