Authentication
API clients can send X-API-Key or Authorization: Bearer. Browser sessions use
POST /api/session to set an HttpOnly cookie.
Quickstart
Replace <KEY> and <BASE_URL> (example: https://example.com/cves).
curl -H "X-API-Key: <KEY>" "<BASE_URL>/api/whoami"
curl -H "Authorization: Bearer <KEY>" "<BASE_URL>/api/cves?q=CVE-2024-3094&match=exact&limit=25"
curl -H "X-API-Key: <KEY>" "<BASE_URL>/api/health"
Troubleshooting
Use GET /api/whoami to confirm the client IP the service sees, whether that IP is banned, and whether your API key was accepted (api_key_authenticated).
Full CVE IDs default to exact matching to avoid false-positive CVE IDs; use match=contains to force substring matching.
When no exact match is found, the response may include suggestions with nearby CVE IDs.
Common responses:
401: API key missing/invalid (when an API key is required for search).
403: IP banned or admin-only endpoint.
429: free-tier per-IP limit reached.
For production integrations from a fixed backend server, request whitelisting for that server IP to avoid
rate-limit bans during automation.
Cross-origin browser calls are not enabled by default; use a backend proxy to avoid exposing API keys in the
browser.
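The following client is an added example, not the service's own SDK. It uses only what this page states: the two auth headers, GET /api/cves with q, match and limit, the exact-by-default rule for full CVE IDs, the "suggestions" field, and the 401/403/429 responses. The "results" field name, the "id" key and the offline fake_opener that stands in for the service are constructed assumptions so the example runs without network access.

```python
# Added example client for the CVE lookup API described on this page (not
# the service's own code). Headers, URL shape, the exact/contains default
# and the 401/403/429 meanings come from the page; the JSON field "results",
# the "id" key and the fake offline responses are constructed assumptions.
import json
import re
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# A full CVE identifier: CVE-<year>-<4+ digits>. Such queries default to
# match=exact, as the page states; anything else defaults to match=contains.
FULL_CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)

# Status codes documented under "Common responses".
STATUS_HINTS = {
    401: "API key missing or invalid (a key is required for search)",
    403: "client IP is banned or the endpoint is admin-only",
    429: "free-tier per-IP rate limit reached; back off, or request whitelisting for a fixed backend IP",
}


def build_headers(api_key, scheme="x-api-key"):
    """Either documented auth header; the key never goes into the URL."""
    if scheme == "x-api-key":
        return {"X-API-Key": api_key}
    if scheme == "bearer":
        return {"Authorization": f"Bearer {api_key}"}
    raise ValueError(f"unknown auth scheme: {scheme}")


def build_search_url(base_url, query, match=None, limit=25):
    """GET /api/cves?q=...&match=...&limit=..., applying the page's default
    match rule when the caller does not choose one."""
    query = query.strip()
    if match is None:
        match = "exact" if FULL_CVE_ID.match(query) else "contains"
    if match not in ("exact", "contains"):
        raise ValueError(f"unsupported match mode: {match}")
    params = urllib.parse.urlencode({"q": query, "match": match, "limit": limit})
    return f"{base_url.rstrip('/')}/api/cves?{params}"


def explain_status(code):
    """Map a documented error code to an actionable message."""
    return STATUS_HINTS.get(code, f"unexpected HTTP status {code}")


def parse_search_body(body):
    """Split a response into (results, suggestions). 'suggestions' is the
    field the page names for nearby CVE IDs; 'results' is assumed."""
    data = json.loads(body)
    return list(data.get("results", [])), list(data.get("suggestions", []))


def search(base_url, api_key, query, match=None, limit=25, opener=urllib.request.urlopen):
    """Run one search and turn documented error codes into a clear failure."""
    url = build_search_url(base_url, query, match, limit)
    req = urllib.request.Request(url, headers=build_headers(api_key))
    try:
        with opener(req, timeout=10) as resp:
            return parse_search_body(resp.read().decode("utf-8"))
    except HTTPError as err:
        raise RuntimeError(f"{url}: {explain_status(err.code)}") from err


# --- constructed offline stand-in for the service (not real data) ---
class _FakeResponse:
    def __init__(self, payload):
        self._payload = json.dumps(payload).encode("utf-8")

    def read(self):
        return self._payload

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(req, timeout=None):
    """Answers the way the page describes: an exact hit, a near miss with
    suggestions, a 401 without credentials, and a 429 for anything else."""
    names = {name.lower() for name, _ in req.header_items()}
    if "x-api-key" not in names and "authorization" not in names:
        raise HTTPError(req.full_url, 401, "Unauthorized", None, None)
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(req.full_url).query)["q"][0]
    if q == "CVE-2024-3094":
        return _FakeResponse({"results": [{"id": "CVE-2024-3094"}], "suggestions": []})
    if q == "CVE-2024-3095":
        return _FakeResponse({"results": [], "suggestions": ["CVE-2024-3094"]})
    raise HTTPError(req.full_url, 429, "Too Many Requests", None, None)


if __name__ == "__main__":
    base = "https://example.com/cves"
    print(search(base, "<KEY>", "CVE-2024-3094", opener=fake_opener))
    print(search(base, "<KEY>", "CVE-2024-3095", opener=fake_opener))
```

Pass opener=urllib.request.urlopen (the default) against a real <BASE_URL> once a key is whitelisted; keep the key in the backend process that calls search(), as the page advises, rather than in browser code.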