Skip to main content

API Reference

BreachResponse exposes a RESTful API through the Next.js frontend. All endpoints are served from the same origin as the Command Center dashboard.

Base URL

EnvironmentURL
Local Developmenthttp://localhost:3000/api
Production (Vercel)https://your-domain.vercel.app/api

All endpoints are prefixed with /api/.

Authentication

Public Endpoints (No Auth)

EndpointMethodAuth Required
/api/auditPOSTNo
/api/analyzePOSTNo
/api/comparePOSTNo
/api/gas-estimatePOSTNo
/api/sentinelsGETNo
/api/vault/statusGETNo
/api/metrics/value-monitoredGETNo

Agent-Only Endpoints (Bearer Token)

EndpointMethodAuth Required
/api/sentinelsPOST, PUTOptional (INGEST_TOKEN)
/api/nodes/heartbeatPOSTOptional (INGEST_TOKEN)
/api/logs/ingestPOSTOptional (INGEST_TOKEN)
/api/logs/streamGETOptional (INGEST_TOKEN)

Bearer Token Authentication

When INGEST_TOKEN is configured in the environment, agent-only endpoints require:

Authorization: Bearer <INGEST_TOKEN>

The token is compared using constant-time comparison (timingSafeEqual) to prevent timing attacks:

const a = Buffer.from(token);
const b = Buffer.from(expected);
if (a.length !== b.length) return false;
return timingSafeEqual(a, b);

If INGEST_TOKEN is not set, these endpoints are open -- suitable for local development.

The agent sends the token via reporter.py:

def ingest_headers() -> dict:
    headers = {"Content-Type": "application/json"}
    token = os.getenv("INGEST_TOKEN")
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return headers

Common Request Patterns

Content Type

All POST endpoints accept and return:

Content-Type: application/json

Error Responses

Errors follow a consistent format:

{
  "error": "Human-readable error description"
}

HTTP status codes:

CodeMeaning
200Success
400Bad request -- invalid input parameters
401Unauthorized -- missing or invalid INGEST_TOKEN
404Not found -- resource doesn't exist
422Unprocessable -- valid request but operation failed
500Internal server error -- unexpected failure

Fallback Behavior

AI-dependent endpoints return deterministic fallback data when no API key is configured:

// Example: /api/analyze fallback
const FALLBACK = {
  confidence: 0.91,
  severity: 'CRITICAL',
  evidencePoints: ['Recursive external call detected', ...],
  recommendation: 'Pause protocol',
  reasoning: '...',
  gasAnomalyFlag: true,
  gasAnomalyFactor: 4.2,
};

Fallback responses include the same structure as live responses but are clearly identifiable by the absence of AI-specific reasoning detail.

Rate Limiting

The API does not currently enforce rate limits server-side. However:

  • Groq API has its own rate limits (typically 30 requests/minute on free tier)
  • Hunyuan API has its own rate limits (varies by plan)
  • Mantle RPC public endpoints may rate-limit excessive calls

For production deployments, consider adding rate limiting middleware.

API Endpoints Summary

EndpointMethodDescription
/api/auditPOSTAI-powered contract security audit
/api/analyzePOSTSingle-model threat classification
/api/comparePOSTDual-model (Groq vs Hunyuan) parallel analysis
/api/gas-estimatePOSTOn-chain gas cost estimation with AI optimizations
/api/sentinelsGETList registered sentinel nodes
/api/sentinelsPOSTRegister a new sentinel node
/api/sentinelsPUTToggle sentinel status (ACTIVE ↔ PAUSED)
/api/nodes/heartbeatPOSTAgent heartbeat ping
/api/vault/statusGETCheck TargetVault pause status
/api/metrics/value-monitoredGETTotal value monitored across sentinels
/api/logs/ingestPOSTIngest telemetry from agent
/api/logs/streamGETSSE stream of telemetry events

Runtime

All API routes run in the Node.js runtime (runtime = 'nodejs'), not Edge. This is required because routes use:

  • process.env for environment variables
  • pg (node-postgres) for database access
  • crypto module for timingSafeEqual
  • ethers for RPC calls
  • EventEmitter for SSE

Next Steps