Escape Public API

The Escape Public API (V3) provides programmatic access to DAST scanning profiles, assets, integrations, scan results, authentications, issues, and job/report exports. Endpoints support automation of API security testing workflows and CI/CD pipeline integration.

OpenAPI Specification

escape-openapi.yml
openapi: 3.1.0
servers:
- url: https://public.escape.tech/v3
tags:
- name: Profiles
  description: 'A Profile is a configuration for the DAST scanning feature.


    It includes various parameters such as authentication details, environment settings, a schema...

    Profiles allow you to start scans on an endpoint and will keep track of the scan history.

    This ensures consistency in repeated scans and helps track changes or improvements over time.


    See [our documentation](https://docs.escape.tech/documentation/#profile) for more details.'
- name: Assets
  description: 'Manage every discovered asset.


    The public API provides basic CRUD operations for all available assets.


    See [our documentation](https://docs.escape.tech/documentation/asm/asset-management/) for more details.'
- name: Integrations
  description: 'Manage 3rd party integrations.


    The public API provides basic CRUD operations for all available integrations.


    See [our documentation](https://docs.escape.tech/documentation/asm/integrations/) for more details.'
- name: Workflows
  description: 'Workflows Management


    The public API provides CRUD operations to manage workflows.'
- name: Scans
  description: 'A Scan is a run of the DAST or ASM scanning feature on a profile (DAST/ASM).


    With the public API, you can trigger scans, track their status, and retrieve their results.


    See [our documentation](https://docs.escape.tech/documentation/dast/) for more details.'
- name: Emails
  description: 'Read scan inbox emails.


    The public API provides endpoints to list inbox emails and read their raw content without exposing storage links.'
- name: Issues
  description: 'Manage issues.


    Identify, prioritize, and remediate the security issues and sensitive data exposures uncovered during ASM and DAST scanning.


    See [our documentation](https://docs.escape.tech/documentation/governance/vulnerability-management/) for more details.'
- name: Jobs
  description: 'Asynchronous jobs.


    Trigger export jobs and poll for completion and artefacts.'
- name: Events
  description: 'Manage events.


    The public API provides basic CRUD operations to manage events.'
- name: Tags
  description: 'Manage tags.


    The public API provides basic CRUD operations to manage tags.'
- name: CustomRules
  description: 'Manage your custom rules.


    The public API provides basic CRUD operations to manage custom rules.


    See [our documentation](https://docs.escape.tech/documentation/dast/custom-rules/) for more details.'
- name: Upload
  description: 'Upload helper for Escape Platform.


    The public API provides endpoints to upload files to the platform.'
- name: Locations
  description: 'A Location is a proxy environment through which Escape sends requests.


    The public API provides basic CRUD operations for your private locations.


    See [our documentation](https://docs.escape.tech/documentation/tooling/private-location/) for more details.'
- name: Audit
  description: 'List audit logs.


    The public API provides endpoints to list audit logs.


    See [our documentation](https://docs.escape.tech/documentation/enterprise/audit-logs/) for more details.'
- name: Projects
  description: 'Projects Management


    The public API provides CRUD operations to manage projects.'
- name: Roles
  description: 'Roles Management


    The public API provides CRUD operations to manage roles.'
- name: Users
  description: 'Users Management


    The public API provides CRUD operations to manage users.'
- name: Statistics
  description: 'Organization Statistics


    High-level organization security posture statistics.'
- name: Asm
  description: 'Attack Surface Management


    Trigger and manage ASM discovery scans on your attack surface.


    See [our documentation](https://docs.escape.tech/documentation/asm/) for more details.'
- name: Beta
  description: 'Beta


    These endpoints are in beta and are subject to change.'
info:
  version: 3.0.0
  title: Escape Public API
  description: 'This API enables you to operate [Escape](https://escape.tech/) programmatically.


    All requests must be authenticated with a valid API key, provided in the `X-ESCAPE-API-KEY` header.

    For example: `X-ESCAPE-API-KEY: YOUR_API_KEY`.


    You can find your API key in the [Escape dashboard](https://app.escape.tech/user/).'
security:
- apiKey: []
components:
  securitySchemes:
    apiKey:
      type: apiKey
      in: header
      name: X-ESCAPE-API-KEY
  schemas: {}
  parameters: {}
paths:
  /profiles:
    get:
      tags:
      - Profiles
      summary: List profiles
      operationId: listProfiles
      description: List and search profiles of the organization.
      parameters:
      - schema:
          type: string
          description: The cursor to start the pagination from. Returned by the previous page response. If not provided, the
            first page will be returned.
          example: R1BDOlM6NTEwMzk4NTYtNGIyOS00NTlkLTg0ZDYtMWJhYjM0NWMzZjU5
        required: false
        description: The cursor to start the pagination from. Returned by the previous page response. If not provided, the
          first page will be returned.
        name: cursor
        in: query
      - schema:
          type: integer
          minimum: 1
          maximum: 100
          default: 50
          description: The number of items to return per page
          example: 50
        required: false
        description: The number of items to return per page
        name: size
        in: query
      - schema:
          type: string
          enum:
          - LAST_SCAN
          - NAME
          - SCORE
          - SEVERITY
          description: The type to sort by
        required: false
        description: The type to sort by
        name: sortType
        in: query
      - schema:
          type: string
          enum:
          - asc
          - desc
          default: asc
          description: The direction to sort by
        required: false
        description: The direction to sort by
        name: sortDirection
        in: query
      - schema:
          anyOf:
          - type: string
          - type: array
            items:
              type: string
          description: Filter by asset IDs
          example: 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000001
        required: false
        description: Filter by asset IDs
        name: assetIds
        in: query
      - schema:
          anyOf:
          - type: string
          - type: array
            items:
              type: string
          description: Filter by domain
          example: example.com,example.org
        required: false
        description: Filter by domain
        name: domains
        in: query
      - schema:
          anyOf:
          - type: string
          - type: array
            items:
              type: string
          description: Filter by issue IDs
          example: 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000001
        required: false
        description: Filter by issue IDs
        name: issueIds
        in: query
      - schema:
          anyOf:
          - type: string
          - type: array
            items:
              type: string
          description: Filter by tag IDs
          example: 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000001
        required: false
        description: Filter by tag IDs
        name: tagIds
        in: query
      - schema:
          type: string
          description: Search term to filter profiles by name or description
          example: profile1
        required: false
        description: Search term to filter profiles by name or description
        name: search
        in: query
      - schema:
          type: array
          items:
            type: string
            enum:
            - APPLICATION_CREATION
            - CI
            - INVENTORY
            - MANUAL
            - SCHEDULED
            - UNKNOWN
          description: Filter by initiator
        required: false
        description: Filter by initiator
        name: initiators
        in: query
      - schema:
          type: array
          items:
            type: string
            enum:
            - ASM_AKAMAI_ACCOUNT
            - ASM_AWS_ACCOUNT
            - ASM_AWS_LAMBDA
            - ASM_AZURE_TENANT
            - ASM_BITBUCKET_ORGANIZATION
            - ASM_BITBUCKET_REPOSITORY
            - ASM_BURPSUITE_EXPORT
            - ASM_CLOUDFLARE_ACCOUNT
            - ASM_CODE_PROJECT
            - ASM_DNS
            - ASM_GCP_PROJECT
            - ASM_GITHUB_ORGANIZATION
            - ASM_GITHUB_REPOSITORY
            - ASM_GITLAB_GROUP
            - ASM_GITLAB_REPOSITORY
            - ASM_GRAPHQL
            - ASM_GRAPHQL_SCHEMA
            - ASM_GRPC
            - ASM_HAR_EXPORT
            - ASM_INSOMNIA
            - ASM_IPV4
            - ASM_IPV4_RANGE
            - ASM_IPV6
            - ASM_KUBERNETES_CLUSTER
            - ASM_MCP
            - ASM_OPENAPI
            - ASM_PACKAGE
            - ASM_POSTMAN_COLLECTION
            - ASM_POSTMAN_ENVIRONMENT
            - ASM_POSTMAN_ORGANIZATION
            - ASM_REST
            - ASM_SOAP
            - ASM_SOFTWARE
            - ASM_WEBAPP
            - ASM_WEBSOCKET
            - ASM_WIZ_ACCOUNT
            - ASM_WP_JSON
            - AUTOMATED_PENTEST_GRAPHQL
            - AUTOMATED_PENTEST_REST
            - AUTOMATED_PENTEST_WEBAPP
            - BLST_GRAPHQL
            - BLST_REST
            - FRONTEND_DAST
          description: Filter by kind
        required: false
        description: Filter by kind
        name: kinds
        in: query
      - schema:
          type: array
          items:
            type: string
            enum:
            - CRITICAL_FINDING
            - EXPOSED
            - OPEN_SCHEMA
            - PRIVATE
            - PROD_ONLY_MODE
            - SENSITIVE_DATA
            - UNAUTHENTICATED
          description: Filter by risk
        required: false
        description: Filter by risk
        name: risks
        in: query
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: object
                properties:
                  nextCursor:
                    type:
                    - string
                    - 'null'
                  totalCount:
                    type: integer
                    default: 100
                    example: 20
                  data:
                    type: array
                    items:
                      type: object
                      properties:
                        id:
                          type: string
                          format: uuid
                          description: The id of the profile
                        name:
                          type: string
                          description: The name of the profile
                        description:
                          type: string
                          description: The description of the profile
                        createdAt:
                          type: string
                          description: The date and time the profile was created
                        initiators:
                          type: array
                          items:
                            type: string
                            enum:
                            - APPLICATION_CREATION
                            - CI
                            - INVENTORY
                            - MANUAL
                            - SCHEDULED
                            - UNKNOWN
                          description: The initiators of the profile
                        cron:
                          type:
                          - string
                          - 'null'
                          description: The cron of the profile
                        schemaAssetId:
                          type:
                          - string
                          - 'null'
                          format: uuid
                          description: Schema asset id derived from the first `extraAssets` entry with class SCHEMA, or the
                            legacy `assetSchemaId` when the link is not yet visible in `extraAssets`.
                        extraAssets:
                          type: array
                          items:
                            type: object
                            properties:
                              id:
                                type: string
                                format: uuid
                                description: The id of the asset
                              name:
                                type: string
                                description: The name of the asset
                              class:
                                type: string
                                enum:
                                - API_SERVICE
                                - CDN
                                - CLOUD_COMPONENT
                                - CLOUD_HOSTING
                                - CODE_PROJECT
                                - CSPM
                                - DEV_TOOLS
                                - FRONTEND
                                - HOST
                                - NETWORK
                                - REPOSITORY
                                - SCHEMA
                                - SOURCE_CODE_MANAGEMENT
                                - TECHNOLOGY
                                description: The class of the asset
                              type:
                                type: string
                                enum:
                                - AKAMAI_ACCOUNT
                                - AWS_ACCOUNT
                                - AWS_LAMBDA
                                - AZURE_TENANT
                                - BITBUCKET_ORGANIZATION
                                - BITBUCKET_REPOSITORY
                                - BURPSUITE_EXPORT
                                - CLOUDFLARE_ACCOUNT
                                - CODE_PROJECT
                                - DNS
                                - GCP_PROJECT
                                - GITHUB_ORGANIZATION
                                - GITHUB_REPOSITORY
                                - GITLAB_GROUP
                                - GITLAB_REPOSITORY
                                - GRAPHQL
                                - GRAPHQL_SCHEMA
                                - GRPC
                                - HAR_EXPORT
                                - INSOMNIA
                                - IPV4
                                - IPV4_RANGE
                                - IPV6
                                - KUBERNETES_CLUSTER
                                - MCP
                                - OPENAPI
                                - PACKAGE
                                - POSTMAN_COLLECTION
                                - POSTMAN_ENVIRONMENT
                                - POSTMAN_ORGANIZATION
                                - REST
                                - SOAP
                                - SOFTWARE
                                - WEBAPP
                                - WEBSOCKET
                                - WIZ_ACCOUNT
                                - WP_JSON
                                description: The type of the asset
                              status:
                                type: string
                                enum:
                                - DEPRECATED
                                - FALSE_POSITIVE
                                - MONITORED
                                - OUT_OF_SCOPE
                                - THIRD_PARTY
                                description: The status of the asset
                              createdAt:
                                type: string
                                description: The date and time the asset was created
                              isActive:
                                type: boolean
                                description: True when this asset's id equals the profile's resolved `schemaAssetId`. Callers
                                  can filter `class === 'SCHEMA' && isActive` to find the schema currently driving scans.
                              signedUrl:
                                type:
                                - string
                                - 'null'
                                description: Time-limited HTTPS URL to download the backing schema bytes. Non-null only for
                                  `class === "SCHEMA"` entries; null for other asset classes.
                            required:
                            - id
                            - name
                            - class
                            - type
                            - status
                            - createdAt
                            - isActive
                            - signedUrl
                            title: ProfileExtraAsset
                            description: Extra asset associated with a profile
                          description: Extra assets linked to the profile
                        asset:
                          type: object
                          properties:
                            id:
                              type: string
                              format: uuid
                              description: The id of the asset
                            class:
                              type: string
                              enum:
                              - API_SERVICE
                              - CDN
                              - CLOUD_COMPONENT
                              - CLOUD_HOSTING
                              - CODE_PROJECT
                              - CSPM
                              - DEV_TOOLS
                              - FRONTEND
                              - HOST
                              - NETWORK
                              - REPOSITORY
                              - SCHEMA
                              - SOURCE_CODE_MANAGEMENT
                              - TECHNOLOGY
                            type:
                              type: string
                              enum:
                              - AKAMAI_ACCOUNT
                              - AWS_ACCOUNT
                              - AWS_LAMBDA
                              - AZURE_TENANT
                              - BITBUCKET_ORGANIZATION
                              - BITBUCKET_REPOSITORY
                              - BURPSUITE_EXPORT
                              - CLOUDFLARE_ACCOUNT
                              - CODE_PROJECT
                              - DNS
                              - GCP_PROJECT
                              - GITHUB_ORGANIZATION
                              - GITHUB_REPOSITORY
                              - GITLAB_GROUP
                              - GITLAB_REPOSITORY
                              - GRAPHQL
                              - GRAPHQL_SCHEMA
                              - GRPC
                              - HAR_EXPORT
                              - INSOMNIA
                              - IPV4
                              - IPV4_RANGE
                              - IPV6
                              - KUBERNETES_CLUSTER
                              - MCP
                              - OPENAPI
                              - PACKAGE
                              - POSTMAN_COLLECTION
                              - POSTMAN_ENVIRONMENT
                              - POSTMAN_ORGANIZATION
                              - REST
                              - SOAP
                              - SOFTWARE
                              - WEBAPP
                              - WEBSOCKET
                              - WIZ_ACCOUNT
                              - WP_JSON
                            name:
                              type: string
                              description: The name of the asset
                            externalUrl:
                              type:
                              - string
                              - 'null'
                              description: The external url of the asset
                            faviconUrl:
                              type:
                              - string
                              - 'null'
                              description: The favicon url of the asset
                            description:
                              type:
                              - string
                              - 'null'
                              description: The description of the asset
                            createdAt:
                              type: string
                              description: The date and time the asset was created
                            lastSeenAt:
                              type: string
                              description: The date and time the asset was last seen
                            scheduledForDeletionAt:
                              type:
                              - string
                              - 'null'
                              description: The date and time the asset is scheduled for deletion
                            status:
                              type: string
                              enum:
                              - DEPRECATED
                              - FALSE_POSITIVE
                              - MONITORED
                              - OUT_OF_SCOPE
                              - THIRD_PARTY
                              description: The status of the asset
                            owners:
                              type: array
                              items:
                                type: string
                              description: The owners of the asset
                            tags:
                              type: array
                              items:
                                type: object
                                properties:
                                  id:
                                    type: string
                                    format: uuid
                                    description: The id of the tag
                                  name:
                                    type: string
                                    description: The name of the tag
                                  color:
                                    type: string
                                    description: The color of the tag
                                required:
                                - id
                                - name
                                - color
                                title: Tag
                                description: Information about a tag
                              description: The tags of the asset
                            risks:
                              type: array
                              items:
                                type: string
                                enum:
                                - CRITICAL_FINDING
                                - EXPOSED
                                - OPEN_SCHEMA
                                - PRIVATE
                                - PROD_ONLY_MODE
                                - SENSITIVE_DATA
                                - UNAUTHENTICATED
                              description: The risks of the asset
                            firstSeenScan:
                              type:
                              - object
                              - 'null'
                              properties:
                                id:
                                  type: string
                                  format: uuid
                                  description: The id of the scan
                                status:
                                  type: string
                                  description: The status of the scan
                                createdAt:
                                  type: string
                                  description: The date and time the scan was created
                                finishedAt:
                                  type:
                                  - string
                                  - 'null'
                                  description: The date and time the scan was finished
                                score:
                                  type:
                                  - number
                                  - 'null'
                                  description: The score of the scan
                                coverage:
                                  type:
                                  - number
                                  - 'null'
                                  description: Aggregate API coverage ratio for this scan (0–1), when the scan has finished
                                    with coverage data
                                duration:
                                  type: number
                                  description: The duration of the scan
                                progressRatio:
                                  type: number
                                  description: The progress ratio of the scan
                                initiator:
                                  type: string
                                  description: The initiator of the scan
                                kind:
                                  type: string
                                  description: The kind of the scan
                                commitHash:
                                  type:
                                  - string
                                  - 'null'
                                  description: The commit hash of the scan
                                commitBranch:
                                  type:
                                  - string
                                  - 'null'
                                  description: The commit branch of the scan
                                links:
                                  type: object
                                  properties:
                                    scanIssues:
                                      type: string
                                      description: The url to view the scan issues in the platform
                                  required:
                                  - scanIssues
                                  description: The links of the scan
                              required:
                              - id
                              - status
                              - createdAt
                              - finishedAt
                              - score
                              - coverage
                              - duration
                              - progressRatio
                              - initiator
                              - kind
                              - commitHash
                              - commitBranch
                              - links
                              title: ScanSummarized
                              description: The first seen scan of the asset
                            lastSeenScan:
                              type:
                              - object
                              - 'null'
                              properties:
                                id:
                                  type: string
                                  format: uuid
                                  description: The id of the scan
                                status:
                                  type: string
                                  description: The status of the scan
                                createdAt:
                                  type: string
                                  description: The date and time the scan was created
                                finishedAt:
                                  type:
                                  - string
                                  - 'null'
                                  description: The date and time the scan was finished
                                score:
                                  type:
                                  - number
                                  - 'null'
                                  description: The score of the scan
                                coverage:
                                  type:
                                  - number
                                  - 'null'
                                  description: Aggregate API coverage ratio for this scan (0–1), when the scan has finished
                                    with coverage data
                                duration:
                                  type: number
                                  description: The duration of the scan
                                progressRatio:
                                  type: number
                                  description: The progress ratio of the scan
                                initiator:
                                  type: string
                                  description: The initiator of the scan
                                kind:
                                  type: string
                                  description: The kind of the scan
                                commitHash:
                                  type:
                                  - string
                                  - 'null'
                                  description: The commit hash of the scan
                                commitBranch:
                                  type:
                                  - string
                                  - 'null'
                                  description: The commit branch of the scan
                                links:
                                  type: object
                                  properties:
                                    scanIssues:
                                      type: string
                                      description: The url to view the scan issues in the platform
                                  required:
                                  - scanIssues
                                  description: The links of the scan
                              required:
                              - id
                              - status
                              - createdAt
                              - finishedAt
                              - score
                              - coverage
                              - duration
                              - progressRatio
                              - initiator
                              - kind
                              - commitHash
                              - commitBranch
                              - links
                              title: ScanSummarized
                              description: The last seen scan of the asset
                            service:
                              type:
                              - object
                              - 'null'
                              properties:
                                type:
                                  type: string
                                  enum:
                                  - GRAPHQL
                                  - GRPC
                                  - MCP
                                  - REST
                                  - SOAP
                                  - WEBSOCKET
                                url:
                                  type: string
                                framework:
                                  type:
                                  - string
                                  - 'null'
                                authProtocol:
                                  type:
                                  - string
                    

# --- truncated at 32 KB (13227 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/escape/refs/heads/main/openapi/escape-openapi.yml