Developer Documentation

Base URL

All API endpoints are served over HTTPS. There is no versioning prefix the path prefix identifies the service.

https://lorikeetsecurity.com/ptaas/api/

All URLs are extensionless. Do not include .php in API calls. For example:

POST  https://lorikeetsecurity.com/ptaas/api/login
POST  https://lorikeetsecurity.com/ptaas/api/createproject
GET   https://lorikeetsecurity.com/ptaas/api/findinginfo?finding_id=42

Authentication

Lorikeet Security uses passwordless, magic-link authentication there are no passwords stored anywhere on the platform. Sign-in is a two-step flow:

1. Request a magic link POST your email to /ptaas/api/login. A one-time login link is emailed to you.
2. Validate the link opening the emailed link hits /ptaas/api/validate, which establishes a session cookie in your browser.

For programmatic / scripted access, contact support@lorikeetsecurity.com to provision a long-lived API token tied to your account. The interactive endpoints below assume you already hold a valid session cookie obtained through the browser flow.

Step 1: Request a Magic Link

curl -X POST https://lorikeetsecurity.com/ptaas/api/login \
  -d "[email protected]"

The response always indicates success regardless of whether the account exists (to prevent account enumeration). If the email is valid, a login link arrives within seconds.

Step 2: Validate the Magic Link

The emailed link points at /ptaas/api/validate?token=<token>. Opening it in a browser sets a PHPSESSID cookie scoped to .lorikeetsecurity.com. All authenticated endpoints below accept that cookie.

curl -b cookies.txt https://lorikeetsecurity.com/ptaas/api/getUserInfo

Session Data Available After Validation

{
  "loggedin":      true,
  "email":         "[email protected]",
  "id":            "<user uuid>",
  "company_id":    47,
  "company_name":  "Acme Corp",
  "fullname":      "Jane Smith",
  "role":          "admin",
  "account_admin": true,
  "partner_id":    0,
  "session_id":    "<php session id>"
}

Rate Limiting

Rate limits are enforced per IP address. Exceeding a limit returns HTTP 429 Too Many Requests.

Error Handling

All API responses are JSON. Errors return a success: false or status: "error" field alongside a human-readable message.

// Standard error format
{
  "success": false,
  "message": "Unauthorized"
}

// Public endpoint format
{
  "status":  "error",
  "message": "Email is required"
}

Contact Form API

On success the sales team is notified in Microsoft Teams and the submitter receives a confirmation email.

Newsletter Subscribe API

// Success
{ "status": "success", "message": "You're subscribed! Check your inbox for a welcome email." }

// Already subscribed
{ "status": "error", "message": "This email is already subscribed." }

Request a Quote

Projects API

All project operations are scoped to your company_id from the active session.

Assets API

Assets define the targets in scope for a pentest engagement.

Findings API

Query vulnerability findings from your pentest engagements. Sorted by severity (Critical → Info) by default.

Finding Schema

{
  "id":           42,
  "title":        "SQL Injection in /api/search",
  "severity":     "Critical",
  "status":       "Open",
  "category":     "Injection",
  "cwe_id":       "CWE-89",
  "cvss_score":   9.8,
  "description":  "The search parameter is vulnerable to blind SQL injection...",
  "remediation":  "Use parameterized queries or prepared statements...",
  "evidence":     "[request/response proof]",
  "project_id":   7,
  "project_name": "Q1 2026 Web App Assessment",
  "company_id":   47,
  "created_at":   "2026-01-15 14:23:00"
}

ASM Scan API

The Attack Surface Management module continuously monitors your external-facing assets.

Webhooks

Receive real-time HTTP POST notifications when events occur in your account. Custom webhooks are available on the Professional plan and above.

Configuring a Webhook

Webhooks are configured from the portal at Settings → Integrations → Custom Webhook, or programmatically through the integration controller:

Webhook Events

test.connection is fired when you click Test on a webhook in the portal it is not a subscribable event.

Generic Payload Format

{
  "event":     "finding.created",
  "timestamp": "2026-05-30T09:00:00+00:00",
  "source":    "lorikeet-asm",
  "data": {
    "finding": {
      "id":             42,
      "title":          "SQL Injection in /api/search",
      "severity":       "Critical",
      "category":       "Injection",
      "status":         "Open",
      "description":    "The search parameter is vulnerable to blind SQLi...",
      "affected_asset": "api.example.com/search",
      "created_at":     "2026-05-30 09:00:00",
      "updated_at":     "2026-05-30 09:00:00"
    }
  }
}

For finding.updated and ticket.updated events, the payload also includes a changes object describing which fields changed. scan.completed includes aggregate counts (subdomains_found, ips_found, technologies_found, findings_count).

Verifying Signatures

If you configure a secret_key, every payload includes an X-Webhook-Signature header containing sha256=<hmac-hex> computed over the raw request body.

# Python
import hmac, hashlib
def verify(secret, body, header_sig):
    expected = 'sha256=' + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_sig)

// Node.js
const crypto = require('crypto');
function verify(secret, body, headerSig) {
  const expected = 'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(headerSig));
}

Delivery Guarantees

Webhooks are delivered at-most-once with a 15-second request timeout and up to 3 redirect follows. Failures (non-2xx responses, connection errors, timeouts) are logged to the integration activity feed in your portal but are not automatically retried subscribe to a queueing system on your end if you need durability guarantees. Use the Test button in the portal to verify endpoint reachability before going live.

Slack Integration

Post security alerts to your Slack workspace when findings are discovered or scan jobs complete.

Setup

1. In Slack: Apps → Incoming Webhooks → Add to Slack. Choose a channel and copy the webhook URL.
2. In your portal: Settings → Integrations → Slack paste the URL.

Jira Integration

Auto-create Jira issues when Critical and High findings are reported.

Setup

1. Generate a Jira API token at id.atlassian.com → Security → API tokens.
2. In your portal: Settings → Integrations → Jira.

Microsoft Teams Integration

Send alerts to a Teams channel via an Incoming Webhook connector.

Setup

1. In Teams: channel settings → Integrations → Incoming Webhook → Configure. Copy the URL.
2. In your portal: Settings → Integrations → Microsoft Teams.

Discord Integration

Receive security alerts in a Discord channel.

Setup

1. In Discord: channel settings → Integrations → Create Webhook. Copy the URL.
2. In your portal: Settings → Integrations → Discord.

GitHub Integration

Link repositories to findings. Findings can be auto-converted to GitHub security advisories or issues.

Setup

1. Generate a GitHub PAT with repo and security_events scopes.
2. In your portal: Settings → Integrations → GitHub. Enter your username, PAT, and repo name.

GitLab Integration

Push pentest findings into GitLab as issues, linked to a specific project. Mirrors the GitHub integration's behavior for self-hosted and SaaS GitLab.

Setup

1. In GitLab: User Settings → Access Tokens create a personal access token with the api scope.
2. In your portal: Settings → Integrations → GitLab. Enter your GitLab instance URL (defaults to https://gitlab.com), the project ID, and the access token.

Azure DevOps Integration

Sync findings into Azure DevOps Boards as work items, with severity mapped to area paths and priority levels.

Setup

1. In Azure DevOps: User Settings → Personal Access Tokens → New Token. Grant Work Items (Read & Write) scope.
2. In your portal: Settings → Integrations → Azure DevOps. Enter your organization, project, and PAT. Optionally specify a default work item type (defaults to Bug).

Enterprise & Compliance Integrations

Available on the Company plan tier. These connectors stream findings into security operations platforms, cloud-native security tooling, and compliance frameworks.

SIEM & Logging

• Splunk HEC ingestion of findings, scan completions, and audit events
• Microsoft Sentinel custom log table ingestion via Data Collection Rules
• Elastic Security bulk indexing into a configured datastream

Cloud Security

• AWS Security Hub findings written in ASFF format
• Microsoft Defender for Cloud recommendations attached to subscription resources
• Google Cloud Security Command Center finding ingestion into your org's source

Compliance & GRC

• Drata evidence pushed against pentest controls
• Vanta automated test results synced into your trust report
• Anchorpoint partner integration for compliance program management

Paging & Notification

• PagerDuty Critical and High findings routed to your on-call schedule
• SMS direct text notifications via the integration controller

Severity Levels