API v1.0  ·  2026

Developer Documentation

Integrate with the Lorikeet Security PTaaS platform. Pull your pentest findings, configure real-time webhook alerts, and connect your security workflow to the tools your team already uses.

Early access: Integration capabilities are available to all active PTaaS and ASM subscribers. Reach out to [email protected] if you need a dedicated API key or custom integration support.

Base URL

All API endpoints are served over HTTPS. There is no version prefix in the path; the /ptaas/api/ prefix identifies the service.

https://lorikeetsecurity.com/ptaas/api/

All URLs are extensionless. Do not include .php in API calls. For example:

POST  https://lorikeetsecurity.com/ptaas/api/login
POST  https://lorikeetsecurity.com/ptaas/api/createproject
GET   https://lorikeetsecurity.com/ptaas/api/findinginfo?finding_id=42

Authentication

The API uses session-based authentication. You must first log in to obtain a session cookie, then include that cookie in all subsequent requests.

Step 1: Login

POST /ptaas/api/login    (public)

Authenticate with your portal credentials and receive a session cookie.

Parameter  Type    Required  Description
email      string  required  Your registered email address
password   string  required  Your account password
Example curl

curl -c cookies.txt -X POST https://lorikeetsecurity.com/ptaas/api/login \
  -d "[email protected]&password=yourpassword"

On success the server sets a PHPSESSID session cookie. Pass this cookie on all authenticated requests:

curl -b cookies.txt https://lorikeetsecurity.com/ptaas/api/getUserInfo

The cookie is the only credential on those requests, so protect cookies.txt as you would a password file (restrictive permissions, never committed to a repository). Passing the password as a -d literal also leaves it in shell history and process listings; in scripts, read it from an environment variable or use --data-urlencode password@passfile to take it from a file. Sessions expire after 1 hour of inactivity. If you receive a 401 Unauthorized, re-authenticate and retry the request.

Session Data Available After Login

{
  "email":      "[email protected]",
  "company_id": 47,
  "user_id":    112,
  "username":   "Jane Smith"
}

Rate Limiting

Rate limits are enforced per source IP address, so clients behind a shared egress address (a NAT gateway, CI runners) share one budget. Exceeding a limit returns HTTP 429 Too Many Requests.

Endpoint          Limit        Window
Login             10 attempts  15 minutes
Signup            3 attempts   15 minutes
Email validation  10 attempts  15 minutes
Create project    5 requests   5 minutes
Create asset      10 requests  60 seconds

Error Handling

All API responses are JSON. Authenticated endpoints report errors with a success: false field; public endpoints use status: "error". Both include a human-readable message. Check the HTTP status code first and treat any non-200 response as an error even if its body does not parse as JSON.

// Standard error format
{
  "success": false,
  "message": "Unauthorized"
}

// Public endpoint format
{
  "status":  "error",
  "message": "Email is required"
}
HTTP Status  Meaning
200          Success
400          Bad request: missing or invalid parameters
401          Unauthenticated: session missing or expired
403          Forbidden: insufficient permissions
405          Method not allowed
429          Rate limit exceeded
500          Internal server error
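The login, session-cookie, 401 re-authentication, 429 backoff and error-format rules above combine into a small client. The following is an added example written for this page, not Lorikeet's own SDK: PtaasClient, ApiError, error_message and the transport functions are names chosen here. It assumes two things the page does not state: that a 429 response may carry a Retry-After header (it falls back to exponential backoff if not), and that the login response body carries nothing worth parsing (only the PHPSESSID cookie is documented). The responses replayed by demo() are constructed, not captured from the live service.

```python
# Added example, not Lorikeet's own SDK: session-cookie login, transparent re-login on 401, backoff on 429,
# one error type for both documented error shapes. Assumptions not on the docs page: 429 responses may carry
# Retry-After, and the login response body is not parsed (only the PHPSESSID cookie is documented).
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

BASE_URL = "https://lorikeetsecurity.com/ptaas/api"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status, self.message = status, message

def error_message(body):
    """Pull the message out of either error shape: {"success": false, ...} or {"status": "error", ...}."""
    try:
        data = json.loads(body or "{}")
    except ValueError:
        return (body or "")[:200]
    if isinstance(data, dict) and (data.get("success") is False or data.get("status") == "error"):
        return str(data.get("message", "unknown error"))
    return "unexpected response"

def urllib_transport(method, url, headers, body):
    """Live HTTPS transport: returns (status, [(header, value), ...], body_text); HTTP errors are data, not exceptions."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, list(resp.headers.items()), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, list(err.headers.items()), err.read().decode()

class PtaasClient:
    def __init__(self, email, password, transport=urllib_transport, sleep=time.sleep, max_attempts=3):
        self.email, self.password = email, password
        self.transport, self.sleep, self.max_attempts = transport, sleep, max_attempts
        self.session_id = None  # PHPSESSID value: the only credential on later calls, so guard it like a token

    def login(self):
        form = urllib.parse.urlencode({"email": self.email, "password": self.password}).encode()
        status, headers, body = self.transport("POST", f"{BASE_URL}/login", dict(FORM), form)
        if status != 200:
            raise ApiError(status, error_message(body))
        for name, value in headers:  # walk every Set-Cookie header; a dict would keep only the last one
            if name.lower() == "set-cookie":
                jar = SimpleCookie()
                jar.load(value)
                if "PHPSESSID" in jar:
                    self.session_id = jar["PHPSESSID"].value
        if not self.session_id:
            raise ApiError(status, "login returned 200 but set no PHPSESSID cookie")

    def request(self, method, path, params=None):
        """Authenticated call: re-login once per 401, back off on 429, raise ApiError on anything else."""
        if self.session_id is None:
            self.login()
        for attempt in range(self.max_attempts):
            query = "?" + urllib.parse.urlencode(params) if method == "GET" and params else ""
            headers, body = {"Cookie": f"PHPSESSID={self.session_id}"}, None
            if method != "GET":
                headers.update(FORM)
                body = urllib.parse.urlencode(params or {}).encode()
            status, resp_headers, text = self.transport(method, f"{BASE_URL}/{path}{query}", headers, body)
            if status == 401:  # idle session expired (1 hour): fetch a fresh cookie and retry
                self.session_id = None
                self.login()
                continue
            if status == 429:  # per-IP limit: honour Retry-After if sent (assumed), else back off exponentially
                retry_after = {k.lower(): v for k, v in resp_headers}.get("retry-after")
                self.sleep(float(retry_after) if retry_after else 2 ** attempt)
                continue
            if status != 200:
                raise ApiError(status, error_message(text))
            return json.loads(text)
        raise ApiError(0, f"gave up after {self.max_attempts} attempts: {method} {path}")

    def get_finding(self, finding_id):
        return self.request("GET", "findinginfo", {"finding_id": finding_id})

def demo():
    """Offline walkthrough: login, expired session (401), transparent re-login, rate limit (429), finding."""
    script = [  # constructed responses standing in for the live server
        (200, [("Set-Cookie", "PHPSESSID=first; path=/; HttpOnly; Secure")], ""),
        (401, [], '{"success": false, "message": "Unauthorized"}'),
        (200, [("Set-Cookie", "PHPSESSID=second; path=/; HttpOnly; Secure")], ""),
        (429, [("Retry-After", "1")], '{"success": false, "message": "Too many requests"}'),
        (200, [], '{"id": 42, "title": "SQL Injection in /api/search", "severity": "Critical"}'),
    ]
    calls = []
    def transport(method, url, headers, body):  # records (method, endpoint, Cookie header) then replays the script
        calls.append((method, url.split("/api/")[1].split("?")[0], headers.get("Cookie")))
        return script.pop(0)
    client = PtaasClient("jane@example.com", "not-a-real-password", transport=transport, sleep=lambda _: None)
    return client.get_finding(42), client.session_id, calls
```

Replace the scripted transport with the default urllib_transport to talk to the real service. The transport is injected precisely so the retry logic can be exercised offline; the same seam lets you swap in a session from a library such as requests without touching the auth handling.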

Contact Form API

POST /ptaas/api/contact    (public)

Submit a contact/sales inquiry. Requires a corporate email address; free-provider domains (Gmail, Yahoo, etc.) are rejected.

Parameter          Type    Required  Description
email              string  required  Corporate email address
fullname           string  required  Full name
jobtitle           string  optional  Job title
company            string  required  Company name
industry           string  optional  Industry vertical
country            string  optional  Country
how_heard          string  optional  How did you hear about us
services_interest  string  optional  Service of interest
message            string  required  Message body (English only)

On success, the team is notified via Slack and you receive a confirmation email.

Newsletter Subscribe API

POST /api/newsletter-subscribe    (public)

Subscribe an email address to the Lorikeet Security newsletter. A welcome email is sent immediately on success. Note that this endpoint is served under /api/, not under the /ptaas/api/ prefix used by the rest of this page.

Parameter   Type    Required  Description
email       string  required  Email address to subscribe
first_name  string  optional  Subscriber first name (derived from the local part of the email address if omitted)

// Success
{ "status": "success", "message": "You're subscribed! Check your inbox for a welcome email." }

// Already subscribed
{ "status": "error", "message": "This email is already subscribed." }

Request a Quote

POST /ptaas/api/get-quote    (public)

Submit a scoped engagement request. The team responds with pricing within 24 hours.

For programmatic quote generation and custom project scoping, contact [email protected].

Projects API

All project operations are scoped to your company_id from the active session.

POST /ptaas/api/createproject    (auth required)

Parameter     Type    Required  Description
project_name  string  required  Unique project name within your account
project_type  string  required  One of: webapp, api, mobile, cloud, thickclient, iot, hardware, physical, pcidss, iso, atm, kiosk, redteam, soc2, activedirectory
start_date    date    optional  Engagement start date (YYYY-MM-DD)
end_date      date    optional  Engagement end date (YYYY-MM-DD)
csrf_token    string  required  CSRF token from the current session

POST /ptaas/api/deleteproject    (auth required)

Parameter   Type     Required  Description
project_id  integer  required  ID of the project to delete

Assets API

Assets define the targets in scope for a pentest engagement.

POST /ptaas/api/creatasset    (auth required)

The path is spelled creatasset, as shown.

Parameter               Type    Required  Description
asset_name              string  required  Asset identifier (URL, IP, hostname)
asset_type              string  required  One of: web, api, mobile, network, cloud
testing_type            string  optional  One of: black-box, grey-box, white-box
asset_storage           string  optional  One of: cloud, on-prem, hybrid
additional_information  string  optional  Extra context for the pentest team

POST /ptaas/api/assetupdate    (auth required)

Update an existing asset's metadata.

POST /ptaas/api/assetdelete    (auth required)

Parameter  Type     Required  Description
asset_id   integer  required  ID of the asset to delete

Findings API

Query vulnerability findings from your pentest engagements. Sorted by severity (Critical → Info) by default.

GET /ptaas/api/findinginfo?finding_id=<ID>    (auth required)

Retrieve a single finding by ID with full detail including remediation, evidence, and CVSS score.

POST /ptaas/api/markreadyforretesting    (auth required)

Mark a finding as remediated and ready for retest verification.

Parameter   Type     Required  Description
finding_id  integer  required  ID of the finding to mark

Finding Schema

{
  "id":           42,
  "title":        "SQL Injection in /api/search",
  "severity":     "Critical",
  "status":       "Open",
  "category":     "Injection",
  "cwe_id":       "CWE-89",
  "cvss_score":   9.8,
  "description":  "The search parameter is vulnerable to blind SQL injection...",
  "remediation":  "Use parameterized queries or prepared statements...",
  "evidence":     "[request/response proof]",
  "project_id":   7,
  "project_name": "Q1 2026 Web App Assessment",
  "company_id":   47,
  "created_at":   "2026-01-15 14:23:00"
}

ASM Scan API

The Attack Surface Management module continuously monitors your external-facing assets.

POST /ptaas/asm/ajax/process-scan-job    (auth required)

Parameter  Type    Required  Description
target     string  required  Domain to scan (e.g. example.com)
scan_type  string  optional  full or quick (default: full)

GET /ptaas/asm/ajax/get-findings    (auth required)

Retrieve all ASM findings for your account, ordered by severity.

Scans run in three phases: subdomain enumeration, security checks, then AI-enriched finding generation. Full scans typically complete in 3–10 minutes.

Webhooks

Receive real-time HTTP POST notifications when events occur in your account.

POST /ptaas/api/integrations/IntegrationController?action=save    (auth required)

Parameter         Type    Required  Description
integration_type  string  required  webhook
endpoint_url      string  required  Your receiving URL (must be HTTPS)
secret_key        string  optional  Shared secret used to compute the HMAC-SHA256 signature header
auth_header       string  optional  Static Authorization header value sent with each delivery (e.g. Bearer token123)
events[]          array   optional  Events to subscribe to (see below)

Webhook Events

finding.created, finding.updated, finding.resolved, scan.started, scan.completed, asset.discovered, ticket.created, ticket.updated, test.connection

Payload Format

{
  "event":      "finding.created",
  "timestamp":  "2026-03-03T09:00:00+00:00",
  "company_id": 47,
  "data": {
    "id":         42,
    "title":      "SQL Injection in /api/search",
    "severity":   "Critical",
    "status":     "Open",
    "project_id": 7,
    "cwe_id":     "CWE-89"
  }
}

Verifying Signatures

If you set a secret_key, every delivery carries an X-PTaaS-Signature header whose value is sha256= followed by the hex-encoded HMAC-SHA256 of the raw request body. Verify it against the exact bytes you received, before parsing or re-serialising the JSON, compare in constant time, and reject the delivery on any mismatch.

# Python
import hmac, hashlib

def verify(secret: str, body: bytes, header_sig: str) -> bool:
    # body is the raw request body, not re-serialised JSON; a missing or unprefixed header fails closed
    if not header_sig or not header_sig.startswith('sha256='):
        return False
    expected = 'sha256=' + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_sig)

// Node.js
const crypto = require('crypto');

function verify(secret, body, headerSig) {
  // body is the raw Buffer/string; timingSafeEqual throws on unequal lengths, so check length first
  if (typeof headerSig !== 'string' || !headerSig.startsWith('sha256=')) return false;
  const expected = 'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
  const a = Buffer.from(expected), b = Buffer.from(headerSig);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

Retry Policy

If your endpoint returns a non-2xx response, the webhook is retried up to 3 times with exponential backoff (30s, 5m, 30m). After 3 failures the webhook is disabled and you are notified by email. Because a retry re-sends the same payload, make your handler idempotent, and return 2xx as soon as the delivery is verified and queued rather than after downstream processing, so that a slow ticketing system does not trigger retries or get the webhook disabled.
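Putting the signature check, the optional auth_header and the retry behaviour together, the receiver below is an added example written for this page, not Lorikeet's code. WebhookReceiver, sign, verify_signature and demo are names chosen here. Two things are assumptions not stated in the documentation: the five-minute freshness window on the payload timestamp (to bound replay of a captured delivery) and de-duplication by SHA-256 of the raw body (so a retried delivery is acknowledged but not processed twice). The secret and the fixed clock are constructed for the demo; the payload is the finding.created example from this page.

```python
# Added example, not Lorikeet's code: a webhook receiver that checks the Authorization value,
# verifies X-PTaaS-Signature over the raw bytes, rejects stale payloads and ignores retried
# duplicates. Assumptions not on the docs page: the 5-minute freshness window and the body-hash dedupe.
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

def sign(secret, raw_body):
    """What the sender puts in X-PTaaS-Signature: 'sha256=' + hex HMAC-SHA256 over the raw body bytes."""
    return "sha256=" + hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()

def verify_signature(secret, raw_body, header_value):
    """Constant-time comparison; a missing or unprefixed header fails closed."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, raw_body), header_value)

class WebhookReceiver:
    def __init__(self, secret, auth_header=None, max_age=timedelta(minutes=5), now=None):
        self.secret, self.auth_header, self.max_age = secret, auth_header, max_age
        self.now = now or (lambda: datetime.now(timezone.utc))  # injectable clock for testing
        self.seen = set()  # sha256 of bodies already processed; a real service keeps this in shared storage
        self.handlers = {"finding.created": self.on_finding, "finding.updated": self.on_finding,
                         "finding.resolved": self.on_finding, "test.connection": lambda _d: "connection test ok"}

    def handle(self, headers, raw_body):
        """Process one delivery; returns (http_status, message). Bytes are verified before JSON is parsed."""
        h = {k.lower(): v for k, v in headers.items()}
        if self.auth_header is not None and h.get("authorization") != self.auth_header:
            return 401, "bad authorization header"
        if not verify_signature(self.secret, raw_body, h.get("x-ptaas-signature")):
            return 401, "bad signature"
        try:
            event = json.loads(raw_body)
            ts = datetime.fromisoformat(event["timestamp"])
        except (ValueError, KeyError, TypeError):
            return 400, "body is not a JSON event with a timestamp"
        if ts.tzinfo is None or abs(self.now() - ts) > self.max_age:
            return 400, "stale or unzoned timestamp"  # bounds the replay window for a captured delivery
        digest = hashlib.sha256(raw_body).hexdigest()
        if digest in self.seen:
            return 200, "duplicate delivery ignored"  # retries re-send the same body; a 2xx stops them
        self.seen.add(digest)
        handler = self.handlers.get(event.get("event"))
        if handler is None:
            return 200, f"unhandled event {event.get('event')!r} acknowledged"
        return 200, handler(event.get("data") or {})

    @staticmethod
    def on_finding(data):
        # Where a Jira/Slack push would go; reduced to a one-line summary here.
        return f"{data.get('severity')} finding {data.get('id')}: {data.get('title')}"

SECRET = "whsec-constructed-example"  # constructed for the demo, not a real key
PAYLOAD = json.dumps({  # the finding.created payload from the docs page, serialised as the sender would
    "event": "finding.created", "timestamp": "2026-03-03T09:00:00+00:00", "company_id": 47,
    "data": {"id": 42, "title": "SQL Injection in /api/search", "severity": "Critical",
             "status": "Open", "project_id": 7, "cwe_id": "CWE-89"}}).encode()
FIXED_NOW = datetime(2026, 3, 3, 9, 1, tzinfo=timezone.utc)  # one minute after the payload timestamp

def demo():
    """Accepted delivery, its retry, a tampered body, an unprefixed header, and a missing bearer token."""
    rx = WebhookReceiver(SECRET, auth_header="Bearer token123", now=lambda: FIXED_NOW)
    good = {"Authorization": "Bearer token123", "X-PTaaS-Signature": sign(SECRET, PAYLOAD)}
    return [
        rx.handle(good, PAYLOAD),
        rx.handle(good, PAYLOAD),
        rx.handle(good, PAYLOAD.replace(b"Critical", b"Low")),
        rx.handle({**good, "X-PTaaS-Signature": good["X-PTaaS-Signature"][len("sha256="):]}, PAYLOAD),
        rx.handle({"X-PTaaS-Signature": good["X-PTaaS-Signature"]}, PAYLOAD),
    ]

if __name__ == "__main__":
    for status, message in demo():
        print(status, message)
```

In a real service, handle() sits behind your HTTPS framework's raw-body accessor (not the parsed JSON object, which may re-order keys and break the HMAC), and the seen set becomes a TTL-bounded store shared between instances so the idempotency check survives restarts and horizontal scaling.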

Slack Integration

Post security alerts to your Slack workspace when findings are discovered or scan jobs complete.

Setup

  1. In Slack: Apps → Incoming Webhooks → Add to Slack. Choose a channel and copy the webhook URL.
  2. In your portal: Settings → Integrations → Slack, and paste the URL.

Treat the webhook URL as a secret: anyone who holds it can post into the channel.

Field        Required  Description
webhook_url  required  Slack Incoming Webhook URL
channel      optional  Override the default channel (e.g. #security-alerts)
username     optional  Bot display name (default: Lorikeet Security)

Jira Integration

Auto-create Jira issues when Critical and High findings are reported.

Setup

  1. Generate a Jira API token at id.atlassian.com → Security → API tokens.
  2. In your portal: Settings → Integrations → Jira.

Issue the token from a dedicated service account that can create issues only in the target project, so a leaked token does not carry a person's full Jira access.

Field        Required  Description
base_url     required  Your Jira base URL (e.g. https://yourorg.atlassian.net)
email        required  Jira account email
api_token    required  Jira API token
project_key  required  Jira project key (e.g. SEC)
issue_type   optional  Issue type (default: Bug)

Microsoft Teams Integration

Send alerts to a Teams channel via an Incoming Webhook connector.

Setup

  1. In Teams: channel settings → Integrations → Incoming Webhook → Configure. Copy the URL.
  2. In your portal: Settings → Integrations → Microsoft Teams.

Discord Integration

Receive security alerts in a Discord channel.

Setup

  1. In Discord: channel settings → Integrations → Create Webhook. Copy the URL.
  2. In your portal: Settings → Integrations → Discord.

GitHub Integration

Link repositories to findings. Findings can be auto-converted to GitHub security advisories or issues.

Setup

  1. Generate a GitHub PAT with the repo and security_events scopes. The classic repo scope covers every repository the token's account can reach, so issue it from a machine account whose repository access is limited to the repositories you link.
  2. In your portal: Settings → Integrations → GitHub. Enter your username, PAT, and repo name.

Severity Levels

Severity  CVSS Range  Description
Critical  9.0–10.0    Immediate exploitation risk; full system compromise likely
High      7.0–8.9     Significant impact; realistic exploitation path
Medium    4.0–6.9     Exploitable with prerequisites; material security risk
Low       0.1–3.9     Minimal direct impact; defense-in-depth value
Info      0.0         Informational; no direct exploitability

Need help? Email [email protected] or open a ticket from your portal dashboard.

Also see: Product Knowledge Base for portal guides and FAQs.

Last updated: March 2026  ·  Lorikeet Security
