Sn1per Professional 2026 ships a lightweight JSON API for programmatic, read-only access to your workspaces, hosts, and findings, plus structured JSON / CSV / TXT export of vulnerability and host data. Together they let you pull Sn1per results into dashboards, SIEMs, ticketing systems, and SOAR pipelines without scraping the web UI.
Base URL & authentication
The API is served from the same HTTPS host and port as the Sn1per web UI (default port 1337):
https://<your-sn1per-host>:1337/pro/api.php
Every request is authenticated with HTTP Digest authentication, using the same admin credentials as the web UI. The admin password is generated at install time and stored in /usr/share/sniper/pro/data/.admin-password. Supply the credentials with each call:
curl -k --digest -u admin:'YOUR_ADMIN_PASSWORD' \
  "https://127.0.0.1:1337/pro/api.php?action=workspaces"
The -k flag accepts the self-signed certificate Sn1per installs by default; drop it once you have configured a trusted certificate. Responses are pretty-printed application/json. Errors return an {"error": "..."} object with an appropriate HTTP status code:
| Status | Meaning |
|---|---|
| 400 | Bad request (e.g. missing workspace parameter, or unknown action) |
| 404 | Workspace not found |
| 405 | Wrong HTTP method (e.g. GET on a POST-only action) |
Note: the API is read-only apart from the cache-clear action. Always call it over HTTPS and treat the admin credentials as a secret.
Endpoints
Routing is driven by the action query parameter. A request with no action returns the API catalog (name, version, and the list of endpoints).
| Action | Method | Description | Required params |
|---|---|---|---|
| (none) | GET | API info & endpoint catalog | — |
| workspaces | GET | List all workspaces with summary stats | — |
| hosts | GET | List hosts in a workspace | workspace |
| vulns | GET | Vulnerability severity summary (counts) | workspace |
| status | GET | Scan progress & live counters | workspace |
| cache_clear | POST | Clear the report cache | — |
List workspaces
curl -k --digest -u admin:PASS \
  "https://127.0.0.1:1337/pro/api.php?action=workspaces"
{
  "count": 2,
  "workspaces": [
    {
      "name": "example.com",
      "size_mb": 14.2,
      "hosts": 47,
      "running_tasks": 0,
      "vuln_score": 38
    }
  ]
}
List hosts in a workspace
curl -k --digest -u admin:PASS \
  "https://127.0.0.1:1337/pro/api.php?action=hosts&workspace=example.com"
{
  "workspace": "example.com",
  "count": 47,
  "hosts": [
    {
      "target": "www.example.com",
      "dns": "93.184.216.34",
      "ports": "80,443",
      "title": "Example Domain",
      "server": "ECS",
      "status": "200",
      "os": "",
      "vulns": { "Critical": 0, "High": 1, "Medium": 3, "Low": 5, "Info": 12 }
    }
  ]
}
Vulnerability summary
curl -k --digest -u admin:PASS \
  "https://127.0.0.1:1337/pro/api.php?action=vulns&workspace=example.com"
{
  "workspace": "example.com",
  "vulnerabilities": { "Critical": 1, "High": 4, "Medium": 9, "Low": 21, "Info": 60 }
}
This endpoint returns severity counts. For the full finding list (title, URL, and detail per issue), use JSON export.
Scan status
curl -k --digest -u admin:PASS \
  "https://127.0.0.1:1337/pro/api.php?action=status&workspace=example.com"
{
  "workspace": "example.com",
  "total_targets": 47,
  "scanned_targets": 47,
  "unscanned_targets": 0,
  "scan_percentage": 100.0,
  "running_tasks": 0,
  "notifications": 3,
  "scheduled_tasks": 2,
  "takeovers": 0,
  "cracked_credentials": 0,
  "vulnerabilities": { "Critical": 1, "High": 4, "Medium": 9, "Low": 21, "Info": 60 }
}
Poll this endpoint to track a running scan — scan_percentage reaches 100.0 and running_tasks drops to 0 when the workspace is fully scanned.
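The polling loop described above, as an added Python example (not Sn1per's own code). It assumes the default local URL, reads the admin password from the install-time file instead of passing it on the command line, and verifies TLS against ca_file (a PEM copy of the server certificate, assumed valid for the host name in the URL) rather than disabling verification; digest_opener, scan_finished and wait_for_scan are names chosen here.

```python
import json
import ssl
import time
import urllib.parse
import urllib.request

API_URL = "https://127.0.0.1:1337/pro/api.php"
PASSWORD_FILE = "/usr/share/sniper/pro/data/.admin-password"


def digest_opener(password, ca_file=None):
    """Opener that answers the API's Digest challenge and verifies TLS."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, API_URL, "admin", password)
    # ca_file pins the self-signed certificate; None uses the system trust store.
    ctx = ssl.create_default_context(cafile=ca_file)
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPDigestAuthHandler(mgr),
    )


def scan_finished(status):
    """Completion test from the text: 100 % scanned and no running tasks."""
    try:
        return (float(status["scan_percentage"]) >= 100.0
                and int(status["running_tasks"]) == 0)
    except (KeyError, TypeError, ValueError):
        return False  # error object or partial document: not finished


def wait_for_scan(opener, workspace, interval=30, timeout=3600):
    """Poll ?action=status until the scan finishes; return the last document."""
    query = urllib.parse.urlencode({"action": "status", "workspace": workspace})
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with opener.open(f"{API_URL}?{query}", timeout=15) as resp:
            status = json.load(resp)
        if scan_finished(status):
            return status
        time.sleep(interval)
    raise TimeoutError(f"{workspace}: scan not finished after {timeout}s")


if __name__ == "__main__":
    with open(PASSWORD_FILE) as fh:  # keeps the secret out of argv and history
        opener = digest_opener(fh.read().strip())
    print(json.dumps(wait_for_scan(opener, "example.com")))
```

A 400 or 404 from the API surfaces as urllib.error.HTTPError, so a mistyped workspace name stops the loop instead of polling until the timeout.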
Clear report cache
curl -k --digest -u admin:PASS -X POST \
  "https://127.0.0.1:1337/pro/api.php?action=cache_clear"
{ "message": "Cache cleared" }
Exporting findings (JSON / CSV / TXT)
Full findings — severity, title, URL, and detail for every issue — are exported from the workspace report’s Export dropdown in the web UI. Choose JSON (CSV and TXT are also available, plus client-side PDF and Excel). The JSON document looks like this:
{
  "report_type": "vulnerabilities",
  "workspace": "example.com",
  "target": null,
  "generated": "2026-06-13T18:30:00+00:00",
  "summary": {
    "total": 95,
    "critical": 1,
    "high": 4,
    "medium": 9,
    "low": 21,
    "info": 60,
    "risk_score": 55
  },
  "findings": [
    {
      "severity": "Critical",
      "title": "Unauthenticated File Upload to RCE",
      "url": "https://www.example.com/upload",
      "detail": "Upload endpoint accepts .php files without authentication."
    }
  ]
}
A host-inventory export (the Hosts table) produces a parallel { "report_type": "hosts", "summary": { "total_hosts": N }, "hosts": [ ... ] } document, with each host keyed by its report columns.
Because the export is launched from the authenticated, CSRF-protected web UI, it is intended for on-demand downloads. For unattended pipelines, poll the JSON API on a schedule, or archive the whole workspace from the CLI (below).
CLI: archive a workspace
The sniper CLI can archive an entire workspace — loot, reports, and vulnerability files — into a single tarball, useful for backups, transfers between hosts, or offline ingestion:
sudo sniper -w example.com --export
# writes /sniper/exports/example.com.tar.gz
Feeding SIEM, SOAR & ticketing
Sn1per Professional does not ship native SIEM/SOAR connectors; instead it gives you clean, stable JSON to drive your own automation. Typical patterns:
- Scheduled poll → SIEM. Call ?action=vulns and ?action=status on a timer from a small script and forward the JSON to a Splunk HTTP Event Collector, an Elastic / IBM QRadar ingest pipeline, or a Microsoft Sentinel log-ingestion endpoint.
- Findings → tickets. Parse a JSON export and open a Jira or ServiceNow issue per Critical/High finding — severity, title, url, and detail map directly onto ticket fields.
- SOAR playbooks. Kick off a Sn1per scan, poll ?action=status until scan_percentage is 100, then pull the JSON export into your playbook for enrichment and response.
Every field shown above is stable JSON, so a thin custom connector — a few dozen lines — is all most teams need to wire Sn1per into an existing security-automation stack.
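The findings-to-tickets pattern as an added Python example, not part of Sn1per. The ticket field names (project, dedupe_key, priority, summary, description) are hypothetical stand-ins for whatever your Jira or ServiceNow connector expects, and SAMPLE_EXPORT is constructed in the export layout shown earlier.

```python
import hashlib
import json

TICKET_SEVERITIES = {"critical", "high"}  # "per Critical/High finding"

# Constructed sample in the export layout shown above (not real scan output).
SAMPLE_EXPORT = json.dumps({
    "report_type": "vulnerabilities", "workspace": "example.com",
    "findings": [
        {"severity": "Critical", "title": "Unauthenticated File Upload to RCE",
         "url": "https://www.example.com/upload", "detail": "Accepts .php files."},
        {"severity": "High", "title": "Directory listing enabled",
         "url": "https://www.example.com/backup/", "detail": "Index of /backup"},
        {"severity": "High", "title": "Directory listing enabled",
         "url": "https://www.example.com/backup/", "detail": "Index of /backup"},
        {"severity": "Info", "title": "Server banner",
         "url": "https://www.example.com/", "detail": "ECS"},
    ],
})


def field(finding, name):
    """Finding field as text; null or missing becomes an empty string."""
    return str(finding.get(name) or "").strip()


def tickets_from_export(raw, project="SEC"):
    """Map Critical/High findings of a vulnerabilities export to tickets."""
    doc = json.loads(raw)
    if doc.get("report_type") != "vulnerabilities":
        raise ValueError("not a vulnerabilities export")
    workspace, tickets, seen = str(doc["workspace"]), [], set()
    for finding in doc.get("findings") or []:
        severity = field(finding, "severity")
        if severity.lower() not in TICKET_SEVERITIES:
            continue
        title, url = field(finding, "title"), field(finding, "url")
        # Stable key: re-importing a later export must not reopen the ticket.
        key = hashlib.sha256(
            "\x1f".join((workspace, title, url)).encode()).hexdigest()[:16]
        if key in seen:
            continue
        seen.add(key)
        tickets.append({
            "project": project,  # hypothetical tracker field
            "dedupe_key": key,
            "priority": severity,
            "summary": f"[{workspace}] {title or '(untitled)'}"[:200],
            "description": f"URL: {url}\n\n{field(finding, 'detail')}",
        })
    return tickets
```

Finding titles and details originate from scanned targets, so have the tracker render them as plain text rather than markup.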
See also
- Usage — Web UI, CLI, and scan modes
- Configuration — notifications, AI providers, scan gates
- Installation — admin credentials & license management