{"id":64521,"date":"2026-06-13T11:40:05","date_gmt":"2026-06-13T18:40:05","guid":{"rendered":"https:\/\/sn1persecurity.com\/wordpress\/documentation\/api\/"},"modified":"2026-06-13T11:40:05","modified_gmt":"2026-06-13T18:40:05","slug":"api","status":"publish","type":"page","link":"https:\/\/sn1persecurity.com\/wordpress\/documentation\/api\/","title":{"rendered":"API Reference"},"content":{"rendered":"
Documentation<\/a>\/<\/span>API Reference<\/span><\/div>\n

Sn1per Professional 2026 ships a lightweight JSON API<\/strong> for programmatic, read-only access to your workspaces, hosts, and findings, plus structured JSON \/ CSV \/ TXT export<\/strong> of vulnerability and host data. Together they let you pull Sn1per results into dashboards, SIEMs, ticketing systems, and SOAR pipelines without scraping the web UI.<\/p>\n

Base URL & authentication<\/h2>\n

The API is served from the same HTTPS host and port as the Sn1per web UI (default port 1337<\/code>):<\/p>\n

https:\/\/<your-sn1per-host>:1337\/pro\/api.php<\/code><\/pre>\n
Every request is authenticated with HTTP Digest authentication<\/strong>, using the same admin<\/code> credentials as the web UI. The admin password is generated at install time and stored in \/usr\/share\/sniper\/pro\/data\/.admin-password<\/code>. Supply the credentials with each call:<\/p>\n
curl -k --digest -u admin:'YOUR_ADMIN_PASSWORD' \n  \"https:\/\/127.0.0.1:1337\/pro\/api.php?action=workspaces\"<\/code><\/pre>\n
The -k<\/code> flag accepts the self-signed certificate Sn1per installs by default; drop it once you have configured a trusted certificate. Responses are pretty-printed application\/json<\/code>. Errors return an {\"error\": \"...\"}<\/code> object with an appropriate HTTP status code:<\/p>\n\n\n\n\n\n\n\n
Status<\/th>\nMeaning<\/th>\n<\/tr>\n<\/thead>\n
400<\/code><\/td>\nBad request (e.g. missing workspace<\/code> parameter, or unknown action)<\/td>\n<\/tr>\n
404<\/code><\/td>\nWorkspace not found<\/td>\n<\/tr>\n
405<\/code><\/td>\nWrong HTTP method (e.g. GET on a POST-only action)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Note:<\/strong> the API is read-only apart from the cache-clear action. Always call it over HTTPS and treat the admin credentials as a secret.<\/p>\n
Endpoints<\/h2>\n
Routing is driven by the action<\/code> query parameter. A request with no action<\/code> returns the API catalog (name, version, and the list of endpoints).<\/p>\n\n\n\n\n\n\n\n\n\n\n
Action<\/th>\nMethod<\/th>\nDescription<\/th>\nRequired params<\/th>\n<\/tr>\n<\/thead>\n
(none)<\/em><\/td>\nGET<\/td>\nAPI info & endpoint catalog<\/td>\n—<\/td>\n<\/tr>\n
workspaces<\/code><\/td>\nGET<\/td>\nList all workspaces with summary stats<\/td>\n—<\/td>\n<\/tr>\n
hosts<\/code><\/td>\nGET<\/td>\nList hosts in a workspace<\/td>\nworkspace<\/code><\/td>\n<\/tr>\n
vulns<\/code><\/td>\nGET<\/td>\nVulnerability severity summary (counts)<\/td>\nworkspace<\/code><\/td>\n<\/tr>\n
status<\/code><\/td>\nGET<\/td>\nScan progress & live counters<\/td>\nworkspace<\/code><\/td>\n<\/tr>\n
cache_clear<\/code><\/td>\nPOST<\/td>\nClear the report cache<\/td>\n—<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
List workspaces<\/h3>\n
curl -k --digest -u admin:PASS \n  \"https:\/\/127.0.0.1:1337\/pro\/api.php?action=workspaces\"<\/code><\/pre>\n
{\n  \"count\": 2,\n  \"workspaces\": [\n    {\n      \"name\": \"example.com\",\n      \"size_mb\": 14.2,\n      \"hosts\": 47,\n      \"running_tasks\": 0,\n      \"vuln_score\": 38\n    }\n  ]\n}<\/code><\/pre>\n
List hosts in a workspace<\/h3>\n
curl -k --digest -u admin:PASS \n  \"https:\/\/127.0.0.1:1337\/pro\/api.php?action=hosts&workspace=example.com\"<\/code><\/pre>\n
{\n  \"workspace\": \"example.com\",\n  \"count\": 47,\n  \"hosts\": [\n    {\n      \"target\": \"www.example.com\",\n      \"dns\": \"93.184.216.34\",\n      \"ports\": \"80,443\",\n      \"title\": \"Example Domain\",\n      \"server\": \"ECS\",\n      \"status\": \"200\",\n      \"os\": \"\",\n      \"vulns\": { \"Critical\": 0, \"High\": 1, \"Medium\": 3, \"Low\": 5, \"Info\": 12 }\n    }\n  ]\n}<\/code><\/pre>\n
Vulnerability summary<\/h3>\n
curl -k --digest -u admin:PASS \n  \"https:\/\/127.0.0.1:1337\/pro\/api.php?action=vulns&workspace=example.com\"<\/code><\/pre>\n
{\n  \"workspace\": \"example.com\",\n  \"vulnerabilities\": { \"Critical\": 1, \"High\": 4, \"Medium\": 9, \"Low\": 21, \"Info\": 60 }\n}<\/code><\/pre>\n
This endpoint returns severity counts<\/em>. For the full finding list (title, URL, and detail per issue), use JSON export<\/a>.<\/p>\n
Scan status<\/h3>\n
curl -k --digest -u admin:PASS \n  \"https:\/\/127.0.0.1:1337\/pro\/api.php?action=status&workspace=example.com\"<\/code><\/pre>\n
{\n  \"workspace\": \"example.com\",\n  \"total_targets\": 47,\n  \"scanned_targets\": 47,\n  \"unscanned_targets\": 0,\n  \"scan_percentage\": 100.0,\n  \"running_tasks\": 0,\n  \"notifications\": 3,\n  \"scheduled_tasks\": 2,\n  \"takeovers\": 0,\n  \"cracked_credentials\": 0,\n  \"vulnerabilities\": { \"Critical\": 1, \"High\": 4, \"Medium\": 9, \"Low\": 21, \"Info\": 60 }\n}<\/code><\/pre>\n
Poll this endpoint to track a running scan — scan_percentage<\/code> reaches 100.0<\/code> and running_tasks<\/code> drops to 0<\/code> when the workspace is fully scanned.<\/p>\n
Clear report cache<\/h3>\n
curl -k --digest -u admin:PASS -X POST \n  \"https:\/\/127.0.0.1:1337\/pro\/api.php?action=cache_clear\"<\/code><\/pre>\n
{ \"message\": \"Cache cleared\" }<\/code><\/pre>\n
Exporting findings (JSON \/ CSV \/ TXT)<\/h2>\n
Full findings — severity, title, URL, and detail for every issue — are exported from the workspace report’s Export<\/strong> dropdown in the web UI. Choose JSON<\/strong> (CSV and TXT are also available, plus client-side PDF and Excel). The JSON document looks like this:<\/p>\n
{\n  \"report_type\": \"vulnerabilities\",\n  \"workspace\": \"example.com\",\n  \"target\": null,\n  \"generated\": \"2026-06-13T18:30:00+00:00\",\n  \"summary\": {\n    \"total\": 95,\n    \"critical\": 1,\n    \"high\": 4,\n    \"medium\": 9,\n    \"low\": 21,\n    \"info\": 60,\n    \"risk_score\": 55\n  },\n  \"findings\": [\n    {\n      \"severity\": \"Critical\",\n      \"title\": \"Unauthenticated File Upload to RCE\",\n      \"url\": \"https:\/\/www.example.com\/upload\",\n      \"detail\": \"Upload endpoint accepts .php files without authentication.\"\n    }\n  ]\n}<\/code><\/pre>\n
A host-inventory export (the Hosts<\/strong> table) produces a parallel { \"report_type\": \"hosts\", \"summary\": { \"total_hosts\": N }, \"hosts\": [ ... ] }<\/code> document, with each host keyed by its report columns.<\/p>\n
Because the export is launched from the authenticated, CSRF-protected web UI, it is intended for on-demand downloads. For unattended pipelines, poll the JSON API<\/a> on a schedule, or archive the whole workspace from the CLI (below).<\/p>\n
CLI: archive a workspace<\/h2>\n
The sniper<\/code> CLI can archive an entire workspace — loot, reports, and vulnerability files — into a single tarball, useful for backups, transfers between hosts, or offline ingestion:<\/p>\n
sudo sniper -w example.com --export\n# writes \/sniper\/exports\/example.com.tar.gz<\/code><\/pre>\n
Feeding SIEM, SOAR & ticketing<\/h2>\n
Sn1per Professional does not ship native SIEM\/SOAR connectors; instead it gives you clean, stable JSON to drive your own automation. Typical patterns:<\/p>\n