API referenceOverview

Pencheff SaaS API

Base URL:

  • Production: https://app.pencheff.com/api
  • Local dev: http://localhost:8000

Interactive API explorer: browse and test every endpoint in your browser at https://api.pencheff.com/docs (Swagger UI). Click Authorize, paste a pcf_live_… API key, and use Try it out. See API keys → Interactive API explorer for the full walkthrough, including how to find your workspace id.

All endpoints require a bearer token issued by Clerk. See Authentication.

Endpoints at a glance

NamespaceEndpointsDocs
/authLogin, signup, logoutauthentication
/targetsCRUD for scan targetstargets
/scansTrigger scans, stream progress, fetch resultsscans
/findingsList, suppress, verify, comment, assignfindings
/schedulesCron-driven recurring scansschedules
/assetsAttack surface inventoryassets
/integrationsSlack, Teams, PagerDuty, Splunk, webhookintegrations
/sboms/{scan_id}SBOM browse + downloadsboms
/dependencies/{scan_id}SCA dep inventorydependencies
/proxyIntercepting proxy sessionsproxy

MCP tools (plugin side)

When you run Pencheff as an MCP server, the following 81 MCP tools are available — see MCP tool reference for the full list.

Response conventions

  • Always JSON (Content-Type: application/json)
  • Timestamps in ISO 8601 UTC ("2026-04-21T14:23:00+00:00")
  • UUIDs for all primary keys
  • Errors: { "detail": "..." } for client errors, { "detail": "ClassName: message" } for server errors
  • Validation errors follow FastAPI’s shape: { "detail": [{ "loc": [...], "msg": "..." }, ...] }

Rate limits

  • 60 requests/min per user (SaaS)
  • 30 concurrent scans per org on the Pro plan

Hit X-RateLimit-Remaining in the response headers to see how close you are.