API Overview
Interactive API Documentation
The full list of available API endpoints, request/response schemas, and parameter details is available in the interactive OpenAPI (Swagger) documentation at:
You can browse all endpoints, inspect request and response schemas, and try out API calls directly from the browser. Authentication is required — sign in to CVEFeed.io first, then visit the docs page.
Base URL
https://cvefeed.io/api/v1/
Authentication
All API requests require authentication via a project-scoped API token:
```bash
curl -H "Authorization: Bearer cvf_your_token_here" \
  https://cvefeed.io/api/v1/projects/{project_id}/vulnerabilities/
```
See API Tokens for how to create and manage tokens.
Rate Limits
Rate limits are based on the project owner’s subscription tier:
| Tier | Requests per Minute |
|---|---|
| Free | 30 |
| Starter | 90 |
| Pro | 180 |
| Enterprise | 720 |
The rate limit is determined by the project owner’s subscription tier — not the individual member’s or token’s. All requests to the same project (from any token or member) share one rate limit bucket.
Response Format
All responses are JSON. Successful responses return the data directly or wrapped in a pagination envelope:
```json
{
  "count": 42,
  "next": "https://cvefeed.io/api/v1/.../vulnerabilities/?page=2",
  "previous": null,
  "results": [...]
}
```
Error Responses
Errors return appropriate HTTP status codes with a detail message:
```json
{
  "detail": "Authentication credentials were not provided."
}
```
| Status | Meaning |
|---|---|
| 401 | Missing or invalid token |
| 403 | Token lacks required scope |
| 404 | Resource not found |
| 429 | Rate limit exceeded |
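The following is an added example, not code from CVEFeed: a small client that walks the pagination envelope, retries on 429, and maps the documented status codes to errors. The names `iter_results`, `ApiError` and the injectable `get` transport are hypothetical, and the back-off schedule is an assumption since the page states only per-minute limits.

```python
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://cvefeed.io/api/v1/"
# Status meanings copied from the error table on this page.
ERRORS = {401: "missing or invalid token", 403: "token lacks required scope",
          404: "resource not found"}

class ApiError(Exception):
    """Raised for any non-recoverable API response (hypothetical name)."""

def http_get(url, token):
    """Default transport: returns (status, parsed JSON body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        return exc.code, json.loads(exc.read() or b"{}")

def iter_results(path, token, get=http_get, max_retries=3, sleep=time.sleep):
    """Yield every item of a paginated endpoint by following `next` links."""
    url = BASE_URL + path.lstrip("/")
    while url:
        # Only follow links under the documented base URL, so the bearer
        # token is never attached to a request for some other origin.
        if not url.startswith(BASE_URL):
            raise ApiError(f"refusing to send token to {url!r}")
        for attempt in range(max_retries + 1):
            status, body = get(url, token)
            if status != 429:
                break
            if attempt == max_retries:
                raise ApiError("429 rate limit exceeded after retries")
            # Assumed exponential back-off; the bucket is shared project-wide,
            # so other tokens on the same project can also trigger 429 here.
            sleep(2 ** attempt)
        if status != 200:
            raise ApiError(f"{status} {ERRORS.get(status, 'unexpected')}: {body.get('detail')}")
        yield from body["results"]
        url = body["next"]
```

Call it as `iter_results("projects/{project_id}/vulnerabilities/", token)` with a real project id substituted; reading the token from an environment variable or secret store keeps it out of source control.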
Token Scopes
API tokens use resource-based scoping. Each endpoint requires a specific scope:
| Scope | Endpoints |
|---|---|
| vulnerabilities | /vulnerabilities/ |
| subscriptions | /subscriptions/ |
| alerts | /alerts/ |
| integrations | /webhooks/, /slack/ |
| activity_log | /activity-log/ |
| project | /project/ settings |
A token without the required scope receives a 403 Forbidden response.
Agent & MCP Discovery
CVEFeed publishes machine-readable discovery documents for AI agents and MCP clients:
| Resource | Path |
|---|---|
| API catalog (RFC 9727) | /.well-known/api-catalog |
| Agent Skills index (Cloudflare RFC v0.2.0) | /.well-known/agent-skills/index.json |
| OAuth Protected Resource Metadata (RFC 9728) | /.well-known/oauth-protected-resource |
| MCP Server Card (SEP-1649) | /.well-known/mcp/server-card.json |
Each skill is also served individually at /.well-known/agent-skills/<slug>/SKILL.md with a SHA-256 digest for integrity verification. For the full natural-language experience via Claude Desktop / Cursor / Cline, see the MCP integration guide.