API Overview
Interactive API Documentation
The full list of available API endpoints, request/response schemas, and parameter details is available in the interactive OpenAPI (Swagger) documentation at:
You can browse all endpoints, inspect request and response schemas, and try out API calls directly from the browser. Authentication is required — sign in to CVEFeed.io first, then visit the docs page.
Base URL
    https://cvefeed.io/api/v1/
Authentication
All API requests require authentication via a project-scoped API token:
    curl -H "Authorization: Bearer cvf_your_token_here" \
      https://cvefeed.io/api/v1/projects/{project_id}/vulnerabilities/
See API Tokens for how to create and manage tokens.
Rate Limits
Rate limits are based on the project owner’s subscription tier:
| Tier | Requests per Minute |
|---|---|
| Free | 30 |
| Starter | 90 |
| Pro | 180 |
| Enterprise | 720 |
The rate limit is determined by the project owner’s subscription tier — not the individual member’s or token’s. All requests to the same project (from any token or member) share one rate limit bucket.
Response Format
All responses are JSON. Successful responses return the data directly or wrapped in a pagination envelope:
    {
      "count": 42,
      "next": "https://cvefeed.io/api/v1/.../vulnerabilities/?page=2",
      "previous": null,
      "results": [...]
    }
Error Responses
Errors return appropriate HTTP status codes with a detail message:
    {
      "detail": "Authentication credentials were not provided."
    }
| Status | Meaning |
|---|---|
| 401 | Missing or invalid token |
| 403 | Token lacks required scope |
| 404 | Resource not found |
| 429 | Rate limit exceeded |
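A paginated client for the envelope, error codes and shared rate limit described above, added here as an example and not CVEFeed's own code. The names `fetch_all`, `same_api` and `http_get` and the backoff schedule are assumptions of this example; each `next` link is checked against the base URL before the token is attached to the request.

```python
import json
import time
import urllib.error
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://cvefeed.io/api/v1/"  # base URL given on this page

def same_api(url):
    """True only if url has the base URL's scheme, host and path prefix."""
    u, b = urlsplit(url), urlsplit(BASE_URL)
    return (u.scheme, u.netloc) == (b.scheme, b.netloc) and u.path.startswith(b.path)

def http_get(url, token):
    """One authenticated GET; returns (status, parsed JSON body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def fetch_all(url, token, get=http_get, sleep=time.sleep, max_retries=4):
    """Follow the envelope's `next` links and return every item in `results`."""
    results, retries = [], 0
    while url:
        if not same_api(url):
            # A `next` link outside the API must not receive the bearer token.
            raise ValueError(f"refusing to send token to {url!r}")
        status, body = get(url, token)
        if status == 429 and retries < max_retries:
            # The bucket is shared by the whole project, so back off and retry.
            # Assumed schedule (1s, 2s, 4s, ...): the page documents no retry header.
            sleep(2 ** retries)
            retries += 1
            continue
        if status != 200:
            # 401, 403, 404 and exhausted 429 retries carry a `detail` message.
            raise RuntimeError(f"HTTP {status}: {body.get('detail')}")
        retries = 0
        results.extend(body["results"])
        url = body["next"]  # null (None) on the last page
    return results
```

Call it as `fetch_all(BASE_URL + "projects/<project_id>/vulnerabilities/", token)`, with the token read from the environment or a secret store rather than hard-coded.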
Token Scopes
API tokens use resource-based scoping. Each endpoint requires a specific scope:
| Scope | Endpoints |
|---|---|
| vulnerabilities | /vulnerabilities/ |
| subscriptions | /subscriptions/ |
| alerts | /alerts/ |
| integrations | /webhooks/, /slack/ |
| activity_log | /activity-log/ |
| project | /project/ settings |
A token without the required scope receives a 403 Forbidden response.
Agent & MCP Discovery
CVEFeed publishes machine-readable discovery documents for AI agents and MCP clients:
| Resource | Path |
|---|---|
| API catalog (RFC 9727) | /.well-known/api-catalog |
| Agent Skills index (Cloudflare RFC v0.2.0) | /.well-known/agent-skills/index.json |
| OAuth Protected Resource Metadata (RFC 9728) | /.well-known/oauth-protected-resource |
| MCP Server Card (SEP-1649) | /.well-known/mcp/server-card.json |
Each skill is also served individually at /.well-known/agent-skills/<slug>/SKILL.md with a SHA-256 digest for integrity verification. For the full natural-language experience via Claude Desktop / Cursor / Cline, see the MCP integration guide.