GET /v1/report/:id

Get Report.

Retrieve the full scan report once the scan has completed. Returns detailed scores, per-check findings, and actionable fix recommendations.

Authentication

Requires a valid API key. You can only access reports for scans created with your API key or within your organization.

Path parameters

| Parameter | Type | Description |
|---|---|---|
| id | string | The scan ID returned from POST /v1/scan. |

Response

Returns 200 OK with the full report JSON:

{
  "id": "scan_abc123",
  "type": "security",
  "url": "https://example.com",
  "score": 72,
  "grade": "C",
  "created_at": "2026-03-30T12:00:00Z",
  "completed_at": "2026-03-30T12:01:15Z",
  "categories": [
    {
      "name": "Headers & TLS Config",
      "score": 65,
      "checks": [
        {
          "name": "HSTS",
          "status": "pass",
          "severity": null,
          "message": "Strict-Transport-Security header present with max-age >= 31536000."
        },
        {
          "name": "CSP",
          "status": "fail",
          "severity": "high",
          "message": "No Content-Security-Policy header found.",
          "fix": "Add a Content-Security-Policy header. Start with: default-src 'self'; script-src 'self'"
        }
      ]
    },
    {
      "name": "Sensitive File Exposure",
      "score": 90,
      "checks": [ ... ]
    }
  ],
  "summary": {
    "total_checks": 27,
    "passed": 20,
    "failed": 5,
    "warnings": 2,
    "critical": 0,
    "high": 2,
    "medium": 3,
    "low": 2
  }
}

Report schema

| Field | Type | Description |
|---|---|---|
| id | string | Scan ID. |
| type | string | Scan type (security, performance, accessibility, seo). |
| url | string | Target URL that was scanned. |
| score | number | Overall score from 0-100. |
| grade | string | Letter grade: A+, A, B, C, D, or F. |
| created_at | string | When the scan was created (ISO 8601). |
| completed_at | string | When the scan finished (ISO 8601). |
| categories | array | List of check categories, each with a name, score, and checks array. |
| categories[].checks[] | object | Individual check result with name, status (pass / fail / warn), severity, message, and optional fix. |
| summary | object | Aggregate counts: total_checks, passed, failed, warnings, and counts by severity level. |

Caching

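Reports are immutable once generated. The response includes caching headers to allow CDN and browser caching. The public directive permits shared caches to store the response even though the request carries an Authorization header, and max-age=86400 lets them reuse it for 24 hours: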

Cache-Control: public, max-age=86400
ETag: "scan_abc123_v1"

Reports are retained for 30 days from the scan date. After that, the endpoint returns 404.

Code example

curl https://appvet.dev/v1/report/scan_abc123 \
  -H "Authorization: Bearer avk_live_your_key_here"

Error responses

| Status | Code | Description |
|---|---|---|
| 401 | UNAUTHORIZED | Missing or invalid API key. |
| 404 | SCAN_NOT_FOUND | No scan with this ID, it belongs to another org, or the report has expired. |
| 409 | SCAN_NOT_COMPLETE | The scan is still running. Poll GET /v1/scan/:id until it completes. |
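
An added example, not the API provider's own code: a CI gate in Python that fetches a report, maps the 404 and 409 errors above to outcomes, and blocks on failed checks at or above a severity threshold. The function names, the RANK ordering and the fail-closed use of the summary counts are assumptions; SAMPLE is constructed from the response shown on this page.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://appvet.dev/v1"  # host from the page's curl example
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed ordering

# Constructed sample, trimmed from the response body shown on this page.
SAMPLE = json.loads("""
{"id": "scan_abc123", "score": 72, "grade": "C",
 "categories": [{"name": "Headers & TLS Config", "score": 65, "checks": [
   {"name": "HSTS", "status": "pass", "severity": null},
   {"name": "CSP", "status": "fail", "severity": "high",
    "fix": "Add a Content-Security-Policy header."}]}],
 "summary": {"total_checks": 2, "passed": 1, "failed": 1, "warnings": 0,
             "critical": 0, "high": 1, "medium": 0, "low": 0}}
""")

def fetch_report(scan_id, api_key):
    """Return ("ready", report), ("pending", None) on 409 or ("gone", None) on 404."""
    # Percent-encode the ID so a hostile value cannot alter the request path.
    url = f"{BASE}/report/{urllib.parse.quote(scan_id, safe='')}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return "ready", json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (404, 409):
            return ("gone" if err.code == 404 else "pending"), None
        raise  # 401 or anything unexpected: stop rather than pass the gate

def failed_checks(report, min_severity="high"):
    """List (severity, category, check, fix) for failed checks at or above the floor."""
    floor = RANK[min_severity]
    hits = [(c["severity"], cat["name"], c["name"], c.get("fix", ""))
            for cat in report.get("categories", [])
            for c in cat.get("checks", [])
            if c.get("status") == "fail" and RANK.get(c.get("severity"), 0) >= floor]
    return sorted(hits, key=lambda h: -RANK[h[0]])

def gate(report, min_severity="high"):
    """Return (ok, findings). The summary counts are honoured too (fail closed)."""
    floor = RANK[min_severity]
    findings = failed_checks(report, min_severity)
    counted = sum(n for sev, n in report.get("summary", {}).items()
                  if RANK.get(sev, 0) >= floor)
    return (not findings and counted == 0), findings
```

A pipeline step would call fetch_report until it returns "ready", then exit non-zero when gate returns ok as False.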