Audit API
Synchronous code-snippet security audit. POST a small set of files, get structured findings.
The audit API runs Sebastion, our autonomous security auditor, against a small set of code snippets and returns structured JSON findings. It is designed for fast, in-IDE and in-CI usage where you want a hardened security review of one or two files without standing up a full repo-clone pipeline.
Heavyweight audits over an entire repository will land on a separate
/v1/audit/jobs async queue endpoint in a later phase.
Endpoint
POST https://api.foundationmachines.ai/v1/auditAuthentication
Same scheme as the rest of the gateway: a personal API key minted from the dashboard, passed as a bearer token.
Authorization: Bearer fm_<tenant>_<random>Audit calls are subject to the same per-plan RPM and daily-token limits as chat completions, see rate limits.
Request body
{
"snippets": [
{
"filename": "src/auth.ts",
"content": "const AWS_SECRET = \"AKIAIOSFODNN7EXAMPLE\";\n",
"language": "typescript"
}
],
"ruleset": "security"
}| Field | Type | Required | Notes |
|---|---|---|---|
snippets | AuditSnippet[] | yes | One entry per file. |
snippets[].filename | string | yes | 1–256 chars. Echoed back in findings[].file. |
snippets[].content | string | yes | Raw source. UTF-8. |
snippets[].language | string | no | Hint for the model (e.g. typescript, python). |
ruleset | enum | no | One of security (default), supply-chain, all. |
Limits
| Limit | Value |
|---|---|
| Snippets per request | 10 |
| Chars per snippet | 8,000 |
| Total chars per request | 40,000 |
Requests that exceed any of these return 400 bad_request with a message
identifying the cap that was hit. Keep payloads under these limits by
trimming to the function or module under review, the audit is most accurate
on focused snippets.
Response
{
"version": "audit/v1",
"model": "claude-sonnet-4.6",
"scanned_files": 1,
"findings": [
{
"rule": "hardcoded-secret",
"severity": "high",
"file": "src/auth.ts",
"line": 1,
"message": "AWS access key id committed to source",
"fix": "Move to environment variable; rotate the key immediately."
}
],
"duration_ms": 4123
}| Field | Type | Notes |
|---|---|---|
version | string | Stable contract version. Today: "audit/v1". |
model | string | Upstream model that produced the findings. Selected by your plan, see Models by plan below. |
scanned_files | number | Always equal to snippets.length. |
findings | AuditFinding[] | May be empty, [] means no issues found. |
duration_ms | number | Wall-clock time spent in the audit. |
error | string | Present only when the upstream call failed; the response code will be 502. |
Models by plan
Sebastion picks the model based on your plan. You don't pass a model parameter, you upgrade your plan and Sebastion routes you to a stronger model automatically.
| Plan | Model |
|---|---|
| Free | claude-sonnet-4.6 |
| Pro | claude-opus-4.7 |
| Team | claude-opus-4.7 (with multi-model cross-check coming) |
| Enterprise | Best frontier model + on-prem option |
AuditFinding
| Field | Type | Notes |
|---|---|---|
rule | string | Kebab-case identifier (e.g. hardcoded-secret, sql-injection). |
severity | enum | One of info, low, medium, high, critical. |
file | string | Always one of the filenames you submitted. |
line | number | 1-based line in the original snippet. May be omitted. |
message | string | Concrete description of the issue. |
fix | string | Concrete remediation. May be omitted. |
Severity scale
| Severity | Meaning |
|---|---|
info | Informational. No exploitable risk; consider as guidance. |
low | Minor weakness. Defence-in-depth fix recommended. |
medium | Real issue, but limited blast radius or requires unusual conditions. |
high | Exploitable bug or leaked credential. Fix in this iteration. |
critical | Trivially exploitable; fix immediately. |
Example
curl -X POST https://api.foundationmachines.ai/v1/audit \
-H "Authorization: Bearer fm_acme_xxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{
"snippets": [
{
"filename": "src/auth.ts",
"language": "typescript",
"content": "const AWS_SECRET = \"AKIAIOSFODNN7EXAMPLE\";\nexport function sign(req) { /* ... */ }\n"
}
],
"ruleset": "security"
}'A successful call returns the JSON shape shown above with HTTP 200.
Errors
The audit endpoint uses the same error envelope as the rest of the gateway:
{ "error": { "type": "bad_request", "message": "snippets must be a non-empty array" } }| HTTP | type | Meaning |
|---|---|---|
| 401 | unauthorized | Missing or invalid bearer token. |
| 400 | bad_request | Validation failed, see message for which limit. |
| 400 | bad_json | Body did not parse as JSON. |
| 405 | method_not_allowed | Only POST is supported on this route. |
| 429 | rate_limit | Per-minute request rate exceeded for your plan. |
| 429 | quota_exceeded | Daily token cap hit; resets at 00:00 UTC. |
| 502 | upstream | The audit ran but the upstream model returned an error or non-JSON; response body still matches AuditResponse and includes an error field. |
See billing for plan limits and rate limits for the throttle behaviour in detail.