The complyeah API
Trigger external penetration tests and pull scans, findings, and reports straight into your own tools. A small, predictable REST API over HTTPS, with JSON responses and bearer-token auth.
Authenticate
Create a key on the API page in your account, then send it as a bearer token on every request. The secret is shown once — store it safely.
Read for free
Listing scans, findings, reports, and domains costs nothing. Reads are unlimited.
Pay per pentest
Starting a comprehensive scan spends one $50 scan credit — the same credit you buy in the app. Nothing new to learn.
Base URL & authentication
All requests go to https://api.complyeah.com over HTTPS. Authenticate with the Authorization header:
curl https://api.complyeah.com/v1/scans \ -H "Authorization: Bearer cmply_live_..."
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /v1/me | Confirm your key and identity. |
| GET | /v1/domains | List your domains and their verification status. |
| GET | /v1/scans | List your scans. |
| POST | /v1/scans | Start a scan on a verified domain. A comprehensive scan spends one credit. |
| GET | /v1/scans/{id} | Retrieve one scan and its status. |
| GET | /v1/scans/{id}/findings | List a scan's findings, each with a stable id for de-duplication. |
Start a scan
Pass a verified domain_id (from GET /v1/domains) and a tier. Omit the tier for a free shallow posture scan.
curl -X POST https://api.complyeah.com/v1/scans \
-H "Authorization: Bearer cmply_live_..." \
-H "Content-Type: application/json" \
-d '{ "domain_id": "<your-domain-id>", "tier": "comprehensive" }'Responses
Responses are JSON. Collections are wrapped in a data array so pagination can grow without breaking your integration.
{
"data": [
{ "id": "…", "status": "complete", "tier": "comprehensive", "created_at": "…" }
]
}Errors
Standard HTTP status codes; the body carries an error message.
| 401 | Missing or invalid API key. |
| 402 | A comprehensive scan needs a scan credit. |
| 403 | The domain has no current authorization on file. |
| 404 | No such scan (or it isn't yours). |
| 422 | The domain's ownership isn't verified yet. |
| 429 | Rate limit or free-scan limit reached. |
Use complyeah from your AI assistant
complyeah-mcp is an open-source Model Context Protocol server — so Claude Desktop, IDE assistants, and any MCP-compatible client can list your scans, read findings, and start a pentest, using the same API key. Add it to your client config:
{
"mcpServers": {
"complyeah": {
"command": "npx",
"args": ["-y", "complyeah-mcp"],
"env": { "COMPLYEAH_API_KEY": "cmply_live_..." }
}
}
}Tools: whoami, list_domains, list_scans, get_scan, get_findings, and trigger_scan. The key is read from the environment, never passed through the model. View on npm.
Get your API key
Create a key in your account, verify a domain, and run your first pentest from the command line.