complyeah
Developers

The complyeah API

Trigger external penetration tests and pull scans, findings, and reports straight into your own tools. A small, predictable REST API over HTTPS, with JSON responses and bearer-token auth.

Authenticate

Create a key on the API page in your account, then send it as a bearer token on every request. The secret is shown once — store it safely.

Read for free

Listing scans, findings, reports, and domains costs nothing. Reads are unlimited.

Pay per pentest

Starting a comprehensive scan spends one $50 scan credit — the same credit you buy in the app. Nothing new to learn.

Base URL & authentication

All requests go to https://api.complyeah.com over HTTPS. Authenticate with the Authorization header:

curl https://api.complyeah.com/v1/scans \
  -H "Authorization: Bearer cmply_live_..."

Endpoints

MethodPathDescription
GET/v1/meConfirm your key and identity.
GET/v1/domainsList your domains and their verification status.
GET/v1/scansList your scans.
POST/v1/scansStart a scan on a verified domain. A comprehensive scan spends one credit.
GET/v1/scans/{id}Retrieve one scan and its status.
GET/v1/scans/{id}/findingsList a scan's findings, each with a stable id for de-duplication.

Start a scan

Pass a verified domain_id (from GET /v1/domains) and a tier. Omit the tier for a free shallow posture scan.

curl -X POST https://api.complyeah.com/v1/scans \
  -H "Authorization: Bearer cmply_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "domain_id": "<your-domain-id>", "tier": "comprehensive" }'

Responses

Responses are JSON. Collections are wrapped in a data array so pagination can grow without breaking your integration.

{
  "data": [
    { "id": "…", "status": "complete", "tier": "comprehensive", "created_at": "…" }
  ]
}

Errors

Standard HTTP status codes; the body carries an error message.

401Missing or invalid API key.
402A comprehensive scan needs a scan credit.
403The domain has no current authorization on file.
404No such scan (or it isn't yours).
422The domain's ownership isn't verified yet.
429Rate limit or free-scan limit reached.
Model Context Protocol

Use complyeah from your AI assistant

complyeah-mcp is an open-source Model Context Protocol server — so Claude Desktop, IDE assistants, and any MCP-compatible client can list your scans, read findings, and start a pentest, using the same API key. Add it to your client config:

{
  "mcpServers": {
    "complyeah": {
      "command": "npx",
      "args": ["-y", "complyeah-mcp"],
      "env": { "COMPLYEAH_API_KEY": "cmply_live_..." }
    }
  }
}

Tools: whoami, list_domains, list_scans, get_scan, get_findings, and trigger_scan. The key is read from the environment, never passed through the model. View on npm.

Get your API key

Create a key in your account, verify a domain, and run your first pentest from the command line.