API Reference
The Nano EASM REST API lets you manage assets, trigger scans, pull findings, run discovery, manage monitoring alerts, and generate reports — all the things you'd wire into CI/CD, a SOAR, or a SIEM.
Authentication
All API endpoints require an API key. Send it on every request as the X-API-Key header.
curl -H "X-API-Key: ag_sk_..." https://nanoeasm.com/api/findings
You can also pass the key as a Bearer token if you prefer:
curl -H "Authorization: Bearer ag_sk_..." https://nanoeasm.com/api/findings
Permissions
An API key inherits the role of the user who created it. A viewer's key is read-only; an analyst's key can create assets and trigger scans. Plan limits (asset count, scans per month, etc.) apply exactly as they do in the UI.
What API keys can't do
For safety, account-credential and billing-state actions are not callable with API keys: changing your password, inviting members, changing roles, switching plans, or deleting your organization. These return 403 API_KEY_NOT_ALLOWED.
Errors
Errors are returned as JSON with an error field and the appropriate HTTP status code.
{
  "error": "invalid or expired API key"
}
400  Bad request — missing or invalid fields
401  Missing or invalid API key
403  Permission denied (role or API_KEY_NOT_ALLOWED)
402  Plan limit reached
404  Resource not found
429  Rate-limited
500  Internal server error
Pagination
List endpoints accept page (1-indexed) and perPage (max 100). Responses include the total count.
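The paging scheme described here, walked to completion for an endpoint that returns the items/total envelope, such as /findings. This is an added example, not Nano EASM's own client code; `iter_items`, `http_get` and the exponential backoff on 429 are assumptions made for the illustration.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://nanoeasm.com/api"  # base URL used by the curl examples on this page


def http_get(path, params, api_key):
    """Default transport: one GET, returns (status, parsed JSON body)."""
    url = f"{BASE}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"X-API-Key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:  # 4xx/5xx still carry {"error": ...}
        return exc.code, json.loads(exc.read() or b"{}")


def iter_items(path, api_key, filters=None, per_page=100, get=http_get,
               max_retries=3, sleep=time.sleep):
    """Yield every item of a list endpoint, page by page (page is 1-indexed)."""
    page, seen, retries = 1, 0, 0
    while True:
        # perPage is capped at 100 by the API, so clamp it client-side too.
        params = dict(filters or {}, page=page, perPage=min(per_page, 100))
        status, body = get(path, params, api_key)
        if status == 429 and retries < max_retries:
            retries += 1
            sleep(2 ** retries)  # assumed backoff; the page documents no retry hint
            continue
        if status != 200:
            raise RuntimeError(f"HTTP {status}: {body.get('error', 'unknown error')}")
        retries = 0
        items = body["items"]
        yield from items
        seen += len(items)
        # Stop on the reported total, or on an empty page if total is stale.
        if not items or seen >= body["total"]:
            return
        page += 1
```

Read the key from an environment variable or a secret store rather than embedding it in the script.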
curl -H "X-API-Key: ag_sk_..." "https://nanoeasm.com/api/findings?page=2&perPage=50"
{
  "items": [ ... ],
  "total": 247,
  "page": 2,
  "perPage": 50
}
Assets
Manage the domains, IPs, and cloud resources you monitor. Assets are scoped to your organization and grouped by AssetGroup.
/assets
List all assets in your organization.
curl -H "X-API-Key: ag_sk_..." https://nanoeasm.com/api/assets
Sample response:
[
  {
    "id": "42",
    "value": "example.com",
    "type": "domain",
    "groupId": "1",
    "createdAt": "2026-04-12T08:21:33"
  }
]
/groups/<group_id>/assets
Add an asset to a group. Subject to plan asset limit.
curl -X POST -H "X-API-Key: ag_sk_..." -H "Content-Type: application/json" \
  -d '{"value":"api.example.com","type":"domain"}' \
  https://nanoeasm.com/api/groups/1/assets
/groups/<group_id>/assets/bulk
Bulk-import assets to a group (CSV-style array payload).
curl -X POST -H "X-API-Key: ag_sk_..." -H "Content-Type: application/json" \
  -d '{"assets":[{"value":"a.com","type":"domain"},{"value":"b.com","type":"domain"}]}' \
  https://nanoeasm.com/api/groups/1/assets/bulk
/assets/<asset_id>
Fetch a single asset by ID.
curl -H "X-API-Key: ag_sk_..." https://nanoeasm.com/api/assets/42
/assets/<asset_id>
Update asset attributes (group, tags, criticality).
/assets/<asset_id>
Remove an asset. Findings tied to it are kept for history.
/assets/<asset_id>/risk
Composite risk score and severity breakdown for an asset.
/assets/<asset_id>/coverage
Which scan profiles have run against the asset and when.
/assets/<asset_id>/health
Reachability + service status snapshot.
/assets/<asset_id>/timeline
Event timeline (scans, findings, status changes).
/groups/<group_id>/assets
List assets within a specific group.
Scans
Trigger and inspect vulnerability scans. Scans run asynchronously — POST returns immediately with a job ID you can poll.
/scan-jobs
Start a scan job for an asset. Profile: quick | standard | deep.
curl -X POST -H "X-API-Key: ag_sk_..." -H "Content-Type: application/json" \
  -d '{"asset_id":42,"profile":"standard"}' \
  https://nanoeasm.com/api/scan-jobs
Sample response:
{
  "id": "917",
  "status": "queued",
  "asset_id": "42",
  "profile": "standard",
  "createdAt": "2026-04-30T11:02:14"
}
/scan-jobs
List recent scan jobs (paginated).
curl -H "X-API-Key: ag_sk_..." "https://nanoeasm.com/api/scan-jobs?status=running&limit=20"
/scan-jobs/<job_id>/run
Re-run a finished scan job (creates a new job, same config).
/scan-jobs/<job_id>
Delete a scan job and its findings (irreversible).
/scan-jobs/<job_id>/findings
Findings produced by a specific scan job.
curl -H "X-API-Key: ag_sk_..." https://nanoeasm.com/api/scan-jobs/917/findings
Findings
Read and triage vulnerability findings. Each finding has a status (open, acknowledged, resolved, ignored) and a severity (info, low, medium, high, critical).
/findings
List findings. Filter with severity, status, asset_id, since, q.
curl -H "X-API-Key: ag_sk_..." "https://nanoeasm.com/api/findings?severity=critical&status=open&since=2026-04-01"
Sample response:
{
  "items": [
    {
      "id": "5510",
      "templateId": "tls.expired-cert",
      "severity": "high",
      "status": "open",
      "assetId": "42",
      "createdAt": "2026-04-29T17:08:21"
    }
  ],
  "total": 47,
  "page": 1,
  "perPage": 50
}
/findings/<finding_id>
Full detail for a single finding incl. evidence + remediation.
/findings/<finding_id>
Update a finding's status, notes, or assignee.
curl -X PATCH -H "X-API-Key: ag_sk_..." -H "Content-Type: application/json" \
  -d '{"status":"resolved","notes":"Patched in PR #1234"}' \
  https://nanoeasm.com/api/findings/5510
/findings/bulk-status
Set status on multiple findings in one request.
curl -X POST -H "X-API-Key: ag_sk_..." -H "Content-Type: application/json" \
  -d '{"ids":[5510,5511,5512],"status":"acknowledged"}' \
  https://nanoeasm.com/api/findings/bulk-status
/findings/export
CSV export of findings matching the filter query.
curl -H "X-API-Key: ag_sk_..." "https://nanoeasm.com/api/findings/export?severity=high" -o findings.csv
Discovery
Run subdomain and asset discovery against root domains. Discovery jobs surface unknown subdomains, IPs, and services that you can promote into your asset inventory.
/discovery/run
Launch a discovery job against one or more domains.
curl -X POST -H "X-API-Key: ag_sk_..." -H "Content-Type: application/json" \
  -d '{"domains":["example.com"],"deep":false}' \
  https://nanoeasm.com/api/discovery/run
/discovery/jobs
List discovery jobs (paginated).
/discovery/jobs/<job_id>
Job detail incl. discovered subdomains, IPs, and modules used.
/discovery/jobs/<job_id>/cancel
Cancel a running discovery job.
/discovery/jobs/<job_id>/add-assets
Promote discovered items into your asset inventory (subject to asset limit).
curl -X POST -H "X-API-Key: ag_sk_..." -H "Content-Type: application/json" \
  -d '{"values":["api.example.com","www.example.com"]}' \
  https://nanoeasm.com/api/discovery/jobs/123/add-assets
Monitoring
Continuous monitors watch assets for change events (new ports, cert changes, DNS drift) and emit alerts. Use the alerts endpoints to ack/resolve from your SIEM or SOAR.
/monitors
List monitors configured for your organization.
curl -H "X-API-Key: ag_sk_..." https://nanoeasm.com/api/monitors
/monitors
Create a monitor for an asset or asset group.
/monitors/<monitor_id>
Update monitor frequency, scope, or enabled state.
/monitors/<monitor_id>
Remove a monitor.
/monitors/alerts
List alerts. Filter by status, severity, monitor_id.
curl -H "X-API-Key: ag_sk_..." "https://nanoeasm.com/api/monitors/alerts?status=open"
/monitors/alerts/<alert_id>/acknowledge
Acknowledge an alert (tracks who/when).
/monitors/alerts/<alert_id>/resolve
Mark an alert as resolved.
Reports
Generate and download PDF/Excel reports. Generation is async — the response returns a report ID you can poll until status='ready', then download.
/reports/generate
Start report generation. Type: executive | technical.
curl -X POST -H "X-API-Key: ag_sk_..." -H "Content-Type: application/json" \
  -d '{"type":"executive","scope":"org"}' \
  https://nanoeasm.com/api/reports/generate
Sample response:
{
  "id": "204",
  "status": "queued",
  "type": "executive",
  "createdAt": "2026-04-30T12:11:01"
}
/reports
List reports (paginated).
/reports/<report_id>
Report metadata (status, type, scope).
/reports/<report_id>/download
Download the rendered report (PDF or Excel binary).
curl -H "X-API-Key: ag_sk_..." https://nanoeasm.com/api/reports/204/download -o report.pdf
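The generate, poll, download sequence for reports, as an added example (not Nano EASM's own code). `fetch_report` and the `call(method, path, body)` transport are hypothetical names, GET on the metadata endpoint is assumed, and the demo transport is constructed in memory so the block runs offline.

```python
import time


def fetch_report(call, report_type="executive", scope="org", poll_every=5.0,
                 timeout=600.0, sleep=time.sleep, clock=time.monotonic):
    """Start a report, poll until status == 'ready', return (id, file bytes).

    call(method, path, body) is an assumed transport that sends X-API-Key and
    returns (http_status, parsed JSON or raw bytes for the download).
    """
    status, job = call("POST", "/reports/generate",
                       {"type": report_type, "scope": scope})
    if status >= 400:  # e.g. 402 plan limit, 403 role not allowed
        raise RuntimeError(f"generate failed: HTTP {status}: {job.get('error')}")
    report_id = job["id"]
    deadline = clock() + timeout
    # Only 'queued' and 'ready' appear on the page, so a deadline is the
    # one safe exit if a report never becomes ready.
    while job["status"] != "ready":
        if clock() >= deadline:
            raise TimeoutError(f"report {report_id} still {job['status']!r}")
        sleep(poll_every)
        status, body = call("GET", f"/reports/{report_id}", None)  # GET assumed
        if status == 429:
            continue  # rate-limited: keep the last known state, poll again
        if status != 200:
            raise RuntimeError(f"poll failed: HTTP {status}: {body.get('error')}")
        job = body
    status, blob = call("GET", f"/reports/{report_id}/download", None)
    if status != 200:
        raise RuntimeError(f"download failed: HTTP {status}")
    return report_id, blob


def demo():
    """Constructed in-memory transport: one 'queued' poll, then 'ready'."""
    states = iter(["queued", "ready"])

    def call(method, path, body):
        if path == "/reports/generate":
            return 200, {"id": "204", "status": "queued"}
        if path.endswith("/download"):
            return 200, b"%PDF-constructed"
        return 200, {"id": "204", "status": next(states)}

    return fetch_report(call, sleep=lambda seconds: None)
```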