API REFERENCE

POKEXSS REST API

Every scan mode is automatable. Submit jobs, poll status, retrieve findings — same engine as the dashboard, no UI required. Wire it into GitHub Actions, GitLab CI, your recon pipeline, or your own hunting tooling. API access is available on the Pro and Elite tiers.

Authentication Tiers & quotas POST /api/scan GET /api/jobs/{id} GET /api/jobs DELETE /api/jobs/{id} GET /api/me Errors

Authentication

Send your API key in the X-API-Key header on every request. Mint and rotate keys from your account page — one key per account, no scopes. Keep it secret; it grants full scan access tied to your tier and daily quota.

# Required on every authenticated request
X-API-Key: pk_live_XXXXXXXXXXXXXXXXXXXX
Web sessions also work — if you’re already signed in with a session cookie, the API will accept that too. For automation use X-API-Key; cookies expire and require a browser flow to renew.

Tiers & quotas

Each request is rate-limited to your tier’s daily scan quota. The /api/me endpoint returns your current usage so you can throttle client-side. Modes you don’t have entitlement for return 403.

TIERAPI ACCESSDAILY SCANSMODES
Free No 3 reflected
Starter No 50 reflected, dom, stored
Pro Yes 200 reflected, dom, blind, stored, header, path, csp, clobber, postmessage
Elite Yes unlimited all of the above plus raw, upload, json, websocket, prototype, graphql, xml, mxss

Submit a scan

POST /api/scan PRO / ELITE

Queue a scan against a target URL or a raw HTTP request. Returns a job_id immediately; the scan runs in the background. Poll /api/jobs/{id} for progress and findings.

REQUEST BODY (application/json)
FIELDTYPENOTES
url string Target URL with at least one parameter (e.g. ?q=test). Required unless raw_request is set.
modes string[] Which scanners to run. Any of: reflected, dom, stored, blind, header, path, csp, clobber, postmessage (Pro+)raw, upload, json, websocket, prototype, graphql, xml, mxss (Elite). Defaults to ["reflected", "dom"]. Modes outside your tier are silently filtered out.
extra_params string[] Additional parameter names to fuzz beyond what’s already in the URL. Capped by tier.
cookies object Cookies sent with every request as {name: value} — useful for authenticated targets.
headers object Extra request headers as {name: value}.
raw_request string elite Full HTTP request (paste-and-go from Burp). Must contain the {INJECT} marker where you want payloads. When set, url and modes are ignored.
raw_use_https boolean Treat the raw request as HTTPS (default true). Set to false for plain HTTP.
raw_use_tool boolean Run context-aware payloads + WAF mutations against the raw request (default true).
raw_use_curated boolean Fire the extended curated bypass library against the raw request (default true).
raw_use_blind boolean Plant your blind-XSS stinger payloads on the raw request (default false).
EXAMPLE — URL MODE
curl -X POST https://pokexss.com/api/scan \
  -H "X-API-Key: pk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://target.example.com/search?q=test",
    "modes": ["reflected", "dom", "blind"],
    "extra_params": ["ref", "lang"],
    "cookies": {"session": "abc123"}
  }'
EXAMPLE — RAW REQUEST MODE (ELITE)
# Save Burp request to req.txt — mark the field to fuzz with {INJECT}
curl -X POST https://pokexss.com/api/scan \
  -H "X-API-Key: pk_live_..." \
  -H "Content-Type: application/json" \
  -d "$(jq -n --rawfile r req.txt '{raw_request: $r, raw_use_https: true}')"
RESPONSE 200
{
  "job_id": "j_8f2a91c4",
  "state": "queued",
  "modes": ["reflected", "dom", "blind"],
  "tier": "Pro",
  "raw": false,
  "quota_remaining": 197
}

Get scan status & findings

GET /api/jobs/{job_id} PRO / ELITE

Poll the job. While state is queued or running, keep polling (every 1–3 seconds is reasonable). When it flips to done, the findings array holds the result. Jobs are scoped to the calling key — you cannot read another account’s job.

EXAMPLE
curl https://pokexss.com/api/jobs/j_8f2a91c4 \
  -H "X-API-Key: pk_live_..."
RESPONSE 200
{
  "id": "j_8f2a91c4",
  "url": "https://target.example.com/search?q=test",
  "modes": ["reflected", "dom"],
  "state": "done",
  "created_at": "2026-05-28T12:34:56Z",
  "finished_at": "2026-05-28T12:35:11Z",
  "findings": [
    {
      "mode": "reflected",
      "severity": "high",
      "parameter": "q",
      "payload": "\"><svg/onload=confirm(1)>",
      "context": "html_body",
      "sink": null,
      "poc_url": "https://target.example.com/search?q=%22%3E%3Csvg%2Fonload%3Dconfirm(1)%3E",
      "evidence": "alert() fired in headless replay",
      "poc_html": null
    }
  ],
  "log": ["[12:34:56] crawling...", "..."],
  "error": null
}
FINDING SHAPE
FIELDTYPENOTES
modestringWhich scanner produced this finding.
severitystringOne of info, low, medium, high, critical.
parameterstring?Parameter name that received the payload (null for non-parameterised vectors).
payloadstringThe exact payload that landed.
contextstring?Reflection context: html_body, attr, js_string, etc.
sinkstring?For DOM XSS — which sink fired (innerHTML, document.write, etc.).
poc_urlstring?Click-to-reproduce URL for GET-based reflections.
poc_htmlstring?Self-submitting PoC HTML for POST/multipart/JSON findings.
evidencestring?Why we’re calling this a hit (e.g. "alert() fired in headless replay").

List your jobs

GET /api/jobs PRO / ELITE

Returns a compact list of every scan you’ve queued — useful for surfacing recent activity in your own tooling. Older jobs auto-purge after one hour.

curl https://pokexss.com/api/jobs \
  -H "X-API-Key: pk_live_..."

# Response
[
  {
    "id": "j_8f2a91c4",
    "url": "https://target.example.com/search?q=test",
    "state": "done",
    "findings": 1,
    "created_at": "2026-05-28T12:34:56Z"
  }
]

Forget a job

DELETE /api/jobs/{job_id} PRO / ELITE

Explicit one-shot wipe — removes the job, all findings, log entries, and any cached request bodies from memory. Privacy-first: this is the same data path the automatic one-hour purge uses.

curl -X DELETE https://pokexss.com/api/jobs/j_8f2a91c4 \
  -H "X-API-Key: pk_live_..."

# Response
{"forgotten": "j_8f2a91c4"}

Who am I / quota check

GET /api/me ANY (auth optional)

Identity + tier + quota in one call. Use it to detect quota exhaustion before submitting, or to confirm a key is live.

curl https://pokexss.com/api/me -H "X-API-Key: pk_live_..."

# Response
{
  "authenticated": true,
  "email": "you@example.com",
  "tier": "pro",
  "tier_label": "Pro",
  "is_paid": true,
  "expires_at": "2026-08-26T12:34:56Z",
  "quota_used": 3,
  "quota_daily": 200
}

Errors

Errors are JSON with a detail string and the standard HTTP code. Retries: 429 means slow down (quota); 5xx is safe to retry after a backoff.

STATUSMEANING
400Bad request — missing url/raw_request, missing {INJECT} marker, malformed body.
401Missing or invalid X-API-Key.
403Tier doesn’t include the requested mode, target out of scope, or API access not enabled for your tier.
404Job not found (or doesn’t belong to your key — same response either way).
429Daily scan quota exhausted. Resets at UTC midnight.
Get API access (Pro) Need help? Contact support