Every scan mode is automatable. Submit jobs, poll status, retrieve findings — same engine as the dashboard, no UI required. Wire it into GitHub Actions, GitLab CI, your recon pipeline, or your own hunting tooling. API access is available on the Pro and Elite tiers.
Send your API key in the X-API-Key header on every request. Mint and
rotate keys from your account page — one
key per account, no scopes. Keep it secret; it grants full scan access tied to your tier and
daily quota.
# Required on every authenticated request X-API-Key: pk_live_XXXXXXXXXXXXXXXXXXXX
X-API-Key; cookies expire
and require a browser flow to renew.
Each request is rate-limited to your tier’s daily scan quota. The
/api/me endpoint
returns your current usage so you can throttle client-side. Modes you don’t have entitlement
for return 403.
| TIER | API ACCESS | DAILY SCANS | MODES |
|---|---|---|---|
| Free | No | 3 | reflected |
| Starter | No | 50 | reflected, dom, stored |
| Pro | Yes | 200 | reflected, dom, blind, stored, header, path, csp, clobber, postmessage |
| Elite | Yes | unlimited | all of the above plus raw, upload, json, websocket, prototype, graphql, xml, mxss |
Queue a scan against a target URL or a raw HTTP request. Returns a job_id
immediately; the scan runs in the background. Poll
/api/jobs/{id}
for progress and findings.
| FIELD | TYPE | NOTES |
|---|---|---|
| url | string | Target URL with at least one parameter (e.g. ?q=test). Required unless raw_request is set. |
| modes | string[] | Which scanners to run. Any of:
reflected, dom, stored, blind,
header, path, csp, clobber, postmessage
(Pro+) —
raw, upload, json, websocket,
prototype, graphql, xml, mxss
(Elite).
Defaults to ["reflected", "dom"]. Modes outside your tier are silently filtered out.
|
| extra_params | string[] | Additional parameter names to fuzz beyond what’s already in the URL. Capped by tier. |
| cookies | object | Cookies sent with every request as {name: value} — useful for authenticated targets. |
| headers | object | Extra request headers as {name: value}. |
| raw_request | string | elite Full HTTP request (paste-and-go from Burp). Must contain the {INJECT} marker where you want payloads. When set, url and modes are ignored. |
| raw_use_https | boolean | Treat the raw request as HTTPS (default true). Set to false for plain HTTP. |
| raw_use_tool | boolean | Run context-aware payloads + WAF mutations against the raw request (default true). |
| raw_use_curated | boolean | Fire the extended curated bypass library against the raw request (default true). |
| raw_use_blind | boolean | Plant your blind-XSS stinger payloads on the raw request (default false). |
curl -X POST https://pokexss.com/api/scan \ -H "X-API-Key: pk_live_..." \ -H "Content-Type: application/json" \ -d '{ "url": "https://target.example.com/search?q=test", "modes": ["reflected", "dom", "blind"], "extra_params": ["ref", "lang"], "cookies": {"session": "abc123"} }'
# Save Burp request to req.txt — mark the field to fuzz with {INJECT} curl -X POST https://pokexss.com/api/scan \ -H "X-API-Key: pk_live_..." \ -H "Content-Type: application/json" \ -d "$(jq -n --rawfile r req.txt '{raw_request: $r, raw_use_https: true}')"
{ "job_id": "j_8f2a91c4", "state": "queued", "modes": ["reflected", "dom", "blind"], "tier": "Pro", "raw": false, "quota_remaining": 197 }
Poll the job. While state is queued or
running, keep polling (every 1–3 seconds is reasonable). When it
flips to done, the findings array holds the result.
Jobs are scoped to the calling key — you cannot read another account’s job.
curl https://pokexss.com/api/jobs/j_8f2a91c4 \ -H "X-API-Key: pk_live_..."
{ "id": "j_8f2a91c4", "url": "https://target.example.com/search?q=test", "modes": ["reflected", "dom"], "state": "done", "created_at": "2026-05-28T12:34:56Z", "finished_at": "2026-05-28T12:35:11Z", "findings": [ { "mode": "reflected", "severity": "high", "parameter": "q", "payload": "\"><svg/onload=confirm(1)>", "context": "html_body", "sink": null, "poc_url": "https://target.example.com/search?q=%22%3E%3Csvg%2Fonload%3Dconfirm(1)%3E", "evidence": "alert() fired in headless replay", "poc_html": null } ], "log": ["[12:34:56] crawling...", "..."], "error": null }
| FIELD | TYPE | NOTES |
|---|---|---|
| mode | string | Which scanner produced this finding. |
| severity | string | One of info, low, medium, high, critical. |
| parameter | string? | Parameter name that received the payload (null for non-parameterised vectors). |
| payload | string | The exact payload that landed. |
| context | string? | Reflection context: html_body, attr, js_string, etc. |
| sink | string? | For DOM XSS — which sink fired (innerHTML, document.write, etc.). |
| poc_url | string? | Click-to-reproduce URL for GET-based reflections. |
| poc_html | string? | Self-submitting PoC HTML for POST/multipart/JSON findings. |
| evidence | string? | Why we’re calling this a hit (e.g. "alert() fired in headless replay"). |
Returns a compact list of every scan you’ve queued — useful for surfacing recent activity in your own tooling. Older jobs auto-purge after one hour.
curl https://pokexss.com/api/jobs \ -H "X-API-Key: pk_live_..." # Response [ { "id": "j_8f2a91c4", "url": "https://target.example.com/search?q=test", "state": "done", "findings": 1, "created_at": "2026-05-28T12:34:56Z" } ]
Explicit one-shot wipe — removes the job, all findings, log entries, and any cached request bodies from memory. Privacy-first: this is the same data path the automatic one-hour purge uses.
curl -X DELETE https://pokexss.com/api/jobs/j_8f2a91c4 \ -H "X-API-Key: pk_live_..." # Response {"forgotten": "j_8f2a91c4"}
Identity + tier + quota in one call. Use it to detect quota exhaustion before submitting, or to confirm a key is live.
curl https://pokexss.com/api/me -H "X-API-Key: pk_live_..." # Response { "authenticated": true, "email": "you@example.com", "tier": "pro", "tier_label": "Pro", "is_paid": true, "expires_at": "2026-08-26T12:34:56Z", "quota_used": 3, "quota_daily": 200 }
Errors are JSON with a detail string and the standard HTTP code.
Retries: 429 means slow down (quota); 5xx
is safe to retry after a backoff.
| STATUS | MEANING |
|---|---|
| 400 | Bad request — missing url/raw_request, missing {INJECT} marker, malformed body. |
| 401 | Missing or invalid X-API-Key. |
| 403 | Tier doesn’t include the requested mode, target out of scope, or API access not enabled for your tier. |
| 404 | Job not found (or doesn’t belong to your key — same response either way). |
| 429 | Daily scan quota exhausted. Resets at UTC midnight. |