API Reference

Base URL: https://api.access-proof.com

Authentication

Two methods are supported. Bearer JWT is what the dashboard uses (15-minute access token, refreshable). API keys are for long-lived integrations (CI/CD, scripts) and are available on Pro and Business plans.

JWT (login flow)

curl -X POST https://api.access-proof.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "[email protected]", "password": "..."}'

# Response
# { "access_token": "eyJhbGciOi...", "token_type": "bearer" }

Send the token in the Authorization: Bearer <token> header.

API key

Generate from Settings → API keys (Pro/Business). Use it in the same Authorization: Bearer <key> header. Keys are rate-limited per plan.

Endpoints

POST /auth/register

Create an account. Rate-limited 5 req/min per IP.

curl -X POST https://api.access-proof.com/auth/register \
  -H "Content-Type: application/json" \
  -d '{"email": "[email protected]", "password": "min-8-chars"}'

POST /auth/login

Returns a JWT. Rate-limited 10 req/min per IP.

GET /auth/me

Returns the current user.

curl https://api.access-proof.com/auth/me \
  -H "Authorization: Bearer $TOKEN"

GET /sites

List your sites.

POST /sites

Add a site.

curl -X POST https://api.access-proof.com/sites \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://example.com", "name": "Marketing site"}'

POST /scans

Trigger a scan. Returns 202 with the scan id; poll GET /scans/<id> until the status is completed or failed.

curl -X POST https://api.access-proof.com/scans \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"site_id": "01HXXX..."}'

# Response
# { "id": "01HZZZ...", "status": "pending", "site_id": "01HXXX..." }

GET /scans/<id>

Returns the scan with current status, score, and (when complete) the issue list.

# Status values: pending → running → completed | failed
{
  "id": "01HZZZ...",
  "status": "completed",
  "score": 92,
  "issues": [
    { "id": "color-contrast", "impact": "serious", "wcag": ["1.4.3"], "nodes": 4 }
  ],
  "completed_at": "2026-05-08T10:12:34Z"
}

GET /scans/<id>/report.pdf

Returns the rendered PDF report (binary).

Rate limits

Endpoint         Free       Starter     Pro          Business
/auth/*          5/min      10/min      10/min       20/min
POST /scans      1/month    20/month    750/month    99,999/month
GET /* (read)    60/min     120/min     300/min      600/min

Errors

Standard HTTP codes. Body shape: {"detail": "..."}.

  • 400 — bad request (invalid payload)
  • 401 — missing or invalid token
  • 403 — forbidden (you don't own this resource)
  • 404 — not found
  • 429 — rate limited (see Retry-After)
  • 500 — server error (we're alerted; please retry)
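
The following is an added example, not code from AccessProof: a bounded polling client for GET /scans/<id> that waits out 429 responses using Retry-After, retries 5xx, and stops on any other error code. The function names and the ACCESSPROOF_TOKEN environment variable are assumptions; the token is read from the environment so it does not end up in shell history or CI logs.

```python
import json, os, time, urllib.error, urllib.request
from email.utils import parsedate_to_datetime

BASE = "https://api.access-proof.com"
TERMINAL = {"completed", "failed"}  # terminal states from the status list above

def http_get(path):
    """Real transport. The environment variable name is an assumption."""
    req = urllib.request.Request(BASE + path, headers={
        "Authorization": "Bearer " + os.environ["ACCESSPROOF_TOKEN"]})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, dict(r.headers), json.load(r)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), {}

def retry_after(headers, default, cap=300.0):
    """Retry-After is delta-seconds or an HTTP-date; clamp to [0, cap]."""
    raw = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
    try:
        wait = float(raw)
    except ValueError:
        try:
            wait = parsedate_to_datetime(raw).timestamp() - time.time()
        except (TypeError, ValueError):
            wait = default  # header missing or unparseable
    return max(0.0, min(wait, cap))

def wait_for_scan(scan_id, get=http_get, sleep=time.sleep, interval=5.0, max_polls=120):
    """Poll GET /scans/<id> until completed or failed; return the final body."""
    for _ in range(max_polls):
        code, headers, body = get("/scans/" + scan_id)
        if code == 429:                     # rate limited: wait as instructed
            sleep(retry_after(headers, interval))
        elif code >= 500:                   # server error: the page says to retry
            sleep(interval)
        elif code != 200:                   # 400/401/403/404 will not fix themselves
            raise RuntimeError(f"GET /scans/{scan_id} returned {code}")
        elif body.get("status") in TERMINAL:
            return body
        else:                               # pending or running
            sleep(interval)
    raise TimeoutError(f"scan {scan_id} not finished after {max_polls} polls")
```

The `get` and `sleep` parameters exist so the loop can be exercised offline with canned responses before it is pointed at the live API.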

Versioning

The API is currently unversioned (v1 implied). Breaking changes will be announced 30 days in advance via email and on this page.

Support

Email [email protected] with your request ID (header X-Request-ID) for faster triage.