BETA

Krafter AI Audit

AI-powered security scanning for your web applications. Krafter Audit detects vulnerabilities, scores them by severity, and guides you through remediation with task management, verification workflows, and policy-based automation.

Features

  • AI-driven scanning -- Automated security analysis that detects vulnerabilities across your web applications
  • Severity scoring -- Every finding is classified as critical, high, medium, or low based on real-world impact
  • Four audit domains -- Security, performance, accessibility, and SEO findings in a single scan
  • Remediation tasks -- Create and track tasks linked to findings, with assignees and due dates
  • Verification pipeline -- Verify that fixes actually resolve the issue before closing findings
  • Regression tracking -- Automatically detect when previously fixed findings reappear
  • Policy automation -- Define rules that automatically set severity levels and trigger actions
  • Integrations -- Connect GA4, Google Search Console, Sentry, GitHub, GitLab, Jira, Linear, and Cloudflare to your audit workflow
  • Reports and sharing -- Export findings as PDF, CSV, or JSON, and share reports via link

Guides

  • Quickstart -- Run your first scan and triage a finding in 5 minutes
  • Findings Guide -- Severity levels, statuses, filtering, bulk operations, and regression tracking
  • Remediation Guide -- Tasks, verifications, policies, integrations, and reports
  • Scan Pipeline -- How a scan executes end-to-end across the four scanners and the AI analyzer
  • LLM Operations -- Provider routing, models, quotas, and fallback behaviour

Base URL

https://app.krafter.dev/api/v1

Authentication

All Audit API endpoints use your team API key:

Authorization: Bearer kr_live_abc123def456

Endpoints that read data require the audit:read scope. Endpoints that create or modify data require the audit:write scope. Requests are subject to the platform rate limits; POST /audit/scans/run is additionally throttled by the stricter strict bucket.

Path parameters

Every audit endpoint is scoped to an organisation and a project:

  • :org_id — your organisation's UUID (visible in the dashboard URL)
  • :project_id — your project identifier (visible in the dashboard URL)

Every endpoint URL in this section starts with /api/v1/orgs/:org_id/projects/:project_id/audit/.... Substitute your real org/project IDs.

Response envelope

Different response format

The Audit API uses a response envelope that differs from other Krafter services. Every response includes data, meta, and error fields:

```json
{
  "data": { ... },
  "meta": { "request_id": "uuid", "total": 100, "next_cursor": "cursor_string" },
  "error": null
}
```

Other Krafter services return a simple {"data": {...}} wrapper. Make sure your integration code handles the full envelope.

Identifiers

  • Resource IDs (scans, findings, tasks, verifications, policies, rules, regressions, exports, share links) are UUID v4 strings, e.g. a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d. They are not prefixed.
  • meta.request_id is a Phoenix-format request identifier (a short alphanumeric token, e.g. F-mxbAQk6m9lXeQAAATj). Include it when reporting issues.
  • :project_id in the URL is the project identifier you chose when creating the project, not a UUID.

Pagination

List endpoints use cursor-based pagination. Pass cursor and limit query parameters, and read meta.next_cursor from the response to fetch the next page:

GET /orgs/:org_id/projects/:project_id/audit/findings?limit=25&cursor=eyJpZCI6MTAwfQ

When meta.next_cursor is null, you have reached the last page.

Error format

Errors set data to null and populate the error field:

```json
{
  "data": null,
  "meta": { "request_id": "F-mxbAQk6m9lXeQAAATj" },
  "error": { "code": "not_found" }
}
```

Error codes

The Audit API uses a small, stable set of error.code values. Branch on the code rather than parsing message strings.

| Code | HTTP | Meaning |
|---|---|---|
| not_found | 404 | The resource does not exist or is not visible to your team. |
| unauthorized | 401 | API key missing or invalid. |
| invalid_params | 422 | Request body or query parameters failed validation. Most malformed requests use this code. |
| invalid_status | 422 | Provided status is not in the allowed enum for the resource. |
| invalid_severity | 422 | Provided severity is not one of critical, high, medium, low. |
| invalid_provider | 422 | Path :provider is not one of the supported integration providers. |
| invalid_trigger | 422 | Provided trigger value is not in the scan trigger enum. |
| invalid_channel | 422 | Provided report channel is not one of email, slack, link. |
| quota_exceeded | 429 | The team has used its monthly :ai_audit_actions_monthly allowance. Returned by POST /audit/scans/run, POST /audit/verifications/run, and POST /audit/reports/export when the next charge would exceed the cap. The cap resets on the calendar-month boundary in UTC. Wait for the window to roll over or upgrade your plan. See LLM Operations → Quotas for details. |
| request_failed | 422 | Generic catch-all for an Ecto changeset failure or a worker-enqueue failure. The request_id in meta will help on follow-up. |

Strict-rate-limit responses are not enveloped

POST /audit/scans/run is throttled by the :strict_rate_limit plug (30 requests / 60 s per team). When that limit fires, the response is not the audit error envelope — it is the global rate-limit body {"error": "Rate limit exceeded", "retry_after": N} with Retry-After and x-ratelimit-* headers. See Scans → Rate limit.
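A client-side handler for the envelope, the cursor pagination and both error shapes described above, added here as an example; it is not Krafter's own SDK or documentation code. The sample pages and the `fetch` stand-in are constructed, and the `rate_limited` code name is this example's own label for the non-enveloped 429 body.

```python
import json
from dataclasses import dataclass, field
from typing import Iterator, Optional

@dataclass
class AuditResult:
    ok: bool
    data: object = None
    meta: dict = field(default_factory=dict)
    code: Optional[str] = None         # error.code, or "rate_limited" for the strict-bucket body
    retry_after: Optional[int] = None  # only set for the non-enveloped 429

def parse_audit_response(status: int, body: str) -> AuditResult:
    """Normalise one response: the {data, meta, error} envelope or the flat rate-limit body."""
    payload = json.loads(body)
    # Strict-bucket throttle: "error" is a plain string and there is no envelope at all.
    if status == 429 and isinstance(payload.get("error"), str):
        return AuditResult(ok=False, code="rate_limited",
                           retry_after=int(payload.get("retry_after", 0)))
    meta = payload.get("meta") or {}
    err = payload.get("error")
    if err is not None:
        # Branch on error.code; never parse message text.
        return AuditResult(ok=False, meta=meta, code=err.get("code"))
    return AuditResult(ok=True, data=payload.get("data"), meta=meta)

def iter_pages(fetch) -> Iterator[dict]:
    """Follow cursor pagination until meta.next_cursor is null. fetch(cursor) -> (status, body);
    a real client would issue GET .../audit/findings?limit=N&cursor=... with the Bearer key."""
    cursor = None
    while True:
        result = parse_audit_response(*fetch(cursor))
        if not result.ok:
            # Surface request_id so it can be quoted when reporting the issue.
            raise RuntimeError(f"{result.code} (request_id={result.meta.get('request_id')})")
        yield from result.data
        cursor = result.meta.get("next_cursor")
        if cursor is None:
            return
# Constructed sample pages (not real API output), keyed by the cursor that fetches them.
_PAGES = {
    None: (200, json.dumps({"data": [{"id": "f1"}, {"id": "f2"}],
                            "meta": {"request_id": "r1", "total": 3, "next_cursor": "c2"},
                            "error": None})),
    "c2": (200, json.dumps({"data": [{"id": "f3"}],
                            "meta": {"request_id": "r2", "total": 3, "next_cursor": None},
                            "error": None})),
}
def all_finding_ids() -> list:
    return [f["id"] for f in iter_pages(lambda cursor: _PAGES[cursor])]
```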

Built by Krafter Studio