API Terms of Use

These terms govern your use of the Find The Breach API and supplement our general Terms of Service.

Effective: February 23, 2026  |  Version 1.0

1. API Access & Authentication

Access to the Find The Breach API requires a valid API key, issued via the Portal under Settings → API Keys. API keys are prefixed with ftb_ and must be included in requests via the X-API-Key header.

Key Responsibilities:

  • You are responsible for keeping your API key secure and confidential
  • Do not embed API keys in client-side code, public repositories, or shared environments
  • Rotate keys regularly and immediately revoke compromised keys via the Portal
  • Each key has scoped permissions (read, write, scan) — use minimum required scope

2. Rate Limits & Fair Use

To ensure platform stability and fair access for all customers, the API enforces the following rate limits:

Plan         Requests/min   Concurrent Scans   Daily Scan Limit
Free         30             1                  5
Pro          120            3                  50
Enterprise   600            10                 Unlimited

Rate limit headers are returned with every response: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset. Exceeding limits returns HTTP 429.

3. Scan Results Ownership

You retain full ownership of all scan results generated through the API. Find The Breach does not claim any intellectual property rights over your scan data, reports, or vulnerability findings.

License Grant: You grant Find The Breach a limited license to process, store, and transmit scan data solely for the purpose of providing the scanning service and generating reports as requested.

Data Retention: Scan results are retained per your plan's retention policy (see Privacy Policy). You may export or delete your data at any time via the API or Portal.

4. API Availability & SLA

API availability targets mirror our general Service Level Agreement:

  • API Uptime: 99.5% monthly (excluding scheduled maintenance)
  • Scan Completion: Quick scans complete within 90 seconds; full scans within 30 minutes
  • Response Time: <500ms for non-scan API endpoints (P95)
  • Maintenance Windows: Announced 48 hours in advance via status page

Service credits apply per our SLA for sustained downtime exceeding the monthly uptime target.

5. Prohibited Use

In addition to the prohibitions in our Acceptable Use Policy, you must not:

  • Use the API to scan targets you do not own or have written authorization to scan
  • Build competing vulnerability scanning products primarily powered by our API
  • Resell raw API access without an MSSP/reseller agreement
  • Deliberately circumvent rate limits through key rotation or distributed requests
  • Use API results to harm, extort, or threaten target organizations
  • Submit automated requests designed to degrade platform performance

6. Version Deprecation Policy

The current API version is v1. When breaking changes are introduced:

  • 12 months notice before deprecating any API version
  • Migration guides published for every version transition
  • Sunset header: Deprecated endpoints include a Sunset: <date> header
  • Backward-compatible changes (new fields, new endpoints) do not constitute breaking changes

7. CI/CD Integration & SARIF Export

Scan results exported in SARIF (Static Analysis Results Interchange Format) are provided for integration with GitHub Code Scanning, GitLab SAST, and other CI/CD platforms.

Accuracy Disclaimer: Automated scan results may contain false positives or miss certain vulnerability classes. SARIF exports should be reviewed by qualified security personnel before acting on findings. See Section 12 of our Terms of Service for full accuracy disclaimers.

7b. Webhook Data Handling

Webhook payloads may contain vulnerability summaries, severity indicators, scan status updates, and asset metadata. You are responsible for:

  • Securing webhook endpoints with HTTPS and HMAC signature validation using the webhook signing secret provided
  • Data protection — webhook payloads may contain security-sensitive information; treat received data with the same security controls as scan results
  • Idempotency — webhook events may be delivered more than once; implement idempotent processing based on the event ID header
  • Response requirements — webhook endpoints must respond with HTTP 2xx within 10 seconds; three consecutive failures will pause delivery

FindTheBreach is not responsible for data exposure resulting from improperly secured webhook receivers.
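The receiver-side controls listed above (HMAC signature validation with the signing secret, idempotent processing keyed on the event ID, and a fast 2xx acknowledgement) can be combined into one small handler. The following is an added illustration, not code from Find The Breach; the header names X-FTB-Signature and X-FTB-Event-Id and the signature scheme (hex HMAC-SHA256 over the raw request body) are assumptions, since the page does not specify them, and the secret and payload are constructed sample values.

```python
"""Webhook receiver skeleton: signature check, idempotency, fast acknowledgement.

Added example (not Find The Breach code). Header names and the signature
format are assumptions; check the API documentation for the real values.
"""
import hashlib
import hmac
import json
import queue
from typing import Dict, Optional, Tuple

# ASSUMED header names (not given on the page)
SIGNATURE_HEADER = "X-FTB-Signature"
EVENT_ID_HEADER = "X-FTB-Event-Id"


def compute_signature(secret: bytes, body: bytes) -> str:
    """ASSUMED scheme: hex HMAC-SHA256 over the exact raw body bytes."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented: Optional[str]) -> bool:
    """Constant-time comparison so the check leaks nothing about the expected value."""
    if not presented:
        return False
    expected = compute_signature(secret, body)
    return hmac.compare_digest(expected, presented.strip().lower())


class WebhookReceiver:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        # Seen event IDs; a real deployment keeps these in a durable store with a TTL
        self.seen_event_ids = set()
        # Work is queued for a background worker so the HTTP reply is sent
        # well within the 10-second window, regardless of processing cost
        self.work = queue.Queue()

    def handle(self, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
        """Return (HTTP status, reason). Signature is checked before anything else."""
        h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        if not verify_signature(self.secret, body, h.get(SIGNATURE_HEADER.lower())):
            return 401, "invalid signature"
        event_id = h.get(EVENT_ID_HEADER.lower())
        if not event_id:
            return 400, "missing event id"
        if event_id in self.seen_event_ids:
            # Redelivery of an event already accepted: acknowledge, but do no work twice
            return 200, "duplicate ignored"
        try:
            payload = json.loads(body)
        except ValueError:
            return 400, "malformed json"
        self.seen_event_ids.add(event_id)
        self.work.put((event_id, payload))
        return 202, "queued"


if __name__ == "__main__":
    # Constructed sample delivery
    secret = b"whsec_constructed_example"
    body = b'{"event":"scan.completed","severity":"high","asset":"app.example.test"}'
    receiver = WebhookReceiver(secret)
    headers = {SIGNATURE_HEADER: compute_signature(secret, body), EVENT_ID_HEADER: "evt_1"}
    print(receiver.handle(headers, body))   # first delivery is queued
    print(receiver.handle(headers, body))   # redelivery is acknowledged without work
```

The signature is verified over the raw bytes before the JSON is parsed, so unauthenticated input never reaches the parser; the receiver replies as soon as the event is queued, which keeps it inside the 10-second response requirement even when downstream processing is slow.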

7c. Rate Limit Enforcement

API rate limits are enforced per API key and per account. Current limits are documented in our API Documentation.

  • Exceeding published rate limits will result in HTTP 429 Too Many Requests responses with a Retry-After header
  • Sustained rate limit violations may result in temporary API access suspension (1-24 hours depending on severity)
  • Repeated or intentional violations may result in API key revocation with 7 days’ written notice
  • Enterprise customers may request rate limit adjustments by contacting api@findthebreach.com
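A client that honours the limits in Sections 2 and 7c waits for Retry-After on a 429, backs off exponentially when no Retry-After is present, and pauses proactively when X-RateLimit-Remaining reaches zero. The code below is an added example, not an official client; it assumes X-RateLimit-Reset carries a Unix epoch timestamp (the page does not define its format), and the request function is an injected stand-in so the logic runs offline.

```python
"""Rate-limit-aware request loop for the headers described in the terms.

Added example (not Find The Breach code). Assumes X-RateLimit-Reset is a Unix
epoch timestamp; Retry-After follows RFC 9110 (delay-seconds or HTTP-date).
"""
import email.utils
import time
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], bytes]
MAX_PAUSE = 300.0  # never sleep longer than five minutes on one hint


def parse_retry_after(value: Optional[str], now: float) -> Optional[float]:
    """Retry-After is either an integer number of seconds or an HTTP-date."""
    if value is None:
        return None
    v = value.strip()
    if v.isdigit():
        return float(v)
    try:
        return email.utils.parsedate_to_datetime(v).timestamp() - now
    except (TypeError, ValueError):
        return None  # unparseable header: fall back to exponential backoff


def wait_seconds(status: int, headers: Dict[str, str], now: float) -> float:
    """Seconds to pause before the next request, derived only from response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 429:
        delay = parse_retry_after(h.get("retry-after"), now)
        if delay is not None:
            return min(max(delay, 0.0), MAX_PAUSE)
        return 0.0
    # Proactive throttling: quota exhausted, wait for the reset instead of earning a 429
    remaining, reset = h.get("x-ratelimit-remaining"), h.get("x-ratelimit-reset")
    if remaining is not None and remaining.isdigit() and int(remaining) == 0 and reset:
        try:
            return min(max(float(reset) - now, 0.0), MAX_PAUSE)  # ASSUMED: epoch seconds
        except ValueError:
            pass
    return 0.0


def send_with_backoff(
    request: Callable[[], Response],
    max_attempts: int = 5,
    base: float = 1.0,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.time,
) -> Response:
    """Issue one logical request, retrying only on HTTP 429 with the server's own hints."""
    for attempt in range(max_attempts):
        status, headers, body = request()
        if status != 429:
            return status, headers, body
        pause = wait_seconds(status, headers, clock())
        if pause <= 0.0:
            pause = min(base * (2 ** attempt), MAX_PAUSE)  # no usable Retry-After
        sleep(pause)
    raise RuntimeError("gave up after %d rate-limited responses" % max_attempts)


if __name__ == "__main__":
    # Constructed response sequence: one 429 with Retry-After, then success
    canned = iter([
        (429, {"Retry-After": "2", "X-RateLimit-Remaining": "0"}, b""),
        (200, {"X-RateLimit-Remaining": "119"}, b'{"ok":true}'),
    ])
    result = send_with_backoff(lambda: next(canned), sleep=lambda s: print("sleeping", s))
    print(result[0], result[2])
```

Retrying only on 429, with the server's own Retry-After, stays within the fair-use terms; spreading the same traffic across keys or hosts to dodge the limit is exactly what Section 5 prohibits.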

8. API Data Retention

Scan results submitted or generated through the API are subject to the same retention periods as described in the Privacy Policy (Section 13). Specific API data retention:

  • Scan results: Retained per your plan's retention period (Free: 30 days, Starter: 90 days, Professional: 1 year, Enterprise: custom)
  • API webhook delivery logs: Retained for thirty (30) days
  • API access tokens: Valid for the period specified at issuance and automatically expire. Expired token metadata is retained for audit purposes for ninety (90) days
  • API request logs: Retained for sixty (60) days for rate limiting, debugging, and abuse detection

9. Automated Scanning Liability

If you integrate FindTheBreach's API into automated workflows (including but not limited to CI/CD pipelines, orchestration tools, or scheduled tasks), you are solely responsible for ensuring that all targets scanned through such automation are properly authorized under Section 5 of the Terms of Service.

FindTheBreach is not liable for any damages, claims, or legal consequences arising from automated scans initiated against unauthorized targets through your API integration. We strongly recommend implementing:

  • Target allowlists in your automation configuration to prevent accidental scanning of unauthorized systems
  • Scan approval gates in CI/CD pipelines requiring manual approval before scanning production targets
  • Environment-specific API keys with limited target scope for staging vs. production environments
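The first of these recommendations, a target allowlist in the automation configuration, is the one most often implemented incorrectly: a plain substring or suffix check accepts hosts such as example.com.attacker.invalid when the intended scope was example.com. The following is an added example of an allowlist gate for a pipeline to run before it submits targets, not part of the Find The Breach API; the allowlist entries and target URLs are constructed, and the wildcard form `*.example.com` (matching the apex and any subdomain) is a convention assumed here.

```python
"""Allowlist gate for scan targets in an automated pipeline.

Added example (not Find The Breach code). Entries may be exact hostnames,
wildcard domains written as "*.example.com" (apex plus any depth of
subdomain, a convention assumed here), or IP networks in CIDR form.
"""
import ipaddress
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit


def host_of(target: str) -> str:
    """Extract the lowercase host from a URL or a bare host[:port]."""
    parsed = urlsplit(target if "://" in target else "//" + target)
    if not parsed.hostname:
        raise ValueError("no host in target: %r" % target)
    return parsed.hostname.lower()


class ScanTargetAllowlist:
    def __init__(self, entries: Iterable[str]) -> None:
        self.hosts = set()
        self.suffixes = set()
        self.networks = []
        for entry in entries:
            e = entry.strip().lower()
            if not e:
                continue
            if e.startswith("*."):
                self.suffixes.add(e[2:])
                continue
            try:
                self.networks.append(ipaddress.ip_network(e, strict=False))
            except ValueError:
                self.hosts.add(e)

    def is_allowed(self, target: str) -> bool:
        host = host_of(target)
        try:
            ip = ipaddress.ip_address(host)
            return any(ip in net for net in self.networks)  # IP literals only match CIDR entries
        except ValueError:
            pass
        if host in self.hosts:
            return True
        # Match wildcards on a label boundary only, so "example.com.attacker.invalid"
        # and "notexample.com" are never accepted for "*.example.com"
        return any(host == s or host.endswith("." + s) for s in self.suffixes)

    def partition(self, targets: Iterable[str]) -> Tuple[List[str], List[str]]:
        """Split targets into (allowed, rejected); unparseable targets are rejected."""
        allowed, rejected = [], []
        for t in targets:
            try:
                (allowed if self.is_allowed(t) else rejected).append(t)
            except ValueError:
                rejected.append(t)
        return allowed, rejected


if __name__ == "__main__":
    # Constructed allowlist and targets (.test/.invalid are reserved names)
    gate = ScanTargetAllowlist(["*.example.com", "api.partner.test", "10.0.0.0/24"])
    ok, bad = gate.partition([
        "https://app.example.com/login",
        "https://example.com.attacker.invalid/",
        "10.0.0.5:8443",
        "https://10.0.1.5/",
    ])
    print("submit:", ok)
    print("blocked:", bad)
```

The pipeline submits only the allowed list; anything rejected should fail the job loudly rather than be skipped silently, so that a mis-typed hostname in a configuration change is noticed before a scan ever reaches an unintended system.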

Questions?

For API-specific inquiries, contact api@findthebreach.com. For general legal questions, contact legal@findthebreach.com.

API documentation: /api-docs