Documentation
API and integrations
This product exposes integration through authenticated workspace features and CLI/MCP tooling—not a broad anonymous public API.
MCP server
Run npx @aros/mcp-server for tool-based access. Use this when you need stable workflows in IDEs/agents without manually wiring HTTP calls.
View @aros/mcp-server on npm
Organization API keys
Create and rotate keys under Settings → API keys after sign-in. Keys are organization-scoped and plan-gated on the server.
- Use separate keys per integration and environment.
- Rotate keys during offboarding and incident response.
- Revoke unused keys rather than leaving them dormant.
Reports and audit export (session auth)
Signed-in users with the right permissions can download findings reports (GET /api/reports), VPAT payloads (GET /api/reports/vpat), and a bounded audit trail (GET /api/org/…/audit-log, requires audit:view). All are paid-gated on the server except where explicitly documented otherwise.
Webhooks and CI
Deploy hooks and GitHub Actions integrations are configured in-app per site/repository. Endpoint URLs and secrets are not published publicly because they are deployment-specific.
Error behavior
API routes use explicit status codes for auth failures, entitlement gating, and rate limits (for example, 401/403/429) instead of silent degradation. Validate downstream integrations against non-200 flows before launch.
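One way to exercise those non-200 flows before launch, as an added example that is not part of the product or its MCP package. The helper names (classify, callWithPolicy, stubFetch), the Retry-After handling and the retry limits are assumptions; authentication is left to whatever the caller passes in init.

```javascript
// Added example, not product code. Assumptions: a 429 may carry Retry-After
// in seconds; fetchImpl is any fetch-compatible function supplied by the caller.

// Map a status to an explicit outcome the integration has to handle.
function classify(status, headers = {}) {
  if (status >= 200 && status < 300) return { outcome: "ok" };
  if (status === 401) return { outcome: "reauthenticate" }; // key rotated/revoked or session expired
  if (status === 403) return { outcome: "not_entitled" };   // plan gate or missing permission: do not retry
  if (status === 429) {
    const secs = Number(headers["retry-after"]);
    // Fall back to 30 s when the header is absent or not numeric; cap at 5 min.
    const waitMs = Number.isFinite(secs) && secs >= 0 ? Math.min(secs, 300) * 1000 : 30000;
    return { outcome: "backoff", waitMs };
  }
  return { outcome: "error", status };
}

// Call an endpoint, retrying only on 429 and only a bounded number of times.
// A failure is always surfaced as a verdict, never as an empty result set.
async function callWithPolicy(fetchImpl, url, init, opts = {}) {
  const maxRetries = opts.maxRetries ?? 2;
  const sleep = opts.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(url, init);
    const retryAfter = res.headers.get("retry-after") ?? undefined;
    const verdict = classify(res.status, { "retry-after": retryAfter });
    if (verdict.outcome === "ok") return { ...verdict, body: await res.json() };
    if (verdict.outcome !== "backoff" || attempt >= maxRetries) return verdict;
    await sleep(verdict.waitMs);
  }
}

// Constructed stub: replays a fixed sequence of statuses (the last one repeats),
// so each failure path can be tested offline.
function stubFetch(statuses) {
  let i = 0;
  return async () => {
    const status = statuses[Math.min(i++, statuses.length - 1)];
    return {
      status,
      headers: { get: (k) => (status === 429 && k === "retry-after" ? "1" : null) },
      json: async () => ({ findings: [] }), // constructed body
    };
  };
}
```

Passing a no-op sleep, as in `callWithPolicy(stubFetch([429, 200]), "/api/reports", {}, { sleep: async () => {} })`, keeps the test run fast while still covering the retry path.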
A standalone public OpenAPI browser is not part of this build. If you need machine-readable contracts, use the MCP package source or request a deployment-specific export from your operator. See also Getting started and Plans and limits.