{ "openapi": "3.0.1", "info": { "title": "ZAST.AI API", "version": "v1.0.0", "description": "# ZAST.AI API Documentation\n\nWelcome to the ZAST.AI API documentation. This API allows you to interact with our security scanning and analysis services programmatically.\n\n## Features\n\n- **Task Management**: Create, manage, and track security scan tasks.\n- **Vulnerability Analysis**: Retrieve detailed vulnerability reports and exploit chains.\n- **SCA**: Software Composition Analysis for dependency security.\n- **Network Diagnostics**: Tools for network connectivity and security checks.\n\n## Getting Started\n\nThis section describes how third-party applications can integrate with the Zast Global Authentication System through the standard OAuth 2.0 Authorization Code Flow.\n\n### 0. Preparation\n\nBefore you begin, you must submit an application to **support@zast.ai** and provide the necessary information, including your `redirect_uri`.\n\n### 1. Endpoints\n\n| Configuration | Value |\n| :--- | :--- |\n| **Auth URL** | `https://clerk.zast.ai/oauth/authorize` |\n| **Token URL** | `https://clerk.zast.ai/oauth/token` |\n| **User Info URL** | `https://clerk.zast.ai/oauth/userinfo` |\n\n### 2. Authorization Flow\n\n#### Step 1: Obtain User Authorization\n\nRedirect users to: `GET https://clerk.zast.ai/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_CALLBACK_URI&scope=profile%20email&state=12345678`\n\n#### Step 2: Authorization Callback\n\nReceive code: `YOUR_CALLBACK_URI?code=AUTHORIZATION_CODE&state=12345678`\n\n#### Step 3: Exchange Code for Token\n\n`POST https://clerk.zast.ai/oauth/token` with `application/x-www-form-urlencoded` body: `grant_type=authorization_code`, `code`, `client_id`, `client_secret`, `redirect_uri`.\n\n#### Step 4: Refresh Token\n\n`POST https://clerk.zast.ai/oauth/token` with `grant_type=refresh_token`, `refresh_token`, `client_id`, `client_secret`.\n\n### 3. API Usage\n\nHeader: `Authorization: Bearer `\n\n## Workflow: Creating a Code Scan Task\n\nFollow these steps to programmatically create and run a security scan, mirroring the process in the ZAST.AI User Manual.\n\n### Step 1: Upload Artifacts\nFirst, upload your application's build artifact (e.g., `.jar`, `.war`) and optional source code.\n- **Endpoint**: `POST /oxpecker/api/v1/files/upload`\n- **Action**: Upload your file.\n- **Result**: Save the returned `sha256` hash. You will need this as the `primarySourceCode` when creating the task.\n\n### Step 2: Network Diagnostics (Recommended)\nEnsure that ZAST.AI can access your deployed service URL.\n- **Endpoint**: `POST /oxpecker/api/v1/network-diagnostics`\n- **Action**: Initiate a diagnostic check for your `sandboxHomePageUrl`.\n- **Poll Status**: Use `GET /oxpecker/api/v1/network-diagnostics/{id}/next-stage` to check if the connection is successful.\n\n### Step 3: Domain Ownership Verification\nVerify that you own the domain you intend to scan.\n1. **Get Token**: Call `GET /oxpecker/api/v1/domain-ownership/random-content` to get a verification token.\n2. **Host Token**: Create a file named `zast.txt` with the token content and host it at `https://your-domain.com/.well-known/zast.txt`.\n3. **Verify**: Call `POST /oxpecker/api/v1/domain-ownership/verify` to confirm ownership.\n\n### Step 3.5 (Optional): Configure Authentication using Embedded Browser\nIf your target service requires login, you can use the embedded browser API to capture session information.\n1. **Create Browser**: Call `POST /oxpecker/api/v1/browsers` to initialize a remote browser session.\n2. **Embed**: Use the returned `url` in an `