Partner API · v0.1 · OpenAPI 3.1

QorBOM Partner API reference

One endpoint per concept. Bearer auth. CycloneDX 1.6 and SPDX 3.0.1 output. Five minutes from signup to your first scan.

New: the interactive API reference is auto-generated from the live OpenAPI 3.1 spec — always reflects the deployed surface, with copy-pasteable samples in 8 languages.

Live demo · No signup


Paste any public GitHub repo URL. We'll run a real QorBOM scan and show you the post-quantum readiness summary. No key needed; the demo is limited to one scan per IP per 24 hours, and results are cached for 5 minutes so repeat demos stay snappy.

01

Authentication

Every QorBOM Partner API request except the public health check requires a Bearer API key issued to your partner-tenant account. Apply via the partner application form; we'll mint and email you a sandbox key within two business days.

Key format
qb_live_xxxxxxxxxxxxxxxx_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

live or test · 16-char lookup · 32-char secret

Header
Authorization: Bearer qb_live_…

Same scheme Stripe, OpenAI, and Anthropic use. Drop into any standard HTTP client.

Storage · The plaintext secret is shown to you exactly once, at key creation. Store it in your secrets manager (1Password, HashiCorp Vault, AWS Secrets Manager) immediately. A lost key can be revoked and reissued; the secret bytes cannot be recovered. When you need to reference a key in logs or a support request, quote only the 16-char lookup segment, never the 32-char secret.
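The key layout above, worked through as an added example (not QorBOM's code): a parser for the qb_<live|test>_<lookup>_<secret> shape, a log-safe rendering that keeps only the lookup segment, and a small server-side verifier. The alphanumeric alphabet, the hashed-secret KeyStore design and the Authorization-header helper are assumptions made to illustrate the split-key design and why a lost secret cannot be recovered; they do not describe QorBOM's backend.

```python
"""Parse, redact and verify QorBOM-shaped API keys (added example, not QorBOM's code).

Layout from the reference: qb_<live|test>_<16-char lookup>_<32-char secret>.
The alphabet, the KeyStore design and the header helper are assumptions.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumption: both segments are [A-Za-z0-9]; the page only gives their lengths.
KEY_RE = re.compile(r"^qb_(live|test)_([A-Za-z0-9]{16})_([A-Za-z0-9]{32})$")


@dataclass(frozen=True)
class ApiKey:
    env: str      # "live" or "test"
    lookup: str   # 16-char identifier: safe to log and to quote in support requests
    secret: str   # 32-char secret: never log, never echo back

    @classmethod
    def parse(cls, raw: str) -> "ApiKey":
        m = KEY_RE.match(raw.strip())
        if not m:
            raise ValueError("malformed key: expected qb_<live|test>_<16 chars>_<32 chars>")
        return cls(*m.groups())

    @classmethod
    def from_authorization(cls, header: str) -> "ApiKey":
        """Accept the documented 'Authorization: Bearer qb_...' header value."""
        scheme, _, token = header.strip().partition(" ")
        if scheme.lower() != "bearer" or not token:
            raise ValueError("expected 'Bearer <key>'")
        return cls.parse(token)

    def redacted(self) -> str:
        """Log-safe rendering: environment and lookup id only."""
        return f"qb_{self.env}_{self.lookup}_****"


def _digest(secret: str) -> str:
    # The secret is 32 random characters, so an unsalted SHA-256 is enough: there is
    # nothing for a rainbow table to guess. Password KDFs are for low-entropy input.
    return hashlib.sha256(secret.encode()).hexdigest()


class KeyStore:
    """Assumed server-side store: indexed by lookup id, holding only a digest of the secret.

    Because only the digest is stored, a lost key can be revoked and reissued but its
    secret bytes cannot be recovered, which is the behaviour the storage note describes.
    """

    def __init__(self) -> None:
        self._rows: dict = {}

    def issue(self, env: str) -> str:
        """Mint a key. The returned plaintext is the only copy that will ever exist."""
        if env not in ("live", "test"):
            raise ValueError("env must be 'live' or 'test'")
        lookup = secrets.token_hex(8)     # 16 hex chars
        secret = secrets.token_hex(16)    # 32 hex chars
        self._rows[lookup] = {"env": env, "digest": _digest(secret), "revoked": False}
        return f"qb_{env}_{lookup}_{secret}"

    def revoke(self, lookup: str) -> None:
        self._rows[lookup]["revoked"] = True

    def verify(self, raw: str) -> Optional[str]:
        """Return the lookup id of a valid, unrevoked key, else None (the catalog's 401)."""
        try:
            key = ApiKey.parse(raw)
        except ValueError:
            return None
        row = self._rows.get(key.lookup)
        if row is None or row["revoked"] or row["env"] != key.env:
            return None
        # Constant-time compare so timing does not leak how many digest bytes matched.
        if not hmac.compare_digest(row["digest"], _digest(key.secret)):
            return None
        return key.lookup
```

Partner code only needs ApiKey.parse and redacted(); KeyStore shows the other side of the contract: the lookup segment is an index and is what a reviewer should quote when a key must be identified, while the secret exists in plaintext only in the one-time issue response and in your secrets manager.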

02

Quickstart

Submit a scan, poll for completion, download the BOM. Three requests.

# 1. Submit a scan and capture the returned scan id (needs jq)
SCAN_ID=$(curl -s -X POST "https://qorbom.com/api/v1/cbom/scans" \
  -H "Authorization: Bearer $QORBOM_KEY" \
  -H "Content-Type: application/json" \
  -d '{"repo_url": "https://github.com/octocat/Hello-World"}' | jq -r .id)

# 2. Poll until "status" is "completed" (or "failed");
#    it advances queued → downloading → scanning → completed
curl -s "https://qorbom.com/api/v1/cbom/scans/$SCAN_ID" \
  -H "Authorization: Bearer $QORBOM_KEY"

# 3. Download the CycloneDX BOM (add ?format=spdx for SPDX 3.0.1).
#    --fail keeps a 409 "not completed yet" error body out of bom.json
curl -s --fail "https://qorbom.com/api/v1/cbom/scans/$SCAN_ID/bom.json" \
  -H "Authorization: Bearer $QORBOM_KEY" > bom.json
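The same three requests as a client a partner would run unattended, added here as an example rather than taken from QorBOM's SDK. It follows the status progression and the 409 and 429 rules that the endpoint reference and error catalog below describe. The transport callable and FakeQorBOM (a constructed stand-in for the service, returning shapes consistent with this page) are assumptions so the block runs offline; for real use pass a transport built on urllib or requests that returns (status, headers, body_text).

```python
"""Partner API client: submit, poll, download (added example, not QorBOM's SDK).

Transport is injectable; FakeQorBOM is a constructed stand-in so the flow runs offline.
"""
import json
import re
import time
from urllib.parse import urlencode

BASE = "https://qorbom.com/api/v1/cbom"
IN_FLIGHT = ("queued", "downloading", "scanning")   # documented progression, in order
TERMINAL = ("completed", "failed")


class ApiError(Exception):
    """Any documented 4xx/5xx; `detail` is the server's single human-readable field."""
    def __init__(self, status, detail, trace_id=None):
        super().__init__(f"HTTP {status}: {detail}")
        self.status, self.detail, self.trace_id = status, detail, trace_id


class Client:
    def __init__(self, api_key, transport, sleep=time.sleep):
        self.key, self.transport, self.sleep = api_key, transport, sleep

    def _call(self, method, path, body=None, params=None, max_429=5):
        """One request; honours Retry-After on 429, raises ApiError on any other 4xx/5xx."""
        url = BASE + path + ("?" + urlencode(params) if params else "")
        headers = {"Authorization": f"Bearer {self.key}"}
        if body is not None:
            headers["Content-Type"] = "application/json"
        payload = None if body is None else json.dumps(body)
        for _ in range(max_429 + 1):
            status, resp_headers, text = self.transport(method, url, headers, payload)
            if status == 429:
                self.sleep(float(resp_headers.get("Retry-After", "1")))
                continue
            if status >= 400:
                detail = json.loads(text).get("detail", text) if text else ""
                raise ApiError(status, detail, resp_headers.get("x-trace-id"))
            return json.loads(text)
        raise ApiError(429, f"still rate limited after {max_429} retries")

    def submit(self, repo_url, **optional):       # optional: project_name, project_version
        return self._call("POST", "/scans", {"repo_url": repo_url, **optional})["id"]

    def wait(self, scan_id, interval=2.0, max_polls=300):
        """Poll until a terminal status; asking for the BOM before that is a guaranteed 409."""
        for _ in range(max_polls):
            scan = self._call("GET", f"/scans/{scan_id}")
            if scan["status"] in TERMINAL:
                return scan
            self.sleep(interval)
        raise TimeoutError(f"{scan_id} not terminal after {max_polls} polls")

    def bom(self, scan_id, fmt="cyclonedx"):
        return self._call("GET", f"/scans/{scan_id}/bom.json", params={"format": fmt})

    def scan_repo(self, repo_url, fmt="cyclonedx"):
        scan_id = self.submit(repo_url)
        scan = self.wait(scan_id)
        if scan["status"] == "failed":
            raise RuntimeError(f"scan {scan_id} failed; no BOM will be produced")
        return scan, self.bom(scan_id, fmt)


def _error(code, detail, **headers):
    return code, headers, json.dumps({"detail": detail})


class FakeQorBOM:
    """Constructed stand-in: checks the Bearer key, walks each scan one documented status per
    poll, answers 409 for early BOM downloads, and throttles the first POST with 429."""
    PATH = re.compile(r"^/scans/(cbom_[0-9a-f]{16})(/bom\.json)?(?:\?format=(\w+))?$")

    def __init__(self, api_key, throttle_first=True):
        self.api_key, self.throttle, self.scans = api_key, throttle_first, {}

    def __call__(self, method, url, headers, payload):
        if headers.get("Authorization") != f"Bearer {self.api_key}":
            return _error(401, "missing, malformed, unknown or revoked API key")
        path = url[len(BASE):]
        if method == "POST" and path == "/scans":
            if self.throttle:
                self.throttle = False
                return _error(429, "per-tenant ceiling exceeded", **{"Retry-After": "3"})
            scan_id = f"cbom_{len(self.scans):016x}"
            self.scans[scan_id] = 0                      # index into IN_FLIGHT
            return 201, {}, json.dumps({"id": scan_id, "status": "queued"})
        m = self.PATH.match(path)
        if not m or m.group(1) not in self.scans:
            return _error(404, "scan does not exist or belongs to a different tenant")
        scan_id, want_bom, fmt = m.groups()
        step = self.scans[scan_id]
        status = IN_FLIGHT[step] if step < len(IN_FLIGHT) else "completed"
        if want_bom:
            if status != "completed":
                return _error(409, f"scan is {status}, not completed")
            spdx = {"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld"}
            return 200, {}, json.dumps(spdx if fmt == "spdx" else {"bomFormat": "CycloneDX", "specVersion": "1.6"})
        self.scans[scan_id] = step + 1                   # advance one stage per poll
        return 200, {}, json.dumps({"id": scan_id, "status": status})
```

The points worth copying: never request bom.json before a poll has returned completed (you will only get a 409), sleep for the server's Retry-After rather than a fixed interval on 429, treat failed as terminal, and keep the x-trace-id from any 500 for the support request.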

03

Endpoints

Five endpoints. Health is public; everything else requires Authorization: Bearer qb_….

GET /api/v1/cbom/health · Public

Service health + spec versions advertised

Public endpoint — handy for sanity-checking your network reach before adding the API key.

POST /api/v1/cbom/scans · Auth required

Enqueue a CBOM scan for a public GitHub repo

Request body
{
  "repo_url":        "https://github.com/owner/repo",
  "project_name":    "my-project",        // optional
  "project_version": "1.2.3"              // optional, defaults to "1.0.0"
}
201 response
{
  "id":                  "cbom_a1b2c3d4e5f6g7h8",
  "status":              "queued",
  "tenant_id":           "tnt_...",
  "tenant_kind":         "partner",
  "methodology_version": "qortrace-cbom-method-v0.1"
}
GET /api/v1/cbom/scans?limit=50 · Auth required

List your tenant's recent scans (most recent first)

200 response
{
  "scans": [ { "id": "cbom_...", "status": "completed", "score": 78, ... } ],
  "count": 4
}
GET /api/v1/cbom/scans/{scan_id} · Auth required

Retrieve a scan's status, findings summary, and metadata

Status progresses queued → downloading → scanning → completed (or failed). The findings and components arrays are included; BOMs are not (use bom.json for those).

GET /api/v1/cbom/scans/{scan_id}/bom.json?format=cyclonedx · Auth required

Download the CycloneDX 1.6 or SPDX 3.0.1 BOM

Pass ?format=spdx for SPDX 3.0.1 output; CycloneDX 1.6 is the default. Returns 409 until status is completed.

04

Error catalog

Every error response is JSON with a single detail field describing the cause in human-readable form.

Status  Reason         When
400     Bad request    Validation error in body — see detail.
401     Unauthorized   Missing, malformed, unknown, or revoked API key.
403     Forbidden      API key lacks the required scope.
404     Not found      Scan does not exist or belongs to a different tenant.
409     Conflict       BOM requested before the scan reached `completed`.
429     Rate limited   Per-tenant ceiling exceeded — retry after `Retry-After` seconds.
500     Internal       Unexpected error — please report to partners@qortrace.com with the response's `x-trace-id` header.

05

BOM schemas

Both outputs are produced from a single scan. Use whichever format your downstream tooling consumes — many compliance systems accept either, some require both.

CycloneDX 1.6

OWASP standard. Native cryptographic-asset components with cryptoProperties and a NIST Quantum Security Level (an integer 0-6 in the 1.6 schema).

SPDX 3.0.1

Linux Foundation standard. JSON-LD with security_CryptographicAsset elements and explicit Relationships from the root to its dependencies.

Methodology pin · Every BOM emitted carries qortrace_methodology_version plus a SHA-256 over the canonical-sorted JSON, so your reviewers can recompute the digest, confirm which methodology produced the BOM, and detect any drift between scans.
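A reader-side check of the two guarantees above, added as an example (not QorBOM's tooling): list the cryptographic-asset components of a CycloneDX 1.6 BOM with their nistQuantumSecurityLevel, and recompute the methodology digest. The component shape is CycloneDX 1.6. qortrace_methodology_version is the property name from this page; the digest property name (qortrace_bom_sha256), the placement of both in metadata.properties, and the canonical form (sorted keys, no whitespace, UTF-8) are assumptions to confirm against a real download before relying on the check. SAMPLE_BOM is constructed, and pin() stands in for the emitter so the block is self-contained.

```python
"""Read a CycloneDX 1.6 CBOM and check its methodology pin (added example, not QorBOM's code).

Property names, their placement in metadata.properties and the canonical form are assumptions.
"""
import copy
import hashlib
import hmac
import json

PIN_VERSION = "qortrace_methodology_version"     # name from the page
PIN_DIGEST = "qortrace_bom_sha256"               # assumed name for the SHA-256 property


def _algo(name, primitive, params, level):
    """A CycloneDX 1.6 algorithm asset; `primitive` values are from the 1.6 enum."""
    return {"type": "cryptographic-asset", "name": name,
            "bom-ref": f"crypto/algorithm/{name.lower()}",
            "cryptoProperties": {"assetType": "algorithm",
                                 "algorithmProperties": {"primitive": primitive,
                                                         "parameterSetIdentifier": params,
                                                         "nistQuantumSecurityLevel": level}}}


SAMPLE_BOM = {   # constructed, not a real scan result
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "metadata": {"component": {"type": "application", "name": "Hello-World", "version": "1.0.0"}},
    "components": [
        _algo("RSA-2048", "pke", "2048", 0),      # classical public-key: no PQ category claimed
        _algo("AES-128-GCM", "ae", "128", 1),
        _algo("ML-KEM-768", "kem", "768", 3),
        {"type": "library", "name": "openssl", "version": "3.0.13"},
    ],
}


def crypto_assets(bom):
    """{name: nistQuantumSecurityLevel} for every algorithm asset; None if the level is absent."""
    out = {}
    for c in bom.get("components", []):
        if c.get("type") != "cryptographic-asset":
            continue
        props = c.get("cryptoProperties", {})
        if props.get("assetType") == "algorithm":
            out[c["name"]] = props.get("algorithmProperties", {}).get("nistQuantumSecurityLevel")
    return out


def needs_migration(bom):
    """Algorithm assets with level 0 (no quantum security category claimed) or no level at all."""
    return sorted(n for n, lvl in crypto_assets(bom).items() if not lvl)


def canonical(bom):
    """Assumed canonical form: sorted keys, no whitespace, UTF-8."""
    return json.dumps(bom, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def _properties(bom):
    return bom.setdefault("metadata", {}).setdefault("properties", [])


def pin(bom, methodology_version):
    """What an emitter would do: record the version, then hash everything except the digest itself."""
    bom = copy.deepcopy(bom)
    props = [p for p in _properties(bom) if p["name"] not in (PIN_VERSION, PIN_DIGEST)]
    props.append({"name": PIN_VERSION, "value": methodology_version})
    bom["metadata"]["properties"] = props
    props.append({"name": PIN_DIGEST, "value": hashlib.sha256(canonical(bom)).hexdigest()})
    return bom


def verify_pin(bom):
    """Return (methodology_version, digest_matches). Unpinned BOMs give (None, False)."""
    props = {p["name"]: p["value"] for p in bom.get("metadata", {}).get("properties", [])}
    if PIN_VERSION not in props or PIN_DIGEST not in props:
        return None, False
    unpinned = copy.deepcopy(bom)
    unpinned["metadata"]["properties"] = [p for p in _properties(unpinned) if p["name"] != PIN_DIGEST]
    expected = hashlib.sha256(canonical(unpinned)).hexdigest()
    return props[PIN_VERSION], hmac.compare_digest(expected, props[PIN_DIGEST])
```

Run verify_pin on every BOM you archive and fail the pipeline when the digest does not match or the version differs from the one your review accepted; that is what turns the pin into a drift detector rather than a label.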

Why developers can trust this surface

The platform's compliance posture.

Every QorBOM™ scan output maps to a verifiable spec or regulation. Procurement-ready from day one.