Corridor exposes a REST API that you can use to integrate with CI/CD pipelines, custom dashboards, or other tools. All endpoints are available via API tokens.
Authentication
Include your API token in the Authorization header:
```bash
curl -H "Authorization: Bearer cor_your_token_here" \
  https://app.corridor.dev/api/teams
```
You can generate API tokens from Profile > API Tokens in the Corridor dashboard. Tokens use the cor_ prefix and have the same access as the user who created them.
API tokens cannot perform admin operations. Those require a standard user session.
Base URL
https://app.corridor.dev/api
All paths below are relative to this base URL.
Findings
Retrieve and manage security findings across your projects.
Search findings
GET /findings/search
| Parameter | Type | Required | Description |
|---|---|---|---|
| teamId | string | Yes | Team ID to search within |
| search | string | No | Search term (matches title, file path, or CWE) |
| state | string | No | Filter by state: open, closed, or potential |
| limit | number | No | Max results (default 10, max 50) |
```bash
curl -H "Authorization: Bearer cor_..." \
  "https://app.corridor.dev/api/findings/search?teamId=TEAM_ID&state=open&limit=20"
```
Response:
```json
[
  {
    "id": "finding-uuid",
    "title": "SQL Injection in userController.ts",
    "affectedFile": "src/controllers/userController.ts",
    "cwe": "CWE-89",
    "severity": "critical",
    "state": "open",
    "createdAt": "2025-01-15T10:30:00Z",
    "projectId": "project-uuid",
    "projectName": "my-app"
  }
]
```
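A CI gate built on the search endpoint above, added here as an example (not Corridor's own client code): it fetches open findings for a team and fails the pipeline when any finding is at or above a severity threshold. The token and team ID are read from assumed environment variable names (CORRIDOR_TOKEN, CORRIDOR_TEAM_ID, CORRIDOR_FAIL_ON), and SAMPLE_FINDINGS is constructed data in the shape of the documented response.

```python
import json
import os
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlencode

BASE_URL = "https://app.corridor.dev/api"
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample shaped like the page's /findings/search response (not real data).
SAMPLE_FINDINGS = [
    {"id": "f-1", "title": "SQL Injection in userController.ts", "severity": "critical",
     "state": "open", "affectedFile": "src/controllers/userController.ts", "cwe": "CWE-89"},
    {"id": "f-2", "title": "Verbose stack trace in error page", "severity": "low",
     "state": "open", "affectedFile": "src/app.ts", "cwe": "CWE-209"},
    {"id": "f-3", "title": "Hardcoded database password", "severity": "high",
     "state": "open", "affectedFile": "src/db.ts", "cwe": "CWE-798"},
]

def search_open_findings(token, team_id, limit=50):
    """GET /findings/search with state=open; the API caps limit at 50."""
    query = urlencode({"teamId": team_id, "state": "open", "limit": min(limit, 50)})
    req = urllib.request.Request(f"{BASE_URL}/findings/search?{query}",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except HTTPError as err:
        # 401/403: token or permission problem; 429: rate limited, back off before retrying.
        raise RuntimeError(f"Corridor API returned {err.code}: {err.read().decode(errors='replace')}") from err

def blocking_findings(findings, threshold="high"):
    """Open findings at or above the severity threshold, most severe first."""
    floor = SEVERITY_RANK[threshold]
    hits = [f for f in findings
            if f.get("state") == "open" and SEVERITY_RANK.get(f.get("severity"), -1) >= floor]
    return sorted(hits, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)

def main():
    # CORRIDOR_TOKEN / CORRIDOR_TEAM_ID / CORRIDOR_FAIL_ON are assumed env var names for the pipeline.
    token = os.environ["CORRIDOR_TOKEN"]
    findings = search_open_findings(token, os.environ["CORRIDOR_TEAM_ID"])
    blockers = blocking_findings(findings, os.environ.get("CORRIDOR_FAIL_ON", "high"))
    for f in blockers:
        print(f"{f['severity']:>8}  {f['cwe']}  {f['affectedFile']}  {f['title']}")
    raise SystemExit(1 if blockers else 0)

if __name__ == "__main__":
    main()
```

Because the search endpoint has no offset parameter and caps limit at 50, a team with more than 50 open findings should narrow the query (for example by search term) or use the project findings endpoint per project.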
Get finding
GET /findings/:id
Returns the full finding with related project, rule, scan, and PR review data.
```bash
curl -H "Authorization: Bearer cor_..." \
  https://app.corridor.dev/api/findings/FINDING_ID
```
Update finding
PUT /findings/:id
| Field | Type | Description |
|---|---|---|
| state | string | open or closed |
| closedReason | string | Reason for closing |
| closedReasonCategory | string | false_positive, risk_accepted, vulnerability_fixed, or other |
| severity | string | critical, high, medium, or low |
| title | string | Updated title |
| description | string | Updated description |
| cwe | string | CWE identifier |
| affectedFile | string | File path |
All fields are optional. Include only the fields you want to update.
```bash
curl -X PUT -H "Authorization: Bearer cor_..." \
  -H "Content-Type: application/json" \
  -d '{"state": "closed", "closedReasonCategory": "false_positive", "closedReason": "Not exploitable in this context"}' \
  https://app.corridor.dev/api/findings/FINDING_ID
```
Delete finding
Guardrails
Guardrails are security rules that Corridor enforces during code reviews and real-time analysis. They are managed per-project as “reports.”
List guardrails for a project
GET /projects/:id/reports
Returns all guardrails (reports) and rulesets attached to a project.
```bash
curl -H "Authorization: Bearer cor_..." \
  https://app.corridor.dev/api/projects/PROJECT_ID/reports
```
Response:
```json
{
  "reports": [
    {
      "id": "report-uuid",
      "name": "SQL Injection Prevention",
      "guardrail": "Never use string concatenation for SQL queries...",
      "type": "guardrail",
      "createdAt": "2025-01-10T08:00:00Z"
    }
  ],
  "ruleset": []
}
```
Create a guardrail
POST /projects/:id/reports
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Guardrail name |
| guardrail | string | Yes | The guardrail rule text |
| type | string | No | guardrail (default) or context |
```bash
curl -X POST -H "Authorization: Bearer cor_..." \
  -H "Content-Type: application/json" \
  -d '{"name": "No hardcoded secrets", "guardrail": "Never commit API keys, passwords, or secrets directly in source code. Use environment variables or a secrets manager."}' \
  https://app.corridor.dev/api/projects/PROJECT_ID/reports
```
Generate a guardrail with AI
POST /projects/:id/guardrails/generate
| Field | Type | Required | Description |
|---|---|---|---|
| description | string | Yes | Plain-language description of the guardrail (max 1000 characters) |
Returns a taskId you can use to track generation progress.
```bash
curl -X POST -H "Authorization: Bearer cor_..." \
  -H "Content-Type: application/json" \
  -d '{"description": "Prevent use of eval() and similar dynamic code execution functions"}' \
  https://app.corridor.dev/api/projects/PROJECT_ID/guardrails/generate
```
Update a guardrail
PUT /projects/:id/reports/:reportId
| Field | Type | Description |
|---|---|---|
| name | string | Updated name |
| guardrail | string | Updated rule text |
| type | string | guardrail or context |
Delete a guardrail
DELETE /projects/:id/reports/:reportId
List guardrail packs
Returns the security packs (curated guardrail collections) attached to a project.
PR Reviews
Access pull request review results and AI analysis.
List PR reviews
GET /teams/:id/pr-reviews
| Parameter | Type | Description |
|---|---|---|
| limit | number | Max results |
| offset | number | Pagination offset |
| type | string | Filter by review type |
| sortBy | string | Sort field |
| sortOrder | string | ASC or DESC |
```bash
curl -H "Authorization: Bearer cor_..." \
  "https://app.corridor.dev/api/teams/TEAM_ID/pr-reviews?limit=10&sortOrder=DESC"
```
Response:
```json
{
  "data": [
    {
      "id": "pr-review-uuid",
      "title": "SQL Injection in userController.ts",
      "severity": "high",
      "state": "open",
      "affectedFile": "src/controllers/userController.ts",
      "createdAt": "2025-01-15T10:30:00Z",
      "cwe": "CWE-89",
      "prReview": { "id": "...", "github_pr_id": 123 },
      "project": { "id": "...", "name": "my-app" }
    }
  ],
  "pagination": {
    "page": 1,
    "limit": 10,
    "total": 42,
    "totalPages": 5,
    "hasNext": true,
    "hasPrev": false
  }
}
```
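Walking the pagination envelope shown above, as an added example that is not part of Corridor's documentation: the iterator advances offset by limit until hasNext is false, and stops early on an empty page so a wrong hasNext cannot loop forever. The HTTP fetcher is injected by the caller (a real one sends the same Authorization: Bearer request as the curl above); FAKE_REVIEWS and fake_fetch_page are a constructed in-memory stand-in for the endpoint.

```python
from typing import Callable, Iterator

PAGE_SIZE = 10  # the page's example request uses limit=10

def iterate_pr_reviews(fetch_page: Callable[[int, int], dict],
                       limit: int = PAGE_SIZE) -> Iterator[dict]:
    """Yield every item from GET /teams/:id/pr-reviews by following the pagination envelope.
    fetch_page(limit, offset) returns one parsed JSON page; offset advances by limit each call."""
    offset = 0
    while True:
        body = fetch_page(limit, offset)
        items = body.get("data", [])
        yield from items
        if not items or not body.get("pagination", {}).get("hasNext"):
            return  # last page, or an empty page (guards against a server that misreports hasNext)
        offset += limit

# Constructed in-memory stand-in for the endpoint: 23 reviews served in the page's envelope shape.
FAKE_REVIEWS = [{"id": f"pr-review-{n}", "severity": "high", "state": "open"} for n in range(23)]

def fake_fetch_page(limit: int, offset: int) -> dict:
    total = len(FAKE_REVIEWS)
    return {"data": FAKE_REVIEWS[offset:offset + limit],
            "pagination": {"page": offset // limit + 1, "limit": limit, "total": total,
                           "totalPages": -(-total // limit),
                           "hasNext": offset + limit < total, "hasPrev": offset > 0}}

def count_open_high(fetch_page: Callable[[int, int], dict]) -> int:
    """Example consumer: count open reviews of severity high or critical across all pages."""
    return sum(1 for r in iterate_pr_reviews(fetch_page)
               if r.get("state") == "open" and r.get("severity") in ("high", "critical"))
```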
Get PR review
GET /teams/:id/pr-reviews/:prReviewId
Returns the full PR review including comments, findings, and metadata.
List PR review findings
GET /teams/:id/pr-review-findings
| Parameter | Type | Description |
|---|---|---|
| prReviewId | string | Filter by specific PR review |
| limit | number | Max results |
| offset | number | Pagination offset |
Team Settings
Manage team configuration, members, and preferences.
List teams
Returns all teams the authenticated user belongs to.
Get team
Get team permissions
GET /teams/:id/permissions
Returns the current user’s role and permissions for the team.
Invite a user
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | Email address to invite |
| role | string | No | admin or member (default) |
Remove a user
DELETE /teams/:teamId/users/:userId
Dashboard & Analytics
Access dashboard metrics and AI usage data.
Get dashboard data
GET /teams/:id/dashboard-data
Returns aggregated security metrics including findings by severity, trends over time, and top projects.
```bash
curl -H "Authorization: Bearer cor_..." \
  https://app.corridor.dev/api/teams/TEAM_ID/dashboard-data
```
List LLM requests
GET /teams/:id/list-requests
Returns a summary of AI/LLM requests made across the team, useful for tracking AI usage and compliance.
Get guardrail invocations
GET /teams/:id/guardrail-invocations-staging
| Parameter | Type | Required | Description |
|---|---|---|---|
| reportId | string | Yes | Guardrail report ID to get invocations for |
| period | string | No | Time period (default 7d) |
| projectId | string | No | Filter by project |
| limit | number | No | Max results (default 15) |
| offset | number | No | Pagination offset |
Returns data on which guardrails were triggered during real-time code analysis (hook events and security checks).
Get stop hook invocations
GET /teams/:id/stop-hook-invocations
Returns instances where Corridor’s hooks blocked an action (e.g., prevented an insecure code pattern from being applied).
Log extension data
The primary endpoint used by IDE extensions to send code analysis data to Corridor. Accepts a request body with a type field that determines processing:
| Type | Description |
|---|---|
| hook-event | Real-time hook events from IDE extensions |
| async-security-check | Asynchronous security analysis of code edits |
| fetch-security-results | Retrieve cached security analysis results |
| mcp-detection | Report detected MCP servers |
| compliance-data | Submit compliance telemetry |
This endpoint is primarily used by the Corridor IDE extension. You typically don’t need to call it directly unless you’re building a custom integration.
Projects
List projects
| Parameter | Type | Required | Description |
|---|---|---|---|
| teamId | string | Yes | Team ID to list projects for |
Returns all projects for the specified team.
Get project
Get project findings
GET /projects/:id/findings
Returns all findings for a specific project.
Error handling
All endpoints return standard HTTP status codes:
| Status | Meaning |
|---|---|
| 200 | Success |
| 400 | Bad request — check your parameters |
| 401 | Unauthorized — invalid or missing token |
| 403 | Forbidden — insufficient permissions |
| 404 | Not found |
| 500 | Server error |
Error responses include a JSON body:
```json
{
  "error": "Description of what went wrong"
}
```
Rate limits
API tokens are subject to rate limiting. If you receive a 429 response, wait before retrying.
Next steps