
API

This section provides additional instructions for using Phylum's Artifact Repository API. The full API is documented on Swagger.

Authentication

The Artifact Repository API expects authentication in the HTTP basic auth format. The username is optional and tells the API which group the request should be made in. The username must be either the group name itself, for standalone groups, or the organization name and group name joined with a /.

The following command builds a valid Authorization header value for the org phylum and group demo, using the API key stored in $PHYLUM_API_KEY:

echo "Basic $(printf '%s' "phylum/demo:$PHYLUM_API_KEY" | base64 | tr -d '\n')"
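The same header construction in Python, as an added example that is not part of Phylum's documentation or client code. It covers the three username forms the text describes: an org/group pair, a standalone group, and no group at all. The API key, org and group values are constructed placeholders, and the behaviour for an omitted username (an empty string before the colon) is an assumption drawn from "the username is optional".

```python
import base64
from typing import Optional


def basic_auth_username(group: Optional[str] = None, org: Optional[str] = None) -> str:
    """Build the basic-auth username that selects the group context.

    - org and group  -> "org/group"   (group that belongs to an organization)
    - group only     -> "group"       (standalone group)
    - neither        -> ""            (assumption: no group context is requested)
    """
    if org and not group:
        raise ValueError("an organization must be combined with a group name")
    if org:
        return f"{org}/{group}"
    return group or ""


def basic_auth_header(api_key: str, group: Optional[str] = None, org: Optional[str] = None) -> str:
    """Return the value for the Authorization header: 'Basic ' + base64(username:api_key)."""
    if ":" in basic_auth_username(group, org):
        # Basic auth separates username and password on the first colon,
        # so a colon in the username would corrupt the credential.
        raise ValueError("group and organization names must not contain ':'")
    credentials = f"{basic_auth_username(group, org)}:{api_key}".encode("utf-8")
    # b64encode never inserts line breaks, unlike the GNU `base64` CLI default.
    return "Basic " + base64.b64encode(credentials).decode("ascii")


if __name__ == "__main__":
    # Constructed placeholder values; replace with a real org, group and API key.
    print(basic_auth_header("secret", group="demo", org="phylum"))
    print(basic_auth_header("secret", group="demo"))
```

Pass the returned string as the Authorization header on each request; the key is never sent in the URL, so it does not end up in proxy or access logs.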

Webhooks

Webhooks will send out notifications whenever a package that was accessed through a repository proxy fails analysis.

Once a webhook is registered, policy violations will be sent to it in the same format as the package check endpoint.

Since these reports contain security advisories, it is important to confirm that they were generated by Phylum and that the endpoint was not called by a third party. To make this possible, every official webhook notification call includes a sha256 query parameter containing the hex encoding of the SHA256-HMAC of the response body, computed with the shared secret provided when the webhook was registered. This checksum must be verified before a webhook event is trusted.
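A receiving-side verifier for that scheme, as an added example that is not Phylum's code. It extracts the sha256 query parameter from the request URL, recomputes HMAC-SHA256 over the raw body bytes with the shared secret, and compares the two in constant time. The secret, hook URL and notification body below are constructed placeholders; the real notification body follows the package check endpoint's format, which this example does not model.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def expected_signature(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body under the shared webhook secret."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_from_url(url: str) -> Optional[str]:
    """Return the single sha256 query parameter, or None if absent or repeated."""
    values = parse_qs(urlsplit(url).query).get("sha256")
    if not values or len(values) != 1:
        return None
    return values[0]


def verify_webhook(secret: bytes, url: str, body: bytes) -> bool:
    """True only if the URL carries a sha256 parameter matching HMAC(secret, body).

    Verify over the raw request bytes, before any JSON parsing: re-serialising
    the parsed body can change whitespace or key order and break the MAC.
    """
    presented = signature_from_url(url)
    if presented is None:
        return False
    try:
        presented_mac = bytes.fromhex(presented)  # accepts upper- or lower-case hex
    except ValueError:
        return False
    if len(presented_mac) != hashlib.sha256().digest_size:
        return False
    expected_mac = hmac.new(secret, body, hashlib.sha256).digest()
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(expected_mac, presented_mac)


def demo() -> dict:
    """Constructed walk-through: one genuine call, one tampered body, one missing MAC."""
    secret = b"constructed-demo-shared-secret"
    hook = "https://hooks.example.invalid/phylum"
    body = b'{"example": "constructed notification body"}'
    sig = expected_signature(secret, body)
    return {
        "genuine": verify_webhook(secret, f"{hook}?sha256={sig}", body),
        "tampered_body": verify_webhook(secret, f"{hook}?sha256={sig}", body + b" "),
        "no_signature": verify_webhook(secret, hook, body),
    }


if __name__ == "__main__":
    print(demo())
```

In a web framework, call verify_webhook with the request's full URL and its raw body and reject the request (for example with a 401) when it returns False, before the body is parsed or any advisory is acted on.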