// api reference
API Reference
SDK methods, REST endpoints, and webhook events. Everything is versioned under v1.
pk_live_…Used in the SDK — safe to include in client-side code
sk_live_…Used for REST API calls — never expose in client code
JavaScript SDK
Works in any web app or React Native project. Auto-captures all uncaught errors once initialized.
Installation
<script src="https://cdn.eazipost.com/v1/sdk.js" data-key="pk_live_YOUR_KEY" async> </script>
npm install @vybesec/sdk # React Native / Expo npm install @vybesec/react-native
Need a full setup guide with platform-specific instructions? See the Documentation page.
Quick start
Call init() once at the very root of your app — before anything renders. All error capture is automatic from that point.
import { init } from "@vybesec/sdk"
init({
key: "pk_live_YOUR_KEY",
platform: "cursor", // personalizes your fix prompts
environment: "production",
})init(config)
Call once at app rootInitializes the SDK and begins automatic error capture. Must be called before your app renders.
init({
key: "pk_live_YOUR_KEY", // required
platform: "cursor", // optional — tailors fix prompts
environment: "production", // optional — default: "production"
sampleRate: 1.0, // optional — default: 1.0 (capture all)
})| Parameter | Type | Required | Description |
|---|---|---|---|
| key | string | Yes | Your public SDK key from the dashboard. Starts with pk_live_. |
| platform | 'lovable' | 'bolt' | 'replit' | 'v0' | 'base44' | 'emergent' | 'tempo' | 'webdraw' | 'wix-vibe' | 'hostinger-ai' | 'databutton' | 'firebase-studio' | 'youware' | 'heyboss' | 'rork' | 'rapidnative' | 'create-expo' | 'cursor' | 'windsurf' | 'trae' | 'kiro' | 'antigravity' | 'jetbrains-ai' | 'github-copilot' | 'augment-code' | 'amazon-q' | 'claude-code' | 'cline' | 'codex' | 'aider' | 'devin' | 'openhands' | 'continue' | 'roocode' | 'goose' | 'open-interpreter' | 'tabby' | 'cody' | 'junie' | 'jules' | 'ampcode' | 'nextjs' | 'react' | 'vue' | 'svelte' | 'sveltekit' | 'nuxt' | 'angular' | 'remix' | 'astro' | 'solid' | 'qwik' | 'gatsby' | 'vanilla' | 'react-native' | 'expo' | 'other' | No | Your tool or framework. Personalizes fix prompt format. Defaults to "other". |
| environment | string | No | Defaults to "production". Set to "development" locally to avoid polluting your dashboard. |
| sampleRate | number | No | 0–1. Default 1.0 (capture 100%). Use 0.5 to sample 50% at high event volume. |
captureError(error, context?)
Manual captureManually send an error with optional key-value context. Use inside try/catch blocks when you want to attach extra information — like an order ID or user state — to the captured error.
try {
await submitOrder(cart)
} catch (err) {
captureError(err, {
userId: currentUser.id,
orderId: cart.id,
total: cart.total.toString(),
})
}| Parameter | Type | Required | Description |
|---|---|---|---|
| error | Error | unknown | Yes | The error object to capture. Pass the raw error from your catch block. |
| context | Record<string, string> | No | Key-value pairs attached to this event. Values must be strings. |
captureMessage(message, level?)
Custom eventsTrack meaningful events that aren't errors — a payment declining, a user hitting a limit, or a slow operation completing. These appear in your issues feed alongside errors.
import { captureMessage } from "@vybesec/sdk"
// Warn when something degrades but doesn't crash
captureMessage("Stripe webhook timeout — retrying", "warning")
// Track unusual but non-critical paths
captureMessage("User exported 10,000+ rows", "info")| Parameter | Type | Required | Description |
|---|---|---|---|
| message | string | Yes | The message to record. |
| level | 'error' | 'warning' | 'info' | No | Severity level. Defaults to "info". |
setUser(user)
User contextLink all subsequent errors to a specific user. Call this after login so your dashboard shows who was affected — not just how many users.
import { setUser } from "@vybesec/sdk"
// After login
setUser({ id: user.id, username: user.displayName })
// After logout — clears user context
setUser(null)| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Your internal user ID. Never use email addresses or other PII — just your database ID. |
| username | string | No | Optional display name shown in the VybeSec dashboard. |
REST API
Server-side API for reading your project data, managing issues, and configuring alerts programmatically.
Base URL
All endpoints are versioned. The current version is v1. Breaking changes will be introduced under a new version, not in-place.
Authentication
All REST API requests require your secret API key as a Bearer token. Get yours from Dashboard → Settings → API keys.
Your sk_live_ key has full read/write access to your account. Never include it in client-side code, public repos, or environment variables that ship to the browser.
# Every request needs this header Authorization: Bearer sk_live_YOUR_SECRET_KEY Content-Type: application/json
curl https://api.vybesec.io/v1/projects \ -H "Authorization: Bearer sk_live_YOUR_SECRET_KEY"
Projects
/v1/projectsList all projects in your account/v1/projectsCreate a new projectReturns the new project and its public SDK key/v1/projects/:idGet a single project by IDIssues
/v1/projects/:id/issuesList issues for a project — paginated, sortable by impactSupports ?status=open|resolved|ignored&limit=50&cursor=/v1/projects/:id/issues/:fpGet a single issue with full AI analysis and fix prompt:fp is the error fingerprint hash/v1/projects/:id/issues/:fpUpdate issue statusBody: { "status": "resolved" | "ignored" | "open" }Analytics
/v1/projects/:id/analyticsError counts, affected users, and trend data for a time rangeSupports ?from=&to= as ISO timestamps/v1/projects/:id/vitalsWeb Vitals (LCP, INP, CLS, FCP, TTFB) — Pro+ onlySecurity
/v1/projects/:id/securitySecurity health score (0–100) and active findingsStarter+ plans. Includes finding type, severity, and fix prompt.Alerts
/v1/projects/:id/alertsList all alert rules for a project/v1/projects/:id/alertsCreate a new alert rule/v1/projects/:id/alerts/:alertIdUpdate an alert rule/v1/projects/:id/alerts/:alertIdDelete an alert ruleWebhooks
Get notified in your own systems the moment something happens in VybeSec.
Events
Subscribe to any of these events in Dashboard → Project → Settings → Webhooks. VybeSec will POST a signed JSON payload to your URL within seconds of the event firing.
issue.newhighissue.resolvedlowissue.regressedhighalert.firedhighsecurity.findinghighdigest.sentlowVerifying signatures
Every webhook request includes an X-VybeSec-Signature header — an HMAC-SHA256 signature of the raw request body, signed with your webhook secret. Always verify it before processing.
// Node.js / Next.js API route example
import crypto from "crypto"
export async function POST(req: Request) {
const rawBody = await req.text()
const signature = req.headers.get("x-vybesec-signature") ?? ""
const secret = process.env.VYBESEC_WEBHOOK_SECRET!
const expected = crypto
.createHmac("sha256", secret)
.update(rawBody)
.digest("hex")
if (signature !== `sha256=${expected}`) {
return new Response("Unauthorized", { status: 401 })
}
const event = JSON.parse(rawBody)
// handle event.type …
return new Response("OK", { status: 200 })
}Payload shape
All webhook payloads share the same envelope. The data field contains event-specific details.
{
"id": "evt_01J…", // unique event ID — use for deduplication
"type": "issue.new", // one of the event types above
"projectId": "proj_01J…",
"orgId": "org_01J…",
"createdAt": "2025-03-18T09:41:00Z",
"data": {
// event-specific payload
// issue.new → { fingerprint, message, severity, affectedUsers }
// alert.fired → { ruleName, threshold, count, windowMs }
// security.finding → { type, severity, fixPrompt }
}
}Webhook deliveries are retried up to 3 times with exponential backoff (30s, 5min, 30min) if your endpoint returns a non-2xx status. After 3 failures the delivery is abandoned and logged in your dashboard.