HackerSavannaWelcome to the HackerSavanna API. This reference documents every public, authenticated, security, and internal endpoint available on our platform, alongside a complete overview of platform features, data models, and account types. All endpoints return JSON (unless otherwise specified) and use standard HTTP response codes.
https://hackersavanna.com/apiapplication/jsonHackerSavanna is a comprehensive bug bounty and vulnerability disclosure platform connecting security researchers with organizations. The platform supports three primary user roles, each with distinct capabilities, workflows, and data access patterns.
Individual security researchers who discover and report vulnerabilities. Each researcher has a public profile, reputation score, rank, trust level, skills, specializations, and verification badges.
Features: program browsing, report submission, bounty tracking, reputation history, KYC verification, profile privacy controls, researcher following, out-of-office mode, VPN access requests, retest participation, achievement unlocking, referral system.
Organizations that run bug bounty programs. Companies create programs, define scope and bounty matrices, triage submissions, manage team roles, and process payouts from a platform wallet.
Features: program creation/management, asset inventory & verification, team invitations (admin/triage/read-only), SLA configuration, safe harbor policies, researcher restrictions (allowlist/denylist/geographic), NDA workflows, bug bashes, analytics & industry benchmarks, integrations (Slack, Jira, GitHub, PagerDuty, etc.), wallet top-ups via Paystack, disclosure coordination.
Platform operators with full system access. Admins oversee user management, KYC review, program approval, security monitoring, mediation of disputes, and platform configuration.
Features: user suspension/banning, KYC approval, program approval/rejection, security audit logs, canary token management, honeypot event monitoring, mediation resolution, backup orchestration, scheduled job monitoring, email delivery tracking, legal hold management, data retention policy enforcement.
Vulnerability reports are the central unit of work. A report flows through a lifecycle from Draft to Open to Triaged to Resolved or Closed. Reports include CVSS vectors, CWE IDs, impact assessments, attack chain visualizations, environment info, HTTP captures, and quality assessments.
Companies can request retests, invite external consultants, configure approval workflows, manage duplicates, assign to team members, and escalate critical issues. Researchers receive bounty payouts and reputation changes upon resolution.
Bug bounty programs define the rules of engagement. Each program has a scope (in-scope and out-of-scope assets), bounty matrix by asset type, visibility (public/private), seasonal windows, and optional NDA requirements.
Programs support researcher restriction modes (open, allowlist_only, denylist_only), geographic restrictions, auto-acknowledgment, custom SLA configurations, safe harbor templates, and program versioning with full audit history.
Companies top up a platform wallet via Paystack integration. Bounties are awarded to researchers from this wallet. All transactions are tracked with idempotency keys and audit logging.
Webhook endpoints process charge.success events from Paystack with HMAC signature verification, replay protection via nonce reservation, and idempotent wallet crediting.
Multi-channel notification system supports in-app, email, push, Slack, Teams, Discord, webhooks, and PagerDuty. Users configure per-type preferences, quiet hours, timezone offsets, and digest modes (daily/weekly).
Scheduled digest jobs aggregate unread notifications and deliver them based on user preferences. One-click unsubscribe links support per-category opt-outs.
The platform implements multiple defensive layers: CSP violation reporting, canary tokens for URL leak detection, honeypot endpoints for scanner detection, signed API requests with HMAC-SHA256, replay protection via nonce/timestamp validation, idempotency keys for critical operations, session cookie sealing, rate limiting, and comprehensive security audit logging.
Account security features include two-factor authentication (2FA), passkey support, email verification, account suspension with expiry, legal holds, and configurable data retention policies (minimum/standard/extended). All legal documents (terms, privacy, disclosure guidelines, cookies) are versioned with explicit acceptance tracking.
The platform supports three primary account roles, each with distinct capabilities and data access patterns. All roles share common features such as notification preferences, 2FA, passkeys, and session management.
Individual security researchers who discover and report vulnerabilities. Researchers build reputation through valid submissions, receive bounty payouts, and can unlock achievements and leaderboard rankings.
Permissions: submit reports, manage profile, browse programs, track payments, request VPN access, participate in retests, publish writeups, collaborate in groups.
Organizations that run bug bounty programs. Companies manage program scope, triage submissions, coordinate payouts from a platform wallet, and configure integrations.
Permissions: create/manage programs, manage assets & verification, team invitations, SLA config, safe harbor, researcher restrictions, wallet top-ups, analytics, knowledge base.
Platform operators with full system access. Admins oversee user management, KYC review, program approval, security monitoring, mediation, and platform configuration.
Permissions: all user/company operations, KYC approval, program oversight, report admin, payment admin, security ops, content moderation, platform config, eDiscovery, collections.
HackerSavanna uses Google Cloud Firestore as its primary database. Below are the core collections and their key fields. Timestamps are stored as Firestore Timestamp or ISO 8601 strings depending on the context.
Core user accounts for researchers, companies, and admins. Role field distinguishes account type.
| Field | Type | Description |
|---|---|---|
| uid | string | Firebase Auth UID (primary key) |
| string | Verified email address | |
| name | string | Display name |
| role | string | researcher | company | admin |
| reputation | number | Researcher reputation score |
| rank | string | Researcher rank title |
| trustLevel | string | Trust tier (e.g., trusted, verified) |
| companySize | string | Company account size category |
| industry | string | Company industry vertical |
| walletBalance | number | Company wallet balance (cents) |
| isProfilePrivate | boolean | Researcher profile privacy toggle |
| kycStatus | string | none | pending | approved | rejected |
| createdAt | timestamp | Account creation timestamp |
| updatedAt | timestamp | Last update timestamp |
Bug bounty program definitions including scope, bounty matrix, policies, and restrictions.
| Field | Type | Description |
|---|---|---|
| id | string | Unique program identifier |
| companyId | string | Owning company UID |
| name | string | Program name |
| slug | string | URL-safe program slug |
| description | string | Program description |
| visibility | string | public | private | invite_only |
| status | string | active | paused | archived | pending_approval |
| scope | array | In-scope asset definitions |
| outOfScope | array | Out-of-scope asset definitions |
| bountyMatrix | map | Bounty amounts by severity and asset type |
| safeHarborTemplate | string | Selected safe harbor policy template |
| ndaRequired | boolean | Whether NDA is required |
| restrictionMode | string | open | allowlist_only | denylist_only |
| createdAt | timestamp | Creation timestamp |
| updatedAt | timestamp | Last update timestamp |
Vulnerability reports with full lifecycle metadata, CVSS scoring, bounty data, and disclosure status.
| Field | Type | Description |
|---|---|---|
| id | string | Unique report identifier |
| programId | string | Target program ID |
| submittedById | string | Researcher UID |
| title | string | Report title |
| description | string | Vulnerability description (rich text) |
| severity | string | Critical | High | Medium | Low | Informational |
| cvssVector | string | CVSS v3 vector string |
| cvssScore | number | Calculated CVSS base score |
| cweId | string | CWE identifier |
| weakness | string | Weakness name |
| status | string | Draft | Open | Triaged | Resolved | Closed |
| bountyAmount | number | Awarded bounty in cents |
| isDisclosed | boolean | Whether report is publicly disclosed |
| disclosure | map | Disclosure metadata and scheduling |
| attachments | array | File attachment metadata |
| messages | array | Triage discussion messages |
| submittedAt | timestamp | Submission timestamp |
| updatedAt | timestamp | Last update timestamp |
Company asset inventory with verification status, asset type, and ownership proofs.
| Field | Type | Description |
|---|---|---|
| id | string | Asset identifier |
| companyId | string | Owning company UID |
| name | string | Asset display name |
| type | string | domain | url | api | mobile | ip_range | source_code |
| value | string | Asset value (URL, domain, etc.) |
| verificationStatus | string | pending | verified | failed |
| verifiedAt | timestamp | Verification completion timestamp |
| createdAt | timestamp | Creation timestamp |
Financial transactions for wallet top-ups and bounty payouts with idempotency tracking.
| Field | Type | Description |
|---|---|---|
| id | string | Transaction identifier |
| companyId | string | Company UID (for top-ups) |
| researcherId | string | Researcher UID (for payouts) |
| type | string | topup | bounty | refund | adjustment |
| amount | number | Amount in cents |
| currency | string | ISO currency code (default ZAR) |
| status | string | pending | completed | failed |
| reference | string | External payment processor reference |
| createdAt | timestamp | Transaction timestamp |
In-app notifications stored per-user as a subcollection of users.
| Field | Type | Description |
|---|---|---|
| id | string | Notification document ID |
| userId | string | Recipient UID |
| type | string | Notification category type |
| title | string | Notification title |
| description | string | Notification body |
| link | string | Deep link target path |
| isRead | boolean | Read status |
| createdAt | timestamp | Creation timestamp |
Blog posts with publishing workflow, scheduling, and content moderation.
| Field | Type | Description |
|---|---|---|
| id | string | Post identifier |
| title | string | Post title |
| slug | string | URL-safe slug |
| content | string | Markdown/HTML content |
| excerpt | string | Short excerpt for listings |
| status | string | draft | scheduled | published | archived |
| authorId | string | Author user ID |
| categories | array | Category tags |
| featuredImage | string | Featured image URL |
| publishedAt | timestamp | Publication timestamp |
| scheduledAt | timestamp | Scheduled publication time |
| createdAt | timestamp | Creation timestamp |
Immutable version snapshots of program definitions for audit and rollback.
| Field | Type | Description |
|---|---|---|
| id | string | Version document ID |
| programId | string | Parent program ID |
| companyId | string | Owning company UID |
| actorUserId | string | User who made the change |
| version | number | Sequential version number |
| reason | string | created | updated |
| snapshot | map | Full program and policy snapshot |
| createdAt | timestamp | Snapshot timestamp |
Platform API endpoints use multiple authentication mechanisms depending on the endpoint type and sensitivity.
Authenticated endpoints (such as /api/v1/analytics/program/:programId) expect a sealed session cookie named session passed automatically by the browser after login. The session is verified server-side against a session registry in Firestore.
Used by: Analytics, internal dashboard requests, researcher/company actions.
Future v1 endpoints will accept an Authorization: Bearer <token> header using HMAC-SHA256 request signatures with a nonce and timestamp for replay protection.
curl "/api/v1/reports" \
-H "Authorization: Bearer YOUR_API_KEY"
Note: API key support is planned but not yet active. The /api/v1/reports endpoint currently returns 501.
Internal automation endpoints (scheduled publish, backup, analytics email, notification digest) require a shared secret passed via Authorization: Bearer <secret> or X-Cron-Secret header. Secrets are compared using constant-time equality to prevent timing attacks.
Used by: Cloud Scheduler, backup jobs, disclosure publication.
Third-party webhooks (e.g., Paystack) are authenticated via provider-specific signature headers. Paystack uses HMAC-SHA512 with the secret key. Payloads are verified before processing, with timestamp freshness checks and replay detection.
Used by: Paystack payment webhooks.
Public endpoints are subject to reasonable rate limits to ensure platform stability. Authenticated endpoints may have stricter limits based on your account tier.
If you exceed the rate limit, you will receive a 429 Too Many Requests response.
X-RateLimit-Limit The max requests per window.X-RateLimit-Remaining Requests remaining in the window.X-RateLimit-Reset Time (UTC epoch seconds) of reset.HackerSavanna uses conventional HTTP response codes. Error responses include a JSON body with an error field.
400 Bad Request: The request was malformed or parameters were invalid.
401 Unauthorized: Authentication is required but was missing or invalid.
403 Forbidden: You do not have permission to access this resource (e.g., private researcher profile).
404 Not Found: The requested resource could not be found (e.g., researcher ID does not exist or user is not a researcher).
405 Method Not Allowed: The HTTP method is not supported for this endpoint (e.g., GET on a POST-only route).
409 Conflict: A replay or duplicate was detected (e.g., reused nonce or idempotency key).
429 Too Many Requests: You are being rate limited.
500 Internal Server Error: We encountered an unexpected error. Try again later.
501 Not Implemented: This endpoint is not yet available (e.g., /api/v1/reports).
502 Bad Gateway: An upstream service (e.g., Firestore export API) returned an error.
503 Service Unavailable: The service is temporarily unavailable for maintenance or a dependency (e.g., Firestore) is unreachable.
These endpoints require no authentication and are accessible to everyone.
Public health check endpoint. Probes backend database connectivity by performing a lightweight read. Returns the current platform status ('ok' or 'degraded'), ISO timestamp, and response time in milliseconds. If the database is unreachable, returns 503 Service Unavailable.
nullSimple public greeting endpoint. Returns a welcome message with CORS and security headers applied. Useful for verifying that the API layer is responding.
nullPublic RSS 2.0 feed of published blog posts. Returns XML with channel metadata, article items (title, link, guid, description, author, pubDate, categories, enclosure for featured images), and Atom self-link. Content-Type is application/rss+xml.
nullPublic XML sitemap for blog posts. Returns a sitemap.org XML document with the /blog index page and individual post URLs including lastmod dates, changefreq, and priority. Content-Type is application/xml.
nullReturns the HackerSavanna bug bounty program definition as a JSON download with Content-Disposition attachment. Includes program name, description, scope (in-scope and out-of-scope domains), bounty matrix by asset type (URL/API/Mobile), policy overview, qualifying vulnerabilities, out-of-scope items, disclosure policy, and contact details.
nullOne-click unsubscribe link for blog newsletter emails. Accepts a token query parameter and validates it server-side. Redirects on success or returns 400 on invalid/missing token.
The unsubscribe token from the newsletter email.
nullOne-click unsubscribe endpoint for per-category email opt-outs. Verifies an HMAC token server-side and records the opt-out. Redirects on success. Valid categories: reports, payments, invitations, digest, marketing, billing.
HMAC-signed unsubscribe token for the user.
Email category to opt out of (reports, payments, invitations, digest, marketing, billing).
nullFeatures accessible without authentication, including the vulnerability disclosure hub, blog, and platform discovery tools.
Public vulnerability disclosure hub. Browse publicly disclosed vulnerability reports across all programs, filter by severity and program, and view the Hall of Fame featuring top community discoveries.
Public blog platform with published articles, RSS feed, XML sitemap, scheduled publishing, comments moderation, and newsletter subscription management.
Public-facing pages for platform discovery, program browsing, researcher leaderboards, vulnerability taxonomy reference, and API documentation.
Unauthenticated flows for account creation, email verification, password reset, and role-based onboarding (researcher, company, admin).
Public search index across programs, researchers, and published content with AI-powered query interpretation.
These endpoints relate to researcher profiles, reports, and program analytics.
Retrieve public profile information for a researcher by their unique Firebase UID. Validates ID format and verifies the user exists and has role='researcher'; otherwise returns 404. Respects the isProfilePrivate setting — private profiles return 403 Forbidden. Returns only public fields: id, name, username, avatarUrl, bio, country, reputation, rank, trustLevel, specializations, skills (name, category, endorsements), verificationBadges, website, github, twitter, linkedin, and joinedAt.
The researcher's unique Firebase UID (1-128 alphanumeric characters, underscores, or hyphens).
nullFetch vulnerability reports. This endpoint is protected and requires API key authentication. Since API key support is not yet active, it currently returns 501 Not Implemented with a message indicating users should contact support for access. Supports CORS preflight via OPTIONS.
nullRetrieve analytics and industry benchmark data for a specific bug bounty program. Requires an authenticated session cookie. Validates programId format. Returns submission metrics (submissionsThisMonth, payoutsThisMonth, validSubmissionRate, averageBountyByScore), average response times (avgTimeToFirstResponse, avgTimeToTriage, avgTimeToResolution), and an optional industry benchmark comparison if the associated company has industry and companySize fields. The benchmark comparison includes deviation analysis and AI-generated recommendations. Returns 401 if no session cookie, 404 if program not found.
The unique program identifier (1-128 alphanumeric characters, underscores, or hyphens).
nullComprehensive feature set for security researchers participating in bug bounty programs.
Researcher profiles include public and private fields, reputation scores, trust levels, skill endorsements, verification badges, KYC status, and social links.
Browse, search, and save bug bounty programs. Filter by asset type, bounty range, visibility, and researcher restrictions.
End-to-end vulnerability report lifecycle from draft submission through triage, resolution, bounty payout, and disclosure.
Track bounty awards, payment history, wallet balance, and payout preferences.
Reputation system based on valid submissions, bounty amounts, report quality, community participation, and peer endorsements.
Community features for researcher collaboration, group formation, mentorship, and shared workspaces.
AI-powered tools for report writing, severity prediction, triage assistance, code analysis, and knowledge assistance.
Request and manage VPN access to private bug bounty environments and credential vaults.
Multi-channel notification system with granular preferences for in-app, email, push, Slack, Teams, Discord, and webhooks.
Publish security writeups, browse educational resources, and access the vulnerability taxonomy reference.
Personalized activity feed showing program updates, bounty announcements, community activity, and followed researcher actions.
Full capability overview for organizations running bug bounty programs on HackerSavanna.
Company dashboard with program performance metrics, submission analytics, bounty spend tracking, and industry benchmark comparisons.
Create, configure, version, and manage bug bounty programs with full scope definition, bounty matrices, and policy generation.
Comprehensive report triage workbench with AI assistance, team assignment, duplicate management, retest coordination, and bounty workflows.
Manage company team members with role-based access (admin, triage, read-only), invitations, and activity tracking.
Company wallet management with Paystack integration for top-ups, bounty payouts, transaction history, and budget controls.
Manage company assets, VPN servers, credential vaults, and researcher whitelist management.
Third-party integrations with Slack, Jira, GitHub, PagerDuty, Teams, Discord, and custom webhooks for notification and workflow automation.
Internal knowledge base for company-specific documentation, FAQs, and AI-powered knowledge assistant.
AI-powered tools for policy generation, scope language improvement, bounty suggestion, researcher matching, and anomaly detection.
Company profile, notification preferences, security settings, legal document acceptance tracking, and data retention policies.
Platform administration capabilities for operators managing the entire HackerSavanna ecosystem.
Platform-wide dashboard with user statistics, program counts, submission metrics, revenue tracking, and system health monitoring.
Comprehensive user administration with search, filtering, role management, suspension, banning, impersonation, and KYC oversight.
Know Your Customer review pipeline for researcher identity verification and company approval workflows.
Admin-level program management including approval, rejection, version history, audit logs, and compliance review.
Cross-platform report administration with mediation, deleted report recovery, redaction controls, and disclosure management.
Platform payment oversight including wallet audits, transaction reconciliation, revenue reporting, and payout monitoring.
Security monitoring and defensive tooling including audit logs, canary tokens, honeypot events, blocked IPs, and incident response.
Blog management, email campaigns, announcements, content moderation, and platform broadcast messaging.
System-level configuration including feature flags, platform settings, legal document versions, data retention, and superpower controls.
Legal hold management, electronic discovery search, data export, and compliance reporting for legal and regulatory requirements.
Centralized admin inbox for support tickets, user messages, mediation communications, and platform alerts.
Direct Firestore collection browsing and management for administrative data inspection and correction.
HackerSavanna integrates a comprehensive suite of AI-powered flows built on the Genkit framework. These models assist with triage, report quality, policy generation, anomaly detection, and user assistance.
smartTriageAssistance
AI-powered triage recommendations for vulnerability reports.
suggestTriageResponse
Generate suggested response messages for triage discussions.
classifyVulnerability
Classify reports with CWE taxonomy categories.
suggestCvssScore
Suggest CVSS v3 vector and score from report description.
scoreFraud
Fraud risk scoring for suspicious submissions.
validateReport
Validate report quality, completeness, and policy compliance.
analyzeCodeSnippet
Security analysis of uploaded code snippets.
improveWriting
Grammar, clarity, and tone improvements for report text.
analyzeSentiment
Sentiment analysis of triage discussion threads.
suggestBountyAmount
Recommend bounty amounts based on severity and program history.
analyzeReportIntelligence
Deep intelligence extraction from report content.
autofillReport
Auto-populate report fields from a brief description.
predictSeverity
Predict severity class from vulnerability details.
detectDuplicates
Detect potential duplicate reports from description matching.
scoreReport
Overall report quality scoring.
prioritizeTriageQueue
AI triage queue prioritization by business impact.
predictProgramPerformance
Forecast program engagement and submission rates.
detectSubmissionAnomalies
Statistical anomaly detection in submission patterns.
modelResearcherBehavior
Researcher behavior modeling for trust scoring.
rankNotifications
Intelligent notification priority ranking.
analyzeScreenshot
Extract and analyze vulnerability evidence from screenshots.
scoreProgramHealth
Holistic program health scoring.
scoreResearcherMatch
Match researchers to programs by skills and history.
rankSearchResults
AI-powered search result relevance ranking.
generateBugBountyPolicyFlow
Generate complete bug bounty policy documents from program details.
generateProgramTemplate
Generate program template drafts from minimal inputs.
translateText
Multi-language text translation for reports and communications.
summarizeText
Text summarization for long reports and discussions.
askKnowledgeAssistant
Knowledge base Q&A assistant for researchers.
interpretSearchQuery
Natural language search query interpretation.
chatWithAssistant
General-purpose AI chatbot for platform assistance.
generateScopeLanguage
Improve and clarify program scope language.
conductReportInterview
Interactive AI interview mode for report detail gathering.
verifyPatchDescription
Verify patch/fix description completeness and accuracy.
HackerSavanna connects with payment processors, communication platforms, development tools, and cloud infrastructure to provide a seamless operational experience.
Paystack
Payment processing for company wallet top-ups with webhook verification.
Slack
Real-time notifications to Slack channels for reports, bounties, and program events.
Jira
Bug tracking integration for report-to-issue creation and status sync.
GitHub
Repository issue linking and security advisory coordination.
PagerDuty
Critical vulnerability escalation to on-call incident response teams.
Microsoft Teams
Notification delivery to Teams channels and chat.
Discord
Webhook-based notifications to Discord servers.
Resend
SMTP email delivery for transactional and marketing emails.
Firebase Admin SDK
Firestore, Auth, Storage, and Cloud Functions administration.
Google Cloud Storage
Backup storage for automated Firestore exports.
Cloud Scheduler
Cron job orchestration for scheduled publications, digests, and backups.
Security endpoints and platform defensive features. These are documented for operational transparency and compliance.
Content Security Policy (CSP) with violation reporting endpoint
Canary token system for URL leak detection
Honeypot endpoint for automated scanner detection
HMAC-SHA256 request signing for critical API operations
Replay protection via nonce/timestamp validation
Idempotency keys for wallet and payment operations
Session cookie sealing with server-side registry validation
Rate limiting with tiered limits by endpoint sensitivity
CSRF protection for server actions with origin validation
Input sanitization for plain text, rich text, and file uploads
File upload validation with policy enforcement
ReDoS-safe regex validation for program names
JSON parsing with depth and size limits
Security audit logging for all sensitive operations
Two-factor authentication (TOTP)
Passkey / WebAuthn support
Account suspension with configurable expiry
Legal hold and data retention policy enforcement
Content moderation for user-generated content
Anti-fraud velocity checking
Email verification with secure token links
Password reset with time-limited tokens
Constant-time comparison for secret validation
These endpoints are used for security monitoring and are not intended for general API consumption.
Receives Content Security Policy violation reports from browsers. Accepts POST requests with Content-Type application/json or application/csp-report. Enforces a 64 KB body size limit and a 5-second body read timeout. Parses the csp-report object and writes a security audit log. Always returns 204 No Content regardless of parsing success to avoid leaking information. Also supports OPTIONS for CORS preflight.
The CSP report object sent by the browser (document-uri, violated-directive, blocked-uri, effective-directive, original-policy).
nullThese endpoints are intended for internal platform automation, cron jobs, and third-party webhooks. They are documented for operational transparency. Most require cron secrets or webhook signatures.
Internal endpoint for recording API usage metrics. Accepts a JSON body with route, method, ipHash, userAgent, and statusCode. Returns { success: true } on success or { success: false } with 500 on error. This is called by client-side middleware to track anonymous and authenticated API usage.
nullCron-protected endpoint that publishes due analytics email reports to companies. Requires a cron secret via Authorization: Bearer or X-Cron-Secret header. Validates the secret with constant-time comparison. Accepts an optional limit query parameter. Generates and sends analytics report emails to companies with configured subscriptions. Returns processed count, skipped count, and company IDs.
Maximum number of companies to process (default 100, max 500).
nullCron-protected endpoint that triggers a managed database export to a cloud storage bucket via the admin REST API. Requires a cron secret via Authorization: Bearer or X-Cron-Secret header. Creates a dated output path, records a pending job document, obtains an access token from the admin credential, calls the export API, and updates the job record with the operation name or failure status. Returns jobId and operationName on success, or 502 if the export API fails.
nullCron-protected endpoint that publishes scheduled blog posts. Requires a cron secret via Authorization: Bearer or X-Cron-Secret header. Queries scheduled posts and updates each to published status with timestamps. Returns the list of published post IDs. Invoke via Cloud Scheduler.
nullCron-protected endpoint that publishes due vulnerability disclosures. Requires a cron secret via Authorization: Bearer or X-Cron-Secret header. Accepts an optional limit query parameter. Transitions eligible reports from pending disclosure to publicly disclosed status. Returns processed count, skipped count, and report IDs.
Maximum number of disclosures to process (default 100, max 500).
nullCron-protected endpoint that publishes notification digests to users. Requires a cron secret via Authorization: Bearer or X-Cron-Secret header. Accepts an optional limit query parameter. Aggregates unread notifications and delivers them via the user's preferred channels (email, push, Slack, etc.). Returns processed counts and user IDs.
Maximum number of users to process (default 200, max 500).
nullReceives payment webhooks from Paystack. Enforces POST-only, 256 KB body limit, 5-second body timeout, and application/json content type. Validates HMAC-SHA256 request signatures, checks timestamp freshness, and prevents replay attacks via nonce reservation. Then validates the Paystack signature using HMAC-SHA512. Acknowledges non-charge events immediately. For charge.success events, verifies reference, companyId (from metadata), and amount. Prevents duplicate processing via idempotency keys and event nonce reservation. Credits the company wallet via a database transaction and records the transaction reference. Writes security audit logs for signature rejections, replays, and processing outcomes. Returns 200 { received: true } on success, or 500 on processing failure.
null