YOUR TENANT · LIVE

Spend & usage this cycle

Paste a sandbox or live API key to see this tenant's current-cycle scan count, spend, and remaining monthly cap. The key stays in your browser's localStorage and is sent only to the QorBOM™ backend.

v0.1.0
OAS 3.1.0

QorBOM™ is the white-label platform that powers Cryptographic Bill of Materials (CBOM) scans for audit firms, MSSPs, and consultancies. Every endpoint requires a Bearer API key issued to your partner-tenant account. Apply for early access at https://qorbom.com/become-a-partner. QorBOM™ is a trademark of QorTrace.

Sandbox (preview)

Client Libraries

cbom-platform-api (Collapsed)

Cbom Api Health

Responses
  • application/json
Request Example for get/api/v1/cbom/health
curl https://api.qorbom.com/api/v1/cbom/health \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN'
{
  "propertyName*": "anything"
}

Create Partner Scan

Enqueue a CBOM scan for a partner-tenant via API key.

Headers
  • authorization
    Type: Authorization nullable
Body
required
application/json
  • repo_url
    Type: Repo Url
    min length:  
    8
    max length:  
    400
    required

    Public GitHub repo URL

  • project_name
    Type: Project Name
    max length:  
    120
    nullable
  • project_version
    Type: Project Version
    max length:  
    60
    default:  
    "1.0.0"
    nullable
Responses
  • application/json
  • application/json
Request Example for post/api/v1/cbom/scans
curl https://api.qorbom.com/api/v1/cbom/scans \
  --request POST \
  --header 'authorization: ' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  --data '{
  "repo_url": "",
  "project_name": "",
  "project_version": "1.0.0"
}'
{
  "id": "string",
  "status": "string",
  "tenant_id": "string",
  "tenant_kind": "string",
  "methodology_version": "string"
}

List Partner Scans

Query Parameters
  • limit
    Type: Limit
    min:  
    1
    max:  
    200
    default:  
    50

    Integer numbers.

Headers
  • authorization
    Type: Authorization nullable
Responses
  • application/json
  • application/json
Request Example for get/api/v1/cbom/scans
curl 'https://api.qorbom.com/api/v1/cbom/scans?limit=50' \
  --header 'authorization: ' \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN'
{
  "propertyName*": "anything"
}

Get Partner Scan

Path Parameters
  • scan_id
    Type: Scan Id
    required
Query Parameters
  • include_bom
    Type: Include Bom
    default:  
    false
Headers
  • authorization
    Type: Authorization nullable
Responses
  • application/json
  • application/json
Request Example for get/api/v1/cbom/scans/{scan_id}
curl 'https://api.qorbom.com/api/v1/cbom/scans/{scan_id}?include_bom=false' \
  --header 'authorization: ' \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN'
{
  "propertyName*": "anything"
}

Download Partner Bom

Path Parameters
  • scan_id
    Type: Scan Id
    required
Query Parameters
  • format
    Type: FormatPattern: ^(cyclonedx|spdx)$
    default:  
    "cyclonedx"
Headers
  • authorization
    Type: Authorization nullable
Responses
  • application/json
  • application/json
Request Example for get/api/v1/cbom/scans/{scan_id}/bom.json
curl 'https://api.qorbom.com/api/v1/cbom/scans/{scan_id}/bom.json?format=cyclonedx' \
  --header 'authorization: ' \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN'
{
  "propertyName*": "anything"
}

Get Partner Usage

Return the calling tenant's billing-cycle + all-time usage and spend, sized for the inline API-reference dashboard panel.

Auth: same Bearer key the partner uses for /scans — keeps the "paste your key to see your spend" UX in one place. No new key scope required; every active key can read its own tenant's usage.

Query Parameters
  • recent_limit
    Type: Recent Limit
    min:  
    0
    max:  
    50
    default:  
    5

    Integer numbers.

Headers
  • authorization
    Type: Authorization nullable
Responses
  • application/json
  • application/json
Request Example for get/api/v1/cbom/usage
curl 'https://api.qorbom.com/api/v1/cbom/usage?recent_limit=5' \
  --header 'authorization: ' \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN'
{
  "propertyName*": "anything"
}

List Partner Keys

List every key on the calling tenant. Returns redacted shape — key_lookup + key_prefix + name + env + status + audit timestamps. The full secret is NEVER returned (we don't store it — only the hash).

Headers
  • authorization
    Type: Authorization nullable
Responses
  • application/json
  • application/json
Request Example for get/api/v1/cbom/keys
curl https://api.qorbom.com/api/v1/cbom/keys \
  --header 'authorization: ' \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN'
{
  "propertyName*": "anything"
}

Create Partner Test Key

Mint a NEW sandbox (qb_test_...) key for the calling tenant.

Body: { "name": "my-laptop", "env": "test" }. env MUST be test — live keys are admin-only. Hard cap: MAX_TEST_KEYS_PER_TENANT active test keys per tenant.

Returns the FULL plaintext key EXACTLY ONCE. Callers must save it immediately — we only store the hash.

Headers
  • authorization
    Type: Authorization nullable
Body
required
application/json
  • propertyName*
    Type: anything
Responses
  • application/json
  • application/json
Request Example for post/api/v1/cbom/keys
curl https://api.qorbom.com/api/v1/cbom/keys \
  --request POST \
  --header 'authorization: ' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  --data '{
  "propertyName*": "anything"
}'
{
  "propertyName*": "anything"
}

Revoke Partner Key

Revoke a key on the calling tenant. Subsequent requests with that key fail immediately with 401.

Anti-foot-gun: callers can revoke the key they're currently holding — it works, and they'll lose access on the NEXT request.

Path Parameters
  • key_id
    Type: Key Id
    required
Headers
  • authorization
    Type: Authorization nullable
Responses
  • application/json
  • application/json
Request Example for post/api/v1/cbom/keys/{key_id}/revoke
curl 'https://api.qorbom.com/api/v1/cbom/keys/{key_id}/revoke' \
  --request POST \
  --header 'authorization: ' \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN'
{
  "propertyName*": "anything"
}

Get Partner Branding

Return the calling tenant's branding config + the live URL where their white-labeled landing would render.

Headers
  • authorization
    Type: Authorization nullable
Responses
  • application/json
  • application/json
Request Example for get/api/v1/cbom/branding
curl https://api.qorbom.com/api/v1/cbom/branding \
  --header 'authorization: ' \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN'
{
  "propertyName*": "anything"
}

Update Partner Branding

Update the calling tenant's white-label config. All fields optional — caller sends only what they want to change.

Subdomain uniqueness is enforced at write time. URLs validated for scheme + length. Accent color must match #RRGGBB.

Headers
  • authorization
    Type: Authorization nullable
Body
required
application/json
  • propertyName*
    Type: anything
Responses
  • application/json
  • application/json
Request Example for put/api/v1/cbom/branding
curl https://api.qorbom.com/api/v1/cbom/branding \
  --request PUT \
  --header 'authorization: ' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  --data '{
  "propertyName*": "anything"
}'
{
  "propertyName*": "anything"
}

Get Branding By Subdomain

Path Parameters
  • slug
    Type: Slug
    required
Responses
  • application/json
  • application/json
Request Example for get/api/v1/cbom/branding/by-subdomain/{slug}
curl 'https://api.qorbom.com/api/v1/cbom/branding/by-subdomain/{slug}' \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN'
{
  "propertyName*": "anything"
}

Get Qorbom Openapi

Return the OpenAPI 3.1 spec for the QorBOM™ partner API only.

Responses
  • application/json
Request Example for get/api/v1/cbom/openapi.json
curl https://api.qorbom.com/api/v1/cbom/openapi.json \
  --header 'Authorization: Bearer YOUR_SECRET_TOKEN'
{
  "propertyName*": "anything"
}

Models