Authentication

Public Endpoints

Most Vulnpatch API endpoints are publicly accessible and don't require authentication:

Endpoint	Auth Required
`GET /api/v1/stats`	No
`GET /api/v1/issues`	No
`GET /api/v1/repology/:package`	No
`GET /api/v1/osv/:package`	No
`GET /api/v1/vulns/:package`	No
`GET /api/v1/osv-details/:id`	No

Authenticated Endpoints

Some endpoints require authentication via GitHub OAuth:

Endpoint	Auth Required
`POST /api/v1/request-access`	GitHub OAuth

GitHub OAuth Flow

Vulnpatch uses GitHub's Device Flow for authentication:

Initiate Flow: Call the GitHub device authorization endpoint
User Verification: User visits GitHub and enters the provided code
Token Exchange: Exchange the device code for an access token
API Calls: Include the token in authenticated requests

Example: Request Access

javascript

// After obtaining a GitHub token via device flow
const response = await fetch('https://api.vulnpatch.dev/api/v1/request-access', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    token: 'gho_xxxxxxxxxxxx',
  }),
});

Security Best Practices

Never expose your GitHub tokens in client-side code
Use environment variables for token storage
Rotate tokens regularly
Only request the minimum required OAuth scopes

Authentication ​

Public Endpoints ​

Authenticated Endpoints ​

GitHub OAuth Flow ​

Example: Request Access ​

Security Best Practices ​