Overview
npm + WordPress vulnerability intelligence with nested response shape and cursor pagination.
Patchstack Threat Intelligence API — Beta (beta)
Section titled “Patchstack Threat Intelligence API — Beta (beta)”The Beta endpoints live alongside the v2 API and add npm coverage, an optional full advisory body, a consistent nested response shape, and cursor pagination. They are the recommended endpoints for new integrations; v2 remains available for backwards compatibility.
Authentication
Every request must include your API key in the PSKey HTTP request header.
Request a key via https://patchstack.com/for-hosts/.
Platforms
Pass ?platform=npm (or ?platform=wordpress — the default) on list
endpoints. Platform names are case-insensitive.
Pagination
/all and /latest support two independent strategies, selected by which
query parameter you pass:
- Offset (
?page=&per_page=) — returns totals; easy to jump to a specific page; susceptible to row-shift when new rows land while paging. - Cursor (
?cursor=) — stable under concurrent inserts, faster at depth, nototalcount. Bootstrap with an empty value:?cursor=.
cursor and page are mutually exclusive; passing both returns 422.
Including full advisory bodies
Pass ?include=details on any list endpoint to add an advisory_details
markdown field to each item.
Scoped npm packages
npm package slugs that include a / (e.g. @scope/pkg) conflict with the
route separator. URL-encode the / as %2F.
Rate limiting
Same policy as the Extended Threat Intelligence API. Contact https://patchstack.com/for-hosts/ if you need an elevated quota.
Errors
| Status | Meaning |
|---|---|
401 | Missing or invalid PSKey header. |
403 | API key not authorised for the requested endpoint. |
422 | Invalid parameter combination or value (e.g. cursor + page, invalid platform, per_page > 500). |
429 | Rate limit exceeded. |
500 | Server error — include the request id in any bug report. |
A malformed cursor returns 200 with an empty page rather than an error:
{ "vulnerabilities": [], "cursor": { "next_cursor": null, "has_more": false, "per_page": 100 } }Related pages
- Narrative guide with code samples: Beta tier API
- OpenAPI spec (import into Postman / Insomnia / Bruno / Hoppscotch): https://docs.patchstack.com/schemas/threat-intel-beta.yaml
- Postman collection (pre-imported): https://docs.patchstack.com/schemas/threat-intel-beta.postman_collection.json
Integration questions: dave.jong@patchstack.com.
- Patchstack: https://patchstack.com/for-hosts/ - dave.jong@patchstack.com
- OpenAPI version: 3.1.0
Authentication
Section titled “ Authentication ”PSKey
Section titled “PSKey ”API key issued by Patchstack. Request one via https://patchstack.com/for-hosts/.
Security scheme type: apiKey
Header parameter name: PSKey