Authentication
All API requests require a Bearer token:Base URL
Endpoints
Account
API Keys
Subscriptions
Patches
Query parameters for
/patches:
Example:
Image Catalog
Example:
Packages
Package Catalog (pkg.root.io):
AVR Artifacts
AVR (Artifact Vulnerability Remediation) endpoints provide access to artifacts from Root’s remediation pipeline:Public Feeds (No Auth Required)
These endpoints are served at the root ofapi.root.io (no /v1 prefix).
Fetching a single OSV record:
Rate Limits
API requests are rate-limited. If you exceed the limit, you’ll receive a429 Too Many Requests response. The response headers include:
X-RateLimit-Limit- requests allowed per windowX-RateLimit-Remaining- requests remaining in the current windowRetry-After- seconds to wait before retrying
limit + after cursor) rather than making many small requests.