Root exposes a REST API for programmatic access to patch status, SBOM and VEX data, vulnerability reports, and registry management.

Authentication

All API requests require a Bearer token:
curl -H "Authorization: Bearer $ROOT_TOKEN" https://api.root.io/v1/...
Alternatively, use an API key with Basic Auth (API key as username, empty password):
curl -u "apik_yourkey:" https://api.root.io/v1/...
To generate an API key, navigate to Settings → API Keys in the Root platform.

Base URL

https://api.root.io/v1

Endpoints

Account

Method  Path    Description
GET     /me     Get the current authenticated account
GET     /orgs/  Get your organization

API Keys

Method  Path                    Description
POST    /api_keys/              Create a new API key
GET     /api_keys/              List API keys
GET     /api_keys/{apiKeyID}/   Get a specific API key
DELETE  /api_keys/{apiKeyID}/   Delete an API key

Subscriptions

Method  Path                              Description
POST    /subscriptions/                   Subscribe to an image or package
GET     /subscriptions/                   List your subscriptions
GET     /subscriptions/{subscriptionID}/  Get a specific subscription
DELETE  /subscriptions/                   Remove a subscription

Patches

Method  Path      Description
GET     /patches  List CVE patches with filtering

Query parameters for /patches:

Parameter         Type     Description
cve_id            string   Filter by CVE ID (e.g., CVE-2024-1234)
package_src_name  string   Filter by source package name
ecosystem         string   Filter by ecosystem (alpine, debian, ubuntu, pypi, npm, maven)
severities        string   Comma-separated severities (critical, high, medium, low)
ticket_statuses   string   Comma-separated statuses (open, in_progress, done, deferred)
order             string   Sort order (e.g., created_at:desc)
limit             integer  Page size (default: 100, max: 1000)
after             string   Cursor for pagination
Example:
# Get all patched critical CVEs in PyPI packages
curl -H "Authorization: Bearer $ROOT_TOKEN" \
  "https://api.root.io/v1/patches?ecosystem=pypi&severities=critical&ticket_statuses=done"

Image Catalog

Method  Path                      Description
GET     /images/                  List images in Root Image Catalog
GET     /images/{rriID}           Get image details
GET     /images/{imageRepo}/tags  List tags for an image
GET     /tags/                    List all tags
GET     /tags/{rrtID}             Get details for a specific tag
GET     /tags/{rrtID}/sbom        Get SBOM download URL for a tag
GET     /tags/{rrtID}/vex         Get VEX download URL for a tag
GET     /tags/{rrtID}/provenance  Get provenance attestation for a tag
Example:
# Get SBOM for an image tag
curl -H "Authorization: Bearer $ROOT_TOKEN" \
  "https://api.root.io/v1/images/tags/{rrtID}/sbom"

# Response includes a presigned URL - fetch the SBOM:
# curl -o sbom.json "https://presigned-url..."

Packages

Method  Path                                  Description
GET     /packages/                            List packages
GET     /packages/{pkgID}/                    Get package details
GET     /packages/{pkgID}/artifacts/patches     Get patches applied to a package
GET     /packages/{pkgID}/artifacts/provenance  Get provenance for a package
Package Catalog (pkg.root.io):
GET https://pkg.root.io/packages/ecosystems/{ecosystem}/packages/{name}/versions
GET https://pkg.root.io/packages/ecosystems/{ecosystem}/packages/{name}/versions/{version}/cves
GET https://pkg.root.io/packages/ecosystems/{ecosystem}/packages/{name}/versions/{version}/details
GET https://pkg.root.io/packages/ecosystems/{ecosystem}/packages/{name}/versions/{version}/provenance/{arch}

AVR Artifacts

AVR (Artifact Vulnerability Remediation) endpoints provide access to artifacts from Root’s remediation pipeline:
Method  Path                               Description
GET     /avrs/{avrID}/artifacts/sbom        Get SBOM for a remediated artifact
GET     /avrs/{avrID}/artifacts/vex         Get VEX for a remediated artifact
GET     /avrs/{avrID}/artifacts/provenance  Get SLSA provenance

Public Feeds (No Auth Required)

Method  Path                          Description
GET     /external/patch_feed          Public patch feed (filterable by ecosystem)
GET     /external/cve_feed            Public CVE feed
GET     /external/osv/{id}.json       OSV-format record for a specific CVE
GET     /external/globals/sys_matrix  Supported ecosystems and distros

Patch feed query parameters:

Parameter         Description
ecosystem         Filter by ecosystem (alpine, debian, ubuntu, pypi, npm, maven)
os_distro_major   Filter by OS distro version (e.g., 22.04)
package_src_name  Filter by package source name
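Because the feed serves OSV-format records, one practical use of /external/osv/{id}.json is to check whether a package version you actually run falls inside the record's affected ranges. The following is an added example, not code from Root or from this page: fetch_osv pulls a record from the unauthenticated feed, and SAMPLE_OSV is a constructed record with a made-up CVE id and package name so the check runs offline. The version comparison is a deliberate simplification (dotted numeric components); for a real ecosystem use its own comparator (for PyPI, packaging.version).

```python
import json
import urllib.request

OSV_FEED = "https://api.root.io/v1/external/osv"

# Constructed OSV record in the shape served by /external/osv/{id}.json. The CVE id,
# package name and version numbers are made up for this example and match nothing real.
SAMPLE_OSV = {
    "id": "CVE-0000-0001",
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "examplelib"},
            "ranges": [
                {"type": "ECOSYSTEM",
                 "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.2"}]}
            ],
            "versions": ["1.0.0", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.4.1"],
        }
    ],
}


def fetch_osv(cve_id):
    """Download the OSV record for one CVE from the public feed (no auth required)."""
    with urllib.request.urlopen(f"{OSV_FEED}/{cve_id}.json", timeout=30) as resp:
        return json.load(resp)


def version_key(version):
    """Sort key for dotted versions: numeric parts compare numerically, other parts as text.
    Deliberately simplistic; use the ecosystem's own comparator in production."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def in_range(version, events):
    """Walk an OSV ECOSYSTEM/SEMVER event list ([introduced, fixed) intervals, or
    introduced..last_affected) and report whether the version lands in an affected interval."""
    v = version_key(version)
    affected = False
    for event in events:
        if "introduced" in event:
            if event["introduced"] == "0" or version_key(event["introduced"]) <= v:
                affected = True
        elif "fixed" in event:
            if affected and version_key(event["fixed"]) <= v:
                affected = False
        elif "last_affected" in event:
            if affected and version_key(event["last_affected"]) < v:
                affected = False
    return affected


def is_affected(osv, ecosystem, name, version):
    """True if the OSV record lists (ecosystem, name, version) as affected, either via an
    explicit entry in `versions` or via an introduced/fixed range."""
    for entry in osv.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem", "").lower() != ecosystem.lower() or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") in ("ECOSYSTEM", "SEMVER") and in_range(version, rng.get("events", [])):
                return True
    return False


if __name__ == "__main__":
    # Offline demo against the constructed record; use fetch_osv("CVE-...") for a live record.
    for ver in ("0.9.0", "1.2.0", "1.4.1", "1.4.2"):
        status = "affected" if is_affected(SAMPLE_OSV, "pypi", "examplelib", ver) else "not affected"
        print(ver, status)
```

The explicit versions list is checked first because it is authoritative where present; the range walk covers versions the list omits. A fixed event closes the interval at the fixed version itself, so 1.4.2 is reported as not affected while 1.4.1 is.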

Rate Limits

API requests are rate-limited. If you exceed the limit, you’ll receive a 429 Too Many Requests response. The response headers include:
  • X-RateLimit-Limit - requests allowed per window
  • X-RateLimit-Remaining - requests remaining in the current window
  • Retry-After - seconds to wait before retrying
For high-volume use cases, use pagination (limit + after cursor) rather than making many small requests.

SDKs

Official Python and JavaScript SDKs are in development. In the meantime, any HTTP client works with the REST API. For Python:
import os
import requests

# Read the token from the environment rather than hard-coding it in source
ROOT_TOKEN = os.environ["ROOT_TOKEN"]

headers = {"Authorization": f"Bearer {ROOT_TOKEN}"}
response = requests.get("https://api.root.io/v1/patches", headers=headers, params={
    "ecosystem": "pypi",
    "severities": "critical,high",
    "ticket_statuses": "done",
    "limit": 100
}, timeout=30)
response.raise_for_status()  # surface 401/429 instead of parsing an error body as data
patches = response.json()
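Combining the Bearer authentication, the /patches query parameters and the Rate Limits guidance above (page through with limit plus the after cursor, back off on 429 using Retry-After), here is an added example of a client that walks every page of /patches. It is not Root's code and not one of the SDKs mentioned; it uses only the standard library, and a constructed fake API stands in for api.root.io so it runs offline. The response field names "items" (the records) and "next" (the next cursor) are assumptions, since the page does not document the response body; check them against a real response before relying on the loop.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.root.io/v1"


def urllib_transport(url, headers, params):
    """Stdlib-only HTTP GET. Returns (status, header object with .get(), decoded JSON or None);
    4xx/5xx are returned rather than raised so the caller can react to 429."""
    full_url = f"{url}?{urllib.parse.urlencode(params)}" if params else url
    request = urllib.request.Request(full_url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.status, resp.headers, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, err.headers, None


def iter_patches(transport, token, params, max_retries=5, sleep=time.sleep):
    """Yield every /patches record matching `params`, following the `after` cursor and
    honouring Retry-After on 429. ASSUMPTION: the page body carries the records in "items"
    and the next cursor in "next"; adjust to the real response shape."""
    headers = {"Authorization": f"Bearer {token}"}
    query = dict(params)
    retries = 0
    while True:
        status, resp_headers, body = transport(f"{BASE_URL}/patches", headers, query)
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError(f"rate limited; gave up after {max_retries} retries")
            sleep(float(resp_headers.get("Retry-After", "1")))
            continue
        if status != 200:
            raise RuntimeError(f"GET /patches failed with HTTP {status}")
        retries = 0
        for item in body["items"]:
            yield item
        cursor = body.get("next")
        if not cursor:
            return
        query["after"] = cursor


class FakeRootApi:
    """Constructed stand-in for api.root.io so the example runs offline: it checks the bearer
    token, throttles the very first call, then serves two pages of made-up records."""

    def __init__(self):
        self.calls = []
        self.throttled = False
        self.pages = {
            None: {"items": [{"cve_id": "CVE-0000-0001"}, {"cve_id": "CVE-0000-0002"}],
                   "next": "cursor-2"},
            "cursor-2": {"items": [{"cve_id": "CVE-0000-0003"}], "next": None},
        }

    def __call__(self, url, headers, params):
        self.calls.append(dict(params))
        if headers.get("Authorization") != "Bearer test-token":
            return 401, {}, None
        if not self.throttled:
            self.throttled = True
            return 429, {"Retry-After": "0", "X-RateLimit-Remaining": "0"}, None
        return 200, {"X-RateLimit-Remaining": "99"}, self.pages[params.get("after")]


def demo():
    """Run the paginated query against the fake; returns (CVE ids seen, HTTP calls made)."""
    api = FakeRootApi()
    params = {"ecosystem": "pypi", "severities": "critical,high",
              "ticket_statuses": "done", "limit": "2"}
    ids = [p["cve_id"] for p in iter_patches(api, "test-token", params, sleep=lambda _: None)]
    return ids, len(api.calls)


if __name__ == "__main__":
    print(demo())  # for a live run, pass urllib_transport and a real token instead of the fake
```

The transport is injected so the same loop can be exercised against the fake in tests and against urllib_transport in production. Bounding the retries matters: an unbounded 429 loop against a shared token just keeps the whole organisation throttled.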