Skip to main content
Root exposes a REST API for programmatic access to patch status, SBOM and VEX data, vulnerability reports, and registry management.

Authentication

All API requests require a Bearer token:
Alternatively, use an API key with Basic Auth (API key as username, empty password):
To generate an API key, navigate to Settings → API Keys in the Root platform.

Base URL

Endpoints

Account

API Keys

Subscriptions

Patches

Query parameters for /patches: Example:

Image Catalog

Example:

Packages

Package Catalog (pkg.root.io):

AVR Artifacts

AVR (Artifact Vulnerability Remediation) endpoints provide access to artifacts from Root’s remediation pipeline:

Public Feeds (No Auth Required)

These endpoints are served at the root of api.root.io (no /v1 prefix). Fetching a single OSV record:
Patch feed query parameters:

Rate Limits

API requests are rate-limited. If you exceed the limit, you’ll receive a 429 Too Many Requests response. The response headers include:
  • X-RateLimit-Limit - requests allowed per window
  • X-RateLimit-Remaining - requests remaining in the current window
  • Retry-After - seconds to wait before retrying
For high-volume use cases, use pagination (limit + after cursor) rather than making many small requests.

SDKs

Official Python and JavaScript SDKs are in development. In the meantime, any HTTP client works with the REST API. For Python: