Developers
The programmatic surface of squirrelscan â REST API, CI/CD, webhooks, auth, and agents
Everything squirrelscan does from a terminal it can also do from your code, your pipeline, and your agent. This hub is the map of that programmatic surface: the stable REST API, CI/CD integration, outbound webhooks, headless authentication, and the agent/MCP workflow.
Pick your surface
The stable /v1 surface â create audits, read reports, check credits.
OpenAPI-described, agent- and MCP-friendly.
Gate builds on audits with --fail-on exit codes. GitHub Actions, GitLab,
and any shell runner.
Push audit events to any HTTPS endpoint. Signed, versioned, retried â react without polling.
API keys, scopes, and SQUIRREL_API_TOKEN for headless and CI auth.
Wire squirrelscan into Claude Code, Cursor, and autonomous agent workflows.
How it fits together
The CLI (squirrel) and the REST API are two front doors to the same engine.
Local, deterministic audits are free and need no login. Anything that talks
to the cloud â publishing reports, browser rendering, AI summaries, the API â
authenticates with a credential and is metered in credits.
| You want to⦠| Reach for |
|---|---|
| Run an audit locally or in a script | squirrel audit |
| Fail a build on a regression | CI/CD + --fail-on |
| Drive audits/reports from your own backend | REST API |
| Get notified when an audit finishes | Webhooks |
| Authenticate without a browser | SQUIRREL_API_TOKEN |
| Let an agent run audits autonomously | Agents & MCP |
A 60-second tour
# 1. Local, free, no login â exits non-zero if the gate trips.
squirrel audit https://example.com --fail-on 'score<90'
# 2. Headless cloud auth â an org API key from the dashboard.
export SQUIRREL_API_TOKEN=sq_xxxxxxxxxxxx
# 3. Or skip the CLI entirely and hit the API.
curl https://api.squirrelscan.com/v1/credits \
-H "Authorization: Bearer $SQUIRREL_API_TOKEN"