Reports API

Reports bundle findings + framework mappings into a downloadable artifact (PDF or JSON) suitable for auditor consumption.

Create a report

curl -sS https://penaxtra.com/api/v2/reports \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Q2 2026 AI security evidence pack",
    "frameworks": ["OWASP_LLM","NIST_AI_600_1","EU_AI_ACT","ISO_42001"],
    "scope": {
      "endpoint_ids": ["ep_2026_abc123"],
      "from": "2026-04-01",
      "to": "2026-06-30",
      "include_severities": ["critical","high","medium"]
    },
    "format": "pdf"
  }'

Response:

{
  "id": "rpt_2026_def456",
  "status": "queued",
  "format": "pdf",
  "queued_at": "2026-05-22T10:35:00Z"
}

List reports

curl -sS "https://penaxtra.com/api/v2/reports?limit=20" \
  -H "Authorization: Bearer $TOKEN"

Pagination is cursor-based: read the next_cursor field from the response and pass its value as ?cursor=... to fetch the next page.

Get a single report

curl -sS https://penaxtra.com/api/v2/reports/rpt_2026_def456 \
  -H "Authorization: Bearer $TOKEN"

Statuses: queued, running, ready, failed, expired.

Download artifact

curl -fOJL \
  -H "Authorization: Bearer $TOKEN" \
  https://penaxtra.com/api/v2/reports/rpt_2026_def456/download

The response is a stream with Content-Disposition: attachment and a filename of the form <report-id>.pdf or <report-id>.json.

JSON schema (excerpt)

{
  "schema_version": "v1",
  "report_id": "rpt_2026_def456",
  "generated_at": "2026-05-22T10:36:42Z",
  "tenant_slug": "acme",
  "scope": { "from": "2026-04-01", "to": "2026-06-30", "endpoint_ids": ["ep_2026_abc123"] },
  "frameworks": ["OWASP_LLM","NIST_AI_600_1","EU_AI_ACT","ISO_42001"],
  "summary": { "critical": 0, "high": 4, "medium": 11, "total_open": 15 },
  "findings": [
    {
      "id": "fnd_2026_xxxxxx",
      "severity": "high",
      "title": "Indirect prompt injection via RAG corpus",
      "framework_refs": ["OWASP_LLM01","MITRE_ATLAS_AML_T0051","EU_AI_ACT_Art15"],
      "evidence_excerpt_sha256": "abc123...",
      "url": "https://penaxtra.com/app/findings/fnd_2026_xxxxxx"
    }
  ],
  "cross_framework_overlaps": [
    {
      "ref_a": "OWASP_LLM01",
      "ref_b": "EU_AI_ACT_Art15",
      "finding_count": 4
    }
  ]
}
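A consumer-side check of a downloaded JSON export before it enters an evidence pipeline, added here as an example; it is not part of the Penaxtra API or its tooling. The name check_export, the rule that total_open equals the sum of the per-severity counts, and pinning finding URLs to penaxtra.com are assumptions drawn from the excerpt above.

```python
import json
from urllib.parse import urlsplit

SUPPORTED_SCHEMA_VERSIONS = {"v1"}  # the version shown in the excerpt
FINDING_HOST = "penaxtra.com"       # host of finding URLs in the excerpt

def check_export(raw, *, report_id, tenant_slug, frameworks, severities):
    """Return a list of problems in a downloaded JSON export (empty means OK)."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    # Refuse to interpret a schema this consumer was not written for.
    if doc.get("schema_version") not in SUPPORTED_SCHEMA_VERSIONS:
        return [f"unsupported schema_version: {doc.get('schema_version')!r}"]
    problems = []
    if doc.get("report_id") != report_id:
        problems.append("report_id differs from the report requested")
    if doc.get("tenant_slug") != tenant_slug:
        problems.append("tenant_slug differs from the caller's tenant")
    if set(doc.get("frameworks") or []) != set(frameworks):
        problems.append("frameworks differ from the request")
    summary = doc.get("summary") or {}
    # Assumption: total_open is the sum of the per-severity counts.
    counted = sum(v for k, v in summary.items() if k != "total_open")
    if counted != summary.get("total_open"):
        problems.append("summary counts do not add up to total_open")
    for f in doc.get("findings") or []:
        fid = f.get("id", "<no id>")
        if f.get("severity") not in severities:
            problems.append(f"{fid}: severity outside the requested set")
        # Compare the parsed hostname, not a string prefix of the URL.
        url = urlsplit(str(f.get("url", "")))
        if url.scheme != "https" or url.hostname != FINDING_HOST:
            problems.append(f"{fid}: url does not point at https://{FINDING_HOST}")
    return problems

# Constructed sample, trimmed from the excerpt above.
SAMPLE = json.dumps({
    "schema_version": "v1", "report_id": "rpt_2026_def456", "tenant_slug": "acme",
    "frameworks": ["OWASP_LLM", "NIST_AI_600_1", "EU_AI_ACT", "ISO_42001"],
    "summary": {"critical": 0, "high": 4, "medium": 11, "total_open": 15},
    "findings": [{"id": "fnd_2026_xxxxxx", "severity": "high",
                  "framework_refs": ["OWASP_LLM01", "EU_AI_ACT_Art15"],
                  "url": "https://penaxtra.com/app/findings/fnd_2026_xxxxxx"}],
})
EXPECTED = dict(report_id="rpt_2026_def456", tenant_slug="acme",
                frameworks=["OWASP_LLM", "NIST_AI_600_1", "EU_AI_ACT", "ISO_42001"],
                severities={"critical", "high", "medium"})
```

Calling check_export(SAMPLE, **EXPECTED) returns an empty list; pass the values from your own create request in place of EXPECTED.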

Common errors

Code                   Meaning
400 framework_unknown  Bad slug in frameworks
400 scope_invalid      from after to, or scope dimensions all empty
403 missing_scope      Token lacks reports:generate or reports:read
404 report_not_found   Id does not belong to caller's tenant
410 report_expired     Download artifact pruned per audit retention; regenerate the report

Security notes

  • PDF metadata is signed at generation time; tampering invalidates the signature.
  • JSON exports are schema-versioned; the schema_version field stays stable per major release.
  • Download URLs require the bearer token + an unguessable report id; signed URL params expire in 60 seconds.

Last reviewed: 2026-06-13. Reviewed by: Engineering. Content type: Developer documentation. Reach the maintainers: [email protected] .