Docs

API reference

Read-only package intelligence. Four endpoints, one auth header.

Everything is GET, returns JSON, requires x-nipcode-api-key. Rate limit: 60 requests per minute per key.

GET /api/decision

Search plus LLM-ranked recommendation. One call gives an agent everything it needs to ask the user for approval.

Parameters are the same as /api/search. Returns a best object with decision_score, trust_score, risk_level, recommended, a proof id, and 11 structured blocks (recommendation, why, risk, advisory, license, source_evidence, dependency_risk, malware_patterns, publisher, install_boundary, alternative).

{
  "best": {
    "source": "npm",
    "name": "fast-xml-parser",
    "version": "5.8.0",
    "decision_score": 90,
    "trust_score": 85,
    "risk_level": "low",
    "recommended": true,
    "proof": "c191e6c5ab30",
    "blocks": {
      "recommendation": "fast-xml-parser (npm) is the best starting point for this task.",
      "why": "trust 85/100.",
      "risk": "low. The selected source did not return readable license metadata.",
      "license": "MIT (verified).",
      "install_boundary": "npm install fast-xml-parser. Do not run it until the plan and local approval/sandbox check are accepted.",
      "alternative": "date-format (npm, 80/100)."
    }
  },
  "candidates": [...],
  "note": "nipcode never installs, clones, or runs."
}

GET /api/inspect

Refresh one exact source-owned record. Returns full license, maintainers, deprecation status, age, dependency tree depth, install-script presence, and a list of trust flags.

Parameters

nametyperequired
sourcestringyes. One of npm, pypi, crates, github
namestringyes
curl -H "x-nipcode-api-key: $KEY" \
  "https://nipcode.xyz/api/inspect?source=npm&name=undici"

GET /api/install-plan

Lighter than decision. Returns the install command for a specific package, with warnings about install-script execution and unpinned versions.

curl -H "x-nipcode-api-key: $KEY" \
  "https://nipcode.xyz/api/install-plan?source=npm&name=undici&version=8.3.0"

Account & key management

These endpoints use the session cookie set by the email-OTP login (not the x-nipcode-api-key header). Sign in at nipcode.xyz first.

GET /api/keys

List active keys for the signed-in account. Returns key value masked (nip_8chars…last4). Pass ?project=<name> to filter.

POST /api/keys

Body: {"label": "production-cli", "project": "production"}. project is normalized to lowercase slug (a-z, 0-9, -, _, max 30 chars), defaults to default. Returns the new key in plaintext. Copy now, you won't see it unmasked again.

Hard limit: 25 active keys per account across all projects. Revoke unused keys first if you hit it.

DELETE /api/keys?id=<uuid>

Soft-revoke: sets revoked_at = now(). The key stops working immediately on subsequent requests.

GET /api/projects

Aggregate view of all your project namespaces: name, key_count, latest_created_at, latest_used_at. default always appears, even if empty. Projects are organizational only; keys in any project have identical permissions and the same rate limit.

Errors

HTTPCodeMeaning
400missing parameterRequired parameter missing
401missing_api_key / invalid_api_keySend key in x-nipcode-api-key
429rate_limit_exceeded60 req/min/key; retry after window
502upstream search failedSource registry temporarily down
503supabase_not_configuredServer-side env missing