API reference
Read-only package intelligence. Four endpoints, one auth header.
Everything is GET, returns JSON, requires x-nipcode-api-key. Rate limit: 60 requests per minute per key.
GET /api/search
Fan-out search across selected source registries. Returns a ranked candidate list with source-owned metadata. Ephemeral by default.
Parameters
| name | type | required | default | notes |
|---|---|---|---|---|
q | string | yes | , | free-text query |
sources | string | no | npm,pypi,crates,github | comma-separated |
limit | integer | no | 5 | 1-20 |
curl -H "x-nipcode-api-key: $KEY" \
"https://nipcode.xyz/api/search?q=http+client&sources=npm,pypi&limit=5"
GET /api/decision
Search plus LLM-ranked recommendation. One call gives an agent everything it needs to ask the user for approval.
Parameters are the same as /api/search. Returns a best object with decision_score, trust_score, risk_level, recommended, a proof id, and 11 structured blocks (recommendation, why, risk, advisory, license, source_evidence, dependency_risk, malware_patterns, publisher, install_boundary, alternative).
{
"best": {
"source": "npm",
"name": "fast-xml-parser",
"version": "5.8.0",
"decision_score": 90,
"trust_score": 85,
"risk_level": "low",
"recommended": true,
"proof": "c191e6c5ab30",
"blocks": {
"recommendation": "fast-xml-parser (npm) is the best starting point for this task.",
"why": "trust 85/100.",
"risk": "low. The selected source did not return readable license metadata.",
"license": "MIT (verified).",
"install_boundary": "npm install fast-xml-parser. Do not run it until the plan and local approval/sandbox check are accepted.",
"alternative": "date-format (npm, 80/100)."
}
},
"candidates": [...],
"note": "nipcode never installs, clones, or runs."
}
GET /api/inspect
Refresh one exact source-owned record. Returns full license, maintainers, deprecation status, age, dependency tree depth, install-script presence, and a list of trust flags.
Parameters
| name | type | required |
|---|---|---|
source | string | yes. One of npm, pypi, crates, github |
name | string | yes |
curl -H "x-nipcode-api-key: $KEY" \
"https://nipcode.xyz/api/inspect?source=npm&name=undici"
GET /api/install-plan
Lighter than decision. Returns the install command for a specific package, with warnings about install-script execution and unpinned versions.
curl -H "x-nipcode-api-key: $KEY" \
"https://nipcode.xyz/api/install-plan?source=npm&name=undici&version=8.3.0"
Account & key management
These endpoints use the session cookie set by the email-OTP login (not the x-nipcode-api-key header). Sign in at nipcode.xyz first.
GET /api/keys
List active keys for the signed-in account. Returns key value masked (nip_8chars…last4). Pass ?project=<name> to filter.
POST /api/keys
Body: {"label": "production-cli", "project": "production"}. project is normalized to lowercase slug (a-z, 0-9, -, _, max 30 chars), defaults to default. Returns the new key in plaintext. Copy now, you won't see it unmasked again.
Hard limit: 25 active keys per account across all projects. Revoke unused keys first if you hit it.
DELETE /api/keys?id=<uuid>
Soft-revoke: sets revoked_at = now(). The key stops working immediately on subsequent requests.
GET /api/projects
Aggregate view of all your project namespaces: name, key_count, latest_created_at, latest_used_at. default always appears, even if empty. Projects are organizational only; keys in any project have identical permissions and the same rate limit.
Errors
| HTTP | Code | Meaning |
|---|---|---|
| 400 | missing parameter | Required parameter missing |
| 401 | missing_api_key / invalid_api_key | Send key in x-nipcode-api-key |
| 429 | rate_limit_exceeded | 60 req/min/key; retry after window |
| 502 | upstream search failed | Source registry temporarily down |
| 503 | supabase_not_configured | Server-side env missing |
