GET /api/scans/{id}/threat-model

Example request

curl -X GET "https://api.heimdall.dev/api/scans/550e8400-e29b-41d4-a716-446655440000/threat-model" \
  -H "Authorization: Bearer YOUR_API_TOKEN"

Example response
{
  "success": true,
  "data": {
    "id": "8a9b0c1d-2e3f-4a5b-6c7d-8e9f0a1b2c3d",
    "scan_id": "550e8400-e29b-41d4-a716-446655440000",
    "repo_id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "summary": "Web application with REST API, PostgreSQL database, and OAuth2 authentication. Critical attack surfaces include user authentication, file uploads, and database queries.",
    "boundaries_json": {
      "internal": [
        "Database connection pool",
        "Internal service mesh"
      ],
      "external": [
        "OAuth2 providers (GitHub, Google)",
        "S3 storage for file uploads",
        "Email service (SendGrid)"
      ],
      "user_facing": [
        "REST API endpoints",
        "WebSocket connections"
      ]
    },
    "surfaces_json": {
      "api_endpoints": [
        {
          "path": "/api/auth/login",
          "method": "POST",
          "authentication": "none",
          "risk": "high"
        },
        {
          "path": "/api/files/upload",
          "method": "POST",
          "authentication": "required",
          "risk": "medium"
        }
      ],
      "authentication": [
        "JWT tokens",
        "OAuth2 integration",
        "Session cookies"
      ]
    },
    "data_flows_json": {
      "flows": [
        {
          "source": "User input",
          "destination": "Database",
          "data_type": "Credentials",
          "encryption": "in_transit",
          "validation": "required"
        }
      ],
      "sensitive_data": [
        "Passwords (hashed)",
        "API tokens",
        "User PII"
      ],
      "data_stores": [
        "PostgreSQL database (encrypted at rest)",
        "S3 buckets (server-side encryption)"
      ]
    },
    "model_version": 2,
    "edited_by": null,
    "created_at": "2026-03-12T10:02:15Z",
    "updated_at": "2026-03-12T10:02:15Z"
  }
}

Path Parameters

id (string, required): The unique identifier (UUID) of the scan

Response

Returns a threat model object containing security boundaries, attack surfaces, and data flows:
id (string): Unique identifier (UUID) of the threat model
scan_id (string): ID of the scan this threat model belongs to
repo_id (string): ID of the repository that was scanned
summary (string): High-level summary of the application's security posture
boundaries_json (object): Trust boundaries and security zones within the application
surfaces_json (object): Attack surfaces and entry points
data_flows_json (object): Data flow diagrams showing how sensitive data moves through the system
model_version (integer): Version number of the threat modeling algorithm used
edited_by (string or null): ID of the user who last manually edited the threat model; null when the model has not been edited by a user (as in the example above)
created_at (string): ISO 8601 timestamp of when the threat model was created
updated_at (string): ISO 8601 timestamp of when the threat model was last updated