OWASP Nest exposes two APIs from the backend:

REST API v0

Public API for programmatic integrations and client SDK generation. Built with Django Ninja.

GraphQL API

Internal API used by the Next.js frontend. Built with Strawberry GraphQL.

REST API

Property            Value
Base URL            /api/v0/
Framework           Django Ninja
OpenAPI schema      /api/v0/openapi.json
Interactive docs    /api/v0/docs
Authentication      API key (X-API-Key header)
Rate limit          10 requests/second per key
The auto-generated OpenAPI schema is used to produce official client SDKs in multiple languages.

Go SDK

github.com/owasp/nest-sdk

Python SDK

owasp-nest-sdk on PyPI

TypeScript SDK

@owasp/nest-sdk on npm

GraphQL API

Property            Value
Endpoint            /graphql/
Framework           Strawberry GraphQL
Playground          /graphql/ (development only)
Authentication      Session cookie (frontend)
Introspection       Disabled in production

Authentication

REST API key

REST API requests must include a valid API key. Pass your key using the X-API-Key header:
curl https://nest.owasp.org/api/v0/projects/ \
  -H "X-API-Key: your-api-key"
In Local and E2e environments, authentication is disabled so you can call the API without a key.
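The following client is an added example and not part of the OWASP Nest code base or its published SDKs. It sends the X-API-Key header exactly as in the curl call above, paces requests client-side to the documented limit of 10 requests/second per key, and retries when the server answers 429. The base URL is the one shown above; reading a Retry-After header on 429 responses and the injectable transport/clock hooks are assumptions made so the behaviour can be exercised offline.

```python
"""Added example (not OWASP Nest project code): a minimal REST client that
authenticates with X-API-Key and stays under 10 requests/second per key.
Assumptions: the server may send Retry-After on 429; transport/clock/sleep
are injectable so the pacing logic can be tested without network access."""
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://nest.owasp.org/api/v0/"
RATE_LIMIT_PER_SECOND = 10  # documented limit per API key


def urllib_transport(url, headers):
    """Default transport: GET the URL, return (status, body, response headers)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read(), dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, err.read(), dict(err.headers)


class NestClient:
    def __init__(self, api_key, transport=urllib_transport,
                 clock=time.monotonic, sleep=time.sleep):
        # Local/E2e environments skip auth; everywhere else a key is mandatory.
        if not api_key:
            raise ValueError("an API key is required outside Local/E2e environments")
        self.api_key = api_key
        self.transport = transport
        self.clock = clock
        self.sleep = sleep
        self._sent = []  # send times within the last second (sliding window)

    def _pace(self):
        """Block until another request fits in the 1-second window."""
        now = self.clock()
        window = [t for t in self._sent if now - t < 1.0]
        if len(window) >= RATE_LIMIT_PER_SECOND:
            self.sleep(1.0 - (now - window[0]))  # wait for the oldest to expire
            now = self.clock()
            window = [t for t in window if now - t < 1.0]
        window.append(now)
        self._sent = window

    def get(self, path, max_retries=3):
        url = BASE_URL + path.lstrip("/")
        headers = {"X-API-Key": self.api_key, "Accept": "application/json"}
        for attempt in range(max_retries + 1):
            self._pace()
            status, body, resp_headers = self.transport(url, headers)
            hdrs = {k.lower(): v for k, v in resp_headers.items()}
            if status == 429 and attempt < max_retries:
                # Server-side limit hit: honour Retry-After if present (assumed), else 1s.
                self.sleep(float(hdrs.get("retry-after", 1)))
                continue
            if status == 401:
                raise PermissionError("API key rejected (401)")
            if status != 200:
                raise RuntimeError(f"unexpected status {status} for {url}")
            return json.loads(body)
        raise RuntimeError("still rate limited after retries")


if __name__ == "__main__":
    import os
    client = NestClient(os.environ.get("NEST_API_KEY", ""))
    print(client.get("projects/"))
```

The key is read from an environment variable rather than hard-coded so it does not end up in shell history or source control; the pacing is a sliding window rather than a fixed sleep so bursts of fewer than 10 requests are not slowed down.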

GraphQL (frontend)

The GraphQL API uses Django session authentication: the Next.js frontend sends each request with the session cookie established at login. Outside the frontend, the API can be exercised directly only in development, where the GraphiQL playground is served at /graphql/; in production the playground is not served and introspection is disabled.

SDK compatibility requirements

When contributing to the REST API, follow these rules to avoid breaking SDK generation:
  • Each endpoint must have a unique operationId in the OpenAPI schema. Duplicate operationIds cause method name conflicts in generated SDKs.
  • The authentication class in apps/api/rest/v0/__init__.py must remain named ApiKey. The api_key parameter name in SDKs is derived from this class name. Do not rename it.
See REST API for the full endpoint reference.
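The lint below is an added example, not a tool shipped with OWASP Nest, for checking a generated OpenAPI document against the two rules above before an SDK build. It reports missing or duplicate operationIds and verifies that the API-key security scheme is present under the expected name. The sample schema is constructed here for illustration; point the script at the real /api/v0/openapi.json to check the live schema. That the ApiKey auth class name surfaces in the schema as a security scheme named ApiKey (type apiKey, in header, name X-API-Key) is an assumption.

```python
"""Added example (not OWASP Nest project code): lint an OpenAPI document for
the SDK-breaking conditions described above. Assumption: the Django Ninja auth
class ApiKey appears as components.securitySchemes.ApiKey in the schema."""
import json
import sys
from collections import defaultdict

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
EXPECTED_SCHEME = "ApiKey"  # must match the class in apps/api/rest/v0/__init__.py
EXPECTED_SCHEME_SHAPE = ("apiKey", "header", "X-API-Key")

# Constructed sample schema: the third operation reuses "list_projects" by mistake.
SAMPLE_SCHEMA = {
    "openapi": "3.1.0",
    "paths": {
        "/api/v0/projects/": {"get": {"operationId": "list_projects"}},
        "/api/v0/projects/{key}/": {"get": {"operationId": "get_project"}},
        "/api/v0/chapters/": {"get": {"operationId": "list_projects"}},
    },
    "components": {
        "securitySchemes": {
            "ApiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}
        }
    },
}


def lint_schema(schema):
    """Return a list of human-readable problems; an empty list means SDK-safe."""
    problems = []
    by_id = defaultdict(list)
    for path, item in schema.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue  # skip "parameters", "summary" and other non-operation keys
            where = f"{method.upper()} {path}"
            op_id = op.get("operationId")
            if not op_id:
                problems.append(f"missing operationId: {where}")
            else:
                by_id[op_id].append(where)
    for op_id, ops in sorted(by_id.items()):
        if len(ops) > 1:
            problems.append(f"duplicate operationId {op_id!r}: {', '.join(ops)}")

    schemes = schema.get("components", {}).get("securitySchemes", {})
    scheme = schemes.get(EXPECTED_SCHEME)
    if scheme is None:
        problems.append(
            f"security scheme {EXPECTED_SCHEME!r} not found "
            f"(auth class renamed? present: {sorted(schemes)})"
        )
    else:
        shape = (scheme.get("type"), scheme.get("in"), scheme.get("name"))
        if shape != EXPECTED_SCHEME_SHAPE:
            problems.append(f"security scheme {EXPECTED_SCHEME!r} has shape {shape}, "
                            f"expected {EXPECTED_SCHEME_SHAPE}")
    return problems


if __name__ == "__main__":
    # Usage: python lint_openapi.py openapi.json   (no argument: lint the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            schema = json.load(fh)
    else:
        schema = SAMPLE_SCHEMA
    found = lint_schema(schema)
    for problem in found:
        print(problem)
    sys.exit(1 if found else 0)
```

Run it in CI after the schema is regenerated and fail the build on a non-zero exit; a duplicate operationId is the kind of mistake that only shows up later as a silently overwritten method in a generated SDK.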
