API Quickstart

This guide walks you through the complete SaaS onboarding flow: creating an account, getting your API key, running your first scan, polling for status, viewing results, exporting reports, and checking your usage — all via the NAT REST API.

If you prefer the CLI, see the Quickstart guide. This page covers the API-first / SaaS flow.

Base URL

https://api.nat-testing.io/api/v1

All examples below use this base URL. Replace nat_pk_your_api_key_here with your actual API key wherever it appears.

Sign up for free

Navigate to app.nat-testing.io/signup (opens in a new tab) to create your account. The Free plan is available immediately — no credit card required.

Once your account is created, NAT provisions your tenant and you can grab your API key right away.

Need higher quotas or security scans? See Pricing & Plans for a full plan comparison. You can upgrade at any time from the dashboard.

Get your API key

Your API key (nat_pk_...) is available in two places:

Dashboard — log in at app.nat-testing.io/dashboard (opens in a new tab) and go to Settings → API Keys
sync-tenant response — if you provisioned your tenant via the sync-tenant endpoint, the key is included in the response body

⚠️

Store your API key securely. Treat it like a password — do not commit it to source control. Use environment variables or a secrets manager.

Export it for use in all examples below:

export NAT_API_KEY="nat_pk_your_api_key_here"

Start your first scan

Send a POST /api/v1/scan request with the target URL. The X-API-Key header authenticates you and automatically identifies your tenant.

curl -X POST https://api.nat-testing.io/api/v1/scan \
  -H "X-API-Key: $NAT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://api.example.com",
    "spec_url": "https://api.example.com/openapi.json",
    "options": {
      "concurrency": 5,
      "timeout": 30
    }
  }'

Response 202 Accepted:

{
  "scan_id": "scan_abc123xyz",
  "status": "running",
  "created_at": "2025-01-15T10:30:00Z"
}

Save the scan_id — you will need it for the next steps.

Poll for scan status

Use GET /api/v1/scan/{id} to check whether the scan is still running. Poll until status is completed, failed, or cancelled.

SCAN_ID="scan_abc123xyz"
 
while true; do
  STATUS=$(curl -s "https://api.nat-testing.io/api/v1/scan/$SCAN_ID" \
    -H "X-API-Key: $NAT_API_KEY" | jq -r '.status')
  echo "Status: $STATUS"
  case "$STATUS" in
    completed|failed|cancelled) break ;;
    *) sleep 5 ;;
  esac
done

Example status response:

{
  "scan_id": "scan_abc123xyz",
  "status": "completed",
  "created_at": "2025-01-15T10:30:00Z",
  "updated_at": "2025-01-15T10:31:30Z"
}

Fetch results

Once the scan is completed, call GET /api/v1/scan/{id}/results to retrieve the full results object.

curl https://api.nat-testing.io/api/v1/scan/$SCAN_ID/results \
  -H "X-API-Key: $NAT_API_KEY"

Example completed response:

{
  "status": "completed",
  "passed": 10,
  "failed": 2,
  "total": 12,
  "elapsed_seconds": 45.32,
  "agent_count": 3,
  "tasks": [...],
  "accessibility": {
    "pages_scanned": 12,
    "violations": [...],
    "compliance_score": 87.5
  },
  "performance": {
    "pages_tested": 12,
    "metrics": [...],
    "performance_score": 72.1
  },
  "visual_regression": {
    "comparisons": [...],
    "diffs_detected": 1
  }
}

Export results

Download a formatted report using GET /api/v1/scan/{id}/export. Supported formats: html, json, csv.

# HTML report
curl "https://api.nat-testing.io/api/v1/scan/$SCAN_ID/export?format=html" \
  -H "X-API-Key: $NAT_API_KEY" \
  -o report.html
 
# CSV export
curl "https://api.nat-testing.io/api/v1/scan/$SCAN_ID/export?format=csv" \
  -H "X-API-Key: $NAT_API_KEY" \
  -o results.csv

Check your usage

Monitor how many scans you have used this billing period with GET /api/v1/usage.

curl https://api.nat-testing.io/api/v1/usage \
  -H "X-API-Key: $NAT_API_KEY"

{
  "plan": "pro",
  "scans_used": 47,
  "scans_limit": 500,
  "security_scan_count": 8,
  "monthly_security_scan_quota": 100,
  "approaching_limit": false,
  "quota_reset_date": "2025-02-01T00:00:00Z"
}

When approaching_limit is true, you are within 20% of your monthly quota. Consider upgrading your plan or waiting for the reset date.

Upgrade your plan

If you need higher quotas or additional features (security scans, webhooks, more API specs), upgrade from the dashboard (opens in a new tab) under Settings → Billing, or via the API:

curl -X POST https://api.nat-testing.io/api/v1/billing/checkout \
  -H "X-API-Key: $NAT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "plan": "pro",
    "success_url": "https://app.nat-testing.io/dashboard?upgraded=true",
    "cancel_url": "https://app.nat-testing.io/dashboard"
  }'

The response contains a checkout_url to redirect your user through the Stripe checkout flow. See Pricing & Plans for a full plan comparison.

Rate limits

Each plan includes a per-minute request rate limit. When you exceed it, the API returns 429 Too Many Requests with a Retry-After header.

Rate limits by plan:

Plan	Requests / minute
Free	10
Pro	60
Team	200
Enterprise	1,000

Check the X-RateLimit-Remaining response header to monitor your remaining capacity, and honour the Retry-After header value (in seconds) when you receive a 429.

Common errors & troubleshooting

Status	Code	Meaning	Fix
`401 Unauthorized`	`UNAUTHORIZED`	Missing or invalid API key	Ensure `X-API-Key` header is set and the key starts with `nat_pk_`
`402 Payment Required`	`QUOTA_EXCEEDED`	Monthly scan quota exhausted	Upgrade your plan or wait for `quota_reset_date`
`429 Too Many Requests`	`RATE_LIMITED`	API request rate limit exceeded	Back off and retry after the `Retry-After` header value (seconds)
`503 Service Unavailable`	`STRIPE_NOT_CONFIGURED`	Stripe not set up (self-hosted only)	Set `STRIPE_SECRET_KEY` and `STRIPE_WEBHOOK_SECRET` env vars

⚠️

401 Unauthorized — Always use the X-API-Key header (not Authorization: Bearer). Your key must start with nat_pk_. Verify it in the dashboard under Settings → API Keys.

⚠️

402 Payment Required — Quota is exhausted for this billing period. Either upgrade your plan (opens in a new tab) or wait for quota_reset_date. The response body includes the exact reset timestamp.

⚠️

429 Too Many Requests — You have exceeded your plan's request rate limit. Respect the Retry-After header returned in the response. Free plan: 10 req/min; Pro: 60 req/min; Team: 200 req/min; Enterprise: 1,000 req/min.

Next steps

Scan API reference — full request/response schemas for all scan endpoints
OpenAPI / Swagger Reference — interactive docs, spec download, and client generation
Code Examples — copy-paste-ready examples with polling helpers
Billing API reference — manage subscriptions and plans programmatically
Usage & Quotas API — monitor usage and receive alerts
Pricing & Plans — compare plans, quotas, and rate limits
CI/CD Integration — run scans automatically in your pipeline
Your First Scan — CLI-based walkthrough with detailed output explanation

Having trouble? Check the onboarding troubleshooting guide for solutions to common setup issues.

Add functional testing

Security scanning is just one side of NAT. You can also run visual regression, accessibility, and performance tests by passing "mode": "functional" (or "mode": "full" for both security and functional) in the same POST /api/v1/scan request:

curl -X POST https://api.nat-testing.io/api/v1/scan \
  -H "X-API-Key: $NAT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://app.example.com",
    "mode": "functional"
  }'

Ready to run your first functional test? Follow the Functional Testing Quickstart for a step-by-step walkthrough covering visual regression, accessibility, and Core Web Vitals. See the Functional Testing API reference for full endpoint documentation.

Was this helpful?

Setup Wizard Functional Testing Quickstart