# API overview

## Conventions

- JSON payloads use camelCase and RFC 7807 for problem details.
- Streaming endpoints support SSE or NDJSON.
- Timestamps are UTC ISO 8601.

## Major API groups

- Scanner: scan submission, status, SBOM retrieval, diffs, reports.
- Policy: policy import/export, validation, preview, and simulation.
- Scheduler: schedules, runs, and impact selection.
- Notify: rules, channels, deliveries, and test sends.
- VEX and consensus: consensus evaluation and exports.
- Signals: reachability, runtime facts, unknowns.
- Export Center: export runs and offline bundles.
- Authority: token issuance and administrative endpoints.

## Contracts and schemas

- OpenAPI specs live under docs/api/.
- JSON schemas live under docs/schemas/ and docs/contracts/.