Documentation
API & CLI Docs
Scan your AI agent system prompts from the terminal, CI pipelines, or directly via API.
API Reference
Base URL: https://breakmyagent.ai/api/v1
Authentication
All requests require a Bearer token. Get your API key from the dashboard.
Authorization: Bearer bma_your_api_key_herePOST /api/v1/scan
Scan a system prompt for vulnerabilities.
Request
curl -X POST https://breakmyagent.ai/api/v1/scan \
-H "Content-Type: application/json" \
-H "Authorization: Bearer bma_your_key" \
-d '{
"prompt": "You are a helpful assistant...",
"attacks": ["missing-identity", "no-injection-defense"]
}'Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| prompt | string | Yes | System prompt to scan (10-50,000 chars) |
| attacks | string[] | No | Filter to specific attack IDs |
Response
{
"trustScore": 42,
"grade": "F",
"label": "Weak",
"vulnerabilities": [
{
"id": "missing-identity",
"name": "No Identity Anchoring",
"severity": "high",
"category": "Identity",
"description": "The system prompt does not establish...",
"passed": false
}
],
"passed": false,
"summary": "Trust Score: 42/100 (Weak). 7 vulnerabilities found.",
"usage": {
"plan": "pro",
"scansUsedToday": 3,
"scansUsedMonth": 15
}
}Error Responses
| Status | Description |
|---|---|
| 401 | Missing or invalid API key |
| 400 | Invalid request body |
| 429 | Rate limit or scan quota exceeded |
| 403 | User profile not found |
GET /api/v1/scan
Health check. No auth required.
{
"status": "ok",
"version": "v1",
"docs": "https://breakmyagent.ai/docs"
}CLI
Authentication
# Interactive login
breakmyagent auth login
# Non-interactive
breakmyagent auth login --key bma_your_key_here
# Check status
breakmyagent auth statusKey is saved to ~/.breakmyagent/config.json. Set BREAKMYAGENT_API_KEY env var as an alternative (takes precedence).
Scanning
# Scan inline prompt
breakmyagent scan --prompt "You are a helpful assistant..."
# Scan from file
breakmyagent scan --file ./system-prompt.txt
# Scan agent config (CLAUDE.md, .cursorrules, etc)
breakmyagent scan --config ./CLAUDE.md
# JSON output
breakmyagent scan --file ./prompt.txt --format json
# SARIF output for CI
breakmyagent scan --file ./prompt.txt --format sarif > results.sarif
# Custom threshold
breakmyagent scan --file ./prompt.txt --threshold 80Exit Codes
| Code | Meaning |
|---|---|
| 0 | Pass (score >= threshold) |
| 1 | Fail (score < threshold) |
| 2 | Error (auth, network, bad input) |
GitHub Action
Basic Setup
name: AI Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: Full-Vibe/breakmyagent@v1
id: security
with:
api-key: ${{ secrets.BREAKMYAGENT_API_KEY }}
prompt-file: ./system-prompt.txt
threshold: 70
# Upload to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: ${{ steps.security.outputs.sarif }}Inputs
| Input | Required | Default | Description |
|---|---|---|---|
| api-key | Yes | API key | |
| prompt | No* | Inline prompt text | |
| prompt-file | No* | Path to prompt file | |
| threshold | No | 70 | Minimum passing score |
| format | No | sarif | Output format |
* Either prompt or prompt-file is required.
Outputs
| Output | Description |
|---|---|
| score | Trust score (0-100) |
| grade | Grade (A-F) |
| passed | true/false |
| sarif | Path to SARIF results file |
Badges
Static Badge
Embed a trust score badge in your README:
Preview:
Green >= 80, Yellow >= 60, Red < 60
Dynamic Badge
Shows your most recent scan score. Updates automatically.
Note: This exposes your API key in the URL. Use a read-only key if you create one for this purpose.
Rate Limits & Pricing
| Plan | Price | API Scans | Features |
|---|---|---|---|
| Free | $0 | 5/day | Web scanner, attack database |
| Pro | $19/mo | 50/month | CLI, GitHub Action, API access, scan history |
| Lifetime | $199 | Unlimited | Everything, forever |
All plans have a 5-second cooldown between API requests. View pricing.
Questions? hello@breakmyagent.ai