API for MythX (v1.3)

Download OpenAPI specification:Download

MythX is a security analysis API for Ethereum smart contracts. It powers tools that bring security into the smart contract SDLC.

Join the MythX community at MythX Discord for more information.

This document describes the API interface to MythX. It is entended for Dapp developers who wish to bring the power MythX to their Dapps.

Contents:

Note that the interface is still evolving.

Authentication

JWT

HTTP requests to protected API endpoints must be signed by JWT access token. Use POST /auth/login to generate JWT access and refresh tokens, POST /auth/refresh to refresh the tokens, and POST /auth/logout to close the session. The access token must be passed in the header format Authorization: Bearer <access token>.

Security scheme type: HTTP
HTTP Authorization Scheme Bearer

MetaMask

Authentication scheme for MetaMask.

  • Get authentication challenge with GET /auth/challenge;
  • Sign it with MetaMask;
  • Pass the signed message via the Authorization HTTP header of the next request to a protected API endpoint. The header value must follow the format MetaMask <SIGNED MESSAGE>.
Security scheme type: HTTP
HTTP Authorization Scheme Digest

Authentication

Auth challenge

Generates authentication challenge.

At least one of query parameters must be provided, and it will determine the type of challenge to generate. Currently, only challenges based on Ethereum address of the user are supported, for MetaMask authentication scheme. Additional challenge types might be added in future.

Challenge Types

  • Challenge based on Ethereum address. Generated when ethAddress query parameter is provided.
query Parameters
ethAddress
string <Ethereum address>

A valid Ethereum address.

type
string
Default: "one_time"
Enum:"one_time" "short_lived"

Type of the challenge to generate.

  • one_time allows just a single use of challenge response for authentication of a subsequent API call, within 24 hours after generation of the challenge. After the first use the challenge is revoked. It is also revoked if not used within the 24 hours.

  • short_lived allows to use the challenge response unlimited number of times within 10 minutes after the challenge generation.

Responses

200

Returns two objects describing the banner to be shown in the MetaMask dialog and the challenge hash.

400

Bad Request — Probably an ill-formed request. See error message for details.

401

Unauthorized — Probably an empty or invalid authorization header sent with the request.

404

Not Found — A non-existing endpoint hit.

429

Too many requests — You have either reached the API usage limit allowed to your user and subscription types or the maximum request allowed per client and second.

500

Internal server error — An unexpected error happened at the server side when trying to fulfil your request.

get /auth/challenge
https://api.mythx.io/v1/auth/challenge

Response samples

application/json
Copy
Expand all Collapse all
[
  • {
    },
  • {
    }
]

API login

Generates a pair of access and refresh JWT tokens for JWT authentication scheme.

Supports the following modes of operation:

  • MetaMask login - use MetaMask authentication to get JWT tokens. Does not require any body parameters.

  • User credentials login - provide a pair of user credentials in the request body (ethAddress + password).

Authorizations:
Request Body schema: application/json
One of
  • Login with MetaMask
  • Login with User Credentials
Empty (Login with MetaMask)

Responses

200

Login successful

400

Bad Request — Probably an ill-formed request. See error message for details.

401

Unauthorized — Probably an empty or invalid authorization header sent with the request.

404

Not Found — A non-existing endpoint hit.

429

Too many requests — You have either reached the API usage limit allowed to your user and subscription types or the maximum request allowed per client and second.

500

Internal server error — An unexpected error happened at the server side when trying to fulfil your request.

post /auth/login
https://api.mythx.io/v1/auth/login

Request samples

application/json
Copy
Expand all Collapse all
null

Response samples

application/json
Copy
Expand all Collapse all
{
  • "jwtTokens":
    {
    },
  • "access": "string",
  • "refresh": "string"
}

API logout

Closes the current API session, revoking JWT access token that signs this request, and the corresponding refresh token. Optional global parameter allows to close all user's sessions.

Authorizations:
Request Body schema: application/json
global
boolean
Default: false

If true all JWT tokens associated with the user will be revoked.

Responses

200

Logged out successfully

400

Bad Request — Probably an ill-formed request. See error message for details.

401

Unauthorized — Probably an empty or invalid authorization header sent with the request.

404

Not Found — A non-existing endpoint hit.

429

Too many requests — You have either reached the API usage limit allowed to your user and subscription types or the maximum request allowed per client and second.

500

Internal server error — An unexpected error happened at the server side when trying to fulfil your request.

post /auth/logout
https://api.mythx.io/v1/auth/logout

Request samples

application/json
Copy
Expand all Collapse all
{
  • "global": false
}

Response samples

application/json
Copy
Expand all Collapse all
{ }

Refresh Auth Tokens

Generates a new pair of JWT authentication tokens (access and refresh), and revokes the current one.

Request Body schema: application/json
jwtTokens
object (JWT Tokens)

Holds a pair of JWT authentication tokens.

accessToken
string
Deprecated

JWT access token.

refreshToken
string
Deprecated

JWT refresh token.

Responses

200

Tokens refreshed successfully

400

Bad Request — Probably an ill-formed request. See error message for details.

401

Unauthorized — Probably an empty or invalid authorization header sent with the request.

404

Not Found — A non-existing endpoint hit.

429

Too many requests — You have either reached the API usage limit allowed to your user and subscription types or the maximum request allowed per client and second.

500

Internal server error — An unexpected error happened at the server side when trying to fulfil your request.

post /auth/refresh
https://api.mythx.io/v1/auth/refresh

Request samples

application/json
Copy
Expand all Collapse all
{
  • "jwtTokens":
    {
    },
  • "accessToken": "string",
  • "refreshToken": "string"
}

Response samples

application/json
Copy
Expand all Collapse all
{
  • "jwtTokens":
    {
    },
  • "access": "string",
  • "refresh": "string"
}

Analyses

List of analyses

Lists analyses visible to the user, at most 20 records a time, sorted by submission time from the most recent to the oldest ones. Use offset query parameter for results pagination. Use dateFrom and dateTo query parameters to filter by analysis submission timestamps.

Dates are specified using ann ISO 8601 Date string

Example Date Strings

  • 2018-11-20,
  • 2018-11-20T23:13:12,
  • 2018-11-20T23:13:12+00:00
  • 2018-11-20T23:13:12.177Z
Authorizations:
query Parameters
offset
integer <int32>
Default: 0

Pagination offset. Number of records to skip.

dateFrom
string <date-time>
Default: null

Submission time filter. Restricts results to analyses submitted after this time.

dateTo
string <date-time>
Default: null

Submission time filter. Restricts results to analyses submitted before this time.

Responses

200

Success

400

Bad Request — Likely invalid schema in analysis-request. See error message for details.

401

Unauthorized — Probably an empty or invalid authorization header sent with the request.

429

Too many requests — You have either reached the API usage limit allowed to your user and subscription types or the maximum request allowed per client and second.

500

Internal server error — An unexpected error happened at the server side when trying to fulfil your request.

get /analyses
https://api.mythx.io/v1/analyses

Response samples

application/json
Copy
Expand all Collapse all
{
  • "total": 2,
  • "analyses":
    [
    ]
}

Submit Smart Contract for analysis

Submits Solidity contract(s) for vulnerability analysis and returns created analysis record. It is possible to conduct a partial analysis on a contract by only submitting its creation bytecode or its source code in their respective schema fields. Fill out both fields to conduct a complete analysis. The uuid field of the response should be used in subsequent calls to:

check analysis status, metadata, and the list of detected issues.

In addition to the JSON fields listed below, we allow additional fields. For example, truffle artfics will have an additional abi attribute.

The request format is equivalent to the output of:

$ solc --pretty-json --combined-json ast,bin,bin-runtime,srcmap,srcmap-runtime

with the exception of the following field name changes which follow Truffe conventions:

  • binbytecode
  • bin-runtimedeployedBytecode
  • srcmapsourceMap
  • srcmap-runtimedeployedSourceMap
Authorizations:
Request Body schema: application/json
One of
  • Complete analysis
  • Request with only bytecode
  • Request with only source code
clientToolName
string

Optional. Name of the client tool sending the request.

noCacheLookup
boolean

Optional. If true API will not look into the cache of past analyses, and always will run a new analysis for this request. Note that using the cache has no side effect beside saving the runtime, thus this option MUST NOT be used in any case beside API testing (e.g. to benchmark current queue time for a previously done analysis).

data
required
object

Responses

200

Analysis request received. Check the status field for request status. It can be one of:

  • Queued: The analysis request is in a backlog queue of analysis requests to be processed.
  • Finished: Analysis has finished. This can happen if the analysis is exactly the same as a prior run, so results come the cached reports. Using the uuid field in the response, issue a request to the get the issue results using another call to get Analysis results.
400

Bad Request — Probably an ill-formed request. See error message for details.

401

Unauthorized — Probably an empty or invalid authorization header sent with the request.

404

Not Found — A non-existing endpoint hit.

413

JSON data sent too large — Your request's body was larger than the maximum 5MB limit allowed by the server. Try to split your request into serveral ones.

429

Too many requests — You have either reached the API usage limit allowed to your user and subscription types or the maximum request allowed per client and second.

500

Internal server error — An unexpected error happened at the server side when trying to fulfil your request.

post /analyses
https://api.mythx.io/v1/analyses

Request samples

application/json
Copy
Expand all Collapse all
{
  • "bytecode": "0x6080604052602060405190810160405280600060010260001916600019168152506000906001610030929190610043565b5034801561003d57600080fd5b506100bb565b828054828255906000526020600020908101928215610085579160200282015b82811115610084578251829060001916905591602001919060010190610063565b5b5090506100929190610096565b5090565b6100b891905b808211156100b457600081600090555060010161009c565b5090565b90565b60d8806100c96000396000f300608060405260043610603f576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff168063017a9105146044575b600080fd5b348015604f57600080fd5b50606c60048036038101908080359060200190929190505050608a565b60405180826000191660001916815260200191505060405180910390f35b600081815481101515609857fe5b9060005260206000200160009150905054815600a165627a7a72305820d1c4ab8874b5f3cc139613c225a5908ed916e813f5ccdf9a9de97ce28420ca090029",
  • "sources":
    {
    }
}

Response samples

application/json
Copy
Expand all Collapse all
{
  • "apiVersion": "v1.3.0",
  • "harveyVersion": "v0.1.0",
  • "maestroVersion": "v1.1.4",
  • "maruVersion": "v0.2.0",
  • "mythrilVersion": "0.19.11",
  • "queueTime": 0,
  • "status": "Queued",
  • "submittedAt": "2019-01-10T01:29:38.410Z",
  • "submittedBy": "000008544b0aa00010a91111",
  • "uuid": "0680a1e2-b908-4c9a-a15b-636ef9b61486"
}

Get analysis status

Gets status and metadata of for a prior submit Smart Contract analysis request. In the submission, a uuid was returned, which should be used in the url for this request. When analysis status is Finished, GET /analyses/{uuid}/issues may be used to list detected vulnerabilities.

Authorizations:
path Parameters
uuid
required
string <uuid>

analysis id

Responses

200

Analysis status request processed. Check the status field for request status. It can be one of:

  • Queued: The analysis request is in a backlog queue of analysis requests to be processed.
  • Running: The analysis request is currently running MythX analysis.
  • Error: There was some error that terminated analysis processing. Check the error field for details about the problem.
  • Finished: Analysis has finished. Using the uuid field in the response issue a request to the get the issue results using another call to get Analysis results.
400

Bad Request — Probably an ill-formed request. See error message for details.

401

Unauthorized — Probably an empty or invalid authorization header sent with the request.

404

Not Found — A non-existing endpoint hit.

429

Too many requests — You have either reached the API usage limit allowed to your user and subscription types or the maximum request allowed per client and second.

500

Internal server error — An unexpected error happened at the server side when trying to fulfil your request.

get /analyses/{uuid}
https://api.mythx.io/v1/analyses/{uuid}

Response samples

application/json
Copy
Expand all Collapse all
{
  • "apiVersion": "string",
  • "error": "string",
  • "harveyVersion": "string",
  • "maestroVersion": "string",
  • "maruVersion": "string",
  • "mythrilVersion": "string",
  • "queueTime": 0,
  • "runTime": 0,
  • "status": "Queued",
  • "submittedAt": "2019-05-03T13:05:18Z",
  • "submittedBy": "string",
  • "uuid": "string"
}

Detected issues

Lists issues detected during the analysis specified by UUID. Request will fail for unfinished analyses, use GET /analyses/{uuid} to verify the current analysis status.

Authorizations:
path Parameters
uuid
required
string <uuid>

analysis id

Responses

200

Success

400

Bad Request — Probably an ill-formed request. See error message for details.

401

Unauthorized — Probably an empty or invalid authorization header sent with the request.

404

Not Found — A non-existing endpoint hit.

429

Too many requests — You have either reached the API usage limit allowed to your user and subscription types or the maximum request allowed per client and second.

500

Internal server error — An unexpected error happened at the server side when trying to fulfil your request.

get /analyses/{uuid}/issues
https://api.mythx.io/v1/analyses/{uuid}/issues

Response samples

application/json
Copy
Expand all Collapse all
[
  • {
    }
]

Miscellaneous

OpenAPI specs (HTML)

Gets OpenAPI specification of Mythril API, in HTML format.

Responses

200

Success

404

Not Found — A non-existing endpoint hit.

429

Too many requests — You have either reached the API usage limit allowed to your user and subscription types or the maximum request allowed per client and second.

500

Internal server error — An unexpected error happened at the server side when trying to fulfil your request.

get /openapi
https://api.mythx.io/v1/openapi

Response samples

application/html
Copy
HTML document with OpenAPI specification for Mythril API

OpenAPI specs (YAML)

Gets OpenAPI specification of Mythril API, in YAML format.

Responses

200

Success

404

Not Found — A non-existing endpoint hit.

429

Too many requests — You have either reached the API usage limit allowed to your user and subscription types or the maximum request allowed per client and second.

500

Internal server error — An unexpected error happened at the server side when trying to fulfil your request.

get /openapi.yaml
https://api.mythx.io/v1/openapi.yaml

Response samples

application/yaml
Copy
YAML document with OpenAPI specification for Mythril API

API version

Gets current versions of Mythril API and its core sub-modules.

Responses

200

Success

429

Too many requests — You have either reached the API usage limit allowed to your user and subscription types or the maximum request allowed per client and second.

get /version
https://api.mythx.io/v1/version

Response samples

application/json
Copy
Expand all Collapse all
{
  • "api": "v1.2.5",
  • "hash": "c0d8ccbf9ba2623cc147da2860f20093",
  • "harvey": "v0.1.0",
  • "maestro": "1.1.4",
  • "maru": "0.1.0",
  • "mythril": "v1.2.3"
}