stillrunning API Reference

Everything you need to integrate with stillrunning

Authentication

All authenticated endpoints require a Bearer token:

Authorization: Bearer YOUR_TOKEN

Get your token at stillrunning.io/dashboard → Account → API Keys

Agent Endpoints

These endpoints are used by the stillrunning agent running on your machines.

POST /api/status/{subdomain}
Push live status every 30 seconds. Body: {processes: [...], hostname: "..."}
GET /api/threats/rules
Get the current threat blocklist. Returns known-bad packages with severity and source. Agents call this every 60 minutes to stay protected. Supports ETag caching.
POST /api/threats/report
Crowd-report a suspicious package. If 3+ machines report the same package, it's auto-added to the blocklist within minutes.
POST /api/register-machine
Register a machine with the central dashboard. Team tier only. Body: {customer_id, machine_name, os, processes, guard_running}
POST /api/machine-heartbeat
Keep-alive ping for registered machines. Team tier only.
GET /api/validate-token
Validate a token and get tier info. Returns {valid: bool, tier: "...", trial_days_remaining: N}

Threat Intelligence

Live threat data endpoints. Agents automatically sync the blocklist every 60 minutes. New threats deploy to all protected machines within 60 minutes of publication.

GET /api/threats-data
Live threat dashboard stats: intercepts, blocked counts, recent threats, guard status. Used by /threats page.
GET /api/security-threats
Full security advisory feed. Returns all tracked threats with severity, source, IOCs. Supports ETag caching (304 if unchanged).
GET /api/blocklist/{package}?ecosystem={pip|npm}
Look up a single package in the blocklist. Returns {blocked, versions, sources, advisory_ids, reason}.

Get live threat stats

curl https://stillrunning.io/api/threats-data

# Response:
{
  "stats": {
    "intercepted_today": 12,
    "blocked_today": 1,
    "blocked_alltime": 3,
    "threat_feed_updated": "2026-06-11T00:15:00Z"
  },
  "intercepts": [...],
  "threats": [...],
  "guard": {"running": true, "threats_blocked": 3}
}

Get full threat feed

curl https://stillrunning.io/api/security-threats \
  -H "If-None-Match: \"1712970123\""

# Returns 304 if unchanged, or full JSON array of threats
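
A sketch of a client for the conditional request above that keeps the last good feed when the server answers 304 or the sync fails, so a network error never empties the local blocklist. This is an added example, not code from the stillrunning project; the FeedCache class, the fake_opener transport and the sample threat record are constructed for illustration, and the page does not document the feed's field names.

```python
import io
import json
import urllib.error
import urllib.request

FEED_URL = "https://stillrunning.io/api/security-threats"  # endpoint from this page

class FeedCache:
    """Holds the last good feed and its ETag (hypothetical helper)."""
    def __init__(self):
        self.etag = None
        self.threats = []

    def sync(self, opener=urllib.request.urlopen):
        req = urllib.request.Request(FEED_URL)
        if self.etag:
            req.add_header("If-None-Match", self.etag)
        try:
            with opener(req, timeout=10) as resp:
                body = json.load(resp)
                if not isinstance(body, list):   # the page says: a JSON array
                    return "rejected"            # keep the previous feed
                self.threats, self.etag = body, resp.headers.get("ETag")
                return "updated"
        except urllib.error.HTTPError as err:
            # urllib surfaces 304 as an HTTPError; the cached feed stays valid.
            return "unchanged" if err.code == 304 else "error"
        except (urllib.error.URLError, ValueError):
            return "error"                       # network or JSON failure

class FakeResponse(io.BytesIO):
    """Constructed stand-in for an HTTP response, so the example runs offline."""
    def __init__(self, body, etag):
        super().__init__(body)
        self.headers = {"ETag": etag}

def fake_opener(req, timeout=None):
    # Constructed server behaviour: 304 when the client already has this ETag.
    if req.get_header("If-none-match") == '"1712970123"':
        raise urllib.error.HTTPError(req.full_url, 304, "Not Modified", {},
                                     io.BytesIO(b""))
    sample = b'[{"package": "sus-pkg", "severity": "CRITICAL"}]'  # constructed
    return FakeResponse(sample, '"1712970123"')

if __name__ == "__main__":
    cache = FeedCache()
    print(cache.sync(fake_opener), cache.sync(fake_opener), len(cache.threats))
```
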

Dashboard Endpoints

These endpoints are used by the web dashboard and Chrome extension.

GET /api/status/{subdomain}
Get machine status JSON. Returns {processes: [...], last_seen: timestamp, hostname: "..."}
GET /api/audit-log
Query compliance event log. Query params: ?limit=100&offset=0&type=SECURITY. Team tier only.
GET /api/audit-summary
Get audit statistics. Returns {total_events, events_by_type, last_24h}. Team tier only.
GET /api/machines
List all registered machines. Team tier only.
GET /api/alert-config
Get alert channel configuration.
POST /api/alert-config
Update alert channel configuration. Body: {telegram: {enabled, chat_id}, slack: {enabled, webhook_url}, ...}

Example Requests

Push status (agent)

curl -X POST https://stillrunning.io/api/status/yourname \
  -H "Authorization: Bearer sr_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"processes": [{"name": "nginx", "status": "UP", "pid": 1234}], "hostname": "web-1"}'

Get threat rules

curl https://stillrunning.io/api/threats/rules \
  -H "Authorization: Bearer sr_abc123..."

# Response:
{
  "version": "20260412-001",
  "packages": {
    "logutilkit": {"versions": ["==1.0.1"], "severity": "CRITICAL", "source": "CISA", "ecosystem": "pip"},
    "axios": {"versions": ["==0.30.4", "==1.14.1"], "severity": "CRITICAL", "source": "npm-advisory", "ecosystem": "npm"}
  },
  "total_rules": 224540,
  "updated_at": "2026-06-11T05:00:00Z"
}
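
One way to apply the rules response above to a local package inventory, shown as an added example rather than the agent's own code. The function names and the INSTALLED inventory are constructed; normalizing pip names per PEP 503 and reporting any specifier other than "==" for review instead of ignoring it are assumptions, since the page only shows "==" pins.

```python
import json
import re

# Rules document as shown in the "Get threat rules" response on this page.
RULES = json.loads("""{
  "version": "20260412-001",
  "packages": {
    "logutilkit": {"versions": ["==1.0.1"], "severity": "CRITICAL",
                   "source": "CISA", "ecosystem": "pip"},
    "axios": {"versions": ["==0.30.4", "==1.14.1"], "severity": "CRITICAL",
              "source": "npm-advisory", "ecosystem": "npm"}
  }
}""")

# Constructed inventory of (ecosystem, name, installed version).
INSTALLED = [
    ("pip", "LogUtilKit", "1.0.1"),   # differs from the rule only by case
    ("pip", "axios", "1.14.1"),       # same name, wrong ecosystem: no match
    ("npm", "axios", "1.14.1"),
    ("npm", "axios", "1.6.8"),        # listed package, unlisted version
    ("pip", "requests", "2.31.0"),
]

def normalize(name, ecosystem):
    """PEP 503 form for pip names; npm names are compared as given."""
    name = name.strip()
    if ecosystem == "pip":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name

def check_installed(rules, installed):
    """Return (ecosystem, name, version, severity, reason) per rule hit."""
    index = {(rule["ecosystem"], normalize(name, rule["ecosystem"])): rule
             for name, rule in rules["packages"].items()}
    findings = []
    for eco, name, version in installed:
        rule = index.get((eco, normalize(name, eco)))
        if rule is None:
            continue
        for spec in rule["versions"]:
            if not spec.startswith("=="):
                # Assumption: unknown specifier forms are surfaced, not skipped.
                findings.append((eco, name, version, rule["severity"],
                                 "unparsed:" + spec))
            elif spec[2:].strip() == version:
                findings.append((eco, name, version, rule["severity"], "match"))
    return findings

if __name__ == "__main__":
    for finding in check_installed(RULES, INSTALLED):
        print(finding)
```
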

Report threat

curl -X POST https://stillrunning.io/api/threats/report \
  -H "Authorization: Bearer sr_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"package": "sus-pkg", "version": "1.0.0", "hash": "abc...", "trigger": "entropy_check", "machine_id": "web-1"}'

Scanning Endpoints

AI-powered package security analysis. Requires AI tier or higher for full analysis.

POST /api/scan
Server-side AI package security review. Runs Claude Haiku analysis on package source code. Requires AI tier or higher.

Request

curl -X POST https://stillrunning.io/api/scan \
  -H "Content-Type: application/json" \
  -d '{"token": "sr_abc123...", "package": "requests", "ecosystem": "pip"}'

Response

{
  "package": "requests",
  "verdict": "CLEAN",
  "score": 5,
  "reasons": []
}

Verdicts: CLEAN (0-49), SUSPICIOUS (50-79), DANGEROUS (80-100)

POST /api/pip-plugin/scan
Batch package scan for pip plugin. Free tier: 10 cached scans/day per IP. With token: AI scanning based on tier.

Request

curl -X POST https://stillrunning.io/api/pip-plugin/scan \
  -H "Content-Type: application/json" \
  -d '{"packages": [{"name": "requests", "version": "2.31.0"}], "token": "sr_abc123..."}'

Response

{
  "results": [{"name": "requests", "version": "2.31.0", "verdict": "CLEAN", "score": 5}],
  "allow_install": true,
  "message": "All packages passed security check"
}

Rate Limits

Free: 10 package scans/day (per IP)
Personal: 100 package scans/day
Basic: Unlimited package scans
AI: Unlimited package scans + 100 AI scans/day
Enterprise: Unlimited package scans + 10,000 AI scans/day

CLI Commands

Setup wizard

stillrunning --setup

Interactive setup: detects processes, configures monitoring, connects to threat feed.

Health diagnostics

stillrunning --doctor

Runs 6 diagnostic checks: configuration, agent process, token validation, Telegram alerts, disk space, and memory. Use when troubleshooting.

Reconfigure

stillrunning --reconfigure

Change alert method (Telegram/Slack/Email) without full re-setup.

Public Endpoints

These endpoints do not require authentication.

GET /api/check-package?name={name}&ecosystem={ecosystem}&version={version}
Public package security lookup. Returns known threats for a package. Free tier: 10 scans/day per IP.

Check if a package is safe

curl "https://stillrunning.io/api/check-package?name=requests&ecosystem=pip"

# Response (clean):
{
  "package": "requests",
  "version": "latest",
  "ecosystem": "pip",
  "status": "pending",
  "message": "Package not in cache. Check back in 1 minute.",
  "cached": false
}

# Response (cached/scanned):
{
  "package": "requests",
  "version": "2.31.0",
  "ecosystem": "pip",
  "score": 5,
  "verdict": "CLEAN",
  "cached": true
}

curl "https://stillrunning.io/api/check-package?name=axios&ecosystem=npm"

# Response (blocked):
{
  "package": "axios",
  "version": "latest",
  "ecosystem": "npm",
  "verdict": "BLOCKED",
  "reason": "Known malicious — sources: osv-bulk",
  "sources": ["osv-bulk"],
  "advisory_ids": ["MAL-2026-2307"]
}

GET /status
Live system status page. Shows API health, threat feed freshness, guard status. Auto-refreshes every 30 seconds.
GET /api/system-status
JSON system status. Returns {api: "UP", threat_feed_age_hours: N, guard_running: bool, packages_blocked: N}

Badge Endpoint

Show your protection status in GitHub READMEs:

GET /badge/protected
Returns SVG badge showing "stillrunning | protected". Add to your README to show your project is protected.

Markdown usage

![Protected by stillrunning](https://stillrunning.io/badge/protected)

HTML usage

<img src="https://stillrunning.io/badge/protected" alt="Protected by stillrunning">

Badge links to stillrunning.io when clicked.

Referral Program

Earn 20% recurring commission on referred customers.

How it works

  1. Get your referral code from your dashboard
  2. Share your link: stillrunning.io/ref/YOUR_CODE
  3. Earn 20% of every payment from customers you refer

GET /ref/{code}
Referral tracking. Sets 30-day cookie and redirects to pricing page.
GET /api/referral-stats
Get your referral statistics. Requires auth. Returns {referral_code, total_referrals, active_referrals, commission_earned}

Pricing

Monthly and annual plans available. Annual = 10x monthly (2 months free).

Personal: $9/mo or $90/year
Basic: $29/mo or $290/year
AI: $49/mo or $490/year
Enterprise: $499/mo (custom annual)

See full feature comparison at stillrunning.io/pricing

SDKs

pip install stillrunning

Source: github.com/johhnyg/stillrunning