FixMerge
api reference

API Documentation

Integrate FixMerge into your CI/CD pipeline, build custom dashboards, or automate your code review workflow.

Overview

FixMerge is a PR quality gate that automatically analyzes code changes for bugs, security vulnerabilities, complexity issues, and code quality problems. It combines fast regex-based static analysis with AI-powered semantic review to catch issues that traditional linters miss.

Base URL: https://your-domain.com
Format: JSON
Auth: Bearer token

Authentication

API requests are authenticated using your API key, found in your dashboard after registration. Pass it as a Bearer token in the Authorization header:

request header
Authorization: Bearer YOUR_API_KEY

Keep your API key secret. Never expose it in client-side code or public repositories. Use environment variables in your CI/CD.

Webhook Setup

FixMerge receives PR events via GitHub webhooks. When a pull request is opened, updated, or merged, GitHub sends a payload to your webhook URL and FixMerge automatically runs the analysis.

Configuration

Payload URL: https://your-domain.com/api/webhook/github
Content type: application/json
Secret: Your project webhook secret (from dashboard)
Events: Pull requests only

Supported events

pull_request.opened
pull_request.synchronize
pull_request.reopened
pull_request.closed (merged)

POST /api/webhook/github

Receives GitHub webhook payloads. Returns immediately with a queued status while analysis runs in the background.

Response

200 OK
{
  "status": "queued",
  "analysisId": 42,
  "trigger": "opened"
}

REST API

GET /api/analyses (API key)

Returns a list of PR analyses for your project, sorted by most recent.

Query parameters

Param   Type     Description
repo    string   Filter by repository (e.g. owner/repo)
limit   number   Max results to return (default: 50)

Example request

curl
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://your-domain.com/api/analyses?repo=owner/repo&limit=10"

Response

200 OK
[
  {
    "id": 42,
    "repo": "owner/repo",
    "prNumber": 15,
    "prTitle": "Add user authentication",
    "author": "dev-name",
    "status": "completed",
    "score": 82,
    "grade": "B",
    "totalIssues": 4,
    "critical": 0,
    "high": 1,
    "medium": 2,
    "low": 1,
    "createdAt": "2026-04-04T12:00:00.000Z"
  }
]

GET /api/analyses/:id (API key)

Returns full details of a specific analysis, including all issues found.

Example request

curl
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://your-domain.com/api/analyses/42

Response

200 OK
{
  "id": 42,
  "repo": "owner/repo",
  "prNumber": 15,
  "prTitle": "Add user authentication",
  "score": 82,
  "grade": "B",
  "totalIssues": 4,
  "issues": [
    {
      "id": 1,
      "category": "bug",
      "severity": "high",
      "title": "Async callback inside .forEach()",
      "description": "Array.forEach() ignores the return value...",
      "filePath": "src/services/user.ts",
      "lineNumber": 45,
      "codeSnippet": "items.forEach(async (item) => {...})",
      "suggestion": "Use for...of with await instead"
    }
  ]
}

GET /api/health

Returns the API health status. No authentication required.

200 OK
{
  "status": "ok",
  "timestamp": "2026-04-04T12:00:00.000Z"
}

POST /api/auth/register

Create a new company account with a project. Returns a session cookie and API credentials.

Request body

application/json
{
  "name": "Acme Inc.",
  "email": "dev@acme.com",
  "password": "min-8-characters",
  "repoFullName": "acme/web-app"
}

Response

200 OK
{
  "ok": true,
  "company": {
    "id": 1,
    "name": "Acme Inc.",
    "email": "dev@acme.com",
    "apiKey": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  },
  "project": {
    "id": 1,
    "name": "web-app",
    "repoFullName": "acme/web-app",
    "webhookSecret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  }
}

POST /api/auth/login

Authenticate with email and password. Returns a session cookie.

Request body

application/json
{
  "email": "dev@acme.com",
  "password": "your-password"
}

GET /api/auth/me (session)

Returns the authenticated company profile including projects and API key.

200 OK
{
  "id": 1,
  "name": "Acme Inc.",
  "email": "dev@acme.com",
  "apiKey": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "projects": [
    {
      "id": 1,
      "name": "web-app",
      "repoFullName": "acme/web-app",
      "webhookSecret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "active": true
    }
  ]
}

Issue Categories

bug

Logic errors, wrong operators, off-by-one, async mistakes, null handling, type coercion issues.

security

Hardcoded secrets, SQL injection, XSS, path traversal, unsafe deserialization, weak crypto.

complexity

Functions too long, deeply nested logic, too many parameters, excessive cyclomatic complexity.

quality

Linter suppressions, magic numbers, any types, console statements, untracked TODOs.

Severity Levels

Level      Score impact   Description
critical   -15            Must fix before merge — data loss, security breach, crash
high       -8             Likely to cause issues in production — logic errors, race conditions
medium     -3             Should be addressed — maintainability, potential edge cases
low        -1             Nice to fix — code hygiene, best practices

Grading Scale

Every PR starts at 100 points. Each issue deducts points based on severity. The final score maps to a letter grade:

A   90-100
B   80-89
C   70-79
D   60-69
F   0-59
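
A CI merge gate built on the GET /api/analyses response and the grading scale above. This is an added example, not FixMerge's own code: the function names, the FIXMERGE_API_KEY variable name and the thresholds are assumptions. The key is read from the environment, and the gate fails closed when an analysis is missing, unfinished, or lacks a field.

```python
import json
import os
import urllib.parse
import urllib.request

GRADE_ORDER = ["F", "D", "C", "B", "A"]  # ascending, per the Grading Scale

# Example list entry copied from the GET /api/analyses response on this page.
SAMPLE = {"id": 42, "repo": "owner/repo", "status": "completed", "score": 82,
          "grade": "B", "critical": 0, "high": 1, "medium": 2, "low": 1}


def fetch_latest(base_url, repo):
    """Return the newest analysis for `repo`, or None if the list is empty."""
    api_key = os.environ["FIXMERGE_API_KEY"]  # assumed variable name (CI secret)
    query = urllib.parse.urlencode({"repo": repo, "limit": 1})
    req = urllib.request.Request(
        f"{base_url}/api/analyses?{query}",
        headers={"Authorization": f"Bearer {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        analyses = json.load(resp)
    return analyses[0] if analyses else None


def gate(analysis, min_grade="B", max_high=0):
    """Return (passed, reasons); missing or unfinished analyses fail closed."""
    if analysis is None:
        return False, ["no analysis found"]
    if analysis.get("status") != "completed":
        return False, [f"analysis status is {analysis.get('status')!r}"]
    reasons = []
    for key, limit in (("critical", 0), ("high", max_high)):
        count = analysis.get(key)
        if not isinstance(count, int) or count > limit:
            reasons.append(f"{key}={count!r} exceeds limit {limit}")
    grade = analysis.get("grade")
    if grade not in GRADE_ORDER or (
        GRADE_ORDER.index(grade) < GRADE_ORDER.index(min_grade)
    ):
        reasons.append(f"grade {grade!r} is below {min_grade}")
    return not reasons, reasons


if __name__ == "__main__":
    passed, reasons = gate(SAMPLE, max_high=1)
    print("PASS" if passed else "FAIL", reasons)
```

In a pipeline, call gate(fetch_latest(base_url, repo)) and exit non-zero when the first element of the result is False.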