Litmus API

Every request needs your API key as a bearer token (or the x-api-key header):

Authorization: Bearer lit_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Keep the key secret — it grants billable audits. Rate limit: 60 requests/minute per key. All endpoints are under /api/v1.

POST /api/v1/audits — asynchronous (an audit takes ~1–2 minutes). Returns immediately; the result arrives by webhook and is also pollable.

Request

{
  "source": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.20;\ncontract Vault { ... }",
  "fileName": "Vault.sol",                 // optional
  "projectName": "My dApp Vault",          // optional
  "callbackUrl": "https://yourapp.com/webhooks/litmus"  // optional
}

Response — 202 Accepted

{
  "auditId": "cmq...",
  "status": "processing",
  "tier": "SMALL",                  // SMALL | MEDIUM | LARGE (by contract size)
  "priceCents": <your agreed rate>, // debited from your prepaid balance
  "balanceCents": 49980,            // remaining balance after this audit
  "lowBalance": false,
  "pollUrl": "https://litmus.app/api/v1/audits/cmq..."
}

GET /api/v1/audits/:auditId — poll until status is completed (or use the webhook).

{
  "auditId": "cmq...",
  "status": "completed",                  // processing | completed | failed | review_required
  "verdict": "READY_FOR_BETA",
  "readinessScore": 82,                   // 0-100 (higher is better)
  "securityScore": 74,                    // 0-100 (higher is worse)
  "summary": "Two high-severity issues...",
  "findings": [
    {
      "title": "Reentrancy in withdraw() allows draining the vault",
      "severity": "CRITICAL",             // CRITICAL | HIGH | MEDIUM | LOW | INFO
      "confidence": "HIGH",
      "affectedFiles": ["Vault.sol:withdraw"],
      "whyItMatters": "...",
      "recommendedFix": "..."
    }
  ],
  "reportUrl": "https://litmus.app/api/v1/audits/cmq.../report",
  "createdAt": "...",
  "completedAt": "..."
}

GET /api/v1/audits/:auditId/report returns the professional PDF.

If you set a callbackUrl, Litmus POSTs the result to it when the audit finishes:

{ "event": "audit.completed", "data": { ...same shape as GET... } }

Verify the signature before trusting the payload. Each webhook includes a header X-Litmus-Signature: sha256=<hex>, which is HMAC-SHA256(rawBody, yourWebhookSecret). We retry on non-2xx responses, so respond 200 quickly and process async.

Pricing is bespoke per partner. We quote a per-audit rate for your project based on volume and integration — get in touch and we'll put a number to it. There's no public price list; your rate is private to your account.

Billing is prepaid. You top up a balance (via a Stripe link we send you); each audit debits your agreed rate. When the balance can't cover an audit, POST /api/v1/audits returns 402 Payment Required — top up to resume. Each POST /api/v1/audits response also returns your current balanceCents and a lowBalance flag so you can prompt a top-up before you run dry. Check your balance any time with GET /api/v1/balance.

• READY_FOR_BETA — no blocking issues; safe for a controlled beta.
• BETA_WITH_FIXES_RECOMMENDED — usable for beta, but fix the listed issues.
• HIGH_RISK_TESTNET_ONLY — significant issues; testnet only until fixed.
• NOT_READY_FOR_USER_FUNDS — critical issues; do not deploy with real funds.

Litmus is an AI-assisted pre-audit, not a formal security audit or a guarantee. It surfaces issues early; a professional audit is still recommended before mainnet or real funds.