whackAPI — every endpoint is a curl endpoint
Your API key is your login. Send it as a Bearer token. Datacenter scans are free; egress=residential|mobile draws credits.
Submit a scan
curl -X POST https://whack.sh/api/scan \ -H "Authorization: Bearer $WHACK_KEY" \ -d url=https://example.com \ -d egress=datacenter
→ {"ok":true,"scan_id":123,"status":"queued","egress":["datacenter"]}
Check status & list artifacts
curl https://whack.sh/api/scan/123 \ -H "Authorization: Bearer $WHACK_KEY"
→ the scan with status, cloaking_score, and artifacts[] (HAR + screenshots, each with an id).
Download an artifact
curl -OJ https://whack.sh/api/scan/123/artifact/456 \ -H "Authorization: Bearer $WHACK_KEY"
Auth
The key is the credential — there's no separate login step. Paste it once in the web app for an httpOnly session, or send Authorization: Bearer … from a shell. The raw key is never stored server-side; only a hash.