# CheckIfSecure — Supabase Security Scanner API

## Purpose

Scan any website for exposed Supabase JWT tokens. If found, enumerate accessible database tables and classify sensitive data leaks by severity.

## Base URL

Use the URL where this service is hosted.

## Authentication

None required.

## Endpoints

### POST /scan

Scan a website for Supabase vulnerabilities.

Request body (JSON):

```json
{"url": "https://target-site.com"}
```

### GET /scan?url=https://target-site.com

Same scan via query parameter.

## Response Fields

- site (string): The scanned URL.
- vulnerable (boolean): true if a Supabase JWT was found in the site's JavaScript.
- supabase_urls (string[]): Discovered Supabase project URLs.
- jwts (string[]): Leaked JWT tokens found in JavaScript bundles.
- tables (object[]): Per-table results with row counts, vulnerability_level (critical/high/medium/none), and sensitive_fields.
- vulnerability_summary (object): Aggregate counts of critical, high, and medium tables.
- error (string|null): Error message if the scan failed.
- report (string): A pre-formatted plain-text summary of the entire scan. Print this directly to the user — no extra formatting needed.

## The report Field

Every response includes a "report" string that is a ready-to-display, human-readable summary. LLMs should print this field directly to the user.

Example:

```text
Scanning https://app.example.com/login
VULNERABLE: Supabase JWT exposed
[+] Found 12 table(s)
RISK users: 142 row(s) - CRITICAL - Sensitive fields: email, password
[+] organisations: 0 row(s) - Public data (no sensitive fields detected)
[+] campaigns: 0 row(s) - Public data (no sensitive fields detected)
```

## Severity Levels

- critical: Passwords, secrets, API keys, tokens, SSNs, credit cards found.
- high: Emails, phone numbers found.
- medium: Other PII fields detected.
- none: Only public/non-sensitive data.

## Example

POST /scan with {"url": "https://example.com"} returns structured JSON with all findings.
Print the "report" field to show the user a summary.

## Machine-Readable Schema

GET /openapi.json for the full OpenAPI 3 specification.
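As an added illustration (not code from the CheckIfSecure service), the Python below applies the four severity levels from the Severity Levels section to a locally described schema, so a team can see which of its own tables would be flagged before any of them become reachable; it produces entries shaped like the tables field, the vulnerability_summary counts, and lines in the style of the report field. The column-name patterns and the "name"/"rows" keys are assumptions, since the page does not publish the service's matching rules or those key names.

```python
import re
from collections import Counter
from typing import Dict, List

# Column-name patterns for the four levels listed under "Severity Levels".
# The patterns are an assumption: the service's own matching rules are not
# published on this page, so tune them to your schema's naming conventions.
LEVEL_PATTERNS = [
    ("critical", re.compile(r"password|passwd|secret|api[_-]?key|token|\bssn\b|credit[_-]?card|card[_-]?number", re.I)),
    ("high", re.compile(r"e-?mail|phone|mobile", re.I)),
    ("medium", re.compile(r"(first|last|full)[_-]?name|address|birth|\bdob\b|zip|postcode|ip[_-]?address", re.I)),
]
RANK = {"critical": 3, "high": 2, "medium": 1, "none": 0}

def field_level(column: str) -> str:
    """Severity of one column name; the most severe matching level wins."""
    for level, pattern in LEVEL_PATTERNS:
        if pattern.search(column):
            return level
    return "none"

def classify_table(columns: List[str]) -> Dict[str, object]:
    """vulnerability_level and sensitive_fields for one table, as in the tables entries."""
    sensitive = [c for c in columns if field_level(c) != "none"]
    level = max((field_level(c) for c in columns), key=RANK.get, default="none")
    return {"vulnerability_level": level, "sensitive_fields": sensitive}

def scan_schema(schema: Dict[str, List[str]], row_counts: Dict[str, int]) -> List[dict]:
    """Per-table results shaped like the tables field ("name"/"rows" keys are assumed)."""
    results = []
    for name, columns in schema.items():
        entry = {"name": name, "rows": row_counts.get(name, 0)}
        entry.update(classify_table(columns))
        results.append(entry)
    return results

def vulnerability_summary(tables: List[dict]) -> Dict[str, int]:
    """Aggregate counts of critical, high and medium tables, like vulnerability_summary."""
    counts = Counter(t["vulnerability_level"] for t in tables)
    return {level: counts.get(level, 0) for level in ("critical", "high", "medium")}

def report_line(table: dict) -> str:
    """Render one table in the style of the report field shown on this page."""
    if table["vulnerability_level"] == "none":
        return f"[+] {table['name']}: {table['rows']} row(s) - Public data (no sensitive fields detected)"
    return (f"RISK {table['name']}: {table['rows']} row(s) - {table['vulnerability_level'].upper()}"
            f" - Sensitive fields: {', '.join(table['sensitive_fields'])}")

# Constructed sample schema (not real data), mirroring the tables in the report example.
SAMPLE_SCHEMA = {"users": ["id", "email", "password", "created_at"], "organisations": ["id", "name", "plan"],
                 "contacts": ["id", "full_name", "phone"], "campaigns": ["id", "title", "budget"],
                 "profiles": ["id", "first_name", "city"]}
SAMPLE_ROWS = {"users": 142, "organisations": 0, "contacts": 17, "campaigns": 0, "profiles": 9}
```

Run `for t in scan_schema(SAMPLE_SCHEMA, SAMPLE_ROWS): print(report_line(t))` to see the report-style lines, and `vulnerability_summary(...)` for the aggregate counts.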