Why Firecracker microVMs instead of Docker?

Each scan runs in a dedicated Firecracker microVM — the same isolation technology AWS Lambda uses. Unlike Docker containers, microVMs provide hardware-level isolation, preventing any cross-scan data leakage. Boot time is ~125ms, so there's no performance penalty.

Why a queue-based architecture?

Scans are CPU and network intensive. A Redis-backed queue (BullMQ) ensures fair scheduling, automatic retries on failure, and the ability to scale scan workers horizontally without touching the API layer. It also enables priority lanes for paid tiers.

Why Claude API for report generation?

Raw vulnerability data from tools like Nuclei and OWASP ZAP is technical noise for SMB decision-makers. Claude API reasons about findings in context — correlating vulnerabilities, mapping to DPDP sections, and generating plain-language remediation that a non-technical founder can act on.

How is scan data retained and secured?

Scan artifacts are encrypted at rest (AES-256) and purged after 90 days by default. Reports are stored in the customer's account with end-to-end encryption. We never share scan data with third parties. SOC 2 Type II certification is on our 2026 roadmap.

Developer Docs

API reference, SDK quickstarts, and integration guides for Bachao.AI's cybersecurity platform.

RASP SDK Quickstart

Install the Node.js SDK in 2 minutes

API Authentication

API keys, setup tokens, and auth flows

Webhook Reference

Event payloads and delivery

CI/CD Integration

GitHub Actions, GitLab CI, Bitbucket Pipelines

RASP SDK Quickstart

Add runtime protection to your Node.js app in under 2 minutes.

Install

npm install @bachao/rasp-node

Express

import express from "express";
import { bachaoRasp } from "@bachao/rasp-node";

const app = express();

app.use(bachaoRasp({
  apiKey: process.env.BACHAO_RASP_KEY!,
  appName: "my-api",
  mode: "monitor", // start in monitor mode, switch to "block" from dashboard
}));

app.listen(3000);

Fastify

import Fastify from "fastify";
import { bachaoRaspFastify } from "@bachao/rasp-node/fastify";

const app = Fastify();
app.register(bachaoRaspFastify, {
  apiKey: process.env.BACHAO_RASP_KEY!,
  appName: "my-api",
});

NestJS

import { Module } from "@nestjs/common";
import { BachaoRaspModule } from "@bachao/rasp-node/nestjs";

@Module({
  imports: [BachaoRaspModule.forRoot({
    apiKey: process.env.BACHAO_RASP_KEY!,
    appName: "my-api",
  })],
})
export class AppModule {}

API Authentication

How authentication works between the dashboard, SDK, and API.

Auth Flow

Dashboard generates a setup token via POST /api/rasp/setup/generate-key
SDK uses the setup token during agent registration
Agent receives a permanent API key (sent via x-rasp-key header)
All subsequent SDK → API calls use the x-rasp-key header
Dashboard calls use a session cookie (from OTP login)

Generate setup token from dashboard

# Generate setup token from dashboard
curl -X POST https://www.bachao.ai/api/rasp/setup/generate-key \
  -H "Cookie: bachao-session=YOUR_SESSION" \
  -H "Content-Type: application/json"

# Response:
# { "success": true, "setupToken": "eyJ..." }

API Endpoints Reference

All public API endpoints available for integration.

Method	Endpoint	Auth	Description
POST	/api/rasp/register	Setup token	Register new RASP agent
POST	/api/rasp/heartbeat	API key	Agent health check + rule sync
POST	/api/rasp/events	API key	Report security events (batch)
GET	/api/rasp/rules	API key	Fetch protection rules
POST	/api/rasp/rules	Session	Create protection rule
GET	/api/rasp/agents	Session	List registered agents
GET	/api/rasp/stats	Session	Dashboard statistics
POST	/api/scans/book	Session	Book a VAPT scan
GET	/api/scans	Session	List your scans
GET	/api/reports/{id}	Session	Fetch scan report

Webhook Reference

Receive real-time notifications when events occur in your account.

scan.completed event payload

{
  "event": "scan.completed",
  "scanId": "clx...",
  "scanUrl": "https://example.com",
  "scanType": "pentest",
  "riskScore": 72,
  "findingsCount": 23,
  "criticalCount": 2,
  "timestamp": "2026-03-23T10:00:00Z"
}

CI/CD Integration

Trigger security scans automatically from your deployment pipeline.

.github/workflows/security-scan.yml

# .github/workflows/security-scan.yml
name: Bachao.AI Security Scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trigger VAPT Scan
        run: |
          curl -X POST https://www.bachao.ai/api/scans/book \
            -H "Cookie: bachao-session=${{secrets.BACHAO_SESSION}}" \
            -H "Content-Type: application/json" \
            -d '{"scanUrl":"https://staging.example.com","scanType":"pentest"}'

SDKs & Libraries

Official client libraries and platform support.

@bachao/rasp-node

Node.js RASP SDK

npm

Java, Python, PHP

Server-side RASP agents

Coming Soon

REST API

Available for all products

Available

Need help integrating?

Talk to our engineering team. We'll help you get set up in under 30 minutes.

Talk to Engineering

import express from "express"; import { bachaoRasp } from "@bachao/rasp-node"; const app = express(); app.use(bachaoRasp({ apiKey: process.env.BACHAO_RASP_KEY!, appName: "my-api", mode: "monitor", // start in monitor mode, switch to "block" from dashboard })); app.listen(3000);

import Fastify from "fastify"; import { bachaoRaspFastify } from "@bachao/rasp-node/fastify"; const app = Fastify(); app.register(bachaoRaspFastify, { apiKey: process.env.BACHAO_RASP_KEY!, appName: "my-api", });

import { Module } from "@nestjs/common"; import { BachaoRaspModule } from "@bachao/rasp-node/nestjs"; @Module({ imports: [BachaoRaspModule.forRoot({ apiKey: process.env.BACHAO_RASP_KEY!, appName: "my-api", })], }) export class AppModule {}

# Generate setup token from dashboard curl -X POST https://www.bachao.ai/api/rasp/setup/generate-key \ -H "Cookie: bachao-session=YOUR_SESSION" \ -H "Content-Type: application/json" # Response: # { "success": true, "setupToken": "eyJ..." }

Method

Endpoint

Auth

Description

POST

/api/rasp/register

Setup token

POST

/api/rasp/heartbeat

API key

Agent health check + rule sync

POST

/api/rasp/events

API key

Report security events (batch)

GET

/api/rasp/rules

API key

Fetch protection rules

POST

/api/rasp/rules

Session

Create protection rule

GET

/api/rasp/agents

Session

List registered agents

GET

/api/rasp/stats

Session

Dashboard statistics

POST

/api/scans/book

Session

Book a VAPT scan

GET

/api/scans

Session

List your scans

GET

/api/reports/{id}

Session

Fetch scan report

{ "event": "scan.completed", "scanId": "clx...", "scanUrl": "https://example.com", "scanType": "pentest", "riskScore": 72, "findingsCount": 23, "criticalCount": 2, "timestamp": "2026-03-23T10:00:00Z" }

# .github/workflows/security-scan.yml name: Bachao.AI Security Scan on: [push] jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Trigger VAPT Scan run: | curl -X POST https://www.bachao.ai/api/scans/book \ -H "Cookie: bachao-session=${{secrets.BACHAO_SESSION}}" \ -H "Content-Type: application/json" \ -d '{"scanUrl":"https://staging.example.com","scanType":"pentest"}'