Developer preview

SBOM upload API

Push a Software Bill of Materials to a product record from CI or a script. The endpoint accepts CycloneDX, SPDX, package-lock.json, and Gemfile.lock evidence. Authentication is a per-product bearer token issued from the workspace.

Endpoint

POST https://complair.eu/api/v1/sboms
  • Authorization: Bearer <product_api_token>
  • Content-Type: application/octet-stream
  • Idempotency-Key: <optional uuid>

Request body is the raw SBOM file (no multipart, no JSON wrapper). Size cap is 50 MB. Token scope must include sboms:write (the default for tokens minted on a product).

Query parameters

Param            Required  Description
format           No        Format hint. Auto-detected from the body when omitted. Accepted values: cyclonedx_1_5, spdx_2_3, manifest_npm, manifest_bundler.
release_version  No        Tag this SBOM to a product release (e.g. 1.4.2). When a matching release exists on the product, the SBOM is linked to it.

Sample requests

CycloneDX 1.5 JSON

curl -X POST "https://complair.eu/api/v1/sboms?format=cyclonedx_1_5&release_version=1.4.2" \
  -H "Authorization: Bearer $COMPLAIR_SBOM_TOKEN" \
  -H "Content-Type: application/octet-stream" \
  -H "Idempotency-Key: $(uuidgen)" \
  --data-binary @sbom.cdx.json

SPDX 2.3 JSON

curl -X POST "https://complair.eu/api/v1/sboms?format=spdx_2_3" \
  -H "Authorization: Bearer $COMPLAIR_SBOM_TOKEN" \
  -H "Content-Type: application/octet-stream" \
  --data-binary @sbom.spdx.json

Gemfile.lock

curl -X POST "https://complair.eu/api/v1/sboms?format=manifest_bundler" \
  -H "Authorization: Bearer $COMPLAIR_SBOM_TOKEN" \
  -H "Content-Type: application/octet-stream" \
  --data-binary @Gemfile.lock

package-lock.json

curl -X POST "https://complair.eu/api/v1/sboms?format=manifest_npm" \
  -H "Authorization: Bearer $COMPLAIR_SBOM_TOKEN" \
  -H "Content-Type: application/octet-stream" \
  --data-binary @package-lock.json

Success response · 201 Created

{
  "id": 42,
  "product_id": 17,
  "release_version": "1.4.2",
  "format": "cyclonedx_1_5",
  "component_count": 318,
  "parse_error_count": 0,
  "sha256": "9ab8…f01",
  "uploaded_at": "2026-05-16T09:42:11Z"
}

Error responses

401 invalid_token

Bearer token missing, malformed, or revoked.

403 missing_scope

Token lacks sboms:write scope.

409 duplicate_sbom

Identical SBOM (same SHA-256) was already ingested on this product.

413 payload_too_large

Body exceeds the 50 MB cap.

422 schema_error / unsupported_version

Body parsed but failed schema validation, or the format version is outside the supported set.

429 rate_limited

Per-token rate limit hit. Back off and retry after the response's Retry-After header.

Idempotency

Set Idempotency-Key to any unique value (a UUID works) when retrying. Complair caches the response for 24 hours keyed by token + key. A retry with the same key returns the original response instead of re-ingesting.
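The error table and the idempotency rule above together describe a retry contract: 401, 403, 409, 413 and 422 are terminal, 429 should be retried after Retry-After, and any retry must carry the same Idempotency-Key so a second attempt cannot double-ingest. The following script is an added example written for this page, not Complair's own client or SDK. It assumes Retry-After is given in seconds, that 5xx responses are worth retrying with backoff (the page only documents 429 as retryable), and that the sha256 field in a 201 body is the full hex digest of the uploaded bytes; the names SbomUploadError, build_request, http_send and upload_sbom are the example's own. The transport is injectable so the retry logic can be exercised offline.

```python
"""Minimal Complair SBOM upload client with retry and idempotency handling.

Added example, not Complair's own client. The `send` transport is injectable
so the retry logic can be exercised offline against a fake transport.
"""
import hashlib
import json
import os
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
import uuid

API_URL = "https://complair.eu/api/v1/sboms"
MAX_BYTES = 50 * 1024 * 1024          # documented 50 MB body cap
RETRYABLE = {429, 500, 502, 503, 504}  # 429 is documented; retrying 5xx is an assumption


class SbomUploadError(Exception):
    """Raised for a terminal (non-retryable) response or when retries run out."""

    def __init__(self, status, body):
        super().__init__(f"SBOM upload failed with HTTP {status}: {body[:200]!r}")
        self.status = status
        self.body = body


def sha256_hex(body: bytes) -> str:
    """Local digest of the upload, comparable with the sha256 field of a 201 body."""
    return hashlib.sha256(body).hexdigest()


def build_request(token, body, fmt=None, release_version=None, idempotency_key=None):
    """Return (url, headers) matching the documented endpoint contract."""
    if len(body) > MAX_BYTES:
        raise ValueError(f"SBOM is {len(body)} bytes; the API caps the body at 50 MB")
    params = {}
    if fmt:
        params["format"] = fmt
    if release_version:
        params["release_version"] = release_version
    url = API_URL + ("?" + urllib.parse.urlencode(params) if params else "")
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/octet-stream",
    }
    if idempotency_key:
        headers["Idempotency-Key"] = idempotency_key
    return url, headers


def http_send(url, headers, body):
    """Real transport: POST the raw body and return (status, headers, body_bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def upload_sbom(token, body, fmt=None, release_version=None,
                send=http_send, sleep=time.sleep, max_attempts=5):
    """Upload once, retrying 429/5xx with the *same* Idempotency-Key so a retried
    request can never be ingested twice. Returns the parsed 201 JSON body."""
    key = str(uuid.uuid4())  # minted once per logical upload and reused on every retry
    url, headers = build_request(token, body, fmt, release_version, key)
    local_sha = sha256_hex(body)
    last = (None, b"")
    for attempt in range(max_attempts):
        status, resp_headers, resp_body = send(url, headers, body)
        last = (status, resp_body)
        if status == 201:
            result = json.loads(resp_body)
            # Cheap integrity check: the server hashed exactly what we sent.
            if result.get("sha256") not in (None, local_sha):
                raise SbomUploadError(status, b"sha256 mismatch between client and server")
            return result
        if status not in RETRYABLE:
            # 401/403/409/413/422 will not succeed on retry; surface them to the caller.
            raise SbomUploadError(status, resp_body)
        hdrs = {k.lower(): v for k, v in resp_headers.items()}
        # 429: honour Retry-After (assumed to be seconds); otherwise exponential backoff.
        delay = int(hdrs.get("retry-after", 2 ** attempt))
        sleep(delay)
    raise SbomUploadError(last[0], last[1])


if __name__ == "__main__":
    # Usage: COMPLAIR_SBOM_TOKEN=... python upload_sbom.py sbom.cdx.json cyclonedx_1_5 1.4.2
    path, fmt_hint = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else None)
    release = sys.argv[3] if len(sys.argv) > 3 else None
    with open(path, "rb") as fh:
        data = fh.read()
    print(json.dumps(upload_sbom(os.environ["COMPLAIR_SBOM_TOKEN"], data, fmt_hint, release), indent=2))
```

The key design point is that the Idempotency-Key is generated before the loop and never changes: a 429 followed by a successful retry yields one ingested SBOM, and a retry that races a lost 201 gets the cached original response rather than a 409. Terminal codes are raised immediately because none of them can be fixed by sending the same bytes again.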