NODE-CONSTANT//DEVELOPER PORTAL — WICK API REFERENCE
WICK / 04//v1 · BETA
§ OVERVIEW

WICK Developer API

The WICK API exposes formal verification as a programmable service. Submit code, contracts, or AI model decisions — receive Z3 proof artifacts with SAT/UNSAT verdicts, witness values, and machine-verifiable evidence.

Base URL: https://api.wicksecurity.com
Version: v1 (Beta)
Auth: Bearer token
Format: JSON / SMT-LIB2

Authentication

All requests require a Bearer token in the Authorization header. API keys are issued after a technical briefing. Keys are prefixed wk_live_ for production and wk_test_ for sandbox.

bash
Authorization: Bearer wk_live_xxxxxxxxxxxxxxxxxxxx
Note: API keys grant access to all 12 surfaces unless scoped. Keep them server-side and never expose them in client code.

Quickstart

Submit a C source file for formal verification and retrieve the proof artifact:

bash
# Authenticate
export WICK_KEY="wk_live_xxxxxxxxxxxx"

# Submit a scan
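# The base64 payload must be a single line: GNU base64 wraps at 76 columns,
# and an unquoted substitution would be word-split into several arguments.
curl -X POST https://api.wicksecurity.com/v1/scan \
  -H "Authorization: Bearer $WICK_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "surface": "cobalt",
    "target": {
      "type": "source",
      "content": "'"$(base64 < target.c | tr -d '\n')"'",
      "lang": "c"
    },
    "threat_model": "external"
  }'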

# Response:
# { "job_id": "cbl-7f2a91e3", "status": "queued", "eta_seconds": 45 }

# Poll for result
curl https://api.wicksecurity.com/v1/artifact/cbl-7f2a91e3 \
  -H "Authorization: Bearer $WICK_KEY"

# Verify with Python SDK
pip install wick-sdk

python3 -c "
import os
import wick
# Read the key exported above instead of hard-coding it in the script
client = wick.Client(api_key=os.environ['WICK_KEY'])
job = client.scan(surface='cobalt', source=open('target.c').read(), lang='c')
artifact = job.wait()
print(f'Verdict: {artifact.verdict}')
print(f'Finding: {artifact.fn} — {artifact.cls}')
if artifact.verdict == 'SAT':
    print(artifact.z3_proof)
"

Endpoints

POST /v1/scan

Submit a scan job. Returns a job ID. Scanning runs asynchronously — poll /v1/artifact/:id for results.

Request Body
json
{
  "surface": "cobalt",          // SRF-01 through SRF-11 slug
  "target": {
    "type": "source",           // "source" | "binary" | "address" | "abi"
    "content": "<base64>",      // base64-encoded source code or binary
    "lang": "c"                 // "c" | "cpp" | "sol" | "asm" | "gguf"
  },
  "constraints": [              // optional: additional invariants
    "no_integer_overflow",
    "null_guard_all_pointers"
  ],
  "threat_model": "external"    // "external" | "internal" | "supply_chain"
}
Response
json
{
  "job_id": "cbl-7f2a91e3",
  "surface": "cobalt",
  "status": "queued",
  "eta_seconds": 45
}
GET /v1/artifact/:id

Retrieve a proof artifact by job ID. Returns SAT/UNSAT verdict with full Z3 proof output when complete.

Response
json
{
  "id": "cbl-7f2a91e3",
  "status": "complete",
  "verdict": "SAT",
  "surface": "cobalt",
  "artifact": {
    "id": "COBALT-AUTO-001",
    "target": "target.c",
    "fn": "parse_packet()",
    "cls": "buffer_overflow",
    "cwe": "CWE-121",
    "condition": "packet_len = 0xFFFF0001",
    "result": "Heap write past allocation",
    "z3_proof": "; Z3 SMT-LIB2\n(declare-const ...)",
    "witness": { "packet_len": "0xFFFF0001" },
    "remediation": "Add bounds check: if (len > MAX_PACKET) return -1;"
  },
  "completed_at": "2026-05-01T21:33:12Z"
}
GET /v1/scans

List all scan jobs for your API key. Paginated. Returns last 100 by default.

Response
json
{
  "jobs": [
    { "id": "cbl-7f2a91e3", "surface": "cobalt", "status": "complete", "verdict": "SAT" },
    { "id": "frg-2b19d044", "surface": "forge", "status": "complete", "verdict": "UNSAT" }
  ],
  "total": 2,
  "page": 1
}
POST /v1/verify

Synchronous single-constraint verification. For fast checks (<5s). Use /v1/scan for full analysis.

Request Body
json
{
  "surface": "forge",
  "address": "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
  "constraint": "no_reentrancy",
  "fn": "withdraw(uint256)"
}
Response
json
{
  "verdict": "UNSAT",
  "constraint": "no_reentrancy",
  "fn": "withdraw(uint256)",
  "proof": "; Reentrancy unreachable under defined call graph\n; UNSAT",
  "elapsed_ms": 312
}
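
The following is an added example, not part of this reference or of the WICK SDK: a build gate that consumes the /v1/artifact and /v1/verify response bodies shown above and fails closed. It assumes, from the samples, that SAT means a violating witness exists and UNSAT means the constraint holds; `gate` and its parameters are hypothetical names.

```python
import json

# Both samples are response bodies shown in this reference (artifact trimmed).
ARTIFACT_SAMPLE = """{"id": "cbl-7f2a91e3", "status": "complete", "verdict": "SAT",
 "artifact": {"fn": "parse_packet()", "cls": "buffer_overflow", "cwe": "CWE-121",
              "witness": {"packet_len": "0xFFFF0001"}}}"""
VERIFY_SAMPLE = """{"verdict": "UNSAT", "constraint": "no_reentrancy",
 "fn": "withdraw(uint256)", "elapsed_ms": 312}"""


def gate(response_text, expected_job_id=None):
    """Return (ok, reason); ok is True only for a finished UNSAT result.

    Assumption taken from the samples: SAT means a violating input (witness)
    exists, UNSAT means the checked constraint cannot be violated.
    """
    try:
        doc = json.loads(response_text)
    except ValueError:
        return False, "response is not valid JSON"
    if not isinstance(doc, dict):
        return False, "response is not a JSON object"
    # /v1/artifact bodies carry "status"; /v1/verify bodies do not.
    if "status" in doc and doc["status"] != "complete":
        return False, f"job not finished (status={doc['status']!r})"
    if expected_job_id is not None and doc.get("id") != expected_job_id:
        return False, "artifact id does not match the submitted job"
    verdict = doc.get("verdict")
    if verdict == "UNSAT":
        return True, "constraint holds"
    if verdict == "SAT":
        art = doc.get("artifact")
        art = art if isinstance(art, dict) else {}
        return False, "{} {} ({}), witness {}".format(
            art.get("fn", "?"), art.get("cls", "?"),
            art.get("cwe", "?"), json.dumps(art.get("witness", {})))
    # A missing or unknown verdict must never be read as a pass.
    return False, f"unrecognised verdict {verdict!r}"
```
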

Surface Reference

Slug | Surface | Input Type | ID
cobalt | Cobalt | C / C++ / RTOS / embedded | SRF-01
forge | Forge | Solidity / EVM bytecode | SRF-02
ferrite | Ferrite | Rust crate / WASM binary / FFI boundary | SRF-03
cobalt-pqc | Cobalt PQC | Post-quantum crypto implementation | SRF-04
cobalt-cobol | Cobalt COBOL | COBOL source / mainframe batch / copybooks | SRF-05
bedrock | Bedrock | Firmware / bootloader / UEFI / MCU | SRF-06
vein | Vein | SBOM / dependency graph / supply chain | SRF-07
wraith | Wraith | System spec + attacker model | SRF-08
skyveil | Skyveil | ADS-B / AIS / GDELT / NOTAM stream | SRF-09
augur | Augur | Agent FSM specification | SRF-10
the-answer | The Answer | AI decision log + protected attributes | SRF-11
lattice | Lattice | Cross-surface proof composition | SRF-12
cassandre | Cassandre | Deployed contract address | SRF-14
verdict | Verdict | Agent action log | SRF-15
sentinel | Sentinel | Proposed action + policy | SRF-16
phantom | Phantom | Protocol ABI + deployment params | SRF-17
trace | Trace | Transaction hash / address | SRF-18
vantum | Vantum | AIS stream / vessel identifier | SRF-19
iris | IRIS | Biometric match log + identity record | SRF-20
sovereignty | Sovereignty | IaC manifest / vendor registry / data flow | SRF-21
signal | Signal | PLC Ladder Logic / SCADA / ICS protocol source | SRF-13

Error Codes

Code | Status | Meaning
401 | Unauthorized | Missing or invalid API key
400 | Bad Request | Malformed request body or unsupported surface
413 | Payload Too Large | Source file exceeds 10MB limit
422 | Unprocessable | Source could not be parsed — check lang field
429 | Rate Limited | Max 60 scans/hour on Standard tier
503 | Solver Unavailable | Z3 solver pool at capacity — retry with backoff
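
The following is an added example, not code from this reference or the WICK SDK: a poller for /v1/artifact/:id that backs off on 429 and 503 and stops immediately on 400, 401, 413 and 422. The `fetch` hook, the helper names and the assumption that a pending job answers HTTP 200 with a non-"complete" status are hypothetical; the response sequence in `demo` is constructed.

```python
import random
import time

RETRYABLE = {429, 503}        # rate limited / solver pool at capacity
FATAL = {400, 401, 413, 422}  # resending the same request cannot succeed


class WickError(Exception):
    """Non-retryable response, or retry budget spent."""


def backoff_delays(base=2.0, cap=60.0, attempts=8, rng=random.random):
    """Capped exponential backoff with full jitter (seconds)."""
    for n in range(attempts):
        yield min(cap, base * 2 ** n) * rng()


def wait_for_artifact(job_id, fetch, sleep=time.sleep, delays=None):
    """Poll until the job reports status "complete" and return its body.

    fetch(job_id) -> (http_status, body_dict) is a hypothetical transport
    hook wrapping GET /v1/artifact/:id; it is injected so this runs offline.
    """
    for delay in (backoff_delays() if delays is None else delays):
        status, body = fetch(job_id)
        if status in FATAL:
            raise WickError(f"HTTP {status}: fix the request or key, do not retry")
        if status == 200 and body.get("status") == "complete":
            return body
        if status == 200 or status in RETRYABLE:
            sleep(delay)  # still queued, or the service asked us to slow down
            continue
        raise WickError(f"HTTP {status}: unexpected response")
    raise WickError("retry budget exhausted before the job completed")


def demo():
    """Constructed sequence: 503, queued, 429, then the completed artifact."""
    script = iter([
        (503, {}),
        (200, {"id": "cbl-7f2a91e3", "status": "queued"}),
        (429, {}),
        (200, {"id": "cbl-7f2a91e3", "status": "complete", "verdict": "SAT"}),
    ])
    slept = []
    body = wait_for_artifact("cbl-7f2a91e3", lambda _id: next(script),
                             sleep=slept.append, delays=[1, 2, 4, 8])
    return body["verdict"], slept
```
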
API access is by invitation.

Request a technical briefing to get your API key and onboarding package.
