Introduction
NowSecure utilizes the Apollo Sandbox, which provides an environment for running GraphQL API queries and mutations against completed assessments, organization details, applications, and much more in NowSecure Platform to obtain detailed results.
For all API calls, replace $API_TOKEN (written as ${AUTH_TOKEN} in the curl examples below) with your own token. Create a token by selecting the Profile icon in the top right corner of Platform, then selecting Tokens. See Creating an API Bearer Token in NowSecure Platform for further information.
Note: The base URL of our Graph API has been changed to api.nowsecure.com. All requests to lab-api.nowsecure.com/graphql will be forwarded here.
HTTP Post
Interacting with the NowSecure GraphQL API from code, e.g. through curl or an HTTP client library, is as simple as an HTTP POST with the relevant GraphQL query.
Below is a query to list NowSecure’s Findings, resolving just the Finding id and title for each:

    query {
      findings {
        list {
          id
          title
        }
      }
    }

The same query sent with curl:

    curl \
      -X POST \
      -H "Authorization: Bearer ${AUTH_TOKEN}" \
      -H "Content-Type: application/json" \
      --data '{ "query": "{ findings { list { id title } } }" }' \
      https://api.nowsecure.com/graphql

The results will come back as JSON with a data key. The values will be structured as requested (with results formatted and elided for clarity):

    {
      "data": {
        "findings": {
          "list": [
            {
              "id": "asl",
              "title": "System Log Messages (ASL)"
            },
            {
              "id": "oslog",
              "title": "System Log Messages (OSLog)"
            },
            {
              "id": "geoip",
              "title": "Network Connections"
            },
            {
              "id": "snoop_network_hosts",
              "title": "Network Connections"
            },
            // ...
          ]
        }
      }
    }
[Image: expected response in Apollo Sandbox]
Note: As described in the field documentation, the Finding id is a case- and space-normalized version of the legacy Finding id used by the legacy Lab Auto API. You may also resolve the unnormalized key for each finding through the legacyFindingKey field. If you have existing logic that depends on identifying individual findings, use this legacyFindingKey.
Error Query
If the query issued contains one or more errors, these will be listed in a top-level errors array in the response. For example, this query and response:

    query {
      findings {
        list {
          id
          title
          nonExistentField
        }
      }
    }

    curl \
      -X POST \
      -H "Authorization: Bearer ${AUTH_TOKEN}" \
      -H "Content-Type: application/json" \
      --data '{ "query": "{ findings { list { id title nonExistentField } } }" }' \
      https://api.nowsecure.com/graphql

    {
      "errors": [
        {
          "message": "Cannot query field \"nonExistentField\" on type \"FindingCheck\"."
          // ...
        }
      ]
    }

The same is true if your GraphQL query includes invalid syntax.
Note the response for a lack of closing }:

    curl \
      -X POST \
      -H "Authorization: Bearer ${AUTH_TOKEN}" \
      -H "Content-Type: application/json" \
      --data '{ "query": "{ findings { list { id title"' \
      https://api.nowsecure.com/graphql

    {"error":true,"code":"UNKNOWN_ERROR_CODE","message":"Unexpected end of JSON input"}
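A client-side sketch of the POST request and of the three response shapes shown above: a data object, a top-level errors array, and the {"error":true,...} envelope. This is an added example, not NowSecure's code; the function names and the GraphQLError class are hypothetical, and the token is read from the AUTH_TOKEN environment variable as in the curl examples.

```python
import json
import os
import urllib.error
import urllib.request

GRAPHQL_URL = "https://api.nowsecure.com/graphql"  # endpoint from the article


class GraphQLError(Exception):
    """Raised for either error shape shown in the article (hypothetical name)."""


def build_request(query, token):
    # json.dumps always emits a well-formed body, unlike a hand-quoted --data string.
    body = json.dumps({"query": query}).encode("utf-8")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(GRAPHQL_URL, data=body, headers=headers, method="POST")


def parse_response(text):
    """Return the `data` object, or raise GraphQLError with the server's message(s)."""
    try:
        payload = json.loads(text)
    except json.JSONDecodeError as exc:
        raise GraphQLError(f"response is not JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise GraphQLError("unexpected response type")
    if payload.get("error"):  # request-level envelope: {"error": true, "code", "message"}
        raise GraphQLError(f"{payload.get('code')}: {payload.get('message')}")
    if payload.get("errors"):  # GraphQL-level: top-level errors array
        raise GraphQLError("; ".join(str(e.get("message")) for e in payload["errors"]))
    if "data" not in payload:
        raise GraphQLError("response has neither data nor errors")
    return payload["data"]


def run_query(query, token=None):
    # The token comes from the environment, never from source code or logs.
    req = build_request(query, token or os.environ["AUTH_TOKEN"])
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            text = resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:
        text = exc.read().decode("utf-8")  # assumption: error bodies may use a non-2xx status
    return parse_response(text)


if __name__ == "__main__":
    # Constructed sample: one entry of the article's response, elisions dropped.
    ok = '{"data": {"findings": {"list": [{"id": "asl", "title": "System Log Messages (ASL)"}]}}}'
    print(parse_response(ok)["findings"]["list"])
```

Checking for both error shapes before reading data keeps a failed request from being treated as an empty result set.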