REST API · v1 · Stable

Accessly API & Webhooks

Run a WCAG 2.2 scan from your CI/CD pipeline, get notified the moment a scan completes, and embed a live compliance badge — all under one base URL.

Authentication →

Bearer tokens · CICD_API_KEY

Endpoints →

/api/v1/scan · /api/badge/:id

Webhooks →

scan.completed · signed payloads

Base URL

https://accessly.us/api

Authentication

The CI/CD scan endpoint (/api/v1/scan) authenticates with a Bearer token. Your API key lives in Settings → API Access on your dashboard. Pass it on every request:

Authorization: Bearer <YOUR_API_KEY>

The badge endpoint and webhook receivers are public — no auth needed.

Endpoints

POST/api/v1/scan🔑 Bearer auth

Run a fresh WCAG 2.2 scan on the given URL and return the report synchronously. Hard 30-second timeout — most pages complete in 5-15s.

Request

curl -X POST https://accessly.us/api/v1/scan \
  -H "Authorization: Bearer $ACCESSLY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "url": "https://your-site.com" }'

Response · 200 OK

{
  "url":       "https://your-site.com",
  "score":     87,
  "errors":    3,
  "warnings":  12,
  "passes":    104,
  "violations": [
    {
      "id":          "color-contrast",
      "impact":      "serious",
      "description": "Elements must have sufficient color contrast",
      "wcag":        "1.4.3",
      "helpUrl":     "https://dequeuniversity.com/rules/axe/...",
      "nodes": [
        { "target": ".cta-button", "html": "<a class=\"cta-button\">…</a>",
          "failureSummary": "...", "impact": "serious" }
      ]
    }
  ],
  "scannedAt": "2026-05-14T18:24:51.211Z"
}

Error codes

400 — invalid URL or invalid JSON body
401 — missing or wrong Bearer token
500 — scan failed (timeout, target down, etc.)

GET/api/badge/:scanIdPublic

Returns an SVG 'Audited by Accessly' badge for the given scan id. Embed it in your README, footer, or marketing page — the score auto-refreshes whenever a new scan runs.

Query params

style=full (default) — 220×72 branded card
style=compact — 144×20 shields.io-style pill

Markdown embed

[![Audited by Accessly](https://accessly.us/api/badge/<scanId>)](https://accessly.us/scan/<scanId>)

HTML embed

<a href="https://accessly.us/scan/<scanId>" target="_blank" rel="noopener">
  <img src="https://accessly.us/api/badge/<scanId>" alt="Audited by Accessly — WCAG 2.2" width="220" height="72" />
</a>

Pull your latest scan id from Settings → Compliance badge, or use /api/badge/previewwhile you're still wiring it up.

Webhooks

Configure a webhook URL in Settings → Webhooksand we'll POST a JSON payload to it every time a scan completes — both dashboard scans and CI/CD API scans.

Event: scan.completed

{
  "event":     "scan.completed",
  "url":       "https://your-site.com",
  "score":     87,
  "errors":    3,
  "warnings":  12,
  "passes":    104,
  "scannedAt": "2026-05-14T18:24:51.211Z",
  "scanId":    "e3f1a2c0-...",
  "reportUrl": "https://accessly.us/scan/e3f1a2c0-..."
}

Headers

Content-Type: application/json
User-Agent: Accessly-Webhooks/1.0
X-Accessly-Event: scan.completed
X-Accessly-Signature: sha256=<hmac> — only if signing is enabled

Verifying the signature (Node.js)

import { createHmac, timingSafeEqual } from 'node:crypto'

const body      = await req.text()
const signature = req.headers.get('x-accessly-signature') ?? ''
const expected  = 'sha256=' + createHmac('sha256', process.env.WEBHOOK_SIGNING_SECRET)
  .update(body)
  .digest('hex')

const a = Buffer.from(signature)
const b = Buffer.from(expected)
if (a.length !== b.length || !timingSafeEqual(a, b)) {
  return new Response('Invalid signature', { status: 401 })
}

const event = JSON.parse(body)
console.log(event)  // { event: 'scan.completed', ... }

Delivery semantics: fire-and-forget with a 5-second timeout. We retry on transient failures but don't guarantee at-least-once delivery — your handler should be idempotent on scanId.

Recipe: GitHub Actions

Drop this into .github/workflows/accessibility.yml and your repo will fail any PR that drops below an a11y score of 80.

name: Accessibility check
on:
  pull_request:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run Accessly scan
        run: |
          RESULT=$(curl -fsS -X POST https://accessly.us/api/v1/scan \
            -H "Authorization: Bearer ${{ secrets.ACCESSLY_API_KEY }}" \
            -H "Content-Type: application/json" \
            -d '{"url": "https://staging.your-site.com"}')

          SCORE=$(echo "$RESULT" | jq .score)
          echo "Accessibility score: $SCORE"

          if [ "$SCORE" -lt 80 ]; then
            echo "::error::Score $SCORE is below the 80 threshold"
            exit 1
          fi

Add ACCESSLY_API_KEY in Repo → Settings → Secrets and variables → Actions.

Need a feature we don't have?

We're a small team and we read every email. Tell us what you need — we'll get back to you within a few hours.

Email contact@accessly.us