Everything in OMG QA is available over a clean REST API: projects, findings, comments, evidence, test runs, and webhooks. Use it from your CI, your backend, or your own tooling. The full machine spec is published as OpenAPI.
Responses are JSON. Errors use RFC 7807 problem details with a clear detail message.
Authenticate machine-to-machine calls with an API key as a Bearer token. Create
keys under Account → API keys; the raw key (omg_live_…) is shown once.
Each key carries scopes and is bound to your organization. By default a key is also
scoped to a single project (least privilege) — it can only read and write that
project's findings, evidence, comments and test runs, enforced on the server; granting a key the
whole workspace is a deliberate, broader choice at creation time.
A key can only be granted scopes its creator holds. Available scopes:
| Method | Path | Description |
|---|---|---|
GET | /projects | List projects |
POST | /projects | Create a project (key 2–8 alphanumerics) |
GET | /projects/{id}/findings | List findings in a project (paged) |
POST | /projects/{id}/findings | Create a finding |
GET | /findings/{id} | Get a finding |
GET | /findings/search?q= | Full-text search findings |
POST | /findings/{id}/transition | Move a finding through its workflow |
POST | /findings/{id}/evidence | Register evidence → returns an upload URL |
POST | /evidence/{id}/complete | Confirm an evidence upload |
POST | /projects/{id}/test-runs | Open a test run (CI ingestion) |
POST | /test-runs/{id}/results | Submit results — failures become findings |
POST | /webhooks | Subscribe to events (signed deliveries) |
Responds 201 Created with the finding (including its key, e.g. CHK-1).
Evidence is a two-step flow: register it, PUT the bytes to the returned signed URL,
then call /complete.
The complete, always-current schema — every endpoint, request, and response — is the OpenAPI document:
OMG QA — Capture Every Finding. Fix Faster.