Get non-PCI script inventory | HUMAN Documentation

curl -G https://api-gw.perimeterx.com/v1/non-pci/inventory/scripts \
     -H "Authorization: Bearer <token>" \
     -d appId=PXabc123 \
     -d appId=PXdef456 \
     -d tld=domain1.com \
     -d tld=domain2.com \
     -d include=cookies \
     -d include=value_access \
     -d from=1674313200000 \
     -d to=1674399600000 \
     -d skip=0 \
     -d take=20

{
  "paging": {
    "previous": "",
    "current": "https://api-gw.perimeterx.com/v1/non-pci/inventory/scripts?appId=PXabc1234&tld=humansecurity.com&include=cookies&include=value_access&take=20&skip=0",
    "next": "https://api-gw.perimeterx.com/v1/non-pci/inventory/scripts?appId=PXabc1234&tld=humansecurity.com&include=cookies&include=value_access&take=20&skip=20",
    "count": 142
  },
  "data": [
    {
      "app_id": "PXabc1234",
      "account_name": "HUMAN Security",
      "host_domain": "humansecurity.com",
      "page_url": "https://humansecurity.com/checkout.html",
      "page_type": "checkout",
      "script_url": "cdn.mxpnl.com/libs/mixpanel-2-latest.min.js",
      "access_type": "cookie",
      "cookie_name": "_ga",
      "input_element_name": "email",
      "input_element_id": "email-input"
    }
  ]
}

Unlike the PCI DSS script inventory, this endpoint returns raw behavioral observations rather than aggregated, compliance-reviewed scripts. The response does not include status, risk, or justification fields. Observations from scripts that have been deactivated or suppressed are excluded from results.

The include parameter is functionally required. If include is omitted or empty, the endpoint returns an empty data array.

Returns a flat list of non-PCI script observations for the given Application IDs and host domains. Each row represents one unique combination of script, page, and access type (cookie read or form field access). Unlike the [PCI DSS script inventory](/applications/reference/get-script-inventory), this endpoint returns raw behavioral observations rather than aggregated, compliance-reviewed scripts. The response does not include status, risk, or justification fields. Observations from scripts that have been deactivated or suppressed are excluded from results. <Note> The `include` parameter is functionally required. If `include` is omitted or empty, the endpoint returns an empty `data` array. </Note>

Authentication

AuthorizationBearer

Bearer authentication of the form Bearer <token>, where token is your auth token.

Query parameters

appIdlist of stringsRequired

One or more Application IDs to filter results by.

tldlist of stringsRequired

One or more host domains to filter results by.

includelist of enumsRequired

Controls which observation types are returned. Must include at least one value. Accepted values: cookies, value_access.

Allowed values:

fromintegerOptional

Timestamp in milliseconds. Start of the time range to filter observations by. Defaults to 24 hours ago.

tointegerOptional

Timestamp in milliseconds. End of the time range to filter observations by. Defaults to the current time.

skipintegerOptionalDefaults to 0

Number of results to skip for pagination.

takeintegerOptionalDefaults to 20

Number of results to return per page.

Response

Success

pagingobject

datalist of objects

Errors

401

Unauthorized Error

422

Unprocessable Entity Error

500

Internal Server Error