No API key is required; the deps.dev REST API v3 is publicly accessible and carries a stability guarantee with a formal deprecation policy.
Retrieve metadata for a specific package version with GET https://api.deps.dev/v3/systems/{system}/packages/{package}/versions/{version}, where system is one of go, npm, pypi, maven, cargo, nuget, or rubygems.
Fetch the full transitive dependency graph for a version with GET https://api.deps.dev/v3/systems/{system}/packages/{package}/versions/{version}/dependencies.
Look up known advisories affecting the package version from the advisories field in the version response, which lists OSV IDs and severity.
Use the batch endpoint POST https://api.deps.dev/v3/getVersionBatch to query multiple packages in one request, reducing latency for lockfile-scale scans.
Retrieve OpenSSF Scorecard results for the upstream project with GET https://api.deps.dev/v3/projects/{project_key}/scorecard to assess supply-chain health beyond just vulnerabilities.
Known gotchas
The API uses URL path segments for package names; packages with slashes or special characters (common in npm scoped packages) must be percent-encoded in the path.
Transitive dependency graphs can be very deep; set a reasonable traversal depth limit in your tooling to avoid unbounded recursion on large ecosystems like Maven.
The experimental v3alpha endpoints are unstable and may change without notice; use the v3 stable API for production integrations.
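The first two gotchas as an added example (not code from the original page or from deps.dev): percent-encoding a scoped package name into the version URL, and a depth-limited walk over a dependency graph. The function names, the sample packages and the nodes/edges shape of SAMPLE are assumptions made for this sketch.

```python
from collections import deque
from urllib.parse import quote

API_ROOT = "https://api.deps.dev/v3"
SYSTEMS = {"go", "npm", "pypi", "maven", "cargo", "nuget", "rubygems"}


def version_url(system, package, version):
    """Build the version-metadata URL with every path segment percent-encoded."""
    system = system.lower()
    if system not in SYSTEMS:
        raise ValueError(f"unsupported system: {system!r}")
    # safe="" also encodes "/" and "@", so "@scope/name" stays one path segment.
    return (f"{API_ROOT}/systems/{system}"
            f"/packages/{quote(package, safe='')}"
            f"/versions/{quote(version, safe='')}")


def walk(graph, max_depth):
    """Breadth-first walk from node 0; returns ({name@version: depth}, truncated)."""
    children = {}
    for edge in graph["edges"]:
        children.setdefault(edge["fromNode"], []).append(edge["toNode"])
    depth_of = {0: 0}  # doubles as the visited set, so cycles terminate
    queue = deque([0])
    truncated = False
    while queue:
        node = queue.popleft()
        for child in children.get(node, []):
            if child in depth_of:
                continue
            if depth_of[node] + 1 > max_depth:
                truncated = True  # report the cut-off instead of hiding it
                continue
            depth_of[child] = depth_of[node] + 1
            queue.append(child)
    def label(i):
        key = graph["nodes"][i]["versionKey"]
        return f"{key['name']}@{key['version']}"
    return {label(i): d for i, d in depth_of.items()}, truncated


# Constructed sample graph (assumed shape, not real API output); has a cycle c -> a.
SAMPLE = {
    "nodes": [{"versionKey": {"system": "NPM", "name": n, "version": "1.0.0"}}
              for n in ("@acme/app", "a", "b", "c", "d")],
    "edges": [{"fromNode": f, "toNode": t}
              for f, t in ((0, 1), (1, 2), (2, 3), (3, 1), (3, 4))],
}
```

A truncated result means the scan did not cover the whole graph, so a scanner should surface that flag rather than report the package as clean.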