No API key is required; OSV.dev's REST API is publicly accessible with no authentication for standard queries.
Query vulnerabilities for a specific package version with POST https://api.osv.dev/v1/query and a JSON body containing the package name, ecosystem (e.g., PyPI, npm, Go, Maven), and version.
Retrieve full vulnerability details for a specific OSV ID with GET https://api.osv.dev/v1/vulns/{osv_id}, which returns the full Vulnerability object including affected ranges and aliases.
Perform batch queries for multiple packages in a single request with POST https://api.osv.dev/v1/querybatch supplying an array of query objects; results return vulnerability IDs and the modified timestamp.
Parse the aliases field in each vulnerability to map OSV IDs to CVE, GHSA, or other advisory identifiers for cross-reference with your existing tooling.
Integrate OSV queries into CI by calling the API for each dependency listed in your lockfile and failing the build if any result returns a non-empty vulns array.
Known gotchas
OSV aggregates advisories from multiple databases; the same underlying vulnerability may appear under multiple IDs (CVE and GHSA) — deduplicate by canonical CVE ID when reporting.
HTTP/1.1 responses are capped at 32 MiB; use HTTP/2 for packages with very large advisory sets, or use batch queries to avoid hitting the limit.
OSV data freshness depends on upstream advisory database sync intervals; a newly published CVE may not appear immediately — check the modified timestamp to gauge data recency.
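An added example (not code from OSV.dev or from this page) of the CI flow and the deduplication gotcha above: it builds the querybatch body from pinned dependencies, maps the ordered results back to each dependency, and collapses records that share a CVE alias. Package names, IDs and sample responses are constructed placeholders, and the function names are hypothetical.

```python
import json
import urllib.request

OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"

def build_batch_body(deps):
    """deps: list of (ecosystem, name, version) tuples taken from a lockfile."""
    return {"queries": [{"package": {"name": n, "ecosystem": e}, "version": v}
                        for e, n, v in deps]}

def post_batch(body):
    """Send the batch query (needs network; not used by the offline sample)."""
    req = urllib.request.Request(OSV_BATCH_URL, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def vulnerable_deps(deps, batch_response):
    """Pair results with queries by position; a clean package has no 'vulns'."""
    hits = {}
    for dep, result in zip(deps, batch_response.get("results", [])):
        ids = [v["id"] for v in result.get("vulns", [])]
        if ids:
            hits[dep] = ids
    return hits

def canonical_id(record):
    """Prefer a CVE ID (own ID or alias) so CVE/GHSA duplicates collapse."""
    candidates = [record["id"], *record.get("aliases", [])]
    cves = sorted(i for i in candidates if i.startswith("CVE-"))
    return cves[0] if cves else record["id"]

def dedupe(records):
    """Group full records (as returned by /v1/vulns/{osv_id}) by canonical ID."""
    grouped = {}
    for rec in records:
        grouped.setdefault(canonical_id(rec), set()).add(rec["id"])
    return grouped

# Constructed sample data: placeholder packages and IDs, not real advisories.
DEPS = [("PyPI", "examplepkg", "1.0.0"), ("npm", "example-lib", "2.3.4")]
SAMPLE_BATCH = {"results": [
    {"vulns": [{"id": "GHSA-aaaa-bbbb-cccc", "modified": "2024-01-01T00:00:00Z"},
               {"id": "PYSEC-0000-1", "modified": "2024-01-02T00:00:00Z"}]},
    {}]}
SAMPLE_RECORDS = [
    {"id": "GHSA-aaaa-bbbb-cccc", "aliases": ["CVE-0000-0001"]},
    {"id": "PYSEC-0000-1", "aliases": ["CVE-0000-0001", "GHSA-aaaa-bbbb-cccc"]}]
```

In a CI job, exit non-zero when `vulnerable_deps(DEPS, post_batch(build_batch_body(DEPS)))` is non-empty, and report one line per key of `dedupe(...)`.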