
API usage tiers and upgrade guide

The Spectra Assure platform provides two APIs for working with software packages: Community API and Portal API.

The Community API is for Community and Community+ accounts. This API lets users query for information about open-source packages from supported communities and retrieve reports for specific package versions available on the Spectra Assure Community website.

The Portal API is for Spectra Assure customers on the Essentials or Enterprise tier who want to scan, store, and manage any software artifact on their Portal instance. These customers also have full, unlimited access to the OSS information on Spectra Assure Community via the Portal API, so a separate Spectra Assure Community account is not necessary.

Spectra Assure product capabilities are offered under different tiers to suit your needs. The Community and Community+ tiers are ideal for individual developers or small projects, while the Essentials and Enterprise tiers go beyond OSS risks and support scanning a broad range of binary files, team-based workflows, and advanced artifact management.

Usage tier pricing

For details on what each tier includes and how it is priced, see the Spectra Assure plans and pricing page.

This guide is for software developers, security specialists, and teams who want to:

  • select the appropriate tier for specific needs and workflows
  • understand what changes when transitioning between different tiers
  • see how usage limits and quotas are applied

Usage tiers

The table below gives you more details on the APIs and their tiers:

API | Tiers | Properties
Community API
  • Usage model: Request-based (number of lookups)
  • Quota reset: Monthly (beginning of each month)
  • Base URL: https://data.reversinglabs.com/api/oss/community/v2/free
  • Authentication: Token-based (Community-generated token that starts with rlcmm)
  • What it's used for: Querying for information about open-source packages on Spectra Assure Community
  • What is included: Community endpoints
Portal API
  • Usage model: Data volume-based (size of files submitted for analysis)
  • Quota reset: Monthly (beginning of each month)
  • Base URL: https://{portalUrl}/api/public/v1/community/
  • Authentication: Token-based (Personal access token generated from Portal that starts with rls3c)
  • What it's used for: Fetching reports and analyzing a broad range of software artifacts (including open-source, commercial, and first-party software), as well as for querying for information about open-source packages on Spectra Assure Community
  • What is included: Portal endpoints

Tiers using the Community API

The Community API includes the following tiers:

Community (free)

The Community (free) tier is automatically available to any user who signs up for a Community account.

This tier provides up to 100,000 lookups per month via the Community API, allowing users to search for open source packages and retrieve information about the package itself and its versions. These lookups also help users identify risks in the open-source dependencies included in their projects.

Community+

The Community+ tier provides up to 1,000,000 lookups per month via the Community API, allowing users to expand the use of API-based checks and incorporate them into multiple, automated processes. Other than a higher number of monthly lookups, this tier is the same as the Community tier.

Tiers using the Portal API

The Portal API includes the following Spectra Assure tiers:

Essentials

The Essentials tier is intended for security and development teams that want to protect their software against supply chain attacks.

With this tier, users can scan binary files up to 10 GB in size, allowing them to:

  • Detect compromised or malicious software artifacts
  • Analyze proprietary, commercial, and open-source packages for malware and tampering
  • Track software evolution through risk insights and differential analysis
  • Generate comprehensive xBOMs to track all software components for auditing and regulatory compliance
  • Manage teams of users through an SSO-capable Portal
  • Integrate security checks of build artifacts into CI/CD pipelines

In addition to these capabilities, the Essentials tier includes all capabilities of the Community+ tier. This means that if you're an existing Portal user, you do not need to create a separate Community account to access the OSS risk information on Spectra Assure Community. However, usage in this tier is measured by file size limits rather than lookup-based request limits. Users on the Essentials tier have unlimited API lookups.

Enterprise

The Enterprise tier provides the full Spectra Assure experience and is intended for enterprises that want to secure their software supply chain end-to-end.

With this tier, users can scan large binary files up to 50 GB in size, enabling them to:

  • Detect vulnerabilities using reachability analysis and auto-triage
  • Identify sensitive information exposure
  • Assess whether applications are properly hardened against attacks
  • Gain visibility into licenses and compliance obligations
  • Scan LLMs, virtual machines, and container images natively
  • Scale usage across the entire enterprise
  • Integrate with Application Security Posture Management (ASPM) tools

In addition to these upgrades and the premium technical support option, the Enterprise tier includes all capabilities of the Essentials tier, including access to the OSS risk information on Spectra Assure Community. Usage in this tier is also measured by file size limits rather than lookup-based request limits. Users on the Enterprise tier have unlimited API lookups.

Transitioning between Community and Portal API tiers

Community and Portal APIs function differently and are designed for different use cases. Moving from a Community tier to a Spectra Assure tier means going from only looking up information about open-source packages and fetching their reports to also working with complete software artifacts. This includes uploading your own software and supported open-source packages.

If you need to scan larger files, handle full artifacts, or support team-based workflows, it may make sense to switch to one of the higher tiers.

This section explains what changes when you transition and helps you determine whether a Spectra Assure tier better fits your needs. More specifically, it covers:

  • the changes that occur when you transition between Community and Spectra Assure tiers
  • use cases that typically require moving to a higher tier

What happens when you transition to a Spectra Assure tier?

When switching between a Community and Spectra Assure tier, the following changes occur:

  • The base URL changes, as Community API and Portal API use different base URLs for requests. The Community API uses https://data.reversinglabs.com/api/oss/community/v2/free, while the Portal API uses https://{portalUrl}/api/public/v1/community/
  • A new API token is required, since each API uses a different token type. The Community API token has an rlcmm prefix, while the Portal API uses a token starting with rls3c
  • The usage model changes from request-based limits (lookups) to data volume-based limits (file size)
  • An Enterprise account on a dedicated Spectra Assure Portal instance is provided. This means that you can use Portal APIs to access Community data
  • Instead of only querying open-source package metadata, you can also analyze both these open-source software packages and complete software artifacts. Additionally, you get unlimited OSS package lookups with any higher Spectra Assure tier via the Portal API
  • Usage is tracked separately for each API and does not transfer between them

Despite these changes, authentication remains token-based, and no downtime is required during the transition.
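
A pre-flight check for the configuration change described above, as an added example that is not ReversingLabs code: it verifies that the token prefix matches the API selected by the base URL before a CI job sends any request, so a Community token is never sent to a Portal host or the reverse. The function names and the host portal.example.test used when calling it are assumptions; the URLs and token prefixes are the ones given on this page.

```python
from urllib.parse import urlsplit

# Values taken from this page.
COMMUNITY_HOST = "data.reversinglabs.com"
COMMUNITY_PATH = "/api/oss/community/v2/free"
PORTAL_PATH = "/api/public/v1/community"
TOKEN_PREFIX = {"community": "rlcmm", "portal": "rls3c"}


def classify_base_url(base_url):
    """Return 'community' or 'portal' for a base URL, or raise ValueError."""
    if "{" in base_url or "}" in base_url:
        raise ValueError("placeholder such as {portalUrl} was not substituted")
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("base URL must use https and name a host")
    path = parts.path.rstrip("/")
    if parts.hostname == COMMUNITY_HOST and path == COMMUNITY_PATH:
        return "community"
    if parts.hostname != COMMUNITY_HOST and path == PORTAL_PATH:
        return "portal"
    raise ValueError("base URL matches neither the Community nor the Portal API")


def redact(token):
    """Keep only a known type prefix so the secret never reaches build logs."""
    for prefix in TOKEN_PREFIX.values():
        if token.startswith(prefix):
            return prefix + "***"
    return "***"


def preflight(base_url, token):
    """Check that the token type matches the API before any request is sent."""
    api = classify_base_url(base_url)
    expected = TOKEN_PREFIX[api]
    if not token.startswith(expected):
        raise ValueError(
            f"{api} API expects a token starting with {expected}, "
            f"got {redact(token)}"
        )
    return api
```

Call preflight() with the base URL and token read from the pipeline's secret store; a ValueError means the job still carries the old token or the old URL after the tier change.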

When to transition to a Spectra Assure tier?

Consider upgrading to one of the higher Spectra Assure tiers if you:

  • want to have access to both Portal and Community without creating separate accounts for each product. On a Spectra Assure tier, you get unlimited OSS package lookups with Community and can use Portal to preserve, organize, and compare the analyzed artifacts
  • frequently reach the monthly limits
  • start working with complete software artifacts (including open-source and proprietary software)
  • handle larger files (up to 10 GB with the Essentials tier and up to 50 GB with the Enterprise tier)
  • want to integrate analysis into CI/CD pipelines
  • need comprehensive xBOMs for auditing purposes
  • are working in a team or corporate environment