XBOW API Terms of Service

Effective date: February 1, 2026

These API Terms of Service ("API Terms") govern your access to and use of XBOW's ("XBOW," "we," "us," or "our") application programming interfaces (the "API"). These API Terms supplement and incorporate by reference XBOW's general Terms and Conditions available at https://xbow.com/terms-and-conditions or, if applicable, such separate agreement entered into between you and XBOW governing your use of XBOW’s services (collectively, the “Terms”). By accessing or using the API, you agree to be bound by these API Terms.

1. Definitions

The following definitions apply:

  • "API" means XBOW's application programming interfaces, associated tools, documentation, and related materials.
  • "API Credentials" means authentication credentials, including API keys, tokens, secrets, or other access credentials issued to you for API access.
  • "API Call" means any request made to the API, including queries, data retrievals, writes, or any other operation performed through the API.
  • "API Client" means any application, script, software, or system you develop or operate that accesses the API.
  • "Rate Limits" means the maximum number of API Calls permitted within a specified time period.
  • "API Version" means a specific release of the API identified by a version identifier (e.g., 2026-02-01).

2. API License and Access

2.1 License Grant

Subject to your compliance with these API Terms, XBOW grants you a non-exclusive, non-transferable, non-sublicensable, revocable, limited license to access and use the API solely for your internal business purposes in connection with your use of XBOW's security testing services.

2.2 API Credentials

To access the API, you must obtain API Credentials through your XBOW account. You are responsible for:

  • Maintaining the confidentiality and security of your API Credentials
  • All activities that occur under your API Credentials
  • Immediately notifying XBOW of any unauthorized use or security breach
  • Not sharing, publishing, or distributing your API Credentials to any third party
  • Rotating API Credentials regularly in accordance with security best practices

2.3 API Versions

XBOW releases API versions identified by date-based version identifiers. You must specify an API Version in each API Call using the x-xbow-api-version header. Failure to specify a valid API Version will result in an error response.

3. Rate Limits and Usage Restrictions

3.1 Rate Limits

Your use of the API may be limited based on the time of day and the system load. Rate Limits are enforced per API Credential and may vary based on:

  • Your subscription tier
  • API endpoint or operation type
  • Time of day or system load

If you exceed Rate Limits, your API requests may be throttled, delayed, or rejected with HTTP 429 (Too Many Requests) responses. XBOW reserves the right to modify Rate Limits at any time with reasonable notice.

3.2 Fair Use

You agree to use the API in a manner that does not:

  • Overburden or impair XBOW's systems or infrastructure
  • Interfere with other customers' use of the API or Services
  • Attempt to circumvent Rate Limits through multiple accounts, credential rotation, or other means
  • Generate excessive or abusive API traffic, including through automated scraping or data harvesting

3.3 Caching

You may cache API responses for reasonable periods to reduce API Calls, provided that:

  • Cached data is used solely for your internal purposes
  • You implement appropriate cache invalidation strategies
  • You do not cache or store sensitive data longer than necessary

4. Prohibited Uses

You shall not:

  • Use the API for any unlawful, harmful, or fraudulent purpose
  • Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code or underlying algorithms of the API
  • Use the API to develop competing products or services
  • Resell, redistribute, or provide third-party access to the API without XBOW's prior written consent
  • Use the API to transmit viruses, malware, or other malicious code
  • Attempt to gain unauthorized access to XBOW's systems, accounts, or data
  • Use the API to test, attack, or probe the security of any system or network
  • Remove, obscure, or alter any proprietary notices or labels on API documentation or responses
  • Use the API in connection with life-critical systems (medical devices, aviation, nuclear facilities, etc.)
  • Make false or misleading statements about XBOW or the API

5. Data Privacy and Security

5.1 Data Handling

Your use of the API is subject to XBOW's Privacy Policy and data handling provisions in the Terms. You acknowledge that:

  • XBOW processes API request and response data to provide the Services
  • XBOW may collect usage data, analytics, and performance metrics related to your API usage
  • You remain responsible for the security and privacy of data transmitted through the API

5.2 Sensitive Data Restrictions

You shall not transmit through the API any:

  • Protected health information (PHI) subject to HIPAA
  • Payment card information (PCI data)
  • Government-issued identification numbers
  • Passwords, private keys, or authentication credentials (other than your own API Credentials used for authentication)
  • Any other regulated or highly sensitive personal information

5.3 Security Requirements

You must:

  • Use TLS 1.2 or higher for all API communications
  • Implement appropriate authentication and authorization controls
  • Secure API Credentials using encryption and access controls
  • Promptly report security vulnerabilities or incidents to security@xbow.com
  • Comply with applicable security standards and regulations

6. Service Availability

6.1 Availability Target

XBOW will use commercially reasonable efforts to maintain API availability. However, the API is provided on an "as available" basis, and XBOW does not guarantee uninterrupted or error-free service.

6.2 Maintenance and Downtime

XBOW may perform scheduled maintenance on the API with advance notice when practicable. Emergency maintenance may be performed without notice. During maintenance windows, the API may be unavailable or experience degraded performance.

6.3 Service Level Agreement

If your subscription includes a Service Level Agreement (SLA), API availability commitments and remedies, if any, are specified in your SLA documentation.

7. API Modifications and Deprecation

7.1 API Lifecycle

XBOW releases API versions through a staged release cycle: Unstable (internal development), Next (public preview), and Stable (production). Only Stable API versions are subject to the performance commitments in this Section 7.

7.2 Stable API Versions

For Stable API versions, XBOW will:

  • Not make breaking changes to the API contract (request/response schemas, authentication methods, or core functionality)
  • Support multiple Stable API versions concurrently
  • Provide at least 90 days' advance notice before deprecating a Stable API version

7.3 Non-Breaking Changes

XBOW may make non-breaking changes to Stable API versions without notice, including:

  • Fixing a security issue
  • Adding new optional request parameters
  • Adding new fields to response payloads
  • Adding new API endpoints
  • Bug fixes that align behavior with documentation
  • Performance improvements

We recommend that customers handle unknown responses to avoid unexpected errors on the customer side.

7.4 Breaking Changes

Breaking changes (removing fields, changing field types, adding required parameters, etc.) will only be introduced in new API versions. XBOW will provide migration guides and support when releasing new versions with breaking changes.

7.5 Unstable and Next Versions

API versions in Unstable or Next stages are subject to change without notice and are not recommended for production use. Use of these versions is at your own risk.

8. Intellectual Property

8.1 XBOW IP

XBOW retains all right, title, and interest in and to the API, including all intellectual property rights. These API Terms do not grant you any ownership rights in the API.

8.2 Your IP

You retain all rights to your API Clients and applications. You grant XBOW a non-exclusive, royalty-free, worldwide license to use, reproduce, and analyze usage data and performance metrics generated by your use of the API for purposes of operating, improving, and securing the Services.

8.3 Feedback

If you provide feedback, suggestions, or ideas about the API, you grant XBOW an unrestricted, perpetual, irrevocable, royalty-free license to use, modify, and incorporate such feedback without attribution or compensation.

9. Warranties and Disclaimers

THE API IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

XBOW DOES NOT WARRANT THAT:

  • The API will be uninterrupted, secure, or error-free
  • API responses will be accurate, complete, or reliable
  • Defects in the API will be corrected
  • The API will meet your requirements or expectations

You acknowledge that your use of the API is at your sole risk. Any disclaimers in the Terms also apply to the API.

10. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, XBOW'S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THE API OR THESE API TERMS SHALL NOT EXCEED $1000.

IN NO EVENT SHALL XBOW BE LIABLE FOR:

  • Indirect, incidental, special, consequential, or punitive damages
  • Lost profits, revenue, data, or business opportunities
  • Service interruptions or degradation
  • Third-party claims arising from your use of the API
  • Unauthorized access to or use of your API Credentials

These limitations apply even if XBOW has been advised of the possibility of such damages and regardless of the legal theory (contract, tort, negligence, strict liability, or otherwise).

11. Termination

11.1 Termination by You

You may terminate your use of the API at any time by ceasing all API Calls and deleting your API Credentials.

11.2 Termination by XBOW

XBOW may suspend or terminate your API access immediately without notice if:

  • You breach these API Terms or the Terms
  • Your account is suspended or terminated
  • You exceed Rate Limits excessively or engage in abusive API usage
  • Your use of the API poses security or legal risks
  • You fail to pay fees for XBOW’s services when due

11.3 Effect of Termination

Upon termination:

  • Your API access rights immediately cease
  • Your API Credentials will be revoked
  • You must cease all use of the API


Sections covering warranties, liability, indemnification, and general provisions survive termination.

12. Monitoring and Compliance

XBOW may monitor your use of the API to:

  • Ensure compliance with these API Terms
  • Detect security threats or abuse
  • Improve service quality and performance
  • Generate usage analytics and metrics

You consent to such monitoring and agree to cooperate with XBOW's compliance investigations.

13. Changes to These API Terms

XBOW may modify these API Terms at any time by posting updated terms at this URL. Material changes will be effective 30 days after posting, unless you are notified otherwise. Your continued use of the API after changes take effect constitutes acceptance of the modified terms.

If you do not agree to the modified terms, you must cease using the API before the changes take effect.

14. General Provisions

14.1 Relationship to General Terms

These API Terms supplement the Terms. In case of conflict between these API Terms and the Terms with respect to the API, these API Terms control.

14.2 Governing Law and Venue

Except to the extent that a different governing law and venue are specified in the Terms, these API Terms are governed by Delaware law, and the exclusive venue for disputes is in Wilmington, Delaware.

14.3 Entire Agreement

These API Terms, together with the Terms, constitute the entire agreement between you and XBOW regarding the API.

14.4 Severability

If any provision of these API Terms is found unenforceable, the remaining provisions remain in full effect.

14.5 No Waiver

XBOW's failure to enforce any provision does not constitute a waiver of that provision or any other provision.

14.6 Assignment

You may not assign these API Terms without XBOW's prior written consent. 

14.7 Contact Information

Questions about these API Terms? Contact us at:


BY ACCESSING OR USING THE XBOW API, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THESE API TERMS OF SERVICE.