SBOM Download API
Download the original SBOM file for a release via the authenticated API.
The SBOM download endpoint provides programmatic access to the original SBOM files uploaded for your releases. For the full SBOM API including upload, scanning, and vulnerability listing, see SBOMs & Scanning.
Download an SBOM
GET /api/sboms/{id}/download
Scope: sboms:read
curl -H "Authorization: Bearer cvk_YOUR_KEY" \
https://cis.cveium.com/api/sboms/{sbomId}/download
Access is controlled by Row Level Security — you can only download SBOMs for releases belonging to your team.
Response headers
| Header | Description |
|---|---|
| Content-Type | application/vnd.cyclonedx+json or application/spdx+json |
| Content-Disposition | attachment; filename="original-filename.json" |
| X-Content-Hash | SHA-256 hash for integrity verification (if available) |
Integrity verification
To verify the downloaded SBOM has not been modified:
- Download the file using this endpoint
- Compute the SHA-256 hash of the downloaded content
- Compare it with the X-Content-Hash response header
If the hashes match, the file is identical to what was originally uploaded.
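The three steps above as a shell function; this is an added example, not code from the API's own documentation. It assumes the X-Content-Hash value is a bare hex SHA-256 digest (the page does not state the encoding) and that `sha256sum` is installed; the file names, the `SBOM_ID` variable and the `abc` test body are constructed for illustration.

```shell
#!/bin/sh
# Fetch step (needs network, so it is not run here); headers and body are
# saved separately so the body bytes are hashed exactly as received:
#   curl -fsS -D headers.txt -o sbom.json \
#        -H "Authorization: Bearer cvk_YOUR_KEY" \
#        "https://cis.cveium.com/api/sboms/$SBOM_ID/download"

# verify_sbom HEADERS_FILE BODY_FILE
# Returns 0 = hashes match, 1 = mismatch, 2 = header absent (cannot verify).
verify_sbom() {
  local headers_file body_file expected actual
  headers_file=$1
  body_file=$2
  # Header names are case-insensitive and curl -D writes CRLF line endings.
  # tail -n 1 keeps the final response's value if several header blocks exist.
  expected=$(awk -F': *' 'tolower($1) == "x-content-hash" { print $2 }' \
               "$headers_file" | tail -n 1 | tr -d ' \r' \
               | tr '[:upper:]' '[:lower:]')
  if [ -z "$expected" ]; then
    echo "X-Content-Hash not present; integrity cannot be verified" >&2
    return 2
  fi
  # Assumption: the header carries the digest as plain hex.
  actual=$(sha256sum "$body_file" | cut -d' ' -f1)
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "hash mismatch: expected $expected, got $actual" >&2
  return 1
}

# Constructed offline demo: the body is the bytes "abc", whose SHA-256 is the
# standard test vector below (sent in upper case to exercise normalisation).
demo() {
  local d rc
  d=$(mktemp -d)
  printf 'abc' > "$d/sbom.json"
  printf 'HTTP/1.1 200 OK\r\nX-Content-Hash: %s\r\n\r\n' \
    'BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD' \
    > "$d/headers.txt"
  rc=0
  verify_sbom "$d/headers.txt" "$d/sbom.json" || rc=$?
  rm -rf "$d"
  return "$rc"
}
demo && echo "SBOM verified"
```

Treat return code 2 as unverified rather than as a pass, since the header is only sent when a hash is available.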