Documentation

Quickstart

Get started with Codve in under 5 minutes. Verify your first function with a single API call.

Authentication

All API requests require authentication via a Codve API key. Generate one from your dashboard.

Authorization Header

Authorization: Bearer vk_live_xxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Bring Your Own Key (BYOK) for AI Endpoints

AI endpoints require both your Codve API key (for authentication and usage tracking) and your own AI provider API key (OpenAI, Anthropic, or custom).

Two storage options:

Browser only (default): Your AI key is stored in localStorage and passed in request bodies. Never stored on Codve servers.
Cloud storage (opt-in): Enable "Save to Codve Cloud" in AI Settings to store your encrypted AI config server-side. This enables CI/GitHub Actions to use your BYOK for AI-suggested patches.

When cloud storage is enabled, your API key is encrypted at rest and only used for your own CI runs.

Your First Verification

Send a POST request to verify a function. Include the code, function name, and input schema.

Request

curl -X POST https://codve.ai/api/v1/verify \
  -H "Authorization: Bearer vk_live_xxx.xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "code": "function add(a, b) { return a + b; }",
    "functionName": "add",
    "inputSchema": {
      "a": { "type": "number" },
      "b": { "type": "number" }
    },
    "expectedBehavior": "Returns the sum of two numbers"
  }'

Response

{
  "verificationId": "ver_abc123",
  "status": "completed",
  "confidence": 94,
  "verdict": "likely_correct",
  "findings": [
    {
      "strategy": "property-based",
      "status": "passed",
      "confidence": 98,
      "message": "Verified commutativity: add(a,b) === add(b,a)"
    }
  ]
}

POST /api/v1/verify

Submit code for verification. Returns a verification result with confidence score and findings.

Request Body

Field	Type	Required	Description
code	string	Yes	The code to verify (max 50KB)
functionName	string	No	Name of the function to verify
inputSchema	object	No	JSON schema for function inputs
expectedBehavior	string	No	Natural language description
strategies	string[]	No	Strategies to use (defaults to all)
language	string	No	Code language (default: javascript)

GET /api/v1/verifications

List your verification history with pagination and filtering.

Request

curl https://codve.ai/api/v1/verifications?limit=10&status=completed \
  -H "Authorization: Bearer vk_live_xxx.xxx"

API Keys

API keys are prefixed with vk_live_ and consist of a prefix and secret separated by a dot.

Generate keys from the dashboard
Keys are shown once at creation - store them securely
Revoke compromised keys immediately

POST /api/v1/ai/fix

Use your AI provider to automatically fix code based on verification feedback. Requires BYOK (Bring Your Own Key).

Rate Limit: 5 requests per minute per user (stricter than verification endpoints)

Request Body

Field	Type	Required	Description
provider	string	Yes	openai, anthropic, or custom
apiKey	string	Yes	Your AI provider API key
model	string	No	Model to use (e.g., gpt-4o, claude-sonnet-4-20250514)
baseUrl	string	Custom only	Base URL for custom OpenAI-compatible APIs
code	string	Yes	The code to fix (max 50KB)
functionName	string	No	Name of the function
feedbackPrompt	object	No	Verification feedback (if not provided, verification runs first)
maxIterations	number	No	Max fix attempts (1-3, default 2)

Examples

With OpenAI

curl -X POST https://codve.ai/api/v1/ai/fix \
  -H "Authorization: Bearer vk_live_xxx.xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "openai",
    "apiKey": "sk-...",
    "model": "gpt-4o",
    "code": "function divide(a, b) { return a / b; }",
    "functionName": "divide",
    "expectedBehavior": "Safely divides two numbers, handling division by zero"
  }'

With Anthropic Claude

curl -X POST https://codve.ai/api/v1/ai/fix \
  -H "Authorization: Bearer vk_live_xxx.xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "anthropic",
    "apiKey": "sk-ant-...",
    "model": "claude-sonnet-4-20250514",
    "code": "function divide(a, b) { return a / b; }",
    "functionName": "divide"
  }'

With Custom Provider (OpenAI-compatible)

curl -X POST https://codve.ai/api/v1/ai/fix \
  -H "Authorization: Bearer vk_live_xxx.xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "custom",
    "apiKey": "your-api-key",
    "model": "gpt-4o",
    "baseUrl": "https://api.your-provider.com/v1",
    "code": "function divide(a, b) { return a / b; }"
  }'

Response

{
  "success": true,
  "originalCode": "function divide(a, b) { return a / b; }",
  "patchedCode": "function divide(a, b) {\n  if (b === 0) throw new Error('Division by zero');\n  return a / b;\n}",
  "beforeConfidence": 45,
  "afterConfidence": 92,
  "iterations": 1,
  "verificationResult": {
    "confidence": 92,
    "verdict": "likely_correct",
    "findings": [...]
  },
  "usage": {
    "aiTokens": 847,
    "codveUsage": { "current": 15, "limit": 100 }
  }
}

POST /api/v1/ai/generate-and-verify

Generate code from a natural language prompt, verify it, and optionally auto-fix until confidence is high.

Request Body

Field	Type	Required	Description
provider	string	Yes	openai, anthropic, or custom
apiKey	string	Yes	Your AI provider API key
model	string	No	Model to use
baseUrl	string	Custom only	Base URL for custom APIs
prompt	string	Yes	What the function should do
expectedBehavior	string	Yes	Detailed expected behavior
functionName	string	No	Desired function name
autoFix	boolean	No	Auto-fix if verification fails (default: true)
maxFixIterations	number	No	Max fix attempts (1-3, default 2)

Request

curl -X POST https://codve.ai/api/v1/ai/generate-and-verify \
  -H "Authorization: Bearer vk_live_xxx.xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "openai",
    "apiKey": "sk-...",
    "prompt": "A function that validates email addresses",
    "expectedBehavior": "Returns true for valid emails, false for invalid. Handles edge cases like missing @ symbol, invalid domains, etc.",
    "functionName": "isValidEmail"
  }'

Response

{
  "success": true,
  "generatedCode": "function isValidEmail(email) { ... }",
  "finalCode": "function isValidEmail(email) { ... }",
  "confidence": 89,
  "wasFixed": true,
  "fixIterations": 1,
  "verificationResult": {
    "confidence": 89,
    "verdict": "likely_correct",
    "findings": [...]
  },
  "usage": {
    "aiTokens": 1523,
    "codveUsage": { "current": 16, "limit": 100 }
  }
}

New Feature

MCP Server

Integrate Codve directly into AI coding assistants like Cursor and Cline using the Model Context Protocol (MCP). The MCP server lets AI assistants verify, fix, and re-verify code in real-time.

Why MCP?

AI assistants can verify code as they write it
Automatic fix suggestions when issues are found
Seamless integration with your workflow

Available Tools

codve.verify- Verify code correctness
codve.fix_with_ai- AI-powered code fixing
codve.reverify- Re-verify after patches
codve.health- Check API status

Installation

Install the MCP server globally or run directly with npx.

Install globally

# npm
npm install -g @codve/mcp-server

# pnpm
pnpm add -g @codve/mcp-server

# Or run directly
npx @codve/mcp-server

Environment Variables

Variable	Required	Default	Description
CODVE_API_TOKEN	Yes	-	Your Codve API key
CODVE_API_BASE_URL	No	https://codve.ai	Base URL for API
CODVE_TIMEOUT_MS	No	8000	Request timeout in ms
DEBUG	No	0	Enable debug logging (stderr)

MCP Tools Reference

codve.verify

Verify code correctness using multi-strategy analysis.

Input

{
  "language": "javascript",
  "code": "function add(a, b) { return a + b; }",
  "functionName": "add",
  "expectedBehavior": "Returns the sum of two numbers"
}

Output

{
  "tool": "codve.verify",
  "version": "1.0.0",
  "requestId": "req_abc123_xyz789",
  "status": "pass",
  "confidence": 94,
  "finding": "[symbolic] No issues; [property-based] Verified commutativity",
  "evidence": null,
  "suggested_actions": []
}

codve.fix_with_ai

Use AI to fix code issues. Returns a unified diff patch (never auto-applied).

Input

{
  "language": "javascript",
  "code": "function divide(a, b) { return a / b; }",
  "issue": "Division by zero not handled",
  "byok": {
    "provider": "openai",
    "apiKey": "sk-your-key",
    "model": "gpt-4"
  }
}

Output

{
  "tool": "codve.fix_with_ai",
  "version": "1.0.0",
  "requestId": "req_def456_uvw012",
  "status": "success",
  "patch": "--- a/code\n+++ b/code\n@@ -1,1 +1,4 @@...",
  "notes": "Confidence improved from 45% to 92%",
  "safety": "Patch NOT auto-applied. Review and apply manually."
}

Cursor Setup

Add Codve to your Cursor settings file at ~/.cursor/mcp.json

~/.cursor/mcp.json

{
  "mcpServers": {
    "codve": {
      "command": "npx",
      "args": ["@codve/mcp-server"],
      "env": {
        "CODVE_API_TOKEN": "vk_live_your_api_key_here"
      }
    }
  }
}

Cline Setup

Add Codve to your Cline MCP settings in VS Code.

Cline MCP Settings

{
  "mcpServers": {
    "codve": {
      "command": "npx",
      "args": ["@codve/mcp-server"],
      "env": {
        "CODVE_API_TOKEN": "vk_live_your_api_key_here"
      }
    }
  }
}

Pro Tip

After setting up, tell your AI assistant: "Use codve.verify to check this function" and it will automatically call the MCP tool to verify your code.

New Feature

Spec Hub

Create and manage executable specifications for your code. Codve verifies your code against specs — if you don't have one, Codve helps you create it.

From Requirements

Paste your requirements in natural language, and Codve generates executable specifications with preconditions, postconditions, and invariants.

AI-powered spec generation
Edge case detection
Metamorphic relations

From Code

Paste existing code and Codve infers specifications with confidence levels, helping you document legacy code.

Confidence scoring per rule
Prevent regressions
Version history

Creating Specs from Requirements

Provide natural language requirements and Codve generates a complete specification.

Request

curl -X POST https://codve.ai/api/specs/from-requirements \
  -H "Authorization: Bearer vk_live_xxx.xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Email Validator",
    "requirements": "A function that validates email addresses. Must check for @ symbol, valid domain, no spaces, and proper format.",
    "targetType": "function",
    "targetRef": "validateEmail"
  }'

Response

{
  "id": "spec_abc123",
  "name": "Email Validator",
  "status": "draft",
  "version": {
    "preconditions": [
      { "expr": "typeof email === 'string'", "severity": "error" }
    ],
    "postconditions": [
      { "expr": "result === true || result === false", "severity": "error" },
      { "expr": "email.includes('@') || result === false", "severity": "error" }
    ],
    "invariants": [
      { "expr": "email with spaces returns false", "severity": "warning" }
    ],
    "metamorphicRelations": [
      { "expr": "validate(email) === validate(email.toLowerCase())", "confidence": "medium" }
    ],
    "edgeCases": ["empty string", "null", "no @", "multiple @", "unicode"]
  }
}

Inferring Specs from Code

Analyze existing code to generate specifications with confidence levels.

Request

curl -X POST https://codve.ai/api/specs/from-code \
  -H "Authorization: Bearer vk_live_xxx.xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Sort Function",
    "code": "function sort(arr) { return [...arr].sort((a,b) => a-b); }",
    "targetType": "function",
    "targetRef": "sort"
  }'

Response

{
  "id": "spec_def456",
  "name": "Sort Function",
  "status": "draft",
  "source": "code",
  "version": {
    "preconditions": [
      { "expr": "Array.isArray(arr)", "confidence": "high" }
    ],
    "postconditions": [
      { "expr": "result.length === arr.length", "confidence": "high" },
      { "expr": "result is sorted ascending", "confidence": "high" },
      { "expr": "original arr is unchanged", "confidence": "high" }
    ],
    "invariants": [
      { "expr": "sort(sort(arr)) === sort(arr)", "confidence": "medium" }
    ]
  }
}

Verifying Against Specs

Once you have a spec, verify any code against it to catch regressions and violations.

Request

curl -X POST https://codve.ai/api/specs/spec_abc123/verify \
  -H "Authorization: Bearer vk_live_xxx.xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "code": "function validateEmail(email) { return email.includes('@'); }"
  }'

Response

{
  "status": "fail",
  "counterexamples": [
    {
      "ruleId": "post_2",
      "input": { "email": "test @example.com" },
      "expected": "false (contains space)",
      "actual": "true"
    }
  ],
  "report": {
    "ruleFailCounts": { "postconditions": 1 },
    "confidenceScore": 72,
    "failingRuleIds": ["post_2"]
  }
}

Spec Hub API Reference

Endpoint	Method	Description
/api/specs	GET	List all your specs
/api/specs	POST	Create a new spec
/api/specs/from-requirements	POST	Generate spec from requirements
/api/specs/from-code	POST	Infer spec from code
/api/specs/:id	GET	Get spec details
/api/specs/:id	PUT	Update spec (creates new version if locked)
/api/specs/:id/verify	POST	Verify code against spec
/api/specs/:id/lock	POST	Lock spec version

MCP Tools for Spec Hub

Tool	Description
codve.spec_create	Create a spec from requirements or code
codve.spec_list	List your specs
codve.spec_get	Get spec details
codve.spec_verify	Verify code against a spec
codve.spec_lock	Lock a spec version

CI Integration

GitHub Action

Run Codve verification on every PR. Block merges when specs fail.

Quick Setup with Wizard

Use our setup wizard to generate config files in seconds. No manual file creation needed.

• Enter your repo URL
• Choose preset or spec mode
• Configure paths and options
• Copy generated files to your repo

Open Wizard →

Manual Setup

Prefer to set up manually? Follow the steps below.

Step 1: Add Workflow File

.github/workflows/codve.yml

name: Codve Verification
on: [pull_request]

permissions:
  pull-requests: write
  contents: read

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Codve Verification
        uses: codve/verify-action@v1
        with:
          api-key: ${{ secrets.CODVE_API_KEY }}
          config: .codve.yml
          comment: true

Step 2: Create Config File

Choose between Preset Mode (quick setup, no spec required) or Spec Mode (custom rules from Spec Hub).

Preset Mode (Recommended for Quick Start)

Use built-in verification profiles without creating custom specs.

• basic - General code quality checks
• strict - Comprehensive verification
• security-hygiene - Security-focused checks
• null-safety - Null/undefined edge cases

Spec Mode (Custom Rules)

Verify against your own specifications from Spec Hub.

• Custom preconditions & postconditions
• Your own invariants
• Project-specific edge cases
• Versioned specs with lock

.codve.yml (Preset Mode)

version: 1

# Quick setup - no spec required
preset: "basic"

paths:
  - "src/**/*.ts"
  - "src/**/*.js"

settings:
  failOn: error
  threshold: 0.8
  timeout: 300

.codve.yml (Spec Mode)

version: 1

# Custom specs from Spec Hub
specs:
  - specId: "your-locked-spec-uuid"
    paths:
      - "src/**/*.ts"
    failOn: error
    threshold: 0.8

settings:
  timeout: 300
  comment: true

Step 3: Add API Key to Secrets

Go to your repo Settings → Secrets → Actions → New repository secret. Name it CODVE_API_KEY and paste your API key.

PR Comments

When verification fails, Codve posts a comment showing counterexamples and suggested fixes.

Example PR Comment (Failure)

❌ Codve Verification Failed

Spec: payment-validation (v3) | Status: 2 rules failed

Postcondition #3: "Result should never be negative"

Counterexample:

calculateDiscount({ price: 10, discount: 150 }) // Returns: -140

Suggested Fix:

+ return Math.max(0, price - (price * discount / 100));

Make it a Merge Gate

Require Codve verification to pass before PRs can be merged.

Setup Branch Protection

1Go to your repo Settings → Branches → Add branch protection rule
2Enter main as the branch name pattern
3Check "Require status checks to pass before merging"
4Search for and select Codve Verification

CI API

For custom CI integrations, use the CI verify endpoint directly.

Using Preset Mode

Request (Preset Mode)

curl -X POST https://codve.ai/api/v1/ci/verify \
  -H "Authorization: Bearer vk_live_xxx.xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "repo": "owner/repo",
    "sha": "abc123def456",
    "prNumber": 42,
    "branch": "feature/new-feature",
    "preset": "basic",
    "files": [
      { "path": "src/utils/math.ts", "content": "..." }
    ]
  }'

Using Spec Mode

Request (Spec Mode)

curl -X POST https://codve.ai/api/v1/ci/verify \
  -H "Authorization: Bearer vk_live_xxx.xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "repo": "owner/repo",
    "sha": "abc123def456",
    "prNumber": 42,
    "branch": "feature/new-feature",
    "specId": "your-locked-spec-uuid",
    "files": [
      { "path": "src/utils/math.ts", "content": "..." }
    ],
    "threshold": 0.8,
    "failOn": "error",
    "timeout": 300
  }'

Response

{
  "status": "fail",
  "runId": "run_xyz789",
  "reportUrl": "https://codve.ai/ci/runs/run_xyz789",
  "summary": {
    "totalRules": 12,
    "passed": 10,
    "failed": 2,
    "warnings": 1
  },
  "failingRules": [
    { "id": "post_3", "expr": "result >= 0", "severity": "error" }
  ],
  "counterexamples": [
    { "ruleId": "post_3", "input": { "price": 10, "discount": 150 }, "actual": -140 }
  ],
  "suggestedPatches": [
    { "ruleId": "post_3", "patch": "..." }
  ]
}

Limits & Behavior

Payload Limits

To ensure fast responses and prevent timeouts, the CI verify endpoint enforces payload size limits:

•Max 50 files per request (HTTP 413 if exceeded)
•Max 200KB per file (files larger than 200KB are rejected)
•Max 3MB total payload (combined size of all files)

Tip: For PRs, use changedFilesOnly: true (default in GitHub Action) to only verify changed files, significantly reducing payload size.

Rate Limits

CI verification is subject to rate limits based on your subscription plan:

Plan	Req/Min	Req/Hour	Concurrent Runs
Free	10	100	2
Pro	30	500	5
Enterprise	60	2000	10

If you exceed rate limits, the API returns HTTP 429 with a retryAfter value in seconds.

Idempotency

CI runs are idempotent based on a unique key: repo:workflowRunId:attempt

If you submit the same request multiple times (e.g., GitHub workflow retry), the API returns the existing run result instead of creating a duplicate. This prevents wasted API quota.

Example: Retrying a failed workflow with the same workflowRunId and attempt returns the cached result with HTTP 200.

Secret Redaction

To protect your credentials, Codve automatically redacts common secret patterns before storing or returning results:

• OpenAI API keys (sk-..., sk-proj-...)
• AWS credentials (AKIA..., AWS_SECRET_ACCESS_KEY)
• Private key blocks (-----BEGIN PRIVATE KEY-----)
• JWT tokens and Bearer tokens

Redacted values are replaced with [REDACTED] in counterexamples and error messages.

Report Link Visibility

The reportUrl in the response is publicly accessible to anyone with the link. Do not share this URL if your code or findings contain sensitive information.

When viewing a report, a warning banner reminds users that the link is shareable.

Verification Strategies

Codve uses multiple verification strategies to analyze your code from different angles.

Symbolic Execution

Explores all possible execution paths through your code by treating inputs as symbolic values. Finds edge cases that might not be caught by traditional testing.

Property-Based Testing

Generates random inputs to verify properties like commutativity, associativity, and idempotence. Tests your code against hundreds of cases automatically.

Invariant Checking

Verifies that certain conditions always hold before and after function execution. Ensures your code maintains expected state.

Constraint Solving

Uses SMT solvers to find inputs that violate your specifications. Can prove absence of bugs for certain classes of errors.

Metamorphic Testing

Checks relationships between multiple executions. For example: sort(sort(x)) should equal sort(x), or encrypt(decrypt(x)) should equal x.