Help

Getting started with DevTrace

Getting Started

  • Sign in — authenticate with your GitHub account using the Sign In button on the landing page. DevTrace uses GitHub OAuth, so no separate account is needed.
  • Accept Terms — on your first sign-in, you will be asked to accept the Terms of Service before accessing the dashboard.
  • Dashboard — once signed in, the dashboard shows your profile, a search bar to score contributors, your quota usage, and a list of recently scored contributors.
  • Score a contributor — type any GitHub username into the search bar and click Score. DevTrace will analyze 22 signals across 5 categories and return a reputation score.

Understanding Scores

  • Overall Score — a value between 0.00 and 1.00 representing the contributor's reputation. Higher is better.
  • Grade — letter grade from A+ to F derived from the score. A+/A = exceptional, B = good, C = average, D = below average, F = poor or insufficient data.
  • Categories — scores are broken down into five categories:
    • Identity — profile completeness (bio, company, location, website, public email)
    • Behavioral — account age, suspension status, contribution patterns
    • Community — followers, public repos, fork ratio
    • Engagement — PRs merged, PRs closed, recent PR activity across repos
    • AI Sensing — AI-generated contribution transparency signals. Pro plans include behavioral heuristics: Velocity Anomaly (recent vs. baseline PR rate), Active Hours (hour-of-day spread), Burst-Vanish (peak/median activity ratio), and Synthetic Risk (composite flag from profile, reviews, and commit patterns).
  • Risk Summary — AI-generated narrative summarizing the contributor's reputation, strengths, and areas of concern.
  • Score Trend — when a contributor has been scored more than once, a trend chart shows how their score has changed over time.

Dashboard

  • Profile — shows your GitHub username, name, company, location, and bio as imported from your GitHub profile.
  • Score Contributor — search bar to score any GitHub user. Results open on the scorecard detail page.
  • Quota — circular gauge showing what percentage of your monthly contributor limit has been used.
  • Recently Scored — table of your most recent scoring activity with contributor name, provider, source (ui/api), deep scoring flag, and timestamp.

Settings

  • Profile — view your GitHub username, name, email, company, location, bio, and account dates.
  • Plan — see your current plan, contributor limit per month, and API rate limit.
  • API Tokens — create and revoke API tokens for programmatic access. Tokens are shown once at creation and cannot be recovered. See the API section below for usage.
  • Appearance — switch between Light, Dark, or System theme. Your preference is saved in the browser.

API Reference

The scoring endpoint works without authentication (grade and score only, 1 req/min). For the full signal breakdown, create a Bearer token in Settings. Set your base URL and token:

export HOST=https://devtrace.thingz.io
export TOKEN=dt_your_token_here

Score a contributor (unauthenticated)

Returns grade and score only. No token needed.

curl -s "$HOST/api/v1/score/octocat"

Score a contributor (authenticated)

Returns the full reputation score based on your plan tier.

curl -s \
  -H "Authorization: Bearer $TOKEN" \
  "$HOST/api/v1/score/octocat"

Score with repository context

Add ?repo=owner/name for repo-specific signals.

curl -s \
  -H "Authorization: Bearer $TOKEN" \
  "$HOST/api/v1/score/octocat?repo=kubernetes/kubernetes"

Score with trusted organizations

Pass trusted_orgs to boost scores for org members.

curl -s \
  -H "Authorization: Bearer $TOKEN" \
  "$HOST/api/v1/score/octocat?trusted_orgs=google&trusted_orgs=microsoft"

Score history

Returns historical scores for trend analysis.

curl -s \
  -H "Authorization: Bearer $TOKEN" \
  "$HOST/api/v1/score/octocat/history"

Returns an array of {"score": 0.97, "scored_at": "..."} entries.

API Response Examples

Response fields vary by plan. Below are full examples for each tier using /api/v1/score/octocat.

Unauthenticated

No token required. Returns grade and score only.

{
  "version": "0.13.1",
  "username": "octocat",
  "provider": "github",
  "score": {
    "grade": "C",
    "value": 0.61
  },
  "scoring_mode": "global",
  "scored_at": "2026-04-16T22:50:30.671968868Z",
  "cached_at": "2026-04-16T23:00:46.224572471Z",
  "detail": "Sign up for full signal breakdown -> devtrace.thingz.io"
}

Free plan

Includes profile, signals, categories, risk summary, behavior, and AI sensing metadata.

{
  "version": "0.13.1",
  "username": "octocat",
  "provider": "github",
  "profile": {
    "name": "The Octocat",
    "avatar_url": "https://avatars.githubusercontent.com/u/583231?v=4",
    "company": "@github",
    "location": "San Francisco"
  },
  "score": {
    "grade": "C",
    "value": 0.61,
    "categories": {
      "behavioral": 0.1,
      "community": 0.19,
      "engagement": 0,
      "identity": 0.3167
    }
  },
  "signals": {
    "account_age_days": 5560,
    "followers": 22358,
    "following": 9,
    "public_repos": 8,
    "forked_repos": 2,
    "prs_merged": 0,
    "prs_closed": 3,
    "recent_pr_repo_count": 0,
    "has_bio": false,
    "has_company": true,
    "has_location": true,
    "has_website": true,
    "has_public_email": true,
    "suspended": false
  },
  "risk_summary": "Established contributor with consistent activity history...",
  "ai_sensing": {
    "co_authored_commits": 0,
    "bot_associated_prs": 0,
    "known_tool_signatures": null,
    "total_commits_analyzed": 0,
    "ai_associated_ratio": 0
  },
  "scoring_mode": "global",
  "scored_at": "2026-04-16T22:50:30.671968868Z"
}

Starter plan

Adds Claude-powered PR authenticity classification.

{
  "version": "0.13.1",
  "username": "octocat",
  "provider": "github",
  "profile": { ... },
  "score": { ... },
  "signals": { ... },
  "risk_summary": "...",
  "ai_sensing": {
    "co_authored_commits": 0,
    "bot_associated_prs": 0,
    "known_tool_signatures": null,
    "total_commits_analyzed": 0,
    "ai_associated_ratio": 0,
    "pr_authenticity": {
      "classification": "human",
      "confidence": 0.92,
      "reasoning": "Commit patterns show consistent human authoring..."
    }
  },
  "scoring_mode": "global",
  "scored_at": "2026-04-16T22:50:30.671968868Z"
}

Pro plan

Full response including behavioral heuristics (velocity anomaly, active hours, burst-vanish, synthetic risk).

{
  "version": "0.13.1",
  "username": "octocat",
  "provider": "github",
  "profile": {
    "name": "The Octocat",
    "avatar_url": "https://avatars.githubusercontent.com/u/583231?v=4",
    "company": "@github",
    "location": "San Francisco"
  },
  "score": {
    "grade": "C",
    "value": 0.61,
    "categories": {
      "behavioral": 0.1,
      "community": 0.19,
      "engagement": 0,
      "identity": 0.3167
    }
  },
  "signals": {
    "account_age_days": 5560,
    "followers": 22358,
    "following": 9,
    "public_repos": 8,
    "forked_repos": 2,
    "prs_merged": 0,
    "prs_closed": 3,
    "recent_pr_repo_count": 0,
    "has_bio": false,
    "has_company": true,
    "has_location": true,
    "has_website": true,
    "has_public_email": true,
    "suspended": false
  },
  "risk_summary": "octocat has a moderate reputation score of 0.61 with strong identity verification (0.32) and solid community presence (22k followers, 8 public repos across 15+ years of account history), but shows limited contribution traction with zero merged PRs and three closed PRs.",
  "ai_sensing": {
    "co_authored_commits": 0,
    "bot_associated_prs": 0,
    "known_tool_signatures": null,
    "total_commits_analyzed": 0,
    "ai_associated_ratio": 0,
    "behavioral": {
      "velocity_anomaly_ratio": 0,
      "active_hour_spread": 0,
      "burst_vanish_score": 0,
      "synthetic_risk_flags": 2,
      "synthetic_risk_details": [
        "no_reviews",
        "no_consistency"
      ]
    }
  },
  "scoring_mode": "global",
  "scored_at": "2026-04-16T22:50:30.671968868Z"
}
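
Because the response shape depends on the tier, a consumer should treat a missing field as missing evidence, not as a clean result. The following Python is an added example, not DevTrace code: the triage function, both thresholds and the three sample responses (trimmed from the examples above) are assumptions made for illustration.

```python
import json

MIN_SCORE = 0.50       # assumed policy threshold, not a DevTrace default
MAX_SYNTH_FLAGS = 1    # assumed policy threshold, not a DevTrace default


def triage(resp):
    """Return (decision, reasons); decision is 'block', 'review' or 'pass'."""
    value = (resp.get("score") or {}).get("value")
    if isinstance(value, bool) or not isinstance(value, (int, float)) \
            or not 0.0 <= value <= 1.0:
        return "review", ["score missing or outside 0.00-1.00"]
    reasons = []
    signals = resp.get("signals")
    if signals is None:
        # Unauthenticated tier returns grade and score only: never auto-pass.
        reasons.append("no signal breakdown in response")
    elif signals.get("suspended"):
        return "block", ["account suspended"]
    behavioral = (resp.get("ai_sensing") or {}).get("behavioral")
    if behavioral:  # present only in the Pro example
        flags = behavioral.get("synthetic_risk_flags", 0)
        if flags > MAX_SYNTH_FLAGS:
            details = ", ".join(behavioral.get("synthetic_risk_details") or [])
            reasons.append(f"synthetic_risk_flags={flags} ({details})")
    if value < MIN_SCORE:
        reasons.append(f"score {value:.2f} below {MIN_SCORE:.2f}")
    return ("review" if reasons else "pass"), reasons


# Constructed samples, trimmed from the tier examples on this page.
UNAUTH = json.loads('{"username": "octocat", "score": {"grade": "C", "value": 0.61}}')
FREE = dict(UNAUTH, signals={"suspended": False},
            ai_sensing={"co_authored_commits": 0, "ai_associated_ratio": 0})
PRO = dict(FREE, ai_sensing={"behavioral": {
    "synthetic_risk_flags": 2,
    "synthetic_risk_details": ["no_reviews", "no_consistency"]}})

if __name__ == "__main__":
    for name, sample in (("unauthenticated", UNAUTH), ("free", FREE), ("pro", PRO)):
        print(name, *triage(sample))
```

The same contributor yields different decisions per tier here only because the evidence available differs, which is why the unauthenticated response is routed to review instead of passing on score alone.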

Usage Limits

  • Unauthenticated — 1 lookup per minute per IP. Sign in with GitHub to unlock higher limits and full features.
  • Free plan — 50 unique contributors/month, 60 API requests/hour, basic scoring with category breakdown and risk summary.
  • Starter plan — 200 unique contributors/month, 300 API requests/hour, includes PR authenticity analysis.
  • Pro plan — 2,000 unique contributors/month, 1,000 API requests/hour, full AI Sensing with behavioral heuristics (Velocity Anomaly, Active Hours, Burst-Vanish, Synthetic Risk).
  • Quota — each unique contributor scored counts against your monthly limit. Rescoring the same contributor does not consume additional quota.
  • Rate limiting — unauthenticated requests are limited to 1 per minute. Authenticated requests are rate-limited per hour based on your plan. When the limit is reached, requests return HTTP 429 with a Retry-After header.

Troubleshooting

  • Stuck in sign-in loop — clear your browser cookies for the DevTrace domain and try again.
  • Score returns an error — check that the GitHub username exists and is spelled correctly. If the GitHub API is rate-limited, wait a few minutes.
  • API returns 401 — your token may be revoked or missing. Generate a new one in Settings.
  • API returns 429 — you've hit the rate limit (1/min unauthenticated, or your plan's hourly limit). Check the Retry-After header for when to retry, or sign in for higher limits.
  • API returns 403 — you've reached your monthly contributor quota. Wait for the next billing period or upgrade your plan.
  • Score data looks stale — scores are cached. The same contributor scored within a short window may return cached results.
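
The status codes above call for different client behavior: only 429 is worth retrying, while 401 and 403 need a new token or a quota change. The following Python is an added example, not DevTrace code: the function names, action labels and the 60-second fallback are assumptions, and since this page does not say which Retry-After form the API sends, both forms allowed by HTTP (delta-seconds and HTTP-date) are handled.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def retry_delay(retry_after, now=None, default=60.0):
    """Seconds to wait for a Retry-After value (delta-seconds or HTTP-date)."""
    if retry_after is None:
        return default                      # assumed fallback: one minute
    text = retry_after.strip()
    if text.isdigit():
        return float(text)
    try:
        when = parsedate_to_datetime(text)
    except (TypeError, ValueError):
        return default                      # unparseable header: use fallback
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())


def next_action(status, headers):
    """Map a response status to (action, delay_seconds)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return "ok", 0.0
    if status == 401:
        return "replace_token", 0.0         # token revoked or missing
    if status == 403:
        return "quota_exhausted", 0.0       # monthly quota: retrying will not help
    if status == 429:
        return "retry", retry_delay(lowered.get("retry-after"))
    return "error", 0.0


if __name__ == "__main__":
    # Constructed responses, not captured from the service.
    print(next_action(429, {"Retry-After": "12"}))
    print(next_action(403, {}))
```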

Compliance

  • NIST SSDF — Pro plan scorecards include a Regulatory Context section mapping contributor signals to 8 NIST SP 800-218 (SSDF) practices.
  • EU CRA — contributor provenance signals support due-diligence obligations under the EU Cyber Resilience Act (enforcement begins 2027).
  • Full methodology — see the Compliance page for the complete practice mapping, task-level callouts, and disclaimer.

Plans

Feature | Free | Starter ($0/mo*) | Pro ($0/mo*)
Contributor Scoring | Score + Grade + Signals (available on all plans)
Risk Summary | Metrics-based | AI-powered | AI-powered
AI Sensing | Metadata | Metadata + PR authenticity | Full Context
Score History | 30 days | 90 days | 365 days
Rate Limit | 60 req/hour | 300 req/hour | 1000 req/hour
API Keys | 1 | 1 | 10
Batch API | Coming soon
Webhooks | Coming soon
Risk Alerts | Dashboard only | Weekly email + dashboard | Weekly email + dashboard
Compliance Reports | SSDF + EU CRA

* During the beta preview the Pro plan is free for all users.