Discover/crt.sh API
live

crt.sh APIcrt.sh

Search crt.sh certificate transparency logs by domain, fingerprint, serial number, or SPKI. Retrieve X.509 details, CA info, and revocation status via 6 endpoints.

Developer Toolsgovernment publicb2b directory
Endpoints
6
Updated
11d ago
Try it
Group results (e.g., 'none' to disable grouping, 'icaid' to group by issuer CA).
Maximum number of results to return.
Match type for the query. Accepted values: '=', 'LIKE', 'ILIKE', 'single', 'any'.
Search query (domain, email, organization, etc.). Use % as wildcard (e.g. '%.example.com')
Exclude certain results. Accepted value: 'expired'.
api.parse.bot/scraper/001d6ea2-68d9-4b2c-af8e-c34c2d8041d1/<endpoint>
Ready to send
Fill in the parameters and hit sign in to send to see live response data here.
Use it in your codegrab a free API key at signup
curl -X GET 'https://api.parse.bot/scraper/001d6ea2-68d9-4b2c-af8e-c34c2d8041d1/search_certificates?limit=2&query=example.com' \
  -H 'X-API-Key: $PARSE_API_KEY'
All endpoints · 6 totalclick to expand

Search for certificates by identity (domain, email, organization, etc.) using the crt.sh JSON API. Returns an array of matching certificate records. Supports wildcard queries with % character.

Input
ParamTypeDescription
groupstringGroup results (e.g., 'none' to disable grouping, 'icaid' to group by issuer CA).
limitintegerMaximum number of results to return.
matchstringMatch type for the query. Accepted values: '=', 'LIKE', 'ILIKE', 'single', 'any'.
queryrequiredstringSearch query (domain, email, organization, etc.). Use % as wildcard (e.g. '%.example.com').
excludestringExclude certain results. Accepted value: 'expired'.
Response
{
  "type": "object",
  "fields": {
    "data": "array of certificate records with fields: id, issuer_ca_id, issuer_name, common_name, name_value, entry_timestamp, not_before, not_after, serial_number, result_count",
    "status": "string indicating success"
  },
  "sample": {
    "data": [
      {
        "id": 25342399799,
        "not_after": "2026-07-01T21:24:46",
        "name_value": "*.example.com\nexample.com",
        "not_before": "2026-04-02T21:18:57",
        "common_name": "example.com",
        "issuer_name": "C=US, O=\"CLOUDFLARE, INC.\", CN=Cloudflare TLS Issuing ECC CA 1",
        "issuer_ca_id": 282054,
        "result_count": 3,
        "serial_number": "6520589ef17eb55c664433f29f2e684a",
        "entry_timestamp": "2026-04-02T21:29:08.423"
      }
    ],
    "status": "success"
  }
}

About the crt.sh API

The crt.sh API gives developers structured access to certificate transparency log data through 6 endpoints covering domain search, fingerprint lookup, serial number search, SPKI hash queries, and full X.509 certificate details. The search_certificates endpoint alone returns up to a configurable number of records with fields like issuer_name, common_name, name_value, not_before, and not_after, making it straightforward to enumerate certificates issued for any domain pattern.

Certificate Search and Filtering

The search_certificates endpoint accepts a query parameter that can be a domain name, email address, organization string, or any identity value indexed in the certificate transparency logs. The % wildcard is supported (e.g., %.example.com to match all subdomains). You can control result scope with match (values: =, LIKE, ILIKE, single, any), suppress expired certificates with exclude=expired, and cap output with the limit parameter. Results include id, issuer_ca_id, issuer_name, common_name, name_value, entry_timestamp, not_before, and not_after.

Detailed Certificate and CA Lookups

get_certificate_detail takes a numeric cert_id and returns a structured object with the full decoded X.509 certificate (decoded), SHA-1/SHA-256 fingerprints, transparency_logs entries showing which logs ingested the certificate, and revocation status. If you need issuer context, get_ca_details accepts a ca_id and returns the CA name and raw_info block for that certificate authority.

Alternative Lookup Methods

Two endpoints support lookups when you have a hash rather than a domain. search_by_fingerprint accepts either a 64-character SHA-256 or 40-character SHA-1 fingerprint (case-insensitive) and returns matching crt_sh_ids, certificate summary, fingerprints, and transparency_logs. search_by_spki takes a 64-character lowercase hex SPKI SHA-256 hash and returns all certificates that share that public key, with fields id, entry_timestamp, not_before, not_after, and issuer_name. search_by_serial accepts a hex serial number string and returns the same record shape as the main certificate search.

Coverage and Data Freshness

crt.sh indexes certificates submitted to public certificate transparency logs, meaning any certificate that was never submitted to a CT log will not appear. Coverage spans all major public logs, so the overwhelming majority of publicly-trusted TLS certificates issued since CT logging became widespread are present. Timestamps reflect when the entry appeared in the log (entry_timestamp), which may differ slightly from the certificate's own not_before date.

Common use cases
  • Enumerate all subdomains of a target domain by querying %.example.com and collecting distinct name_value entries
  • Detect unauthorized or unexpected certificates issued for your organization's domains by monitoring issuer_name and entry_timestamp
  • Look up the full certificate chain and revocation status for a known certificate using get_certificate_detail with its crt_sh_id
  • Identify all certificates sharing a compromised private key by querying search_by_spki with the key's SHA-256 hash
  • Cross-reference a certificate by serial number during incident response using search_by_serial with a hex serial string
  • Audit which certificate authorities have issued certificates for your domain by collecting issuer_ca_id values and resolving them with get_ca_details
  • Verify a specific certificate's transparency log inclusion by fingerprint using search_by_fingerprint and inspecting the transparency_logs array
Pricing & limitsSee full pricing →
TierPriceCredits/monthRate limit
Free$0/mo1005 req/min
Hobby$30/mo1,00020 req/min
Developer$100/mo5,000250 req/min

One credit = one API call regardless of which marketplace API you call. Exceeding the rate limit returns a 429 response. Authenticate with the X-API-Key header.

Frequently asked questions
Does crt.sh have an official developer API?+
Yes. crt.sh exposes a JSON search interface at https://crt.sh/?q=&output=json and accepts query parameters directly. Documentation is minimal and the interface is not versioned or formally supported, but it is publicly accessible.
What does `search_certificates` return when I use the `group` parameter?+
Setting group=icaid collapses results so that each unique issuer CA appears once, which reduces result volume when a CA has issued many certificates for the same domain. Setting group=none disables any grouping and returns individual certificate records. The issuer_ca_id and issuer_name fields are present in both modes.
Does the API return certificate chain or intermediate CA certificates?+
The get_certificate_detail endpoint returns decoded X.509 fields and a revocation block for the requested certificate. Full chain reconstruction (fetching intermediates in sequence) is not a built-in endpoint. The API covers individual certificate lookups and CA detail via get_ca_details. You can fork it on Parse and revise to add a chain-traversal endpoint that follows issuer_ca_id links.
Are precertificates included in search results?+
crt.sh logs both final certificates and precertificates submitted to CT logs. The name_value field in search_certificates results may therefore contain entries for precertificates alongside issued certificates. The API does not currently expose a filter parameter to restrict results to one type. You can fork it on Parse and revise to add a type filter that distinguishes precertificates from final certificates.
Is there pagination support for large result sets?+
The search_certificates endpoint supports a limit parameter to cap the number of returned records. Offset-based or cursor-based pagination across pages is not currently supported by the API. It covers the first N matching records as ordered by crt.sh. You can fork it on Parse and revise to add offset or page parameters if the underlying source supports them.
Page content last updated . Spec covers 6 endpoints from crt.sh.
Related APIs in Developer ToolsSee all →
arxiv.org API
Search and discover academic research papers on arXiv using keywords, authors, titles, categories, and dates, then access detailed metadata for any paper. Browse the complete arXiv category taxonomy to explore research across different scientific disciplines.
sketchfab.com API
Search and browse 3D models on Sketchfab, including filtering by category, license, animation, and downloadability. Retrieve detailed model metadata, creator profiles, collections, thumbnails, tags, and viewer configuration options.
theresanaiforthat.com API
Search and discover AI tools across different tasks, get detailed information about specific tools, browse available deals, and stay updated on the latest tools. Find the perfect AI solution for your needs by filtering by task category or checking featured and trending tools.
oeis.org API
Search OEIS for integer sequences by keyword, A-number, or known terms, then retrieve full sequence entries and b-file term data.
duden.de API
Get German verb conjugations, parts of speech, and usage frequency from Duden's comprehensive database. Quickly look up how to conjugate any German verb across all tenses and moods.
nvidia.com API
nvidia.com API
alienvault.com API
Search and analyze global threat intelligence data including indicators of compromise, threat pulses, and adversary profiles from the Open Threat Exchange community. Monitor recent security alerts and access detailed information about threats and adversaries to strengthen your cybersecurity defenses.
mvnrepository.com API
Search Maven artifacts and retrieve detailed information about Java libraries, including artifact details, relocation notices, and popular package rankings. Find the exact dependencies you need and discover trending open-source projects in the Maven ecosystem.
crt.sh API — Certificate Transparency Search · Parse