crt APIcrt.sh ↗
Search crt.sh certificate transparency logs by domain, fingerprint, serial number, or SPKI. Retrieve X.509 details, CA info, and revocation status via 6 endpoints.
What is the crt API?
The crt.sh API gives developers structured access to certificate transparency log data through 6 endpoints covering domain search, fingerprint lookup, serial number search, SPKI hash queries, and full X.509 certificate details. The search_certificates endpoint alone returns up to a configurable number of records with fields like issuer_name, common_name, name_value, not_before, and not_after, making it straightforward to enumerate certificates issued for any domain pattern.
curl -X GET 'https://api.parse.bot/scraper/001d6ea2-68d9-4b2c-af8e-c34c2d8041d1/search_certificates?group=none&limit=5&match=any&query=example.com&exclude=expired' \ -H 'X-API-Key: $PARSE_API_KEY'
Typed, relational, agent-ready
A generated client with real types, enums, and the links between objects — the structure a flat JSON response can't carry. Autocompletes in your editor and reads cleanly to coding agents.
- Fully typed · autocompletes
- Objects link to objects
- Typed errors & pagination
Typed Python client. Set up the SDK in your uv project, then pull this API’s typed client:
uv add parse-sdk uv run parse init uv run parse add --marketplace crt-sh-api
uv run parse add --marketplace pulls a pinned snapshot of this canonical API — it won’t change underneath you. To customize it, subscribe and swap to your own copy.
from parse_apis.crt_sh_certificate_transparency_api import CrtSh, MatchType, Grouping
crtsh = CrtSh()
# Search for certificates issued for a domain
for cert in crtsh.certificates.search(query="example.com", match=MatchType.ILIKE, limit=5):
print(cert.id, cert.common_name, cert.not_before, cert.serial_number)
# Get detailed info for a specific certificate
detail = crtsh.certificates.search(query="example.com", limit=1).__next__().detail()
print(detail.summary, detail.decoded.signature_algorithm, detail.decoded.public_key_size)
for log in detail.transparency_logs:
print(log.operator, log.timestamp, log.entry_number)
# Look up a Certificate Authority
ca = crtsh.certificateauthorities.get(ca_id="16418")
print(ca.ca_id, ca.name, ca.raw_info)
# Search by fingerprint
fp_result = crtsh.fingerprintresults.get(fingerprint="REDACTED_SECRET")
print(fp_result.type, fp_result.crt_sh_ids, fp_result.summary)Search for certificates by identity (domain, email, organization, etc.) using the crt.sh JSON API. Returns an array of matching certificate records wrapped in an items key. Supports wildcard queries with the % character.
| Param | Type | Description |
|---|---|---|
| group | string | Group results. Accepted values: 'none' to disable grouping, 'icaid' to group by issuer CA. |
| limit | integer | Maximum number of results to return. |
| match | string | Match type for the query. Accepted values: 'LIKE', 'ILIKE', 'single', 'any', '='. |
| queryrequired | string | Search query (domain, email, organization, etc.). Use % as wildcard (e.g. '%.example.com'). |
| exclude | string | Exclude certain results. Accepted value: 'expired'. |
{
"type": "object",
"fields": {
"items": "array of certificate records with fields: id, issuer_ca_id, issuer_name, common_name, name_value, entry_timestamp, not_before, not_after, serial_number, result_count"
},
"sample": {
"data": {
"items": [
{
"id": 26928007283,
"not_after": "2026-09-03T23:59:59",
"name_value": "github.com\nwww.github.com",
"not_before": "2026-06-06T00:00:00",
"common_name": "github.com",
"issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36",
"issuer_ca_id": 204406,
"result_count": 3,
"serial_number": "00a8fdeadee3547b77713b711484a45be7",
"entry_timestamp": "2026-06-06T00:50:51.981"
}
]
},
"status": "success"
}
}About the crt API
Certificate Search and Filtering
The search_certificates endpoint accepts a query parameter that can be a domain name, email address, organization string, or any identity value indexed in the certificate transparency logs. The % wildcard is supported (e.g., %.example.com to match all subdomains). You can control result scope with match (values: =, LIKE, ILIKE, single, any), suppress expired certificates with exclude=expired, and cap output with the limit parameter. Results include id, issuer_ca_id, issuer_name, common_name, name_value, entry_timestamp, not_before, and not_after.
Detailed Certificate and CA Lookups
get_certificate_detail takes a numeric cert_id and returns a structured object with the full decoded X.509 certificate (decoded), SHA-1/SHA-256 fingerprints, transparency_logs entries showing which logs ingested the certificate, and revocation status. If you need issuer context, get_ca_details accepts a ca_id and returns the CA name and raw_info block for that certificate authority.
Alternative Lookup Methods
Two endpoints support lookups when you have a hash rather than a domain. search_by_fingerprint accepts either a 64-character SHA-256 or 40-character SHA-1 fingerprint (case-insensitive) and returns matching crt_sh_ids, certificate summary, fingerprints, and transparency_logs. search_by_spki takes a 64-character lowercase hex SPKI SHA-256 hash and returns all certificates that share that public key, with fields id, entry_timestamp, not_before, not_after, and issuer_name. search_by_serial accepts a hex serial number string and returns the same record shape as the main certificate search.
Coverage and Data Freshness
crt.sh indexes certificates submitted to public certificate transparency logs, meaning any certificate that was never submitted to a CT log will not appear. Coverage spans all major public logs, so the overwhelming majority of publicly-trusted TLS certificates issued since CT logging became widespread are present. Timestamps reflect when the entry appeared in the log (entry_timestamp), which may differ slightly from the certificate's own not_before date.
The crt API is a managed, monitored endpoint for crt.sh — not a raw scraper you maintain. Every endpoint is automatically health-checked on a schedule, and when crt.sh changes and a check fails, the API is automatically queued for repair and re-verified. It is built to keep working as the site underneath it changes.
This isn't an official crt.sh API — it's an independent, maintained REST wrapper over public data. Where the source has no official API (or only a limited one), Parse gives you a stable contract over a source that never promised one, and keeps it current. Need a new endpoint or field? You can revise it yourself in plain English and the agent rebuilds it against the live site in minutes — contributing the change back to the shared API is free.
Will this API break when the source site changes?+
Is this an official API from the source site?+
Can I fix or extend this API myself if I need a new endpoint or field?+
What happens if I call an endpoint that has an issue?+
- Enumerate all subdomains of a target domain by querying
%.example.comand collecting distinctname_valueentries - Detect unauthorized or unexpected certificates issued for your organization's domains by monitoring
issuer_nameandentry_timestamp - Look up the full certificate chain and revocation status for a known certificate using
get_certificate_detailwith itscrt_sh_id - Identify all certificates sharing a compromised private key by querying
search_by_spkiwith the key's SHA-256 hash - Cross-reference a certificate by serial number during incident response using
search_by_serialwith a hex serial string - Audit which certificate authorities have issued certificates for your domain by collecting
issuer_ca_idvalues and resolving them withget_ca_details - Verify a specific certificate's transparency log inclusion by fingerprint using
search_by_fingerprintand inspecting thetransparency_logsarray
| Tier | Price | Credits/month | Rate limit |
|---|---|---|---|
| Free | $0/mo | 100 | 5 req/min |
| Hobby | $30/mo | 1,000 | 20 req/min |
| Developer | $100/mo | 5,000 | 100 req/min |
One credit = one API call regardless of which marketplace API you call. Exceeding the rate limit returns a 429 response. Authenticate with the X-API-Key header.
Does crt.sh have an official developer API?+
What does `search_certificates` return when I use the `group` parameter?+
group=icaid collapses results so that each unique issuer CA appears once, which reduces result volume when a CA has issued many certificates for the same domain. Setting group=none disables any grouping and returns individual certificate records. The issuer_ca_id and issuer_name fields are present in both modes.Does the API return certificate chain or intermediate CA certificates?+
get_certificate_detail endpoint returns decoded X.509 fields and a revocation block for the requested certificate. Full chain reconstruction (fetching intermediates in sequence) is not a built-in endpoint. The API covers individual certificate lookups and CA detail via get_ca_details. You can fork it on Parse and revise to add a chain-traversal endpoint that follows issuer_ca_id links.Are precertificates included in search results?+
name_value field in search_certificates results may therefore contain entries for precertificates alongside issued certificates. The API does not currently expose a filter parameter to restrict results to one type. You can fork it on Parse and revise to add a type filter that distinguishes precertificates from final certificates.Is there pagination support for large result sets?+
search_certificates endpoint supports a limit parameter to cap the number of returned records. Offset-based or cursor-based pagination across pages is not currently supported by the API. It covers the first N matching records as ordered by crt.sh. You can fork it on Parse and revise to add offset or page parameters if the underlying source supports them.