Discover/crt API
live

crt APIcrt.sh

Search crt.sh certificate transparency logs by domain, fingerprint, serial number, or SPKI. Retrieve X.509 details, CA info, and revocation status via 6 endpoints.

Endpoint health
verified 3d ago
search_certificates
search_by_spki
get_certificate_detail
get_ca_details
search_by_serial
6/6 passing latest checkself-healing
Endpoints
6
Updated
10d ago

What is the crt API?

The crt.sh API gives developers structured access to certificate transparency log data through 6 endpoints covering domain search, fingerprint lookup, serial number search, SPKI hash queries, and full X.509 certificate details. The search_certificates endpoint alone returns up to a configurable number of records with fields like issuer_name, common_name, name_value, not_before, and not_after, making it straightforward to enumerate certificates issued for any domain pattern.

Try it
Group results. Accepted values: 'none' to disable grouping, 'icaid' to group by issuer CA.
Maximum number of results to return.
Match type for the query. Accepted values: 'LIKE', 'ILIKE', 'single', 'any', '='.
Search query (domain, email, organization, etc.). Use % as wildcard (e.g. '%.example.com').
Exclude certain results. Accepted value: 'expired'.
api.parse.bot/scraper/001d6ea2-68d9-4b2c-af8e-c34c2d8041d1/<endpoint>
Ready to send
Fill in the parameters and hit sign in to send to see live response data here.
Call it over HTTPgrab a free API key at signup
curl -X GET 'https://api.parse.bot/scraper/001d6ea2-68d9-4b2c-af8e-c34c2d8041d1/search_certificates?group=none&limit=5&match=any&query=example.com&exclude=expired' \
  -H 'X-API-Key: $PARSE_API_KEY'
Python SDK · recommended

Typed, relational, agent-ready

A generated client with real types, enums, and the links between objects — the structure a flat JSON response can't carry. Autocompletes in your editor and reads cleanly to coding agents.

  • Fully typed · autocompletes
  • Objects link to objects
  • Typed errors & pagination

Typed Python client. Set up the SDK in your uv project, then pull this API’s typed client:

uv add parse-sdk
uv run parse init
uv run parse add --marketplace crt-sh-api

uv run parse add --marketplace pulls a pinned snapshot of this canonical API — it won’t change underneath you. To customize it, subscribe and swap to your own copy.

from parse_apis.crt_sh_certificate_transparency_api import CrtSh, MatchType, Grouping

crtsh = CrtSh()

# Search for certificates issued for a domain
for cert in crtsh.certificates.search(query="example.com", match=MatchType.ILIKE, limit=5):
    print(cert.id, cert.common_name, cert.not_before, cert.serial_number)

# Get detailed info for a specific certificate
detail = crtsh.certificates.search(query="example.com", limit=1).__next__().detail()
print(detail.summary, detail.decoded.signature_algorithm, detail.decoded.public_key_size)
for log in detail.transparency_logs:
    print(log.operator, log.timestamp, log.entry_number)

# Look up a Certificate Authority
ca = crtsh.certificateauthorities.get(ca_id="16418")
print(ca.ca_id, ca.name, ca.raw_info)

# Search by fingerprint
fp_result = crtsh.fingerprintresults.get(fingerprint="REDACTED_SECRET")
print(fp_result.type, fp_result.crt_sh_ids, fp_result.summary)
All endpoints · 6 totalmissing one? ·

Search for certificates by identity (domain, email, organization, etc.) using the crt.sh JSON API. Returns an array of matching certificate records wrapped in an items key. Supports wildcard queries with the % character.

Input
ParamTypeDescription
groupstringGroup results. Accepted values: 'none' to disable grouping, 'icaid' to group by issuer CA.
limitintegerMaximum number of results to return.
matchstringMatch type for the query. Accepted values: 'LIKE', 'ILIKE', 'single', 'any', '='.
queryrequiredstringSearch query (domain, email, organization, etc.). Use % as wildcard (e.g. '%.example.com').
excludestringExclude certain results. Accepted value: 'expired'.
Response
{
  "type": "object",
  "fields": {
    "items": "array of certificate records with fields: id, issuer_ca_id, issuer_name, common_name, name_value, entry_timestamp, not_before, not_after, serial_number, result_count"
  },
  "sample": {
    "data": {
      "items": [
        {
          "id": 26928007283,
          "not_after": "2026-09-03T23:59:59",
          "name_value": "github.com\nwww.github.com",
          "not_before": "2026-06-06T00:00:00",
          "common_name": "github.com",
          "issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36",
          "issuer_ca_id": 204406,
          "result_count": 3,
          "serial_number": "00a8fdeadee3547b77713b711484a45be7",
          "entry_timestamp": "2026-06-06T00:50:51.981"
        }
      ]
    },
    "status": "success"
  }
}

About the crt API

Certificate Search and Filtering

The search_certificates endpoint accepts a query parameter that can be a domain name, email address, organization string, or any identity value indexed in the certificate transparency logs. The % wildcard is supported (e.g., %.example.com to match all subdomains). You can control result scope with match (values: =, LIKE, ILIKE, single, any), suppress expired certificates with exclude=expired, and cap output with the limit parameter. Results include id, issuer_ca_id, issuer_name, common_name, name_value, entry_timestamp, not_before, and not_after.

Detailed Certificate and CA Lookups

get_certificate_detail takes a numeric cert_id and returns a structured object with the full decoded X.509 certificate (decoded), SHA-1/SHA-256 fingerprints, transparency_logs entries showing which logs ingested the certificate, and revocation status. If you need issuer context, get_ca_details accepts a ca_id and returns the CA name and raw_info block for that certificate authority.

Alternative Lookup Methods

Two endpoints support lookups when you have a hash rather than a domain. search_by_fingerprint accepts either a 64-character SHA-256 or 40-character SHA-1 fingerprint (case-insensitive) and returns matching crt_sh_ids, certificate summary, fingerprints, and transparency_logs. search_by_spki takes a 64-character lowercase hex SPKI SHA-256 hash and returns all certificates that share that public key, with fields id, entry_timestamp, not_before, not_after, and issuer_name. search_by_serial accepts a hex serial number string and returns the same record shape as the main certificate search.

Coverage and Data Freshness

crt.sh indexes certificates submitted to public certificate transparency logs, meaning any certificate that was never submitted to a CT log will not appear. Coverage spans all major public logs, so the overwhelming majority of publicly-trusted TLS certificates issued since CT logging became widespread are present. Timestamps reflect when the entry appeared in the log (entry_timestamp), which may differ slightly from the certificate's own not_before date.

Reliability & maintenanceVerified

The crt API is a managed, monitored endpoint for crt.sh — not a raw scraper you maintain. Every endpoint is automatically health-checked on a schedule, and when crt.sh changes and a check fails, the API is automatically queued for repair and re-verified. It is built to keep working as the site underneath it changes.

This isn't an official crt.sh API — it's an independent, maintained REST wrapper over public data. Where the source has no official API (or only a limited one), Parse gives you a stable contract over a source that never promised one, and keeps it current. Need a new endpoint or field? You can revise it yourself in plain English and the agent rebuilds it against the live site in minutes — contributing the change back to the shared API is free.

Last verified
3d ago
Latest check
6/6 endpoints passing
Maintenance
Monitored & self-healing
Will this API break when the source site changes?+
It's built not to. Every endpoint is health-checked on a schedule with automated test probes. When the source site changes and a check fails, the API is automatically queued for repair and re-verified — that's the self-healing layer. Each API page shows when its endpoints were last verified. And because marketplace APIs are shared, any fix reaches everyone using it.
Is this an official API from the source site?+
No — Parse APIs are independent, managed REST wrappers over publicly available data. That is the point: where a site has no official API (or only a limited one), Parse gives you a maintained, monitored endpoint for that data and keeps it working as the site changes — so you get a stable contract over a source that never promised one.
Can I fix or extend this API myself if I need a new endpoint or field?+
Yes — and you don't have to wait on us. This API was generated by the Parse agent, which stays attached. Describe the change in plain English ("add an endpoint that returns reviews", "fix the price field") in the revise box on the API page or via the revise_api MCP tool, and the agent rebuilds it against the live site in minutes. Contributing the change back to the public API is free.
What happens if I call an endpoint that has an issue?+
Errors are machine-readable: a bad call returns a clean status with the list of available endpoints and a repair hint, so an agent (or you) can recover or trigger a fix instead of failing silently. Confirmed failures feed the automatic repair queue.
Common use cases
  • Enumerate all subdomains of a target domain by querying %.example.com and collecting distinct name_value entries
  • Detect unauthorized or unexpected certificates issued for your organization's domains by monitoring issuer_name and entry_timestamp
  • Look up the full certificate chain and revocation status for a known certificate using get_certificate_detail with its crt_sh_id
  • Identify all certificates sharing a compromised private key by querying search_by_spki with the key's SHA-256 hash
  • Cross-reference a certificate by serial number during incident response using search_by_serial with a hex serial string
  • Audit which certificate authorities have issued certificates for your domain by collecting issuer_ca_id values and resolving them with get_ca_details
  • Verify a specific certificate's transparency log inclusion by fingerprint using search_by_fingerprint and inspecting the transparency_logs array
Pricing & limitsSee full pricing →
TierPriceCredits/monthRate limit
Free$0/mo1005 req/min
Hobby$30/mo1,00020 req/min
Developer$100/mo5,000100 req/min

One credit = one API call regardless of which marketplace API you call. Exceeding the rate limit returns a 429 response. Authenticate with the X-API-Key header.

Frequently asked questions
Does crt.sh have an official developer API?+
Yes. crt.sh exposes a JSON search interface at https://crt.sh/?q=&output=json and accepts query parameters directly. Documentation is minimal and the interface is not versioned or formally supported, but it is publicly accessible.
What does `search_certificates` return when I use the `group` parameter?+
Setting group=icaid collapses results so that each unique issuer CA appears once, which reduces result volume when a CA has issued many certificates for the same domain. Setting group=none disables any grouping and returns individual certificate records. The issuer_ca_id and issuer_name fields are present in both modes.
Does the API return certificate chain or intermediate CA certificates?+
The get_certificate_detail endpoint returns decoded X.509 fields and a revocation block for the requested certificate. Full chain reconstruction (fetching intermediates in sequence) is not a built-in endpoint. The API covers individual certificate lookups and CA detail via get_ca_details. You can fork it on Parse and revise to add a chain-traversal endpoint that follows issuer_ca_id links.
Are precertificates included in search results?+
crt.sh logs both final certificates and precertificates submitted to CT logs. The name_value field in search_certificates results may therefore contain entries for precertificates alongside issued certificates. The API does not currently expose a filter parameter to restrict results to one type. You can fork it on Parse and revise to add a type filter that distinguishes precertificates from final certificates.
Is there pagination support for large result sets?+
The search_certificates endpoint supports a limit parameter to cap the number of returned records. Offset-based or cursor-based pagination across pages is not currently supported by the API. It covers the first N matching records as ordered by crt.sh. You can fork it on Parse and revise to add offset or page parameters if the underlying source supports them.
Page content last updated . Spec covers 6 endpoints from crt.sh.
Related APIs in Developer ToolsSee all →
shadcnregistry.com API
Search and discover shadcn/ui components across multiple registries. View detailed component information including source code and installation commands, browse component types and creators, bulk retrieve entire component collections, or inspect external registries by URL.
domains-monitor.com API
Search and monitor domain information across multiple zones, access free domain lists, and retrieve detailed zone metadata and account information. Aggregate domain data and track availability across supported TLDs.
isc2.org API
Discover ISC2 cybersecurity certifications, compare exam pricing, and search training courses to plan your professional development path. Find upcoming events and self-study resources to prepare for your desired certification.
tls.peet.ws API
Retrieve live TLS and HTTP/2 fingerprint information for the calling client, including JA3/JA4, Akamai HTTP/2, and PeetPrint hashes, plus detailed TLS cipher/extension data.
app.channelcrawler.com API
Search and discover YouTube channels across a database of 22M+ channels to find creators, communities, and content in your areas of interest. Get detailed channel information including stats and metadata to research creators and understand their audience.
swissreg.ch API
Search and retrieve detailed information about Swiss patents, including their full specifications, publication history, and related targets directly from the official Swiss patent registry. Access comprehensive patent data through simple lookups or broad searches to track innovations and filing details in Switzerland.
icrimewatch.net API
Search for sex offenders across multiple jurisdictions and retrieve detailed information including their physical descriptions, offenses, and dates of birth. Discover registered agencies and access comprehensive offender profiles to help protect your community.
csr.gov.in API
Search and analyze India's corporate social responsibility initiatives by accessing company CSR spending, project details, and financial contributions broken down by state, sector, and year. Track top CSR performers, compare spending amounts across companies, and explore how businesses are investing in social causes nationwide.