NAV
Shell Python Ruby Java Javascript Go

Customer Resources

Activities

Get Activity

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/activities/{id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/activities/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/activities/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/activities/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/activities/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/activities/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

activity found

{
  "data": {
    "id": "1337",
    "type": "activity-comment",
    "attributes": {
      "message": "Comment!",
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z",
      "internal": false
    },
    "relationships": {
      "actor": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "attachments": {
        "data": [
          {
            "id": "1337",
            "type": "attachment",
            "attributes": {
              "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
              "created_at": "2016-02-02T04:05:06.000Z",
              "file_name": "root.rb",
              "content_type": "text/x-ruby",
              "file_size": 2871
            }
          }
        ]
      }
    }
  }
}

GET /activities/{id}

An activity object can be fetched by sending a GET request to a unique activity object. In case the request was successful, the API will respond with an activity object.

The included activity relationships depend on the type of activity that is returned. See the activity object for possible types and relationships.

Parameters

Name In Type Required Description
id path integer true The ID of the activity.

Query Activities

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/incremental/activities?handle=string" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/incremental/activities',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  params={
      'handle': 'string'
  },
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/incremental/activities',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/incremental/activities?handle=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/incremental/activities?handle=string',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/incremental/activities", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

programs found

{
  "data": [
    {
      "type": "activity-bug-filed",
      "id": "1337",
      "attributes": {
        "report_id": "99900",
        "message": "",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2017-02-02T04:05:06.000Z",
        "internal": false
      },
      "relationships": {
        "actor": {
          "data": {
            "type": "user",
            "id": "7331",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        }
      }
    }
  ],
  "meta": {
    "max_updated_at": "2017-02-02T04:05:06.000Z"
  },
  "links": {
    "self": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1",
    "next": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=2",
    "last": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=20"
  }
}

GET /incremental/activities

This endpoint allows you to fetch all activities of your program incrementally by time.

This endpoint is used to:

The next section will give an overview of what an Activity object looks like. The sections after that will show the endpoints that have been implemented for this resource.

Note: The request URL path is /incremental/activities. When the request is successful, the API will respond with paginated activity objects ordered by updated date.

Parameters

Name In Type Required Description
handle query string true The HackerOne handle of the program with activities you wish to retrieve.
updated_at_after query string false A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved.
sort query any false The attributes to sort the activities on.
order query any false The direction to sort the activities on, by default desc.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Detailed descriptions

sort: The attributes to sort the activities on.

This parameter may contain multiple attributes that the activities should be sorted on. Sorting is applied in the specified order of attributes, by default descending.

The following attributes can be used for sorting: report_id, created_at, updated_at.

order: The direction to sort the activities on, by default desc.

The following attributes can be used for sorting: asc (ascending), desc (descending).

Analytics

Get Analytics Data (Preview)

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/analytics?key=string&interval=string&start_at=string&end_at=string" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/analytics',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  params={
      'key': 'string',  'interval': 'string',  'start_at': 'string',  'end_at': 'string'
  },
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/analytics',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/analytics?key=string&interval=string&start_at=string&end_at=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/analytics?key=string&interval=string&start_at=string&end_at=string',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/analytics", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

data found with valid params

[
  {
    "keys": [
      "report_count",
      "interval"
    ],
    "values": [
      [
        "10",
        "2022-01-01 00:00:00 UTC"
      ],
      [
        "27",
        "2022-04-01 00:00:00 UTC"
      ],
      [
        "35",
        "2022-07-01 00:00:00 UTC"
      ]
    ]
  }
]

GET /analytics

This endpoint returns data for a specified key corresponding to a predefined analytics query. Values for key are derived from the names of charts on these dashboards:

Submission and Bounty Trends

Hacker Engagement

Parameters

Name In Type Required Description
key query string true Filter by the query key you want to fetch data for
interval query string true The interval to use for the input date range. Valid intervals are month, quarter, or year
start_at query string true The start date of the query as a string, inclusive. Format YYYY-MM-DD
end_at query string true The end date of the query as a string, exclusive. Format YYYY-MM-DD
team_id query string false Filter by a team/program ID. If no team_id is provided, then data will be for all teams/programs in the organization
organization_id query string false Filter by an organization ID

Credentials

Get Credentials

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/credentials?program_id=0&structured_scope_id=0" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/credentials',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  params={
      'program_id': '0',  'structured_scope_id': '0'
  },
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/credentials',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/credentials?program_id=0&structured_scope_id=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/credentials?program_id=0&structured_scope_id=0',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/credentials", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

data found with valid params

{
  "data": [
    {
      "id": "1",
      "type": "credential",
      "attributes": {
        "credentials": {
          "table": {
            "username": "test",
            "password": "d282032e02b3d1d956ae1a9dea945535"
          }
        },
        "revoked": false,
        "account_details": "test_account_details"
      }
    },
    {
      "id": "2",
      "type": "credential",
      "attributes": {
        "credentials": {
          "table": {
            "username": "test",
            "password": "28cf5ecddb0d781a06beed30f69a5afe"
          }
        },
        "revoked": false,
        "account_details": "test_account_details"
      }
    },
    {
      "id": "3",
      "type": "credential",
      "attributes": {
        "credentials": {
          "table": {
            "username": "test",
            "password": "643c17a23d2fb7f5dd3e17e94cb47d64"
          }
        },
        "revoked": false,
        "account_details": "test_account_details"
      }
    }
  ],
  "links": {}
}

GET /credentials

Credentials can be fetched for a structured scope by sending a GET request to the credentials endpoint. When the request is successful, the API will respond with paginated credentials objects.

Parameters

Name In Type Required Description
program_id query integer true The ID of the program. You can find the ID by fetching your programs.
structured_scope_id query integer true The ID of the structured scope. You can find the structured scope ID by fetching your programs structured scopes.
state query string false An optional state to filter your credentials. It can be revoked, available or claimed
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Create a Credential

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/credentials" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "structured_scope_id": 0,
  "data": {
    "type": "credential",
    "attributes": {
      "credentials": "{\"username\":\"username1\",\"password\":\"example passowrd\",\"admin_username\":\"admin_user_1\",\"admin_password\":\"admin_pass_1\"}",
      "assignee": "hacker_username"
    }
  },
  "batch_id": "string"
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "structured_scope_id": 0,
  "data": {
    "type": "credential",
    "attributes": {
      "credentials": "{\"username\":\"username1\",\"password\":\"example passowrd\",\"admin_username\":\"admin_user_1\",\"admin_password\":\"admin_pass_1\"}",
      "assignee": "hacker_username"
    }
  },
  "batch_id": "string"
}

r = requests.post(
  'https://api.hackerone.com/v1/credentials',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "structured_scope_id": 0,
  "data": {
    "type": "credential",
    "attributes": {
      "credentials": "{\"username\":\"username1\",\"password\":\"example passowrd\",\"admin_username\":\"admin_user_1\",\"admin_password\":\"admin_pass_1\"}",
      "assignee": "hacker_username"
    }
  },
  "batch_id": "string"
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/credentials',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/credentials");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"structured_scope_id\": 0,\n  \"data\": {\n    \"type\": \"credential\",\n    \"attributes\": {\n      \"credentials\": \"{\\\"username\\\":\\\"username1\\\",\\\"password\\\":\\\"example passowrd\\\",\\\"admin_username\\\":\\\"admin_user_1\\\",\\\"admin_password\\\":\\\"admin_pass_1\\\"}\",\n      \"assignee\": \"hacker_username\"\n    }\n  },\n  \"batch_id\": \"string\"\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"structured_scope_id\": 0,\n  \"data\": {\n    \"type\": \"credential\",\n    \"attributes\": {\n      \"credentials\": \"{\\\"username\\\":\\\"username1\\\",\\\"password\\\":\\\"example passowrd\\\",\\\"admin_username\\\":\\\"admin_user_1\\\",\\\"admin_password\\\":\\\"admin_pass_1\\\"}\",\n      \"assignee\": \"hacker_username\"\n    }\n  },\n  \"batch_id\": \"string\"\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/credentials',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"structured_scope_id\": 0,\n  \"data\": {\n    \"type\": \"credential\",\n    \"attributes\": {\n      \"credentials\": \"{\\\"username\\\":\\\"username1\\\",\\\"password\\\":\\\"example passowrd\\\",\\\"admin_username\\\":\\\"admin_user_1\\\",\\\"admin_password\\\":\\\"admin_pass_1\\\"}\",\n      \"assignee\": \"hacker_username\"\n    }\n  },\n  \"batch_id\": \"string\"\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/credentials", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

credential created

{
  "data": {
    "id": "<id>",
    "type": "credential",
    "attributes": {
      "credentials": {
        "table": {
          "username": "test",
          "password": "test"
        }
      },
      "revoked": false,
      "assignee_id": "<id>",
      "assignee_username": "john_doe_1234"
    }
  }
}

POST /credentials

This API endpoint can be used to create new credential. When the API call is successful, a credential object will be returned.

The IDs of a program's structured scopes can be retrieved from programs/{id}/structured_scopes endpoint.

Parameters

Name In Type Required Description
structured_scope_id body integer true The ID of the structured scope to which the credential will belong
data body object true The information to create a credential.
» type body string true credential
» attributes body object true none
»» credentials body string true A JSON-encoded hash of credentials that will eventually be provided to the hacker
»» assignee body string false If provided, the credential will be assigned to the specified user
batch_id body string false If provided, the batch will be stored on the credential

Enumerated Values

Parameter Value
» type credential

Update a Credential

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "credential",
    "attributes": {
      "credentials": "string",
      "recycle": false
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "credential",
    "attributes": {
      "credentials": "string",
      "recycle": false
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/credentials/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "credential",
    "attributes": {
      "credentials": "string",
      "recycle": false
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/credentials/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"credential\",\n    \"attributes\": {\n      \"credentials\": \"string\",\n      \"recycle\": false\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"credential\",\n    \"attributes\": {\n      \"credentials\": \"string\",\n      \"recycle\": false\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/credentials/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"credential\",\n    \"attributes\": {\n      \"credentials\": \"string\",\n      \"recycle\": false\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/credentials/{id}", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

credential updated

{
  "data": {
    "id": "<id>",
    "type": "credential",
    "attributes": {
      "credentials": {
        "table": {
          "username": "test",
          "password": "test"
        }
      },
      "revoked": false,
      "assignee_id": "<id>",
      "assignee_username": "john_doe_1234"
    }
  }
}

PUT /credentials/{id}

This API endpoint can be used to update an existing credential. When the API call is successful, a credential object will be returned.

Parameters

Name In Type Required Description
id path integer true The ID of the credential.
data body object true The information to update a credential.
» type body string true credential
» attributes body object true none
»» credentials body string true If provided, a JSON-encoded hash of credentials that will eventually be provided to the hacker
»» recycle body boolean false If provided, the assignee will be removed

Enumerated Values

Parameter Value
» type credential

Assign a Credential

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}/assign" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "username": "string"
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "username": "string"
}

r = requests.put(
  'https://api.hackerone.com/v1/credentials/{id}/assign',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "username": "string"
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/credentials/{id}/assign',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}/assign");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"username\": \"string\"\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"username\": \"string\"\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/credentials/{id}/assign',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"username\": \"string\"\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/credentials/{id}/assign", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

credential assigned

{
  "data": {
    "id": "<id>",
    "type": "credential",
    "attributes": {
      "credentials": {
        "table": {
          "username": "test",
          "password": "test"
        }
      },
      "revoked": false,
      "assignee_id": "<id>",
      "assignee_username": "john_doe_1234"
    }
  }
}

PUT /credentials/{id}/assign

This API endpoint can be used to assign an existing credential. When the API call is successful, a credential object will be returned.

Parameters

Name In Type Required Description
id path integer true The ID of the credential.
username body string true The username of the user to be assigned the credential.

Delete a Credential

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}/" \
  -X DELETE \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/credentials/{id}/',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/credentials/{id}/',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/credentials/{id}/',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/credentials/{id}/", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Credential successfully removed

{
  "data": {
    "success": true,
    "message": "Credential successfully removed"
  }
}

DELETE /credentials/{id}/

This API endpoint can be used to delete an existing credential. When the API call is successful, a success message will be returned.

Parameters

Name In Type Required Description
id path integer true The ID of the credential.

Revoke a Credential

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}/revoke" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.put(
  'https://api.hackerone.com/v1/credentials/{id}/revoke',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/credentials/{id}/revoke',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}/revoke");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/credentials/{id}/revoke',
{
  method: 'PUT',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/credentials/{id}/revoke", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

credential revoked

{
  "data": {
    "id": "<id>",
    "type": "credential",
    "attributes": {
      "credentials": {
        "table": {
          "username": "test",
          "password": "test"
        }
      },
      "revoked": true,
      "assignee_id": "<id>",
      "assignee_username": "john_doe_1234"
    }
  }
}

PUT /credentials/{id}/revoke

This API endpoint can be used to revoke an existing credential. When the API call is successful, a credential object will be returned.

Parameters

Name In Type Required Description
id path integer true The ID of the credential.

Get Credential Inquiry Responses

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

data found with valid params

{
  "data": [
    {
      "id": "1337",
      "type": "credential_inquiry_response",
      "attributes": {
        "details": "this is a credential inquiry response",
        "created_at": "2017-01-01T00:00:00.000Z",
        "user": {
          "id": "1",
          "username": "user1"
        }
      }
    },
    {
      "id": "1339",
      "type": "credential_inquiry_response",
      "attributes": {
        "details": "this is a credential inquiry response",
        "created_at": "2017-01-01T00:00:00.000Z",
        "user": {
          "id": "2",
          "username": "user2"
        }
      }
    }
  ],
  "links": {}
}

GET /programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses

Credential inquiry responses can be fetched by sending a GET request to the credential inquiry responses endpoint. When the request is successful, the API will respond with paginated credential inquiry objects.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
credential_inquiry_id path integer true The ID of the credential inquiry. You can find the credential inquiry ID by fetching your credential inquiries.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Delete Credential Inquiry Response

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}" \
  -X DELETE \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Credential Inquiry Response successfully removed

{
  "data": {
    "success": true,
    "message": "Credential Inquiry Response successfully removed"
  }
}

DELETE /programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}

This API endpoint can be used to delete an existing credential inquiry response. When the API call is successful, a success message will be returned.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
credential_inquiry_id path integer true The ID of the credential inquiry. You can find the credential inquiry ID by fetching your credential inquiries.
id path integer true The ID of the credential inquiry response.

Create a Credential Inquiry

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/credential_inquiries" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "structured_scope_id": 0,
  "data": {
    "type": "credential_inquiry",
    "attributes": {
      "description": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "structured_scope_id": 0,
  "data": {
    "type": "credential_inquiry",
    "attributes": {
      "description": "string"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "structured_scope_id": 0,
  "data": {
    "type": "credential_inquiry",
    "attributes": {
      "description": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/credential_inquiries");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"structured_scope_id\": 0,\n  \"data\": {\n    \"type\": \"credential_inquiry\",\n    \"attributes\": {\n      \"description\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"structured_scope_id\": 0,\n  \"data\": {\n    \"type\": \"credential_inquiry\",\n    \"attributes\": {\n      \"description\": \"string\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"structured_scope_id\": 0,\n  \"data\": {\n    \"type\": \"credential_inquiry\",\n    \"attributes\": {\n      \"description\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/credential_inquiries", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

credential_inquiry created

{
  "data": {
    "id": "<id>",
    "type": "credential_inquiry",
    "attributes": {
      "description": "this is a credential inquiry"
    }
  }
}

POST /programs/{id}/credential_inquiries

This API endpoint can be used to create new credential inquiry. When the API call is successful, a credential_inquiry object will be returned.

The IDs of a program's structured scopes can be retrieved from programs/{id}/structured_scopes endpoint.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
structured_scope_id body integer true The ID of the structured scope to which the credential will belong
data body object true The information to be requested from the hacker
» type body string false none
» attributes body object false none
»» description body string true A description of the information required from the hackers to create credentials

Enumerated Values

Parameter Value
» type credential_inquiry

Get Credential Inquiries

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/credential_inquiries" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/credential_inquiries");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/credential_inquiries", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

data found with valid params

{
  "data": [
    {
      "id": "<id>",
      "type": "credential_inquiry",
      "attributes": {
        "description": "this is a credential inquiry"
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/credential_inquiries

Credential inquiries can be fetched by sending a GET request to the credential inquiries endpoint. When the request is successful, the API will respond with paginated credential inquiry objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program. You can find the program ID by fetching your programs.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Update Credential Inquiry

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "credential_inquiry",
    "attributes": {
      "description": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "credential_inquiry",
    "attributes": {
      "description": "string"
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "credential_inquiry",
    "attributes": {
      "description": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"credential_inquiry\",\n    \"attributes\": {\n      \"description\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"credential_inquiry\",\n    \"attributes\": {\n      \"description\": \"string\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"credential_inquiry\",\n    \"attributes\": {\n      \"description\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

credential inquiry updated

{
  "data": {
    "id": "<id>",
    "type": "credential_inquiry",
    "attributes": {
      "description": "this is a credential inquiry"
    }
  }
}

PUT /programs/{program_id}/credential_inquiries/{id}

This endpoint can be used to update a credential inquiry of a program. When the API request is successful, a credential inquiry object will be returned.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
id path integer true The ID of the credential inquiry.
data body object true The information to be requested from the hacker
» type body string false none
» attributes body object false none
»» description body string true A description of the information required from the hackers to create credentials

Enumerated Values

Parameter Value
» type credential_inquiry

Delete Credential Inquiry

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}" \
  -X DELETE \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Credential Inquiry successfully removed

{
  "data": {
    "success": true,
    "message": "Credential Inquiry successfully removed"
  }
}

DELETE /programs/{program_id}/credential_inquiries/{id}

This API endpoint can be used to delete an existing credential inquiry. When the API call is successful, a success message will be returned.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
id path integer true The ID of the credential inquiry.

Organizations

Get Your Organizations

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/me/organizations" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/me/organizations',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/me/organizations',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/me/organizations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/me/organizations',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/me/organizations", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organizations found

{
  "data": [
    {
      "id": "1",
      "type": "organization",
      "attributes": {
        "handle": "security",
        "created_at": "2022-09-07T08:00:00.000Z",
        "updated_at": "2022-09-07T08:00:00.000Z"
      }
    }
  ],
  "links": {}
}

GET /me/organizations

This API endpoint allows you to query the organization objects that you are a member of.

The groups and members relationships are not included in the response.

Parameters

Name In Type Required Description
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get All Eligibility Settings

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization eligibility settings found

{
  "data": [
    {
      "id": "1",
      "type": "eligibility-setting",
      "attributes": {
        "allowed_domains": [
          "hackerone.com"
        ],
        "allowed_domains_enabled": true,
        "name": "Organization Eligibility Settings",
        "organization_id": "1",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z"
      }
    }
  ]
}

GET /organizations/{organization_id}/eligibility_settings

This API endpoint can be used to list all eligibility settings of an organization. When the request is successful, the API will respond with paginated eligibility-setting.

Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Eligibility Setting

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

eligibility setting successfully fetched from organization

{
  "data": {
    "id": "1",
    "type": "eligibility-setting",
    "attributes": {
      "allowed_domains": [
        "hackerone.com"
      ],
      "allowed_domains_enabled": true,
      "name": "Organization Eligibility Settings",
      "organization_id": "1",
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z"
    }
  }
}

GET /organizations/{organization_id}/eligibility_settings/{id}

This API endpoint can be used to get an eligibility_setting of an organization. When the request is successful, the API will respond with eligibility-setting object.

Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
id path integer true The ID of the eligibility setting.

Get Pending Invitations

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization member groups found

{
  "data": [
    {
      "type": "invitation-organization-member",
      "id": "1",
      "attributes": {
        "email": "example@hackerone.com",
        "show_email": true,
        "invited_by_id": "2",
        "recipient_id": "5",
        "invitation_data": {
          "notify": true,
          "organization_admin": true,
          "organization_member_group_ids": []
        },
        "expires_at": "2016-02-02T04:05:06.000Z",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z"
      }
    }
  ]
}

GET /organizations/{organization_id}/pending_invitations

This API endpoint can be used to list all open invitations of an organization. When the request is successful, the API will respond with paginated invitation-organization-member objects.

Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Create An Invitation

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/invitations" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "invitation-organization-member",
    "attributes": {
      "email": "string",
      "organization_member_group_ids": [],
      "organization_admin": true,
      "notify": true
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "invitation-organization-member",
    "attributes": {
      "email": "string",
      "organization_member_group_ids": [],
      "organization_admin": true,
      "notify": true
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/organizations/{organization_id}/invitations',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "invitation-organization-member",
    "attributes": {
      "email": "string",
      "organization_member_group_ids": [],
      "organization_admin": true,
      "notify": true
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/invitations',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/invitations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"invitation-organization-member\",\n    \"attributes\": {\n      \"email\": \"string\",\n      \"organization_member_group_ids\": [],\n      \"organization_admin\": true,\n      \"notify\": true\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"invitation-organization-member\",\n    \"attributes\": {\n      \"email\": \"string\",\n      \"organization_member_group_ids\": [],\n      \"organization_admin\": true,\n      \"notify\": true\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/invitations',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"invitation-organization-member\",\n    \"attributes\": {\n      \"email\": \"string\",\n      \"organization_member_group_ids\": [],\n      \"organization_admin\": true,\n      \"notify\": true\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/invitations", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

invitation created

{
  "data": {
    "type": "invitation-organization-member",
    "id": "1",
    "attributes": {
      "email": "example@hackerone.com",
      "username": null,
      "invited_by_id": "2",
      "recipient_id": null,
      "invitation_data": {
        "notify": true,
        "organization_admin": true,
        "organization_member_group_ids": []
      },
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z",
      "expires_at": "2016-02-02T04:05:06.000Z"
    }
  }
}

POST /organizations/{organization_id}/invitations

This API endpoint can be used to invite a recipient to an organization using their email address. This endpoint can trigger notifications. When the request is successful, the API will respond with an invitation-organization-member object.

Required permissions: User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
data body object true The information to create the organization member invitation.
» type body string false none
» attributes body object true none
»» email body string true The invitee email. It must respect the eligibility settings of the groups and the organization.
»» organization_member_group_ids body array false The organization groups IDs where the user should be added.
»» organization_admin body boolean false Sets the invitee as an organization admin.
»» notify body boolean false Activates organization notifications for the invitee.

Enumerated Values

Parameter Value
» type invitation-organization-member

Get Group

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization member group found

{
  "id": "11",
  "type": "organization-member-group",
  "attributes": {
    "name": "Standard1",
    "organization_id": "2",
    "eligibility_setting_id": "8",
    "permissions": [
      "read_only_member"
    ],
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "migrated_at": null
  },
  "relationships": {
    "organization_members": {
      "data": [
        {
          "id": "45",
          "type": "organization-member",
          "attributes": {
            "organization_id": "2",
            "user_id": "22",
            "email": "example@hackerone.com",
            "organization_admin": true,
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z"
          }
        }
      ]
    },
    "programs": {
      "data": []
    }
  }
}

GET /organizations/{organization_id}/groups/{id}

This API endpoint can be used to get a group of an organization. When the request is successful, the API will respond with organization-member-group object.

Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
id path integer true The ID of the group.

Update Group

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "organization-member-group",
    "attributes": {
      "name": "string",
      "eligibility_setting_id": 0,
      "permissions": [
        "string"
      ]
    },
    "relationships": {
      "organization_members": {
        "data": [
          {
            "id": 0,
            "type": "organization-member"
          }
        ]
      },
      "programs": {
        "data": [
          {
            "id": 0,
            "type": "program"
          }
        ]
      }
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "organization-member-group",
    "attributes": {
      "name": "string",
      "eligibility_setting_id": 0,
      "permissions": [
        "string"
      ]
    },
    "relationships": {
      "organization_members": {
        "data": [
          {
            "id": 0,
            "type": "organization-member"
          }
        ]
      },
      "programs": {
        "data": [
          {
            "id": 0,
            "type": "program"
          }
        ]
      }
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "organization-member-group",
    "attributes": {
      "name": "string",
      "eligibility_setting_id": 0,
      "permissions": [
        "string"
      ]
    },
    "relationships": {
      "organization_members": {
        "data": [
          {
            "id": 0,
            "type": "organization-member"
          }
        ]
      },
      "programs": {
        "data": [
          {
            "id": 0,
            "type": "program"
          }
        ]
      }
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"organization-member-group\",\n    \"attributes\": {\n      \"name\": \"string\",\n      \"eligibility_setting_id\": 0,\n      \"permissions\": [\n        \"string\"\n      ]\n    },\n    \"relationships\": {\n      \"organization_members\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member\"\n          }\n        ]\n      },\n      \"programs\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"program\"\n          }\n        ]\n      }\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"organization-member-group\",\n    \"attributes\": {\n      \"name\": \"string\",\n      \"eligibility_setting_id\": 0,\n      \"permissions\": [\n        \"string\"\n      ]\n    },\n    \"relationships\": {\n      \"organization_members\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member\"\n          }\n        ]\n      },\n      \"programs\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"program\"\n          }\n        ]\n      }\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"organization-member-group\",\n    \"attributes\": {\n      \"name\": \"string\",\n      \"eligibility_setting_id\": 0,\n      \"permissions\": [\n        \"string\"\n      ]\n    },\n    \"relationships\": {\n      \"organization_members\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member\"\n          }\n        ]\n      },\n      \"programs\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"program\"\n          }\n        ]\n      }\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization member group updated

{
  "id": "11",
  "type": "organization-member-group",
  "attributes": {
    "name": "Standard3",
    "organization_id": "2",
    "eligibility_setting_id": "8",
    "permissions": [
      "read_only_member",
      "report_analyst"
    ],
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "migrated_at": null
  },
  "relationships": {
    "organization_members": {
      "data": [
        {
          "id": "45",
          "type": "organization-member",
          "attributes": {
            "organization_id": "2",
            "user_id": "22",
            "email": "example@hackerone.com",
            "organization_admin": true,
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z"
          }
        }
      ]
    },
    "programs": {
      "data": [
        {
          "id": "1",
          "type": "program",
          "attributes": {
            "handle": "user-management-api",
            "created_at": "2023-02-06T16:10:06.000Z",
            "updated_at": "2023-02-07T10:31:11.000Z"
          }
        }
      ]
    }
  }
}

PUT /organizations/{organization_id}/groups/{id}

This endpoint can be used to update an organization member group. When the API request is successful, an organization member group object will be returned.

It is possible to update members and programs users have access to via organization_members and programs relationships.

Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
id path integer true The ID of the organization member group.
data body object true The information to update an organization member.
» type body string true none
» attributes body object true none
»» name body string false The name of the organization member group.
»» eligibility_setting_id body integer false The ID of the eligibility setting.
»» permissions body [string] false The permissions added to the new organization group. Possible values are: asset_inventory_manager, asset_inventory_viewer, group_manager, program_admin, read_only_member, report_analyst, report_reward_manager and user_manager.
» relationships body object false none
»» organization_members body object false A list of members for the organization member group.
»»» data body [any] true none
»» programs body object false A list of programs for the organization member group.
»»» data body [any] true none

Enumerated Values

Parameter Value
» type organization-member-group

Get All Groups

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/groups", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization member groups found

{
  "data": [
    {
      "id": "11",
      "type": "organization-member-group",
      "attributes": {
        "name": "Standard1",
        "organization_id": "2",
        "eligibility_setting_id": "8",
        "permissions": [
          "read_only_member"
        ],
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z",
        "migrated_at": null
      }
    }
  ],
  "links": {}
}

GET /organizations/{organization_id}/groups

This API endpoint can be used to list all groups of an organization. When the request is successful, the API will respond with paginated organization-member-group objects.

Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Create Group

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "organization-member-group",
    "attributes": {
      "name": "string",
      "permissions": [],
      "eligibility_setting_id": 0
    },
    "relationships": {
      "organization_members": {
        "data": [
          {
            "id": 0,
            "type": "organization-member"
          }
        ]
      },
      "programs": {
        "data": [
          {
            "id": 0,
            "type": "program"
          }
        ]
      }
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "organization-member-group",
    "attributes": {
      "name": "string",
      "permissions": [],
      "eligibility_setting_id": 0
    },
    "relationships": {
      "organization_members": {
        "data": [
          {
            "id": 0,
            "type": "organization-member"
          }
        ]
      },
      "programs": {
        "data": [
          {
            "id": 0,
            "type": "program"
          }
        ]
      }
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "organization-member-group",
    "attributes": {
      "name": "string",
      "permissions": [],
      "eligibility_setting_id": 0
    },
    "relationships": {
      "organization_members": {
        "data": [
          {
            "id": 0,
            "type": "organization-member"
          }
        ]
      },
      "programs": {
        "data": [
          {
            "id": 0,
            "type": "program"
          }
        ]
      }
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"organization-member-group\",\n    \"attributes\": {\n      \"name\": \"string\",\n      \"permissions\": [],\n      \"eligibility_setting_id\": 0\n    },\n    \"relationships\": {\n      \"organization_members\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member\"\n          }\n        ]\n      },\n      \"programs\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"program\"\n          }\n        ]\n      }\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"organization-member-group\",\n    \"attributes\": {\n      \"name\": \"string\",\n      \"permissions\": [],\n      \"eligibility_setting_id\": 0\n    },\n    \"relationships\": {\n      \"organization_members\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member\"\n          }\n        ]\n      },\n      \"programs\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"program\"\n          }\n        ]\n      }\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"organization-member-group\",\n    \"attributes\": {\n      \"name\": \"string\",\n      \"permissions\": [],\n      \"eligibility_setting_id\": 0\n    },\n    \"relationships\": {\n      \"organization_members\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member\"\n          }\n        ]\n      },\n      \"programs\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"program\"\n          }\n        ]\n      }\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/groups", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization group created

{
  "id": "1",
  "type": "organization-member-group",
  "attributes": {
    "name": "Standard1",
    "organization_id": "2",
    "eligibility_setting_id": "8",
    "permissions": [
      "read_only_member"
    ],
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "migrated_at": null
  },
  "relationships": {
    "organization_members": {
      "data": [
        {
          "id": "45",
          "type": "organization-member",
          "attributes": {
            "organization_id": "2",
            "user_id": "22",
            "email": "example@hackerone.com",
            "organization_admin": true,
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z"
          }
        }
      ]
    }
  }
}

POST /organizations/{organization_id}/groups

This API endpoint can be used to create a new organization group. When the request is successful the API will respond with an organization group object.

It is possible to add users to the new organization group by including a list of organization members as relationships. A list of organization members can be obtained at organizations/{organization_id}/members

It is possible to add programs to the new organization group by including a list of programs as relationships.

Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
data body object true The information to create the organization group.
» type body string true none
» attributes body object true none
»» name body string true The name of the new organization group.
»» permissions body array true The permissions added to the new organization group. Possible values are: asset_inventory_manager, asset_inventory_viewer, group_manager, program_admin, read_only_member, report_analyst, report_reward_manager and user_manager.
»» eligibility_setting_id body integer false The id of the eligibility settings.
» relationships body object false none
»» organization_members body object false A list of members for the organization member group.
»»» data body [any] true none
»» programs body object false A list of programs for the organization member group.
»»» data body [any] true none

Enumerated Values

Parameter Value
» type organization-member-group

Get All Members

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/members',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/members", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization members found

{
  "data": [
    {
      "id": "1",
      "type": "organization-member",
      "attributes": {
        "organization_id": "3",
        "user_id": "5",
        "email": "example@hackerone.com",
        "organization_admin": true,
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z"
      },
      "relationships": {
        "organization_member_groups": {
          "data": [
            {
              "id": "2",
              "type": "organization-member-group",
              "attributes": {
                "name": "Standard1",
                "organization_id": "3",
                "eligibility_setting_id": "4",
                "permissions": [
                  "read_only_member"
                ],
                "created_at": "2016-02-02T04:05:06.000Z",
                "updated_at": "2016-02-02T04:05:06.000Z",
                "migrated_at": null
              }
            }
          ]
        }
      }
    }
  ],
  "links": {}
}

GET /organizations/{organization_id}/members

This API endpoint can be used to list all members of an organization. When the request is successful, the API will respond with paginated organization member objects.

Required permissions: User Manager or Groups Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Member

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

member successfully fetched from organization

{
  "data": {
    "id": "1",
    "type": "organization-member",
    "attributes": {
      "organization_id": "3",
      "user_id": "5",
      "email": "example@hackerone.com",
      "organization_admin": true,
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z"
    },
    "relationships": {
      "organization_member_groups": {
        "data": [
          {
            "id": "2",
            "type": "organization-member-group",
            "attributes": {
              "name": "Standard1",
              "organization_id": "3",
              "eligibility_setting_id": "4",
              "permissions": [
                "read_only_member"
              ],
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z",
              "migrated_at": null
            }
          }
        ]
      }
    }
  }
}

GET /organizations/{organization_id}/members/{id}

This API endpoint can be used to get a member of an organization. When the request is successful, the API will respond with organization-member object.

Required permissions: User Manager or Groups Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.

You can get the ID of your organization from me/organizations endpoint.

You can get the IDs of your organization members from get all members endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
id path integer true The ID of the member.

Remove Member

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}" \
  -X DELETE \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

member successfully removed from organization

{
  "data": {
    "success": true,
    "message": "Member successfully removed from organization"
  }
}

DELETE /organizations/{organization_id}/members/{id}

This API endpoint can be used to delete a member of an organization. When the request is successful, the API will respond with a successfully message.

Required permissions: User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.

Trying to remove an organization admin will return error 422 Unprocessable Entity.

You can get the ID of your organization from me/organizations endpoint.

You can get the IDs of your organization members from get all members endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
id path integer true The ID of the member.

Update Member

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "organization-member",
    "attributes": {
      "organization_admin": true
    },
    "relationships": {
      "organization_member_groups": {
        "data": [
          {
            "id": 0,
            "type": "organization-member-group"
          }
        ]
      }
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "organization-member",
    "attributes": {
      "organization_admin": true
    },
    "relationships": {
      "organization_member_groups": {
        "data": [
          {
            "id": 0,
            "type": "organization-member-group"
          }
        ]
      }
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "organization-member",
    "attributes": {
      "organization_admin": true
    },
    "relationships": {
      "organization_member_groups": {
        "data": [
          {
            "id": 0,
            "type": "organization-member-group"
          }
        ]
      }
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"organization-member\",\n    \"attributes\": {\n      \"organization_admin\": true\n    },\n    \"relationships\": {\n      \"organization_member_groups\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member-group\"\n          }\n        ]\n      }\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"organization-member\",\n    \"attributes\": {\n      \"organization_admin\": true\n    },\n    \"relationships\": {\n      \"organization_member_groups\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member-group\"\n          }\n        ]\n      }\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"organization-member\",\n    \"attributes\": {\n      \"organization_admin\": true\n    },\n    \"relationships\": {\n      \"organization_member_groups\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member-group\"\n          }\n        ]\n      }\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization member updated

{
  "data": {
    "id": "1",
    "type": "organization-member",
    "attributes": {
      "organization_id": "3",
      "user_id": "5",
      "email": "example@hackerone.com",
      "organization_admin": true,
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z"
    },
    "relationships": {
      "organization_member_groups": {
        "data": [
          {
            "id": "2",
            "type": "organization-member-group",
            "attributes": {
              "name": "Standard1",
              "organization_id": "3",
              "eligibility_setting_id": "4",
              "permissions": [
                "read_only_member"
              ],
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z",
              "migrated_at": null
            }
          }
        ]
      }
    }
  }
}

PUT /organizations/{organization_id}/members/{id}

This endpoint can be used to update an organization member. When the API request is successful, an organization member object will be returned.

It is possible to update groups users have access to via organization_member_groups relationships.

Required permissions: User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
id path integer true The ID of the organization member.
data body object true The information to update an organization member.
» type body string true none
» attributes body object true none
»» organization_admin body boolean false If the member is an organization admin.
» relationships body object false none
»» organization_member_groups body object false A list of groups for the organization member.
»»» data body [any] true none

Enumerated Values

Parameter Value
» type organization-member

Get All Programs

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/programs" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/programs',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/programs',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/programs',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/programs", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization programs found

{
  "data": [
    {
      "id": "<id>",
      "type": "program",
      "attributes": {
        "handle": "user-management-api",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z"
      }
    },
    {
      "id": "<id>",
      "type": "program",
      "attributes": {
        "handle": "user-management-api-2",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z"
      }
    }
  ],
  "links": {}
}

GET /organizations/{organization_id}/programs

This API endpoint can be used to list all programs of an organization. When the request is successful, the API will respond with paginated program objects.

Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Programs

Get Your Programs

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/me/programs" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/me/programs',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/me/programs',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/me/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/me/programs',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/me/programs", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

programs found

{
  "data": [
    {
      "id": "1",
      "type": "program",
      "attributes": {
        "handle": "security",
        "created_at": "2017-01-01T08:00:00.000Z",
        "updated_at": "2017-02-17T04:34:15.910Z"
      }
    }
  ],
  "links": {}
}

GET /me/programs

This API endpoint allows you to query the program objects that you are a member of.

The groups and members relationships are not included in the response.

Parameters

Name In Type Required Description
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Allowed Reporter Activities

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

activities found

{
  "data": [
    {
      "type": "activity-program-hacker-joined",
      "id": "1337",
      "attributes": {
        "message": "",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z",
        "internal": false
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/allowed_reporters/{allowed_reporter_id}/activities

This resource allows you to retrieve a list of activities of a researcher that belong to your private program.

These activities are "activity-program-hacker-joined", "activity-program-hacker-left" and "activity-invitation-received"

Multiple activities objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated activities objects. Note that, you won't see other relationships and attachments of an activity.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
allowed_reporter_id path integer true The ID of the allowed reporter.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Allowed Reporters

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/allowed_reporters" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/allowed_reporters',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/allowed_reporters',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/allowed_reporters");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/allowed_reporters',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/allowed_reporters", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

allowed reporters found

{
  "data": [
    {
      "id": "1337",
      "type": "allowed_reporter",
      "attributes": {
        "username": "awesome-hacker",
        "email_alias": "awesome-hacker@wearehackerone.com",
        "cleared": true,
        "created_at": "2016-02-02T04:05:06.000Z",
        "old_usernames": [
          "old-awesome-hacker"
        ]
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/allowed_reporters

This resource allows you to retrieve a list of all researchers that belong to your private program.

Multiple allowed reporter objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated allowed reporter objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Audit Log

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/audit_log" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/audit_log',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/audit_log',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/audit_log");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/audit_log',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/audit_log", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Audit logs

{
  "data": {
    "id": "1",
    "type": "audit-log-item",
    "attributes": {
      "log": "\"@member\" invited \"someone@example.com\".",
      "event": "invitations.team_members.create",
      "source": "User#1",
      "subject": "Invitation#1",
      "user_agent": "Chrome/11.0",
      "country": "US",
      "parameters": "{\"identifier\":\"jobert\"}",
      "created_at": "2019-05-15T04:05:06.000Z"
    }
  }
}

GET /programs/{id}/audit_log

Returns a paginated list of the audit log items of the provided program.

This API endpoint allows a user to view all audit log items that have been created for a particular program.

Required permissions: Program Management. You can view audit log items and manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Note: This feature is currently in beta and has not been enabled for all programs.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Your Programs Balance

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/balance" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/billing/balance',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/billing/balance',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/balance");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/billing/balance',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/balance", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

balance found

{
  "data": {
    "id": "1337",
    "type": "program-balance",
    "attributes": {
      "balance": "1500.00"
    }
  }
}

GET /programs/{id}/billing/balance

This API endpoint allows a user to retrieve the current balance for a particular program.

Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.

Get Payment Transactions

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/transactions" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/transactions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/billing/transactions',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/transactions", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Payment transactions found

{
  "id": 10,
  "bounty_award": "1000.00",
  "bounty_fee": "200.00",
  "activity_date": "2019-09-25T04:22:42.686Z",
  "activity_description": "Bounty for report #9",
  "debit_or_credit_amount": "-1200.00",
  "balance": "-1200.00",
  "payment_transaction_type": "payment",
  "relationships": {
    "payer": {
      "data": {
        "id": 3,
        "type": "user"
      },
      "attributes": {
        "username": "payer-username"
      },
      "links": {
        "self": "http://hackerone.com/payer-username"
      }
    },
    "report": {
      "data": {
        "id": 9,
        "type": "report"
      },
      "links": {
        "self": "http://hackerone.com/reports/9"
      }
    },
    "user": {
      "data": {
        "id": 1,
        "type": "user"
      },
      "attributes": {
        "username": "hacker-username"
      },
      "links": {
        "self": "http://hackerone.com/hacker-username"
      }
    },
    "team": {
      "data": {
        "id": 2,
        "type": "team"
      },
      "attributes": {
        "handle": "hacker-team"
      },
      "links": {
        "self": "http://hackerone.com/hacker-team"
      }
    }
  },
  "links": {
    "self": "https://api.hackerone.com/v1/programs/{id}/billing/transactions?page%5Bnumber%5D=1",
    "next": "https://api.hackerone.com/v1/programs/{id}/billing/transactions?page%5Bnumber%5D=2",
    "last": "https://api.hackerone.com/v1/programs/{id}/billing/transactions?page%5Bnumber%5D=5"
  }
}

GET /programs/{id}/billing/transactions

This API endpoint enables a user to retrieve program's list of payment transactions for the selected month. When the request is successful, the API will respond with paginated payment transaction objects of the provided program.

If you want to get transactions for an entire year, you will need to request each month individually.

Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. If the program has a parent program, the API user should belong to the parent program. Insufficient permissions will result in a 403 Forbidden or a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
month query integer false The month of the transaction period. The default is set to the current month.
year query integer false The year of the transaction period. The default is set to the current year.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Award Bounty

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/bounties" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "bounty",
    "attributes": {
      "recipient": "string",
      "recipient_id": "string",
      "amount": 0,
      "reference": "string",
      "title": "string",
      "currency": "USD",
      "severity_rating": "none"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "bounty",
    "attributes": {
      "recipient": "string",
      "recipient_id": "string",
      "amount": 0,
      "reference": "string",
      "title": "string",
      "currency": "USD",
      "severity_rating": "none"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/programs/{id}/bounties',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "bounty",
    "attributes": {
      "recipient": "string",
      "recipient_id": "string",
      "amount": 0,
      "reference": "string",
      "title": "string",
      "currency": "USD",
      "severity_rating": "none"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/programs/{id}/bounties',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/bounties");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"bounty\",\n    \"attributes\": {\n      \"recipient\": \"string\",\n      \"recipient_id\": \"string\",\n      \"amount\": 0,\n      \"reference\": \"string\",\n      \"title\": \"string\",\n      \"currency\": \"USD\",\n      \"severity_rating\": \"none\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"bounty\",\n    \"attributes\": {\n      \"recipient\": \"string\",\n      \"recipient_id\": \"string\",\n      \"amount\": 0,\n      \"reference\": \"string\",\n      \"title\": \"string\",\n      \"currency\": \"USD\",\n      \"severity_rating\": \"none\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/bounties',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"bounty\",\n    \"attributes\": {\n      \"recipient\": \"string\",\n      \"recipient_id\": \"string\",\n      \"amount\": 0,\n      \"reference\": \"string\",\n      \"title\": \"string\",\n      \"currency\": \"USD\",\n      \"severity_rating\": \"none\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/bounties", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

bounty awarded

{
  "data": {
    "id": "1",
    "type": "bounty",
    "attributes": {
      "amount": "100.00",
      "bonus_amount": "0.00",
      "awarded_amount": "100.00",
      "awarded_bonus_amount": "0.00",
      "awarded_currency": "USD",
      "created_at": "2017-02-14T23:07:24.252Z"
    },
    "relationships": {
      "report": {
        "data": {
          "id": "1337",
          "type": "report",
          "attributes": {
            "title": "XSS in login form",
            "state": "new",
            "created_at": "2016-02-02T04:05:06.000Z",
            "vulnerability_information": "...",
            "triaged_at": null,
            "closed_at": null,
            "last_reporter_activity_at": null,
            "first_program_activity_at": null,
            "last_program_activity_at": null,
            "bounty_awarded_at": null,
            "swag_awarded_at": null,
            "disclosed_at": null,
            "last_public_activity_at": null,
            "last_activity_at": null,
            "issue_tracker_reference_url": "https://example.com/reference",
            "cve_ids": [],
            "source": null,
            "reporter_agreed_on_going_public_at": null
          }
        }
      },
      "invitations": [
        {
          "id": "10",
          "recipient": "hacker@hackerone.com",
          "claim_url": "https://hackerone.com/invitations/3fe0a8badea0023c2fcca5c860d5899e"
        }
      ]
    }
  }
}

POST /programs/{id}/bounties

Use this endpoint to award a bounty. When the API call is successful, a bounty object will be returned.

Required permissions: Reward Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
data body object true The information required to create a bounty.
» type body string true none
» attributes body object true none
»» recipient body string false The email address of the recipient.
»» recipient_id body string false The id of the recipient.
»» amount body number true The bounty amount to be awarded.
»» reference body string true An internal reference attached to the report that makes searching or filtering in the future easy.
»» title body string true The title of the security vulnerability that was reported to you.
»» currency body string true none
»» severity_rating body severity-ratings false The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score.

Detailed descriptions

»» recipient: The email address of the recipient.

When the email address is provided, an email will be sent to the recipient to claim the bounty. When the email address is not provided, you can use the claim URL in the response to notify the recipient yourself. When the user does not have an account yet with HackerOne, they'll be onboarded before they can claim the reward. Users that already have an account, will benefit from collecting the payout easily through HackerOne and will get additional reputation points to showcase on their HackerOne profile.

»» recipient_id: The id of the recipient.

When the recipient_id is provided, an email will be sent to the recipient to claim the bounty. If both recipient and recipient_id provided then recipient attribute has a higher priority. If non of attributes provided then email won't be sent.

Enumerated Values

Parameter Value
» type bounty
»» currency USD
»» severity_rating none
»» severity_rating low
»» severity_rating medium
»» severity_rating high
»» severity_rating critical

Get Common Responses

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/common_responses" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/common_responses',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/common_responses',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/common_responses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/common_responses',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/common_responses", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

reporters found

{
  "data": [
    {
      "id": "108878",
      "attributes": {
        "title": "Vulnerability Scanner False Positive",
        "message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please reply if you have a working proof-of-concept or reason to believe that this issue is exploitable.\n"
      }
    },
    {
      "id": "108886",
      "attributes": {
        "title": "X-XSS-Protection",
        "message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. In this specific case, we believe that the default state of the `X-XSS-Protection` header is sufficient for our purposes. Please reply if you have a working proof-of-concept that could be mitigated by an adjustment to our header.\n"
      }
    },
    {
      "id": "108891",
      "attributes": {
        "title": "Video Without Content",
        "message": "Using a video to demonstrate a potential issue should only be necessary in rare situations and should always be accompanied with a text description of the issue as well. Please update this report with step-by-step instructions to reproduce the core components of the issue. If you don't speak English, feel free to leave your report in your own language, and we'll try our best to find someone who can help translate.\n"
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/common_responses

Common responses can be fetched by sending a GET request to the common responses endpoint. When the request is successful, the API will respond with paginated common responses.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Upload Policy Attachments

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy_attachments" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: multipart/form-data' \
  -H 'Accept: application/json' \
  -d @- <<EOD
null
EOD

import requests
headers = {
  'Content-Type': 'multipart/form-data',
  'Accept': 'application/json'
}

data = null

r = requests.post(
  'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'multipart/form-data',
  'Accept' => 'application/json'
}

data = null

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy_attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "null";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "null";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'multipart/form-data');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/policy_attachments',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"multipart/form-data"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"null"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/policy_attachments", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

attachment uploaded

{
  "id": "1337",
  "type": "attachment",
  "attributes": {
    "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
    "created_at": "2016-02-02T04:05:06.000Z",
    "file_name": "root.rb",
    "content_type": "text/x-ruby",
    "file_size": 2871
  }
}

POST /programs/{id}/policy_attachments

Policy attachments can be uploaded by sending a POST request to the program policy attachments endpoint. When the API call is successful, an attachment object will be returned.

You can use the attachment ID to display the attachment on your policy page. For example, if the attachment ID is 1337, then include {F1337} in your policy to display the attachment.

Required permissions: Program Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.

Update Policy

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "program-policy",
    "attributes": {
      "policy": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "program-policy",
    "attributes": {
      "policy": "string"
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/programs/{id}/policy',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "program-policy",
    "attributes": {
      "policy": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/programs/{id}/policy',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"program-policy\",\n    \"attributes\": {\n      \"policy\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"program-policy\",\n    \"attributes\": {\n      \"policy\": \"string\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/policy',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"program-policy\",\n    \"attributes\": {\n      \"policy\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{id}/policy", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Policy updated

{
  "data": {
    "id": "12",
    "type": "program",
    "attributes": {
      "handle": "security",
      "policy": "...",
      "created_at": "2013-01-01T00:00:00.000Z",
      "updated_at": "2019-08-26T13:53:24.807Z"
    }
  }
}

PUT /programs/{id}/policy

Managing the policy of a program through the HackerOne API can be useful to programmatically batch update programs in HackerOne. You can use this endpoint to update the policy of your program.

Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
data body object true The information to update the policy of a program.
» type body string true none
» attributes body object true none
»» policy body string true The new policy that will be set on the program.

Enumerated Values

Parameter Value
» type program-policy

Get Reporters

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/reporters" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/reporters',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/reporters',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/reporters");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/reporters',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/reporters", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

reporters found

{
  "data": [
    {
      "id": "1337",
      "type": "user",
      "attributes": {
        "username": "awesome-hacker",
        "name": "Awesome Hacker",
        "disabled": false,
        "created_at": "2016-02-02T04:05:06.000Z",
        "profile_picture": {
          "62x62": "/assets/avatars/default.png",
          "82x82": "/assets/avatars/default.png",
          "110x110": "/assets/avatars/default.png",
          "260x260": "/assets/avatars/default.png"
        }
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/reporters

This resource allows you to retrieve a list of all users that ever submitted a report to the program.

Multiple user objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated user objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Structured Scopes

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

structured scopes found

{
  "data": [
    {
      "id": "57",
      "type": "structured-scope",
      "attributes": {
        "asset_identifier": "api.example.com",
        "asset_type": "URL",
        "confidentiality_requirement": "high",
        "integrity_requirement": "high",
        "availability_requirement": "high",
        "max_severity": "critical",
        "created_at": "2015-02-02T04:05:06.000Z",
        "updated_at": "2016-05-02T04:05:06.000Z",
        "instruction": null,
        "eligible_for_bounty": true,
        "eligible_for_submission": true,
        "reference": "H001001"
      }
    },
    {
      "id": "58",
      "type": "structured-scope",
      "attributes": {
        "asset_identifier": "www.example.com",
        "asset_type": "URL",
        "confidentiality_requirement": "low",
        "integrity_requirement": "high",
        "availability_requirement": "high",
        "max_severity": "critical",
        "created_at": "2017-02-03T04:05:10.000Z",
        "updated_at": "2018-05-02T04:05:10.000Z",
        "instruction": "Instruction text",
        "eligible_for_bounty": true,
        "eligible_for_submission": true,
        "reference": "H001002"
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/structured_scopes

Structured scopes can be fetched by sending a GET request to the structured scopes endpoint. When the request is successful, the API will respond with paginated structured scope objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program. You can find the program ID by fetching your programs.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Add Structured Scope

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "asset_type": "CIDR",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "asset_type": "CIDR",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "asset_type": "CIDR",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"asset_type\": \"CIDR\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"asset_type\": \"CIDR\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"asset_type\": \"CIDR\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

structured scope created

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "URL",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

POST /programs/{id}/structured_scopes

This endpoint can be used to add an asset to a program. When the API request is successful, a structured scope object will be returned. Please refer to our platform documentation to get more information on the different asset types.

Parameters

Name In Type Required Description
id path integer true The ID of the program. You can find the program ID by fetching your programs.
data body object true The information to create a structured scope.
» type body string true none
» attributes body object true none
»» asset_identifier body string true The identifier of the asset.
»» asset_type body string true The type of asset.
»» eligible_for_bounty body boolean false The eligibility of the asset for bounties.
»» eligible_for_submission body boolean false If the asset is eligible for submission.
»» instruction body string false The raw instruction of the asset provided by the program. Markdown is not parsed.
»» confidentiality_requirement body string false A CVSS environmental modifier that reweighs Confidentiality Impact of a vulnerability on the asset.
»» integrity_requirement body string false A CVSS environmental modifier that reweighs Integrity Impact of a vulnerability on the asset.
»» availability_requirement body string false A CVSS environmental modifier that reweighs Availability Impact of a vulnerability on the asset.
»» max_severity body severity-ratings false The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score.
»» reference body string false The customer defined reference identifier or tag of the asset.

Enumerated Values

Parameter Value
» type structured-scope
»» asset_type CIDR
»» asset_type URL
»» asset_type APPLE_STORE_APP_ID
»» asset_type TESTFLIGHT
»» asset_type OTHER_IPA
»» asset_type GOOGLE_PLAY_APP_ID
»» asset_type OTHER_APK
»» asset_type WINDOWS_APP_STORE_APP_ID
»» asset_type SOURCE_CODE
»» asset_type DOWNLOADABLE_EXECUTABLES
»» asset_type HARDWARE
»» asset_type OTHER
»» confidentiality_requirement none
»» confidentiality_requirement low
»» confidentiality_requirement medium
»» confidentiality_requirement high
»» integrity_requirement none
»» integrity_requirement low
»» integrity_requirement medium
»» integrity_requirement high
»» availability_requirement none
»» availability_requirement low
»» availability_requirement medium
»» availability_requirement high
»» max_severity none
»» max_severity low
»» max_severity medium
»» max_severity high
»» max_severity critical

Update Structured Scope

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

structured scope updated

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "URL",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

PUT /programs/{program_id}/structured_scopes/{id}

This endpoint can be used to update an asset of a program. When the API request is successful, a structured scope object will be returned.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
id path integer true The ID of the structured scope.
data body object true The information to update a structured scope.
» type body string true none
» attributes body object true none
»» asset_identifier body string true The identifier of the asset.
»» eligible_for_bounty body boolean false If the asset is eligible for bounty.
»» eligible_for_submission body boolean false If the asset is eligible for submission.
»» instruction body string false The raw instruction of the asset provided by the program (markdown is not parsed).
»» confidentiality_requirement body string false A CVSS environmental modifier that reweighs Confidentiality Impact of a vulnerability on the asset.
»» integrity_requirement body string false A CVSS environmental modifier that reweighs Integrity Impact of a vulnerability on the asset.
»» availability_requirement body string false A CVSS environmental modifier that reweighs Availability Impact of a vulnerability on the asset.
»» max_severity body severity-ratings false The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score.
»» reference body string false The customer defined reference identifier or tag of the asset.

Enumerated Values

Parameter Value
» type structured-scope
»» confidentiality_requirement none
»» confidentiality_requirement low
»» confidentiality_requirement medium
»» confidentiality_requirement high
»» integrity_requirement none
»» integrity_requirement low
»» integrity_requirement medium
»» integrity_requirement high
»» availability_requirement none
»» availability_requirement low
»» availability_requirement medium
»» availability_requirement high
»» max_severity none
»» max_severity low
»» max_severity medium
»» max_severity high
»» max_severity critical

Archive Structured Scope

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
  -X DELETE \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

structured scope archived

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "URL",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

DELETE /programs/{program_id}/structured_scopes/{id}

This endpoint can be used to archive an asset of a program. When the API request is successful, a structured scope object will be returned.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
id path integer true The ID of the structured scope.

Get Awarded Swag

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/swag" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/swag',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/swag',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/swag");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/swag',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/swag", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

swag found

{
  "data": [
    {
      "id": "8",
      "type": "swag",
      "attributes": {
        "sent": true,
        "created_at": "2019-08-30T08:33:42.147Z"
      },
      "relationships": {
        "user": {
          "data": {
            "id": "1337",
            "type": "user",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "address": {
          "data": {
            "id": "1337",
            "type": "address",
            "attributes": {
              "name": "Jane Doe",
              "street": "535 Mission Street",
              "city": "San Francisco",
              "postal_code": "94105",
              "state": "CA",
              "country": "United States of America",
              "created_at": "2016-02-02T04:05:06.000Z",
              "tshirt_size": "M_Large",
              "phone_number": "+1-510-000-0000"
            }
          }
        }
      }
    },
    {
      "id": "7",
      "type": "swag",
      "attributes": {
        "sent": false,
        "created_at": "2019-08-20T03:47:04.163Z"
      },
      "relationships": {
        "user": {
          "data": {
            "id": "1338",
            "type": "user",
            "attributes": {
              "username": "johndoe",
              "name": "John Doe",
              "disabled": false,
              "created_at": "2017-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "address": {
          "data": {
            "id": "1337",
            "type": "address",
            "attributes": {
              "name": "John Smith",
              "street": "535 Mission Street",
              "city": "New York",
              "postal_code": "10001",
              "state": "NY",
              "country": "United States of America",
              "created_at": "2017-01-03T07:08:09.000Z",
              "tshirt_size": "M_Large",
              "phone_number": "+1-212-000-0000"
            }
          }
        }
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/swag

Awarded swag can be fetched by sending a GET request to the swag endpoint. When the request is successful, the API will respond with paginated swag objects.

Required permissions: Program Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Mark Swag as Sent

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/swag/{id}" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {}

r = requests.put(
  'https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/swag/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/swag/{id}", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Swag marked as sent

{
  "data": {
    "id": "8",
    "type": "swag",
    "attributes": {
      "sent": true,
      "created_at": "2019-08-30T08:33:42.147Z"
    },
    "relationships": {
      "user": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "address": {
        "data": {
          "id": "1337",
          "type": "address",
          "attributes": {
            "name": "Jane Doe",
            "street": "535 Mission Street",
            "city": "San Francisco",
            "postal_code": "94105",
            "state": "CA",
            "country": "United States of America",
            "created_at": "2016-02-02T04:05:06.000Z",
            "tshirt_size": "M_Large",
            "phone_number": "+1-510-000-0000"
          }
        }
      }
    }
  }
}

PUT /programs/{program_id}/swag/{id}

The status of swag can be updated to "sent" through this endpoint. When the request is successful, the API will respond with a swag object.

Required permissions: Program Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program.
id path integer true The ID of the swag.

Get Thanks to Hackers

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/thanks" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/thanks',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/thanks',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/thanks");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/thanks',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/thanks", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

thanks items found

{
  "data": [
    {
      "type": "thanks-item",
      "attributes": {
        "total_report_count": 1,
        "reputation": 7,
        "recognized_report_count": 1,
        "username": "lorem",
        "user_id": "55"
      }
    },
    {
      "type": "thanks-item",
      "attributes": {
        "total_report_count": 1,
        "reputation": 22,
        "recognized_report_count": 1,
        "username": "ipsum",
        "user_id": "56"
      }
    },
    {
      "type": "thanks-item",
      "attributes": {
        "total_report_count": 5,
        "reputation": 38,
        "recognized_report_count": 3,
        "username": "adam",
        "user_id": "57"
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/thanks

This endpoint enables you to view a program's thanks to hackers.

A program's thanks items can be fetched by sending a GET request to the thanks endpoint. When the request is successful, the API will respond with paginated thanks items objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Weaknesses

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/weaknesses" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/weaknesses',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/weaknesses',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/weaknesses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/weaknesses',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/weaknesses", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

weaknesses found

{
  "data": [
    {
      "id": "1337",
      "type": "weakness",
      "attributes": {
        "name": "Cross-Site Request Forgery (CSRF)",
        "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
        "created_at": "2016-02-02T04:05:06.000Z",
        "external_id": "cwe-352"
      }
    },
    {
      "id": "1338",
      "type": "weakness",
      "attributes": {
        "name": "SQL Injection",
        "description": "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
        "created_at": "2016-03-02T04:05:06.000Z",
        "external_id": "cwe-89"
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/weaknesses

The Weakness endpoint enables you to retrieve a list of all weaknesses of the program.

Weaknesses can be fetched by sending a GET request to the weaknesses endpoint. When the request is successful, the API will respond with paginated weakness objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Program

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

program found

{
  "data": {
    "id": "1337",
    "type": "program",
    "attributes": {
      "handle": "security",
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z"
    },
    "relationships": {
      "groups": {
        "data": [
          {
            "id": "2557",
            "type": "group",
            "attributes": {
              "name": "Standard",
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "report_management",
                "reward_management"
              ]
            }
          },
          {
            "id": "2558",
            "type": "group",
            "attributes": {
              "name": "Admin",
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "user_management",
                "program_management"
              ]
            }
          }
        ]
      },
      "members": {
        "data": [
          {
            "id": "1339",
            "type": "member",
            "attributes": {
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "program_management",
                "report_management",
                "reward_management",
                "user_management"
              ]
            },
            "relationships": {
              "user": {
                "data": {
                  "id": "1337",
                  "type": "user",
                  "attributes": {
                    "username": "api-example",
                    "name": "API Example",
                    "disabled": false,
                    "created_at": "2016-02-02T04:05:06.000Z",
                    "profile_picture": {
                      "62x62": "/assets/avatars/default.png",
                      "82x82": "/assets/avatars/default.png",
                      "110x110": "/assets/avatars/default.png",
                      "260x260": "/assets/avatars/default.png"
                    }
                  }
                }
              }
            }
          }
        ]
      }
    }
  }
}

GET /programs/{id}

A program object can be fetched by sending a GET request to a unique program object. When the request is successful, the API will respond with a program object.

The following program relationships are included: groups, members, custom field attributes and policy attachments.

Parameters

Name In Type Required Description
id path integer true The ID of the program. Find the program ID by fetching your programs

Assets

Import assets with CSV file

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: multipart/form-data' \
  -H 'Accept: application/json' \
  -d @- <<EOD
null
EOD

import requests
headers = {
  'Content-Type': 'multipart/form-data',
  'Accept': 'application/json'
}

data = null

r = requests.post(
  'https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'multipart/form-data',
  'Accept' => 'application/json'
}

data = null

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "null";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "null";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'multipart/form-data');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"multipart/form-data"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"null"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

attachment uploaded

{
  "data": {
    "id": "4",
    "type": "asset-import",
    "attributes": {
      "state": "processed",
      "errors": [],
      "created_at": "2022-06-21T13:38:04.672Z",
      "updated_at": "2022-06-21T13:38:04.693Z"
    }
  }
}

POST /organizations/{organization_id}/asset_imports

This API endpoint can be used to bulk import assets into the HackerOne platform and to detect duplicates. When the API call is successful, an asset import object will be returned.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization

Retrieve an assets import

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports/{asset_import_id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports/{asset_import_id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports/{asset_import_id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports/{asset_import_id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out