NAV
Shell Python Ruby Java Javascript Go

Customer Resources

Activities

Get Activity

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/activities/{id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/activities/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/activities/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/activities/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/activities/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/activities/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

activity found

{
  "data": {
    "id": "1337",
    "type": "activity-comment",
    "attributes": {
      "message": "Comment!",
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z",
      "internal": false
    },
    "relationships": {
      "actor": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "attachments": {
        "data": [
          {
            "id": "1337",
            "type": "attachment",
            "attributes": {
              "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
              "created_at": "2016-02-02T04:05:06.000Z",
              "file_name": "root.rb",
              "content_type": "text/x-ruby",
              "file_size": 2871
            }
          }
        ]
      }
    }
  }
}

Last revised: 2023-09-07

GET /activities/{id}

An activity object can be fetched by sending a GET request to a unique activity object. In case the request was successful, the API will respond with an activity object.

The included activity relationships depend on the type of activity that is returned. See the activity object for possible types and relationships.

Parameters

Name In Type Required Description
id path integer true The ID of the activity.

Query Activities

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/incremental/activities?handle=string" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/incremental/activities',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  params={
      'handle': 'string'
  },
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/incremental/activities',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/incremental/activities?handle=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/incremental/activities?handle=string',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/incremental/activities", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

programs found

{
  "data": [
    {
      "type": "activity-bug-filed",
      "id": "1337",
      "attributes": {
        "report_id": "99900",
        "message": "",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2017-02-02T04:05:06.000Z",
        "internal": false
      },
      "relationships": {
        "actor": {
          "data": {
            "type": "user",
            "id": "7331",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        }
      }
    }
  ],
  "meta": {
    "max_updated_at": "2017-02-02T04:05:06.000Z"
  },
  "links": {
    "self": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1",
    "next": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=2",
    "last": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=20"
  }
}

Last revised: 2023-09-07

GET /incremental/activities

This endpoint allows you to fetch all activities of your program incrementally by time.

This endpoint is used to:

The next section will give an overview of what an Activity object looks like. The sections after that will show the endpoints that have been implemented for this resource.

Note: The request URL path is /incremental/activities. When the request is successful, the API will respond with paginated activity objects ordered by updated date.

Parameters

Name In Type Required Description
handle query string true The HackerOne handle of the program with activities you wish to retrieve.
updated_at_after query string false A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved.
sort query any false The attributes to sort the activities on.
order query any false The direction to sort the activities on, by default desc.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Detailed descriptions

sort: The attributes to sort the activities on.

This parameter may contain multiple attributes that the activities should be sorted on. Sorting is applied in the specified order of attributes, by default descending.

The following attributes can be used for sorting: report_id, created_at, updated_at.

order: The direction to sort the activities on, by default desc.

The following attributes can be used for sorting: asc (ascending), desc (descending).

Analytics

Get Analytics Data (Preview)

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/analytics?key=string&interval=string&start_at=string&end_at=string" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/analytics',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  params={
      'key': 'string',  'interval': 'string',  'start_at': 'string',  'end_at': 'string'
  },
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/analytics',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/analytics?key=string&interval=string&start_at=string&end_at=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/analytics?key=string&interval=string&start_at=string&end_at=string',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/analytics", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

data found with valid params

[
  {
    "keys": [
      "report_count",
      "interval"
    ],
    "values": [
      [
        "10",
        "2022-01-01 00:00:00 UTC"
      ],
      [
        "27",
        "2022-04-01 00:00:00 UTC"
      ],
      [
        "35",
        "2022-07-01 00:00:00 UTC"
      ]
    ]
  }
]

Last revised: 2024-01-16

GET /analytics

This endpoint returns data for a specified key corresponding to a predefined analytics query. Values for key are derived from the names of charts on these dashboards:

Submission and Bounty Trends

Hacker Engagement

Parameters

Name In Type Required Description
key query string true Filter by the query key you want to fetch data for
interval query string true The interval to use for the input date range. Valid intervals are month, quarter, or year
start_at query string true The start date of the query as a string, inclusive. Format YYYY-MM-DD
end_at query string true The end date of the query as a string, exclusive. Format YYYY-MM-DD
team_id query string false Filter by a team/program ID. If no team_id is provided, then data will be for all teams/programs in the organization
organization_id query string false Filter by an organization ID

Credentials

Get Credentials

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/credentials?program_id=0&structured_scope_id=0" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/credentials',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  params={
      'program_id': '0',  'structured_scope_id': '0'
  },
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/credentials',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/credentials?program_id=0&structured_scope_id=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/credentials?program_id=0&structured_scope_id=0',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/credentials", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

data found with valid params

{
  "data": [
    {
      "id": "1",
      "type": "credential",
      "attributes": {
        "credentials": {
          "table": {
            "username": "test",
            "password": "d282032e02b3d1d956ae1a9dea945535"
          }
        },
        "revoked": false,
        "account_details": "test_account_details"
      }
    },
    {
      "id": "2",
      "type": "credential",
      "attributes": {
        "credentials": {
          "table": {
            "username": "test",
            "password": "28cf5ecddb0d781a06beed30f69a5afe"
          }
        },
        "revoked": false,
        "account_details": "test_account_details"
      }
    },
    {
      "id": "3",
      "type": "credential",
      "attributes": {
        "credentials": {
          "table": {
            "username": "test",
            "password": "643c17a23d2fb7f5dd3e17e94cb47d64"
          }
        },
        "revoked": false,
        "account_details": "test_account_details"
      }
    }
  ],
  "links": {}
}

Last revised: 2024-04-24

GET /credentials

Credentials can be fetched for a structured scope by sending a GET request to the credentials endpoint. When the request is successful, the API will respond with paginated credentials objects.

Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
program_id query integer true The ID of the program. You can find the ID by fetching your programs.
structured_scope_id query integer true The ID of the structured scope. You can find the structured scope ID by fetching your programs structured scopes.
state query string false An optional state to filter your credentials. It can be revoked, available or claimed
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Create a Credential

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/credentials" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "structured_scope_id": 0,
  "data": {
    "type": "credential",
    "attributes": {
      "credentials": "{\"username\":\"username1\",\"password\":\"example passowrd\",\"admin_username\":\"admin_user_1\",\"admin_password\":\"admin_pass_1\"}",
      "assignee": "hacker_username"
    }
  },
  "batch_id": "string"
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "structured_scope_id": 0,
  "data": {
    "type": "credential",
    "attributes": {
      "credentials": "{\"username\":\"username1\",\"password\":\"example passowrd\",\"admin_username\":\"admin_user_1\",\"admin_password\":\"admin_pass_1\"}",
      "assignee": "hacker_username"
    }
  },
  "batch_id": "string"
}

r = requests.post(
  'https://api.hackerone.com/v1/credentials',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "structured_scope_id": 0,
  "data": {
    "type": "credential",
    "attributes": {
      "credentials": "{\"username\":\"username1\",\"password\":\"example passowrd\",\"admin_username\":\"admin_user_1\",\"admin_password\":\"admin_pass_1\"}",
      "assignee": "hacker_username"
    }
  },
  "batch_id": "string"
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/credentials',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/credentials");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"structured_scope_id\": 0,\n  \"data\": {\n    \"type\": \"credential\",\n    \"attributes\": {\n      \"credentials\": \"{\\\"username\\\":\\\"username1\\\",\\\"password\\\":\\\"example passowrd\\\",\\\"admin_username\\\":\\\"admin_user_1\\\",\\\"admin_password\\\":\\\"admin_pass_1\\\"}\",\n      \"assignee\": \"hacker_username\"\n    }\n  },\n  \"batch_id\": \"string\"\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"structured_scope_id\": 0,\n  \"data\": {\n    \"type\": \"credential\",\n    \"attributes\": {\n      \"credentials\": \"{\\\"username\\\":\\\"username1\\\",\\\"password\\\":\\\"example passowrd\\\",\\\"admin_username\\\":\\\"admin_user_1\\\",\\\"admin_password\\\":\\\"admin_pass_1\\\"}\",\n      \"assignee\": \"hacker_username\"\n    }\n  },\n  \"batch_id\": \"string\"\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/credentials',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"structured_scope_id\": 0,\n  \"data\": {\n    \"type\": \"credential\",\n    \"attributes\": {\n      \"credentials\": \"{\\\"username\\\":\\\"username1\\\",\\\"password\\\":\\\"example passowrd\\\",\\\"admin_username\\\":\\\"admin_user_1\\\",\\\"admin_password\\\":\\\"admin_pass_1\\\"}\",\n      \"assignee\": \"hacker_username\"\n    }\n  },\n  \"batch_id\": \"string\"\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/credentials", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

credential created

{
  "data": {
    "id": "<id>",
    "type": "credential",
    "attributes": {
      "credentials": {
        "table": {
          "username": "test",
          "password": "test"
        }
      },
      "revoked": false,
      "assignee_id": "<id>",
      "assignee_username": "john_doe_1234"
    }
  }
}

Last revised: 2024-04-24

POST /credentials

This API endpoint can be used to create new credential. When the API call is successful, a credential object will be returned.

The IDs of a program's structured scopes can be retrieved from programs/{id}/structured_scopes endpoint.

Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
structured_scope_id body integer true The ID of the structured scope to which the credential will belong
data body object true The information to create a credential.
» type body string true credential
» attributes body object true none
»» credentials body string true A JSON-encoded hash of credentials that will eventually be provided to the hacker
»» assignee body string false If provided, the credential will be assigned to the specified user
batch_id body string false If provided, the batch will be stored on the credential

Enumerated Values

Parameter Value
» type credential

Update a Credential

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "credential",
    "attributes": {
      "credentials": "string",
      "recycle": false
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "credential",
    "attributes": {
      "credentials": "string",
      "recycle": false
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/credentials/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "credential",
    "attributes": {
      "credentials": "string",
      "recycle": false
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/credentials/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"credential\",\n    \"attributes\": {\n      \"credentials\": \"string\",\n      \"recycle\": false\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"credential\",\n    \"attributes\": {\n      \"credentials\": \"string\",\n      \"recycle\": false\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/credentials/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"credential\",\n    \"attributes\": {\n      \"credentials\": \"string\",\n      \"recycle\": false\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/credentials/{id}", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

credential updated

{
  "data": {
    "id": "<id>",
    "type": "credential",
    "attributes": {
      "credentials": {
        "table": {
          "username": "test",
          "password": "test"
        }
      },
      "revoked": false,
      "assignee_id": "<id>",
      "assignee_username": "john_doe_1234"
    }
  }
}

Last revised: 2024-04-24

PUT /credentials/{id}

This API endpoint can be used to update an existing credential. When the API call is successful, a credential object will be returned.

Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the credential.
data body object true The information to update a credential.
» type body string true credential
» attributes body object true none
»» credentials body string true A JSON-encoded hash of credentials that will eventually be provided to the hacker
»» recycle body boolean false If true, the assignee will be removed. The default is false.

Enumerated Values

Parameter Value
» type credential

Assign a Credential

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}/assign" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "username": "string"
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "username": "string"
}

r = requests.put(
  'https://api.hackerone.com/v1/credentials/{id}/assign',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "username": "string"
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/credentials/{id}/assign',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}/assign");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"username\": \"string\"\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"username\": \"string\"\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/credentials/{id}/assign',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"username\": \"string\"\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/credentials/{id}/assign", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

credential assigned

{
  "data": {
    "id": "<id>",
    "type": "credential",
    "attributes": {
      "credentials": {
        "table": {
          "username": "test",
          "password": "test"
        }
      },
      "revoked": false,
      "assignee_id": "<id>",
      "assignee_username": "john_doe_1234"
    }
  }
}

Last revised: 2024-04-24

PUT /credentials/{id}/assign

This API endpoint can be used to assign an existing credential. When the API call is successful, a credential object will be returned.

Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the credential.
username body string true The username of the user to be assigned the credential.

Delete a Credential

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}/" \
  -X DELETE \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/credentials/{id}/',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/credentials/{id}/',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/credentials/{id}/',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/credentials/{id}/", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Credential successfully removed

{
  "data": {
    "success": true,
    "message": "Credential successfully removed"
  }
}

Last revised: 2024-04-24

DELETE /credentials/{id}/

This API endpoint can be used to delete an existing credential. When the API call is successful, a success message will be returned.

Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the credential.

Revoke a Credential

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}/revoke" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.put(
  'https://api.hackerone.com/v1/credentials/{id}/revoke',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/credentials/{id}/revoke',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}/revoke");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/credentials/{id}/revoke',
{
  method: 'PUT',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/credentials/{id}/revoke", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

credential revoked

{
  "data": {
    "id": "<id>",
    "type": "credential",
    "attributes": {
      "credentials": {
        "table": {
          "username": "test",
          "password": "test"
        }
      },
      "revoked": true,
      "assignee_id": "<id>",
      "assignee_username": "john_doe_1234"
    }
  }
}

Last revised: 2024-04-24

PUT /credentials/{id}/revoke

This API endpoint can be used to revoke an existing credential. When the API call is successful, a credential object will be returned.

Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the credential.

Get Credential Inquiry Responses

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

data found with valid params

{
  "data": [
    {
      "id": "1337",
      "type": "credential_inquiry_response",
      "attributes": {
        "details": "this is a credential inquiry response",
        "created_at": "2017-01-01T00:00:00.000Z",
        "user": {
          "id": "1",
          "username": "user1"
        }
      }
    },
    {
      "id": "1339",
      "type": "credential_inquiry_response",
      "attributes": {
        "details": "this is a credential inquiry response",
        "created_at": "2017-01-01T00:00:00.000Z",
        "user": {
          "id": "2",
          "username": "user2"
        }
      }
    }
  ],
  "links": {}
}

Last revised: 2024-04-24

GET /programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses

Credential inquiry responses can be fetched by sending a GET request to the credential inquiry responses endpoint. When the request is successful, the API will respond with paginated credential inquiry objects.

Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
credential_inquiry_id path integer true The ID of the credential inquiry. You can find the credential inquiry ID by fetching your credential inquiries.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Delete Credential Inquiry Response

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}" \
  -X DELETE \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Credential Inquiry Response successfully removed

{
  "data": {
    "success": true,
    "message": "Credential Inquiry Response successfully removed"
  }
}

Last revised: 2024-04-24

DELETE /programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}

This API endpoint can be used to delete an existing credential inquiry response. When the API call is successful, a success message will be returned.

Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
credential_inquiry_id path integer true The ID of the credential inquiry. You can find the credential inquiry ID by fetching your credential inquiries.
id path integer true The ID of the credential inquiry response.

Create a Credential Inquiry

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/credential_inquiries" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "structured_scope_id": 0,
  "data": {
    "type": "credential_inquiry",
    "attributes": {
      "description": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "structured_scope_id": 0,
  "data": {
    "type": "credential_inquiry",
    "attributes": {
      "description": "string"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "structured_scope_id": 0,
  "data": {
    "type": "credential_inquiry",
    "attributes": {
      "description": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/credential_inquiries");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"structured_scope_id\": 0,\n  \"data\": {\n    \"type\": \"credential_inquiry\",\n    \"attributes\": {\n      \"description\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"structured_scope_id\": 0,\n  \"data\": {\n    \"type\": \"credential_inquiry\",\n    \"attributes\": {\n      \"description\": \"string\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"structured_scope_id\": 0,\n  \"data\": {\n    \"type\": \"credential_inquiry\",\n    \"attributes\": {\n      \"description\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/credential_inquiries", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

credential_inquiry created

{
  "data": {
    "id": "<id>",
    "type": "credential_inquiry",
    "attributes": {
      "description": "this is a credential inquiry"
    }
  }
}

Last revised: 2024-04-24

POST /programs/{id}/credential_inquiries

This API endpoint can be used to create new credential inquiry. When the API call is successful, a credential_inquiry object will be returned.

The IDs of a program's structured scopes can be retrieved from programs/{id}/structured_scopes endpoint.

Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
structured_scope_id body integer true The ID of the structured scope to which the credential will belong
data body object true The information to be requested from the hacker
» type body string true none
» attributes body object true none
»» description body string true A description of the information required from the hackers to create credentials

Enumerated Values

Parameter Value
» type credential_inquiry

Get Credential Inquiries

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/credential_inquiries" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/credential_inquiries");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/credential_inquiries", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

data found with valid params

{
  "data": [
    {
      "id": "<id>",
      "type": "credential_inquiry",
      "attributes": {
        "description": "this is a credential inquiry"
      }
    }
  ],
  "links": {}
}

Last revised: 2024-04-24

GET /programs/{id}/credential_inquiries

Credential inquiries can be fetched by sending a GET request to the credential inquiries endpoint. When the request is successful, the API will respond with paginated credential inquiry objects.

Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the program. You can find the program ID by fetching your programs.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Update Credential Inquiry

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "credential_inquiry",
    "attributes": {
      "description": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "credential_inquiry",
    "attributes": {
      "description": "string"
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "credential_inquiry",
    "attributes": {
      "description": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"credential_inquiry\",\n    \"attributes\": {\n      \"description\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"credential_inquiry\",\n    \"attributes\": {\n      \"description\": \"string\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"credential_inquiry\",\n    \"attributes\": {\n      \"description\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

credential inquiry updated

{
  "data": {
    "id": "<id>",
    "type": "credential_inquiry",
    "attributes": {
      "description": "this is a credential inquiry"
    }
  }
}

Last revised: 2024-04-24

PUT /programs/{program_id}/credential_inquiries/{id}

This endpoint can be used to update a credential inquiry of a program. When the API request is successful, a credential inquiry object will be returned.

Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
id path integer true The ID of the credential inquiry.
data body object true The information to be requested from the hacker
» type body string true none
» attributes body object true none
»» description body string true A description of the information required from the hackers to create credentials

Enumerated Values

Parameter Value
» type credential_inquiry

Delete Credential Inquiry

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}" \
  -X DELETE \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Credential Inquiry successfully removed

{
  "data": {
    "success": true,
    "message": "Credential Inquiry successfully removed"
  }
}

Last revised: 2024-04-24

DELETE /programs/{program_id}/credential_inquiries/{id}

This API endpoint can be used to delete an existing credential inquiry. When the API call is successful, a success message will be returned.

Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
id path integer true The ID of the credential inquiry.

Hai

Create Completion (Preview)

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hai/chat/completions" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "completion-request",
    "attributes": {
      "messages": [
        {
          "role": "user",
          "content": "string"
        }
      ],
      "program_handles": [
        "string"
      ],
      "report_ids": [
        0
      ],
      "cve_ids": [
        "string"
      ],
      "cwe_ids": [
        "string"
      ]
    }
  },
  "required": null
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "completion-request",
    "attributes": {
      "messages": [
        {
          "role": "user",
          "content": "string"
        }
      ],
      "program_handles": [
        "string"
      ],
      "report_ids": [
        0
      ],
      "cve_ids": [
        "string"
      ],
      "cwe_ids": [
        "string"
      ]
    }
  },
  "required": null
}

r = requests.post(
  'https://api.hackerone.com/v1/hai/chat/completions',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "completion-request",
    "attributes": {
      "messages": [
        {
          "role": "user",
          "content": "string"
        }
      ],
      "program_handles": [
        "string"
      ],
      "report_ids": [
        0
      ],
      "cve_ids": [
        "string"
      ],
      "cwe_ids": [
        "string"
      ]
    }
  },
  "required": null
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/hai/chat/completions',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hai/chat/completions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"completion-request\",\n    \"attributes\": {\n      \"messages\": [\n        {\n          \"role\": \"user\",\n          \"content\": \"string\"\n        }\n      ],\n      \"program_handles\": [\n        \"string\"\n      ],\n      \"report_ids\": [\n        0\n      ],\n      \"cve_ids\": [\n        \"string\"\n      ],\n      \"cwe_ids\": [\n        \"string\"\n      ]\n    }\n  },\n  \"required\": null\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"completion-request\",\n    \"attributes\": {\n      \"messages\": [\n        {\n          \"role\": \"user\",\n          \"content\": \"string\"\n        }\n      ],\n      \"program_handles\": [\n        \"string\"\n      ],\n      \"report_ids\": [\n        0\n      ],\n      \"cve_ids\": [\n        \"string\"\n      ],\n      \"cwe_ids\": [\n        \"string\"\n      ]\n    }\n  },\n  \"required\": null\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hai/chat/completions',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"completion-request\",\n    \"attributes\": {\n      \"messages\": [\n        {\n          \"role\": \"user\",\n          \"content\": \"string\"\n        }\n      ],\n      \"program_handles\": [\n        \"string\"\n      ],\n      \"report_ids\": [\n        0\n      ],\n      \"cve_ids\": [\n        \"string\"\n      ],\n      \"cwe_ids\": [\n        \"string\"\n      ]\n    }\n  },\n  \"required\": null\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/hai/chat/completions", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

completion created

{
  "data": [
    {
      "id": "1",
      "type": "hai_chat_completion",
      "attributes": {
        "state": "created",
        "response": "This is a response",
        "created_at": "2019-01-01T00:00:00Z"
      }
    },
    {
      "id": "1",
      "type": "hai_chat_completion",
      "attributes": {
        "state": "generating",
        "response": null,
        "created_at": "2020-01-01T00:00:00Z"
      }
    }
  ]
}

Last revised: 2024-05-22

POST /hai/chat/completions

A POST request to create a completion object.

The feature is available for users whose organizations have enabled Hai.

Parameters

Name In Type Required Description
data body object true none
» type body string false none
» attributes body object false none
»» messages body [object] true none
»»» role body string true none
»»» content body string true none
»» program_handles body [string] false none
»» report_ids body [integer] false none
»» cve_ids body [string] false none
»» cwe_ids body [string] false none
required body any false none

Enumerated Values

Parameter Value
» type completion-request
»»» role user
»»» role assistant

Get Completions (Preview)

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hai/chat/completions/{id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hai/chat/completions/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hai/chat/completions/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hai/chat/completions/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hai/chat/completions/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hai/chat/completions/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

completion found

{
  "data": [
    {
      "id": "1",
      "type": "hai_chat_completion",
      "attributes": {
        "state": "created",
        "response": "This is a response",
        "created_at": "2019-01-01T00:00:00Z"
      }
    },
    {
      "id": "1",
      "type": "hai_chat_completion",
      "attributes": {
        "state": "generating",
        "response": null,
        "created_at": "2020-01-01T00:00:00Z"
      }
    }
  ]
}

Last revised: 2024-05-22

GET /hai/chat/completions/{id}

A GET request to retrieve and view a completion object by its ID.

The feature is available for users whose organizations have enabled Hai.

Parameters

Name In Type Required Description
id path integer true The ID of the completion.

Organizations

Get Your Organizations

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/me/organizations" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/me/organizations',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/me/organizations',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/me/organizations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/me/organizations',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/me/organizations", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organizations found

{
  "data": [
    {
      "id": "1",
      "type": "organization",
      "attributes": {
        "handle": "security",
        "created_at": "2022-09-07T08:00:00.000Z",
        "updated_at": "2022-09-07T08:00:00.000Z"
      }
    }
  ],
  "links": {}
}

Last revised: 2023-09-07

GET /me/organizations

This API endpoint allows you to query the organization objects that you are a member of.

The groups and members relationships are not included in the response.

Parameters

Name In Type Required Description
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get All Eligibility Settings

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization eligibility settings found

{
  "data": [
    {
      "id": "1",
      "type": "eligibility-setting",
      "attributes": {
        "allowed_domains": [
          "hackerone.com"
        ],
        "allowed_domains_enabled": true,
        "name": "Organization Eligibility Settings",
        "organization_id": "1",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z"
      }
    }
  ]
}

Last revised: 2023-09-07

GET /organizations/{organization_id}/eligibility_settings

This API endpoint can be used to list all eligibility settings of an organization. When the request is successful, the API will respond with paginated eligibility-setting.

Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Eligibility Setting

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

eligibility setting successfully fetched from organization

{
  "data": {
    "id": "1",
    "type": "eligibility-setting",
    "attributes": {
      "allowed_domains": [
        "hackerone.com"
      ],
      "allowed_domains_enabled": true,
      "name": "Organization Eligibility Settings",
      "organization_id": "1",
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z"
    }
  }
}

Last revised: 2023-09-07

GET /organizations/{organization_id}/eligibility_settings/{id}

This API endpoint can be used to get an eligibility_setting of an organization. When the request is successful, the API will respond with eligibility-setting object.

Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
id path integer true The ID of the eligibility setting.

Get All Inboxes

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/inboxes" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/inboxes',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/inboxes',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/inboxes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/inboxes',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/inboxes", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization inboxes found

{
  "data": [
    {
      "id": "<id>",
      "type": "inbox",
      "attributes": {
        "name": "Inbox 1"
      }
    },
    {
      "id": "<id>",
      "type": "inbox",
      "attributes": {
        "name": "Custom Inbox 2"
      }
    }
  ],
  "links": {}
}

Last revised: 2023-10-19

GET /organizations/{organization_id}/inboxes

This API endpoint can be used to list all inboxes of an organization. When the request is successful, the API will respond with paginated inbox objects.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Pending Invitations

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization member groups found

{
  "data": [
    {
      "type": "invitation-organization-member",
      "id": "1",
      "attributes": {
        "email": "example@hackerone.com",
        "show_email": true,
        "invited_by_id": "2",
        "recipient_id": "5",
        "invitation_data": {
          "notify": true,
          "organization_admin": true,
          "organization_member_group_ids": []
        },
        "expires_at": "2016-02-02T04:05:06.000Z",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z"
      }
    }
  ]
}

Last revised: 2024-02-08

GET /organizations/{organization_id}/pending_invitations

This API endpoint can be used to list all open invitations of an organization. When the request is successful, the API will respond with paginated invitation-organization-member objects.

Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Create An Invitation

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/invitations" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "invitation-organization-member",
    "attributes": {
      "email": "string",
      "organization_member_group_ids": [],
      "organization_admin": true,
      "notify": true
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "invitation-organization-member",
    "attributes": {
      "email": "string",
      "organization_member_group_ids": [],
      "organization_admin": true,
      "notify": true
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/organizations/{organization_id}/invitations',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "invitation-organization-member",
    "attributes": {
      "email": "string",
      "organization_member_group_ids": [],
      "organization_admin": true,
      "notify": true
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/invitations',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/invitations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"invitation-organization-member\",\n    \"attributes\": {\n      \"email\": \"string\",\n      \"organization_member_group_ids\": [],\n      \"organization_admin\": true,\n      \"notify\": true\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"invitation-organization-member\",\n    \"attributes\": {\n      \"email\": \"string\",\n      \"organization_member_group_ids\": [],\n      \"organization_admin\": true,\n      \"notify\": true\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/invitations',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"invitation-organization-member\",\n    \"attributes\": {\n      \"email\": \"string\",\n      \"organization_member_group_ids\": [],\n      \"organization_admin\": true,\n      \"notify\": true\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/invitations", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

invitation created

{
  "data": {
    "type": "invitation-organization-member",
    "id": "1",
    "attributes": {
      "email": "example@hackerone.com",
      "username": null,
      "invited_by_id": "2",
      "recipient_id": null,
      "invitation_data": {
        "notify": true,
        "organization_admin": true,
        "organization_member_group_ids": []
      },
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z",
      "expires_at": "2016-02-02T04:05:06.000Z"
    }
  }
}

Last revised: 2024-02-08

POST /organizations/{organization_id}/invitations

This API endpoint can be used to invite a recipient to an organization using their email address. This endpoint can trigger notifications. When the request is successful, the API will respond with an invitation-organization-member object.

Required permissions: User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
data body object true The information to create the organization member invitation.
» type body string true none
» attributes body object true none
»» email body string true The invitee email. It must respect the eligibility settings of the groups and the organization.
»» organization_member_group_ids body array false The organization groups IDs where the user should be added.
»» organization_admin body boolean false Sets the invitee as an organization admin.
»» notify body boolean false Activates organization notifications for the invitee.

Enumerated Values

Parameter Value
» type invitation-organization-member

Get Group

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization member group found

{
  "id": "11",
  "type": "organization-member-group",
  "attributes": {
    "name": "Standard1",
    "organization_id": "2",
    "eligibility_setting_id": "8",
    "permissions": [
      "read_only_member"
    ],
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "migrated_at": null
  },
  "relationships": {
    "organization_members": {
      "data": [
        {
          "id": "45",
          "type": "organization-member",
          "attributes": {
            "organization_id": "2",
            "user_id": "22",
            "email": "example@hackerone.com",
            "organization_admin": true,
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z",
            "last_sign_in_at": "2023-11-24T21:24:31.102Z"
          }
        }
      ]
    },
    "programs": {
      "data": []
    }
  }
}

Last revised: 2023-11-28

GET /organizations/{organization_id}/groups/{id}

This API endpoint can be used to get a group of an organization. When the request is successful, the API will respond with organization-member-group object.

Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
id path integer true The ID of the group.

Update Group

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "organization-member-group",
    "attributes": {
      "name": "string",
      "eligibility_setting_id": 0,
      "permissions": [
        "string"
      ]
    },
    "relationships": {
      "organization_members": {
        "data": [
          {
            "id": 0,
            "type": "organization-member"
          }
        ]
      },
      "programs": {
        "data": [
          {
            "id": 0,
            "type": "program"
          }
        ]
      }
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "organization-member-group",
    "attributes": {
      "name": "string",
      "eligibility_setting_id": 0,
      "permissions": [
        "string"
      ]
    },
    "relationships": {
      "organization_members": {
        "data": [
          {
            "id": 0,
            "type": "organization-member"
          }
        ]
      },
      "programs": {
        "data": [
          {
            "id": 0,
            "type": "program"
          }
        ]
      }
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "organization-member-group",
    "attributes": {
      "name": "string",
      "eligibility_setting_id": 0,
      "permissions": [
        "string"
      ]
    },
    "relationships": {
      "organization_members": {
        "data": [
          {
            "id": 0,
            "type": "organization-member"
          }
        ]
      },
      "programs": {
        "data": [
          {
            "id": 0,
            "type": "program"
          }
        ]
      }
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"organization-member-group\",\n    \"attributes\": {\n      \"name\": \"string\",\n      \"eligibility_setting_id\": 0,\n      \"permissions\": [\n        \"string\"\n      ]\n    },\n    \"relationships\": {\n      \"organization_members\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member\"\n          }\n        ]\n      },\n      \"programs\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"program\"\n          }\n        ]\n      }\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"organization-member-group\",\n    \"attributes\": {\n      \"name\": \"string\",\n      \"eligibility_setting_id\": 0,\n      \"permissions\": [\n        \"string\"\n      ]\n    },\n    \"relationships\": {\n      \"organization_members\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member\"\n          }\n        ]\n      },\n      \"programs\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"program\"\n          }\n        ]\n      }\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"organization-member-group\",\n    \"attributes\": {\n      \"name\": \"string\",\n      \"eligibility_setting_id\": 0,\n      \"permissions\": [\n        \"string\"\n      ]\n    },\n    \"relationships\": {\n      \"organization_members\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member\"\n          }\n        ]\n      },\n      \"programs\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"program\"\n          }\n        ]\n      }\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization member group updated

{
  "id": "11",
  "type": "organization-member-group",
  "attributes": {
    "name": "Standard3",
    "organization_id": "2",
    "eligibility_setting_id": "8",
    "permissions": [
      "read_only_member",
      "report_analyst"
    ],
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "migrated_at": null
  },
  "relationships": {
    "organization_members": {
      "data": [
        {
          "id": "45",
          "type": "organization-member",
          "attributes": {
            "organization_id": "2",
            "user_id": "22",
            "email": "example@hackerone.com",
            "organization_admin": true,
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z",
            "last_sign_in_at": "2023-11-24T21:24:31.102Z"
          }
        }
      ]
    },
    "programs": {
      "data": [
        {
          "id": "1",
          "type": "program",
          "attributes": {
            "handle": "user-management-api",
            "created_at": "2023-02-06T16:10:06.000Z",
            "updated_at": "2023-02-07T10:31:11.000Z"
          }
        }
      ]
    }
  }
}

Last revised: 2023-11-28

PUT /organizations/{organization_id}/groups/{id}

This endpoint can be used to update an organization member group. When the API request is successful, an organization member group object will be returned.

It is possible to update members and programs users have access to via organization_members and programs relationships.

Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
id path integer true The ID of the organization member group.
data body object true The information to update an organization member.
» type body string true none
» attributes body object true none
»» name body string false The name of the organization member group.
»» eligibility_setting_id body integer false The ID of the eligibility setting.
»» permissions body [string] false The permissions added to the new organization group. Possible values are: asset_inventory_manager, asset_inventory_viewer, group_manager, program_admin, read_only_member, report_analyst, report_reward_manager and user_manager.
» relationships body object false none
»» organization_members body object false A list of members for the organization member group.
»»» data body [any] true none
»» programs body object false A list of programs for the organization member group.
»»» data body [any] true none

Enumerated Values

Parameter Value
» type organization-member-group

Get All Groups

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/groups", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization member groups found

{
  "data": [
    {
      "id": "11",
      "type": "organization-member-group",
      "attributes": {
        "name": "Standard1",
        "organization_id": "2",
        "eligibility_setting_id": "8",
        "permissions": [
          "read_only_member"
        ],
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z",
        "migrated_at": null
      }
    }
  ],
  "links": {}
}

Last revised: 2023-11-28

GET /organizations/{organization_id}/groups

This API endpoint can be used to list all groups of an organization. When the request is successful, the API will respond with paginated organization-member-group objects.

Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Create Group

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "organization-member-group",
    "attributes": {
      "name": "string",
      "permissions": [],
      "eligibility_setting_id": 0
    },
    "relationships": {
      "organization_members": {
        "data": [
          {
            "id": 0,
            "type": "organization-member"
          }
        ]
      },
      "programs": {
        "data": [
          {
            "id": 0,
            "type": "program"
          }
        ]
      }
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "organization-member-group",
    "attributes": {
      "name": "string",
      "permissions": [],
      "eligibility_setting_id": 0
    },
    "relationships": {
      "organization_members": {
        "data": [
          {
            "id": 0,
            "type": "organization-member"
          }
        ]
      },
      "programs": {
        "data": [
          {
            "id": 0,
            "type": "program"
          }
        ]
      }
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "organization-member-group",
    "attributes": {
      "name": "string",
      "permissions": [],
      "eligibility_setting_id": 0
    },
    "relationships": {
      "organization_members": {
        "data": [
          {
            "id": 0,
            "type": "organization-member"
          }
        ]
      },
      "programs": {
        "data": [
          {
            "id": 0,
            "type": "program"
          }
        ]
      }
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"organization-member-group\",\n    \"attributes\": {\n      \"name\": \"string\",\n      \"permissions\": [],\n      \"eligibility_setting_id\": 0\n    },\n    \"relationships\": {\n      \"organization_members\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member\"\n          }\n        ]\n      },\n      \"programs\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"program\"\n          }\n        ]\n      }\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"organization-member-group\",\n    \"attributes\": {\n      \"name\": \"string\",\n      \"permissions\": [],\n      \"eligibility_setting_id\": 0\n    },\n    \"relationships\": {\n      \"organization_members\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member\"\n          }\n        ]\n      },\n      \"programs\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"program\"\n          }\n        ]\n      }\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"organization-member-group\",\n    \"attributes\": {\n      \"name\": \"string\",\n      \"permissions\": [],\n      \"eligibility_setting_id\": 0\n    },\n    \"relationships\": {\n      \"organization_members\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member\"\n          }\n        ]\n      },\n      \"programs\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"program\"\n          }\n        ]\n      }\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/groups", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization group created

{
  "id": "1",
  "type": "organization-member-group",
  "attributes": {
    "name": "Standard1",
    "organization_id": "2",
    "eligibility_setting_id": "8",
    "permissions": [
      "read_only_member"
    ],
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "migrated_at": null
  },
  "relationships": {
    "organization_members": {
      "data": [
        {
          "id": "45",
          "type": "organization-member",
          "attributes": {
            "organization_id": "2",
            "user_id": "22",
            "email": "example@hackerone.com",
            "organization_admin": true,
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z",
            "last_sign_in_at": "2023-11-24T21:24:31.102Z"
          }
        }
      ]
    }
  }
}

Last revised: 2023-11-28

POST /organizations/{organization_id}/groups

This API endpoint can be used to create a new organization group. When the request is successful the API will respond with an organization group object.

It is possible to add users to the new organization group by including a list of organization members as relationships. A list of organization members can be obtained at organizations/{organization_id}/members

It is possible to add programs to the new organization group by including a list of programs as relationships.

Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
data body object true The information to create the organization group.
» type body string true none
» attributes body object true none
»» name body string true The name of the new organization group.
»» permissions body array true The permissions added to the new organization group. Possible values are: asset_inventory_manager, asset_inventory_viewer, group_manager, program_admin, read_only_member, report_analyst, report_reward_manager and user_manager.
»» eligibility_setting_id body integer false The id of the eligibility settings.
» relationships body object false none
»» organization_members body object false A list of members for the organization member group.
»»» data body [any] true none
»» programs body object false A list of programs for the organization member group.
»»» data body [any] true none

Enumerated Values

Parameter Value
» type organization-member-group

Get All Members

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/members',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/members", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization members found

{
  "data": [
    {
      "id": "1",
      "type": "organization-member",
      "attributes": {
        "organization_id": "3",
        "user_id": "5",
        "email": "example@hackerone.com",
        "organization_admin": true,
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z",
        "last_sign_in_at": "2023-11-24T21:24:31.102Z"
      },
      "relationships": {
        "organization_member_groups": {
          "data": [
            {
              "id": "2",
              "type": "organization-member-group",
              "attributes": {
                "name": "Standard1",
                "organization_id": "3",
                "eligibility_setting_id": "4",
                "permissions": [
                  "read_only_member"
                ],
                "created_at": "2016-02-02T04:05:06.000Z",
                "updated_at": "2016-02-02T04:05:06.000Z",
                "migrated_at": null
              }
            }
          ]
        }
      }
    }
  ],
  "links": {}
}

Last revised: 2023-11-28

GET /organizations/{organization_id}/members

This API endpoint can be used to list all members of an organization. When the request is successful, the API will respond with paginated organization member objects.

Required permissions: User Manager or Groups Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Member

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

member successfully fetched from organization

{
  "data": {
    "id": "1",
    "type": "organization-member",
    "attributes": {
      "organization_id": "3",
      "user_id": "5",
      "email": "example@hackerone.com",
      "organization_admin": true,
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z",
      "last_sign_in_at": "2023-11-24T21:24:31.102Z"
    },
    "relationships": {
      "organization_member_groups": {
        "data": [
          {
            "id": "2",
            "type": "organization-member-group",
            "attributes": {
              "name": "Standard1",
              "organization_id": "3",
              "eligibility_setting_id": "4",
              "permissions": [
                "read_only_member"
              ],
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z",
              "migrated_at": null
            }
          }
        ]
      }
    }
  }
}

Last revised: 2023-11-28

GET /organizations/{organization_id}/members/{id}

This API endpoint can be used to get a member of an organization. When the request is successful, the API will respond with organization-member object.

Required permissions: User Manager or Groups Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.

You can get the ID of your organization from me/organizations endpoint.

You can get the IDs of your organization members from get all members endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
id path integer true The ID of the member.

Remove Member

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}" \
  -X DELETE \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

member successfully removed from organization

{
  "data": {
    "success": true,
    "message": "Member successfully removed from organization"
  }
}

Last revised: 2023-11-28

DELETE /organizations/{organization_id}/members/{id}

This API endpoint can be used to delete a member of an organization. When the request is successful, the API will respond with a successfully message.

Required permissions: User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.

Trying to remove an organization admin with an api token that is not an organization admin will return error 403 Forbidden.

You can get the ID of your organization from me/organizations endpoint.

You can get the IDs of your organization members from get all members endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
id path integer true The ID of the member.

Update Member

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "organization-member",
    "attributes": {
      "organization_admin": true
    },
    "relationships": {
      "organization_member_groups": {
        "data": [
          {
            "id": 0,
            "type": "organization-member-group"
          }
        ]
      }
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "organization-member",
    "attributes": {
      "organization_admin": true
    },
    "relationships": {
      "organization_member_groups": {
        "data": [
          {
            "id": 0,
            "type": "organization-member-group"
          }
        ]
      }
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "organization-member",
    "attributes": {
      "organization_admin": true
    },
    "relationships": {
      "organization_member_groups": {
        "data": [
          {
            "id": 0,
            "type": "organization-member-group"
          }
        ]
      }
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"organization-member\",\n    \"attributes\": {\n      \"organization_admin\": true\n    },\n    \"relationships\": {\n      \"organization_member_groups\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member-group\"\n          }\n        ]\n      }\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"organization-member\",\n    \"attributes\": {\n      \"organization_admin\": true\n    },\n    \"relationships\": {\n      \"organization_member_groups\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member-group\"\n          }\n        ]\n      }\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"organization-member\",\n    \"attributes\": {\n      \"organization_admin\": true\n    },\n    \"relationships\": {\n      \"organization_member_groups\": {\n        \"data\": [\n          {\n            \"id\": 0,\n            \"type\": \"organization-member-group\"\n          }\n        ]\n      }\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization member updated

{
  "data": {
    "id": "1",
    "type": "organization-member",
    "attributes": {
      "organization_id": "3",
      "user_id": "5",
      "email": "example@hackerone.com",
      "organization_admin": true,
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z",
      "last_sign_in_at": "2023-11-24T21:24:31.102Z"
    },
    "relationships": {
      "organization_member_groups": {
        "data": [
          {
            "id": "2",
            "type": "organization-member-group",
            "attributes": {
              "name": "Standard1",
              "organization_id": "3",
              "eligibility_setting_id": "4",
              "permissions": [
                "read_only_member"
              ],
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z",
              "migrated_at": null
            }
          }
        ]
      }
    }
  }
}

Last revised: 2023-11-28

PUT /organizations/{organization_id}/members/{id}

This endpoint can be used to update an organization member. When the API request is successful, an organization member object will be returned.

It is possible to update groups users have access to via organization_member_groups relationships.

Required permissions: User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
id path integer true The ID of the organization member.
data body object true The information to update an organization member.
» type body string true none
» attributes body object true none
»» organization_admin body boolean false If the member is an organization admin.
» relationships body object false none
»» organization_member_groups body object false A list of groups for the organization member.
»»» data body [any] true none

Enumerated Values

Parameter Value
» type organization-member

Get All Programs

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/programs" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/organizations/{organization_id}/programs',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/organizations/{organization_id}/programs',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/organizations/{organization_id}/programs',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/programs", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

organization programs found

{
  "data": [
    {
      "id": "<id>",
      "type": "program",
      "attributes": {
        "handle": "user-management-api",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z"
      }
    },
    {
      "id": "<id>",
      "type": "program",
      "attributes": {
        "handle": "user-management-api-2",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z"
      }
    }
  ],
  "links": {}
}

Last revised: 2023-09-07

GET /organizations/{organization_id}/programs

This API endpoint can be used to list all programs of an organization. When the request is successful, the API will respond with paginated program objects.

Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

You can get the ID of your organization from me/organizations endpoint.

Parameters

Name In Type Required Description
organization_id path integer true The ID of the organization.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Programs

Get Your Programs

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/me/programs" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/me/programs',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/me/programs',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/me/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/me/programs',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/me/programs", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

programs found

{
  "data": [
    {
      "id": "1",
      "type": "program",
      "attributes": {
        "handle": "security",
        "created_at": "2017-01-01T08:00:00.000Z",
        "updated_at": "2017-02-17T04:34:15.910Z"
      }
    }
  ],
  "links": {}
}

Last revised: 2023-09-07

GET /me/programs

This API endpoint allows you to query the program objects that you are a member of.

The groups and members relationships are not included in the response.

Parameters

Name In Type Required Description
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Allowed Reporter Activities

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

activities found

{
  "data": [
    {
      "type": "activity-program-hacker-joined",
      "id": "1337",
      "attributes": {
        "message": "",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2016-02-02T04:05:06.000Z",
        "internal": false
      }
    }
  ],
  "links": {}
}

Last revised: 2023-09-07

GET /programs/{id}/allowed_reporters/{allowed_reporter_id}/activities

This resource allows you to retrieve a list of activities of a researcher that belong to your private program.

These activities are "activity-program-hacker-joined", "activity-program-hacker-left" and "activity-invitation-received"

Multiple activities objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated activities objects. Note that, you won't see other relationships and attachments of an activity.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
allowed_reporter_id path integer true The ID of the allowed reporter.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Allowed Reporter username history

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

allowed reporter found

{
  "data": {
    "type": "allowed_reporter_username_history",
    "attributes": {
      "old_usernames": [
        "zero-trust",
        "zero_trust-the-sequel"
      ],
      "user_id": "42"
    }
  }
}

Last revised: 2023-11-21

GET /programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history

This resource allows you to retrieve a list of old usernames of a researcher that belong to your private program.

This can be useful for debugging purposes, but HackerOne advises to rely on IDs for cross-referencing data (instead of usernames) The current username is not included in the list.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
allowed_reporter_id path integer true The ID of the allowed reporter.

Get Allowed Reporters

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/allowed_reporters" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/allowed_reporters',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/allowed_reporters',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/allowed_reporters");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/allowed_reporters',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/allowed_reporters", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

allowed reporters found

{
  "data": [
    {
      "id": "1337",
      "type": "allowed_reporter",
      "attributes": {
        "username": "awesome-hacker",
        "email_alias": "awesome-hacker@wearehackerone.com",
        "rules_of_engagement_signed": true,
        "identity_verified": true,
        "background_checked": true,
        "cleared": true,
        "citizenship_verified": false,
        "residency_verified": true,
        "created_at": "2016-02-02T04:05:06.000Z"
      }
    }
  ],
  "links": {}
}

Last revised: 2024-03-01

GET /programs/{id}/allowed_reporters

This resource allows you to retrieve a list of all researchers that belong to your private program.

Multiple allowed reporter objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated allowed reporter objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Audit Log

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/audit_log" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/audit_log',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/audit_log',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/audit_log");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/audit_log',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/audit_log", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Audit logs

{
  "data": {
    "id": "1",
    "type": "audit-log-item",
    "attributes": {
      "log": "\"@member\" invited \"someone@example.com\".",
      "event": "invitations.team_members.create",
      "source": "User#1",
      "subject": "Invitation#1",
      "user_agent": "Chrome/11.0",
      "country": "US",
      "parameters": "{\"identifier\":\"jobert\"}",
      "created_at": "2019-05-15T04:05:06.000Z"
    }
  }
}

Last revised: 2024-04-11

GET /programs/{id}/audit_log

Returns a paginated list of the audit log items of the provided program.

This API endpoint allows a user to view all audit log items that have been created for a particular program.

Required permissions: Program Management. You can view audit log items and manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Note: This feature is currently in beta and has not been enabled for all programs.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Your Programs Balance

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/balance" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/billing/balance',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/billing/balance',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/balance");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/billing/balance',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/balance", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

balance found

{
  "data": {
    "id": "1337",
    "type": "program-balance",
    "attributes": {
      "balance": "1500.00"
    }
  }
}

Last revised: 2023-09-07

GET /programs/{id}/billing/balance

This API endpoint allows a user to retrieve the current balance for a particular program.

Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.

Get Payment Transactions

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/transactions" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/transactions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/billing/transactions',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/transactions", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Payment transactions found

{
  "id": 10,
  "bounty_award": "1000.00",
  "bounty_fee": "200.00",
  "activity_date": "2019-09-25T04:22:42.686Z",
  "activity_description": "Bounty for report #9",
  "debit_or_credit_amount": "-1200.00",
  "balance": "-1200.00",
  "payment_transaction_type": "payment",
  "relationships": {
    "payer": {
      "data": {
        "id": 3,
        "type": "user"
      },
      "attributes": {
        "username": "payer-username"
      },
      "links": {
        "self": "http://hackerone.com/payer-username"
      }
    },
    "report": {
      "data": {
        "id": 9,
        "type": "report"
      },
      "links": {
        "self": "http://hackerone.com/reports/9"
      }
    },
    "user": {
      "data": {
        "id": 1,
        "type": "user"
      },
      "attributes": {
        "username": "hacker-username"
      },
      "links": {
        "self": "http://hackerone.com/hacker-username"
      }
    },
    "team": {
      "data": {
        "id": 2,
        "type": "team"
      },
      "attributes": {
        "handle": "hacker-team"
      },
      "links": {
        "self": "http://hackerone.com/hacker-team"
      }
    }
  },
  "links": {
    "self": "https://api.hackerone.com/v1/programs/{id}/billing/transactions?page%5Bnumber%5D=1",
    "next": "https://api.hackerone.com/v1/programs/{id}/billing/transactions?page%5Bnumber%5D=2",
    "last": "https://api.hackerone.com/v1/programs/{id}/billing/transactions?page%5Bnumber%5D=5"
  }
}

Last revised: 2023-09-07

GET /programs/{id}/billing/transactions

This API endpoint enables a user to retrieve program's list of payment transactions for the selected month. When the request is successful, the API will respond with paginated payment transaction objects of the provided program.

If you want to get transactions for an entire year, you will need to request each month individually.

Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. If the program has a parent program, the API user should belong to the parent program. Insufficient permissions will result in a 403 Forbidden or a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
month query integer false The month of the transaction period. The default is set to the current month.
year query integer false The year of the transaction period. The default is set to the current year.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Award Bounty

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/bounties" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "bounty",
    "attributes": {
      "recipient": "string",
      "recipient_id": "string",
      "amount": 0,
      "reference": "string",
      "title": "string",
      "currency": "USD",
      "severity_rating": "none"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "bounty",
    "attributes": {
      "recipient": "string",
      "recipient_id": "string",
      "amount": 0,
      "reference": "string",
      "title": "string",
      "currency": "USD",
      "severity_rating": "none"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/programs/{id}/bounties',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "bounty",
    "attributes": {
      "recipient": "string",
      "recipient_id": "string",
      "amount": 0,
      "reference": "string",
      "title": "string",
      "currency": "USD",
      "severity_rating": "none"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/programs/{id}/bounties',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/bounties");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"bounty\",\n    \"attributes\": {\n      \"recipient\": \"string\",\n      \"recipient_id\": \"string\",\n      \"amount\": 0,\n      \"reference\": \"string\",\n      \"title\": \"string\",\n      \"currency\": \"USD\",\n      \"severity_rating\": \"none\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"bounty\",\n    \"attributes\": {\n      \"recipient\": \"string\",\n      \"recipient_id\": \"string\",\n      \"amount\": 0,\n      \"reference\": \"string\",\n      \"title\": \"string\",\n      \"currency\": \"USD\",\n      \"severity_rating\": \"none\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/bounties',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"bounty\",\n    \"attributes\": {\n      \"recipient\": \"string\",\n      \"recipient_id\": \"string\",\n      \"amount\": 0,\n      \"reference\": \"string\",\n      \"title\": \"string\",\n      \"currency\": \"USD\",\n      \"severity_rating\": \"none\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/bounties", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

bounty awarded

{
  "data": {
    "id": "1",
    "type": "bounty",
    "attributes": {
      "amount": "100.00",
      "bonus_amount": "0.00",
      "awarded_amount": "100.00",
      "awarded_bonus_amount": "0.00",
      "awarded_currency": "USD",
      "created_at": "2017-02-14T23:07:24.252Z"
    },
    "relationships": {
      "report": {
        "data": {
          "id": "1337",
          "type": "report",
          "attributes": {
            "title": "XSS in login form",
            "state": "new",
            "created_at": "2016-02-02T04:05:06.000Z",
            "vulnerability_information": "...",
            "triaged_at": null,
            "closed_at": null,
            "last_reporter_activity_at": null,
            "first_program_activity_at": null,
            "last_program_activity_at": null,
            "bounty_awarded_at": null,
            "swag_awarded_at": null,
            "disclosed_at": null,
            "last_public_activity_at": null,
            "last_activity_at": null,
            "issue_tracker_reference_url": "https://example.com/reference",
            "cve_ids": [],
            "source": null,
            "reporter_agreed_on_going_public_at": null
          }
        }
      },
      "invitations": [
        {
          "id": "10",
          "recipient": "hacker@hackerone.com",
          "claim_url": "https://hackerone.com/invitations/3fe0a8badea0023c2fcca5c860d5899e"
        }
      ]
    }
  }
}

Last revised: 2023-09-07

POST /programs/{id}/bounties

Use this endpoint to award a bounty. When the API call is successful, a bounty object will be returned.

Required permissions: Reward Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
data body object true The information required to create a bounty.
» type body string true none
» attributes body object true none
»» recipient body string false The email address of the recipient.
»» recipient_id body string false The id of the recipient.
»» amount body number true The bounty amount to be awarded.
»» reference body string true An internal reference attached to the report that makes searching or filtering in the future easy.
»» title body string true The title of the security vulnerability that was reported to you.
»» currency body string true none
»» severity_rating body severity-ratings false The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score.

Detailed descriptions

»» recipient: The email address of the recipient.

When the email address is provided, an email will be sent to the recipient to claim the bounty. When the email address is not provided, you can use the claim URL in the response to notify the recipient yourself. When the user does not have an account yet with HackerOne, they'll be onboarded before they can claim the reward. Users that already have an account, will benefit from collecting the payout easily through HackerOne and will get additional reputation points to showcase on their HackerOne profile.

»» recipient_id: The id of the recipient.

When the recipient_id is provided, an email will be sent to the recipient to claim the bounty. If both recipient and recipient_id provided then recipient attribute has a higher priority. If non of attributes provided then email won't be sent.

Enumerated Values

Parameter Value
» type bounty
»» currency USD
»» severity_rating none
»» severity_rating low
»» severity_rating medium
»» severity_rating high
»» severity_rating critical

Get Common Responses

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/common_responses" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/common_responses',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/common_responses',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/common_responses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/common_responses',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/common_responses", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

reporters found

{
  "data": [
    {
      "id": "108878",
      "attributes": {
        "title": "Vulnerability Scanner False Positive",
        "message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please reply if you have a working proof-of-concept or reason to believe that this issue is exploitable.\n"
      }
    },
    {
      "id": "108886",
      "attributes": {
        "title": "X-XSS-Protection",
        "message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. In this specific case, we believe that the default state of the `X-XSS-Protection` header is sufficient for our purposes. Please reply if you have a working proof-of-concept that could be mitigated by an adjustment to our header.\n"
      }
    },
    {
      "id": "108891",
      "attributes": {
        "title": "Video Without Content",
        "message": "Using a video to demonstrate a potential issue should only be necessary in rare situations and should always be accompanied with a text description of the issue as well. Please update this report with step-by-step instructions to reproduce the core components of the issue. If you don't speak English, feel free to leave your report in your own language, and we'll try our best to find someone who can help translate.\n"
      }
    }
  ],
  "links": {}
}

Last revised: 2023-09-07

GET /programs/{id}/common_responses

Common responses can be fetched by sending a GET request to the common responses endpoint. When the request is successful, the API will respond with paginated common responses.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Create a CVE Request

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/cve_requests" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "cve-request",
    "attributes": {
      "team_handle": "string",
      "versions": [
        {
          "vendor": "string",
          "product": "string",
          "func": "string",
          "version": "string",
          "versionType": "string",
          "affected": true
        }
      ],
      "metrics": [
        {
          "vectorString": "string"
        }
      ],
      "weakness_id": 0,
      "description": "string",
      "vulnerability_discovered_at": "2019-08-24T14:15:22Z"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "cve-request",
    "attributes": {
      "team_handle": "string",
      "versions": [
        {
          "vendor": "string",
          "product": "string",
          "func": "string",
          "version": "string",
          "versionType": "string",
          "affected": true
        }
      ],
      "metrics": [
        {
          "vectorString": "string"
        }
      ],
      "weakness_id": 0,
      "description": "string",
      "vulnerability_discovered_at": "2019-08-24T14:15:22Z"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/programs/{id}/cve_requests',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "cve-request",
    "attributes": {
      "team_handle": "string",
      "versions": [
        {
          "vendor": "string",
          "product": "string",
          "func": "string",
          "version": "string",
          "versionType": "string",
          "affected": true
        }
      ],
      "metrics": [
        {
          "vectorString": "string"
        }
      ],
      "weakness_id": 0,
      "description": "string",
      "vulnerability_discovered_at": "2019-08-24T14:15:22Z"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/programs/{id}/cve_requests',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/cve_requests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"cve-request\",\n    \"attributes\": {\n      \"team_handle\": \"string\",\n      \"versions\": [\n        {\n          \"vendor\": \"string\",\n          \"product\": \"string\",\n          \"func\": \"string\",\n          \"version\": \"string\",\n          \"versionType\": \"string\",\n          \"affected\": true\n        }\n      ],\n      \"metrics\": [\n        {\n          \"vectorString\": \"string\"\n        }\n      ],\n      \"weakness_id\": 0,\n      \"description\": \"string\",\n      \"vulnerability_discovered_at\": \"2019-08-24T14:15:22Z\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"cve-request\",\n    \"attributes\": {\n      \"team_handle\": \"string\",\n      \"versions\": [\n        {\n          \"vendor\": \"string\",\n          \"product\": \"string\",\n          \"func\": \"string\",\n          \"version\": \"string\",\n          \"versionType\": \"string\",\n          \"affected\": true\n        }\n      ],\n      \"metrics\": [\n        {\n          \"vectorString\": \"string\"\n        }\n      ],\n      \"weakness_id\": 0,\n      \"description\": \"string\",\n      \"vulnerability_discovered_at\": \"2019-08-24T14:15:22Z\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/cve_requests',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"cve-request\",\n    \"attributes\": {\n      \"team_handle\": \"string\",\n      \"versions\": [\n        {\n          \"vendor\": \"string\",\n          \"product\": \"string\",\n          \"func\": \"string\",\n          \"version\": \"string\",\n          \"versionType\": \"string\",\n          \"affected\": true\n        }\n      ],\n      \"metrics\": [\n        {\n          \"vectorString\": \"string\"\n        }\n      ],\n      \"weakness_id\": 0,\n      \"description\": \"string\",\n      \"vulnerability_discovered_at\": \"2019-08-24T14:15:22Z\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/cve_requests", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

CVE request created

{
  "id": "1337",
  "type": "cve-request",
  "attributes": {
    "request_type": "new",
    "versions": [
      {
        "func": "<",
        "vendor": "WidgetFactory",
        "product": "WidgetOne",
        "version": "1.0.0",
        "affected": true,
        "versionType": "semver"
      }
    ],
    "metrics": [
      {
        "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N"
      }
    ],
    "products": [
      "WidgetFactory WidgetOne"
    ],
    "description": "Insufficient URI encoding in WidgetOne before 1.0.0 allows attacker to inject arbitrary parameters into API requests.",
    "references": [],
    "report_id": null,
    "team_handle": "acme",
    "state": "draft",
    "vulnerability_discovered_at": "2024-01-20",
    "created_at": "2024-01-20T14:26:19.286Z",
    "updated_at": "2024-01-20T14:26:19.286Z",
    "weakness_name": "Improper Input Validation",
    "latest_state_change_reason": null,
    "cve_identifier": null,
    "auto_submit_on_publicly_disclosing_report": true
  }
}

Last revised: 2024-02-28

POST /programs/{id}/cve_requests

This API endpoint can be used to create a new CVE request. When the API call is successful, a cve_request object will be returned.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
data body object true The information to be requested from the hacker.
» type body string true none
» attributes body object true none
»» team_handle body string true The handle of the team.
»» versions body [object] true none
»»» vendor body string true The vendor of the version.
»»» product body string true The product of the version.
»»» func body string true The function of the version.
»»» version body string true The version.
»»» versionType body string true The type of the version.
»»» affected body boolean true Whether the version is affected or not.
»» metrics body [object] true none
»»» vectorString body string true The vector string.
»» weakness_id body integer true The ID of the weakness.
»» description body string true A description of the information required from the hackers to create a CVE request.
»» vulnerability_discovered_at body string(date-time) true The date when the vulnerability was discovered.

Enumerated Values

Parameter Value
» type cve-request

Get all CVE Requests

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/cve_requests" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/cve_requests',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/cve_requests',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/cve_requests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/cve_requests',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/cve_requests", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

CVE requests listed

{
  "id": "1337",
  "type": "cve-request",
  "attributes": {
    "request_type": "new",
    "versions": [
      {
        "func": "<",
        "vendor": "WidgetFactory",
        "product": "WidgetOne",
        "version": "1.0.0",
        "affected": true,
        "versionType": "semver"
      }
    ],
    "metrics": [
      {
        "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N"
      }
    ],
    "products": [
      "WidgetFactory WidgetOne"
    ],
    "description": "Insufficient URI encoding in WidgetOne before 1.0.0 allows attacker to inject arbitrary parameters into API requests.",
    "references": [],
    "report_id": null,
    "team_handle": "acme",
    "state": "draft",
    "vulnerability_discovered_at": "2024-01-20",
    "created_at": "2024-01-20T14:26:19.286Z",
    "updated_at": "2024-01-20T14:26:19.286Z",
    "weakness_name": "Improper Input Validation",
    "latest_state_change_reason": null,
    "cve_identifier": null,
    "auto_submit_on_publicly_disclosing_report": true
  }
}

Last revised: 2024-02-28

GET /programs/{id}/cve_requests

This API endpoint can be used to list all the CVE requests for a program. When the API call is successful, a list of cve_request objects will be returned.

Parameters

Name In Type Required Description
id path integer true The ID of the program.

Upload Policy Attachments

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy_attachments" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: multipart/form-data' \
  -H 'Accept: application/json' \
  -d @- <<EOD
null
EOD

import requests
headers = {
  'Content-Type': 'multipart/form-data',
  'Accept': 'application/json'
}

data = null

r = requests.post(
  'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'multipart/form-data',
  'Accept' => 'application/json'
}

data = null

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy_attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "null";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "null";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'multipart/form-data');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/policy_attachments',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"multipart/form-data"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"null"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/policy_attachments", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

attachment uploaded

{
  "id": "1337",
  "type": "attachment",
  "attributes": {
    "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
    "created_at": "2016-02-02T04:05:06.000Z",
    "file_name": "root.rb",
    "content_type": "text/x-ruby",
    "file_size": 2871
  }
}

Last revised: 2023-09-07

POST /programs/{id}/policy_attachments

Policy attachments can be uploaded by sending a POST request to the program policy attachments endpoint. When the API call is successful, an attachment object will be returned.

You can use the attachment ID to display the attachment on your policy page. For example, if the attachment ID is 1337, then include {F1337} in your policy to display the attachment.

Required permissions: Program Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.

Update Policy

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "program-policy",
    "attributes": {
      "policy": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "program-policy",
    "attributes": {
      "policy": "string"
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/programs/{id}/policy',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "program-policy",
    "attributes": {
      "policy": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/programs/{id}/policy',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"program-policy\",\n    \"attributes\": {\n      \"policy\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"program-policy\",\n    \"attributes\": {\n      \"policy\": \"string\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/policy',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"program-policy\",\n    \"attributes\": {\n      \"policy\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{id}/policy", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

Policy updated

{
  "data": {
    "id": "12",
    "type": "program",
    "attributes": {
      "handle": "security",
      "policy": "...",
      "created_at": "2013-01-01T00:00:00.000Z",
      "updated_at": "2019-08-26T13:53:24.807Z"
    }
  }
}

Last revised: 2023-09-07

PUT /programs/{id}/policy

Managing the policy of a program through the HackerOne API can be useful to programmatically batch update programs in HackerOne. You can use this endpoint to update the policy of your program.

Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
data body object true The information to update the policy of a program.
» type body string true none
» attributes body object true none
»» policy body string true The new policy that will be set on the program.

Enumerated Values

Parameter Value
» type program-policy

Get Reporters

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/reporters" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/reporters',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/reporters',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/reporters");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/reporters',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/reporters", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

reporters found

{
  "data": [
    {
      "id": "1337",
      "type": "user",
      "attributes": {
        "username": "awesome-hacker",
        "name": "Awesome Hacker",
        "disabled": false,
        "created_at": "2016-02-02T04:05:06.000Z",
        "profile_picture": {
          "62x62": "/assets/avatars/default.png",
          "82x82": "/assets/avatars/default.png",
          "110x110": "/assets/avatars/default.png",
          "260x260": "/assets/avatars/default.png"
        }
      }
    }
  ],
  "links": {}
}

Last revised: 2023-09-07

GET /programs/{id}/reporters

This resource allows you to retrieve a list of all users that ever submitted a report to the program.

Multiple user objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated user objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Structured Scopes

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

structured scopes found

{
  "data": [
    {
      "id": "57",
      "type": "structured-scope",
      "attributes": {
        "asset_identifier": "api.example.com",
        "asset_type": "URL",
        "confidentiality_requirement": "high",
        "integrity_requirement": "high",
        "availability_requirement": "high",
        "max_severity": "critical",
        "created_at": "2015-02-02T04:05:06.000Z",
        "updated_at": "2016-05-02T04:05:06.000Z",
        "instruction": null,
        "eligible_for_bounty": true,
        "eligible_for_submission": true,
        "reference": "H001001"
      }
    },
    {
      "id": "58",
      "type": "structured-scope",
      "attributes": {
        "asset_identifier": "www.example.com",
        "asset_type": "URL",
        "confidentiality_requirement": "low",
        "integrity_requirement": "high",
        "availability_requirement": "high",
        "max_severity": "critical",
        "created_at": "2017-02-03T04:05:10.000Z",
        "updated_at": "2018-05-02T04:05:10.000Z",
        "instruction": "Instruction text",
        "eligible_for_bounty": true,
        "eligible_for_submission": true,
        "reference": "H001002"
      }
    }
  ],
  "links": {}
}

Last revised: 2024-04-05

GET /programs/{id}/structured_scopes

Structured scopes can be fetched by sending a GET request to the structured scopes endpoint. When the request is successful, the API will respond with paginated structured scope objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program. You can find the program ID by fetching your programs.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Add Structured Scope

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "asset_type": "CIDR",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "asset_type": "CIDR",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "asset_type": "CIDR",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"asset_type\": \"CIDR\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"asset_type\": \"CIDR\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"asset_type\": \"CIDR\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

structured scope created

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "URL",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

Last revised: 2024-04-05

POST /programs/{id}/structured_scopes

This endpoint can be used to add an asset to a program. When the API request is successful, a structured scope object will be returned. Please refer to our platform documentation to get more information on the different asset types.

Parameters

Name In Type Required Description
id path integer true The ID of the program. You can find the program ID by fetching your programs.
data body object true The information to create a structured scope.
» type body string true none
» attributes body object true none
»» asset_identifier body string true The identifier of the asset.
»» asset_type body string true The type of asset.
»» eligible_for_bounty body boolean false The eligibility of the asset for bounties.
»» eligible_for_submission body boolean false If the asset is eligible for submission.
»» instruction body string false The raw instruction of the asset provided by the program. Markdown is not parsed.
»» confidentiality_requirement body string false A CVSS environmental modifier that reweighs Confidentiality Impact of a vulnerability on the asset.
»» integrity_requirement body string false A CVSS environmental modifier that reweighs Integrity Impact of a vulnerability on the asset.
»» availability_requirement body string false A CVSS environmental modifier that reweighs Availability Impact of a vulnerability on the asset.
»» max_severity body severity-ratings false The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score.
»» reference body string false The customer defined reference identifier or tag of the asset.

Enumerated Values

Parameter Value
» type structured-scope
»» asset_type CIDR
»» asset_type URL
»» asset_type APPLE_STORE_APP_ID
»» asset_type TESTFLIGHT
»» asset_type OTHER_IPA
»» asset_type GOOGLE_PLAY_APP_ID
»» asset_type OTHER_APK
»» asset_type WINDOWS_APP_STORE_APP_ID
»» asset_type SOURCE_CODE
»» asset_type DOWNLOADABLE_EXECUTABLES
»» asset_type HARDWARE
»» asset_type OTHER
»» asset_type SMART_CONTRACT
»» asset_type WILDCARD
»» asset_type IP_ADDRESS
»» asset_type AI_MODEL
»» asset_type API
»» confidentiality_requirement none
»» confidentiality_requirement low
»» confidentiality_requirement medium
»» confidentiality_requirement high
»» integrity_requirement none
»» integrity_requirement low
»» integrity_requirement medium
»» integrity_requirement high
»» availability_requirement none
»» availability_requirement low
»» availability_requirement medium
»» availability_requirement high
»» max_severity none
»» max_severity low
»» max_severity medium
»» max_severity high
»» max_severity critical

Update Structured Scope

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
  -X PUT \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

structured scope updated

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "URL",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

Last revised: 2024-04-05

PUT /programs/{program_id}/structured_scopes/{id}

This endpoint can be used to update an asset of a program. When the API request is successful, a structured scope object will be returned.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
id path integer true The ID of the structured scope.
data body object true The information to update a structured scope.
» type body string true none
» attributes body object true none
»» asset_identifier body string true The identifier of the asset.
»» eligible_for_bounty body boolean false If the asset is eligible for bounty.
»» eligible_for_submission body boolean false If the asset is eligible for submission.
»» instruction body string false The raw instruction of the asset provided by the program (markdown is not parsed).
»» confidentiality_requirement body string false A CVSS environmental modifier that reweighs Confidentiality Impact of a vulnerability on the asset.
»» integrity_requirement body string false A CVSS environmental modifier that reweighs Integrity Impact of a vulnerability on the asset.
»» availability_requirement body string false A CVSS environmental modifier that reweighs Availability Impact of a vulnerability on the asset.
»» max_severity body severity-ratings false The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score.
»» reference body string false The customer defined reference identifier or tag of the asset.

Enumerated Values

Parameter Value
» type structured-scope
»» confidentiality_requirement none
»» confidentiality_requirement low
»» confidentiality_requirement medium
»» confidentiality_requirement high
»» integrity_requirement none
»» integrity_requirement low
»» integrity_requirement medium
»» integrity_requirement high
»» availability_requirement none
»» availability_requirement low
»» availability_requirement medium
»» availability_requirement high
»» max_severity none
»» max_severity low
»» max_severity medium
»» max_severity high
»» max_severity critical

Archive Structured Scope

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
  -X DELETE \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client