Getting Started Hacker API
The HackerOne Hacker API can be used to query or update information about reports, programs, bounties, and earnings.
The API always returns a JSON response and implements REST to access resources. The API can only be accessed over HTTPS and is compliant with the JSON API specification.
API tokens can be generated from your Settings if you’re already using the HackerOne Professional, Community, or Enterprise edition. If you're unable to generate an API token, please contact support.
To get started with the HackerOne API:
- Generate an API Token.
- Go to Hacker Resources and choose the endpoint you want to pull information from.
- Copy the curl command for the endpoint.
- Paste the curl command in an editor.
- Edit the curl code with your own information.
- Paste the code into your terminal or the program you normally use to run the API call.
curl "https://api.hackerone.com/v1/hackers/reports/129329" \ -u "<YOUR_USERNAME>:<YOUR_API_TOKEN>"
Replace the example credentials in the example above with your own.
HTTP Basic authentication is used to authenticate to the API. As an user, you can generate and manage API Tokens from your API settings page. The API Token identifier and value are used as the username and password for basic authentication and must be sent in the Authorization header for every request.
If an invalid token is provided, the server will respond with a 401 Unauthorized response. See the error codes section for more information how these errors are returned.
To ensure a pleasant platform experience for all our users, we have implemented several rate limits in our API. Hackers who send too many requests may see an error show up with the status code: 429. We have the following rate limits in place:
- Read operations: 600 requests per minute.
- Write operations: 25 requests per 20 seconds.
|400||Bad Request||Request does not conform with the specification. Please see the endpoint's documentation for further instructions.|
|401||Unauthorized||The client sent a request without any form to identification. More information about this error can be found in the Authentication section.|
|403||Forbidden||The API token does not grant the client access to perform this action. This can happen in case where the client requests a resource that belongs to another program or account.|
|404||Not Found||The requested resource is not found. The client might be using outdated information to identify the resource.|
|422||Unprocessable Entity||The server understands the content type of the request entity, and the syntax of the request entity is correct, but it was unable to process the contained instructions.|
|429||Too Many Requests||The client sent too many requests, please review our rate limits to make sure you're not sending more requests than the limit indicates.|
|500||Internal Server Error||This means that there's an error on our side. Our engineering team is notified of these errors, so we try to come up with a solution as soon as possible. If the error persists, please contact email@example.com.|
|503||Service Unavailable||Seems like our servers are offline. You can check our server status at www.hackeronestatus.com.|
The entire API uses a global version. For every backwards-incompatible change, the version is bumped. There is no default version, so the requested version must be specified in the resource URL.
Introducing new attributes or resources are not considered backwards-incompatible and can be added to the latest stable version at any time.
November 4, 2022: Added endpoint to create asset enrichment submissions.
October 31, 2022: Added endpoint to bulk create hacker asset submissions.
July 15, 2021: Global release of the Hacker API.
We strive to build the best API possible to help you fulfill your API use cases. If you have any questions or feedback, feel free to reach out to us using this form.