Getting Started Hacker API

API Endpoint

The HackerOne Hacker API can be used to query or update information about reports, programs, bounties, and earnings.

The API always returns a JSON response and implements REST to access resources. The API can only be accessed over HTTPS and is compliant with the JSON API specification.

API tokens can be generated from your Settings if you’re already using the HackerOne Professional, Community, or Enterprise edition. If you're unable to generate an API token, please contact support

To get started with the HackerOne API:

  1. Generate an API Token.
  2. Go to Hacker Resources and choose the endpoint you want to pull information from.
  3. Copy the curl command for the endpoint.
  4. Paste the curl command in an editor.
  5. Edit the curl code with your own information.
  6. Paste the code into your terminal or the program you normally use to run the API call.


cURL example

  curl "" \

Replace the example credentials in the example above with your own.

HTTP Basic authentication is used to authenticate to the API. As an user, you can generate and manage API Tokens from your API settings page. The API Token identifier and value are used as the username and password for basic authentication and must be sent in the Authorization header for every request.

If an invalid token is provided, the server will respond with a 401 Unauthorized response. See the error codes section for more information how these errors are returned.

Rate Limits

To ensure a pleasant platform experience for all our users, we have implemented several rate limits in our API. Hackers who send too many requests may see an error show up with the status code: 429. We have the following rate limits in place:

Error Responses

Error Code Meaning Description
400 Bad Request Request does not conform with the specification. Please see the endpoint's documentation for further instructions.
401 Unauthorized The client sent a request without any form to identification. More information about this error can be found in the Authentication section.
403 Forbidden The API token does not grant the client access to perform this action. This can happen in case where the client requests a resource that belongs to another program or account.
404 Not Found The requested resource is not found. The client might be using outdated information to identify the resource.
406 Not Acceptable This error is returned when the client requests our API to respond in a format that we haven't implemented yet. The current version of the API only supports responses to be returned when the client requests application/javascript. The good news is that most clients do this by default, so you shouldn't see this error very often.
422 Unprocessable Entity The server understands the content type of the request entity, and the syntax of the request entity is correct, but it was unable to process the contained instructions.
429 Too Many Requests The client sent too many requests, please review our rate limits to make sure you're not sending more requests than the limit indicates.
500 Internal Server Error This means that there's an error on our side. Our engineering team is notified of these errors, so we try to come up with a solution as soon as possible. If the error persists, please contact
503 Service Unavailable Seems like our servers are offline. You can check our server status at


URL structure{version}/hackers/{resource}

The entire API uses a global version. For every backwards-incompatible change, the version is bumped. There is no default version, so the requested version must be specified in the resource URL.

Introducing new attributes or resources are not considered backwards-incompatible and can be added to the latest stable version at any time.


March 19, 2024: Added program declarations for Programs.

March 1, 2024: Added endpoint for Hacktivity.

February 8, 2024: Make user field nullable in report-summary.

August 7, 2023: Added endpoint to get all structured scopes of a program.

November 4, 2022: Added endpoint to create asset enrichment submissions.

October 31, 2022: Added endpoint to bulk create hacker asset submissions.

July 15, 2021: Global release of the Hacker API.


We strive to build the best API possible to help you fulfill your API use cases. If you have any questions or feedback, feel free to reach out to us using this form.