Getting Started Hacker API

API Endpoint

https://api.hackerone.com/

The HackerOne Hacker API can be used to query or update information about reports, programs, bounties, and earnings.

The API always returns a JSON response and implements REST to access resources. The API can only be accessed over HTTPS and is compliant with the JSON API specification.

API tokens can be generated from your Settings if you’re already using the HackerOne Professional, Community, or Enterprise edition. If you're unable to generate an API token, please contact support.

To get started with the HackerOne API:

  1. Generate an API Token.
  2. Go to Hacker Resources and choose the endpoint you want to pull information from.
  3. Copy the curl command for the endpoint.
  4. Paste the curl command in an editor.
  5. Edit the curl code with your own information.
  6. Paste the code into your terminal or the program you normally use to run the API call.

Authentication

cURL example

  curl "https://api.hackerone.com/v1/hackers/reports/129329" \
    -u "<YOUR_USERNAME>:<YOUR_API_TOKEN>"

Replace the example credentials in the example above with your own.

HTTP Basic authentication is used to authenticate to the API. As a user, you can generate and manage API Tokens from your API settings page. The API Token identifier and value are used as the username and password for basic authentication and must be sent in the Authorization header for every request.

If an invalid token is provided, the server will respond with a 401 Unauthorized response. See the error codes section for more information on how these errors are returned.

Rate Limits

To ensure a pleasant platform experience for all our users, we have implemented several rate limits in our API. Hackers who send too many requests may see an error show up with the status code: 429. We have the following rate limits in place:

Error Responses

| Error Code | Meaning | Description |
|---|---|---|
| 400 | Bad Request | Request does not conform with the specification. Please see the endpoint's documentation for further instructions. |
| 401 | Unauthorized | The client sent a request without any form of identification. More information about this error can be found in the Authentication section. |
| 403 | Forbidden | The API token does not grant the client access to perform this action. This can happen in cases where the client requests a resource that belongs to another program or account. |
| 404 | Not Found | The requested resource is not found. The client might be using outdated information to identify the resource. |
| 406 | Not Acceptable | This error is returned when the client requests our API to respond in a format that we haven't implemented yet. The current version of the API only supports responses to be returned when the client requests application/javascript. The good news is that most clients do this by default, so you shouldn't see this error very often. |
| 422 | Unprocessable Entity | The server understands the content type of the request entity, and the syntax of the request entity is correct, but it was unable to process the contained instructions. |
| 429 | Too Many Requests | The client sent too many requests. Please review our rate limits to make sure you're not sending more requests than the limit indicates. |
| 500 | Internal Server Error | This means that there's an error on our side. Our engineering team is notified of these errors, so we try to come up with a solution as soon as possible. If the error persists, please contact https://support.hackerone.com/ |
| 503 | Service Unavailable | Seems like our servers are offline. You can check our server status at www.hackeronestatus.com. |
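
The following is an added example, not HackerOne's own code, tying together the Authentication, Rate Limits and Error Responses sections: a POSIX shell wrapper around curl that feeds the credentials to curl on stdin instead of the command line and backs off when the API answers 429. The H1_* variables and h1_* function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not HackerOne's code. H1_USERNAME, H1_API_TOKEN, H1_MAX_TRIES
# and every h1_* function name are assumptions made for this sketch.
H1_BASE="https://api.hackerone.com"
H1_VERSION="v1"   # no default version exists, so it is always in the URL

# https://api.hackerone.com/{version}/hackers/{resource}
h1_url() { printf '%s/%s/hackers/%s\n' "$H1_BASE" "$H1_VERSION" "$1"; }

# Escape backslash and double quote for a quoted value in a curl config file.
h1_esc() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Credentials as a curl config line. Fed to curl on stdin (--config -), the
# token stays out of argv, so it is not visible in process listings.
h1_curl_config() { printf 'user = "%s:%s"\n' "$(h1_esc "$1")" "$(h1_esc "$2")"; }

# Map a status code from the Error Responses table to a client action.
# Treating 500 and 503 as retryable is this example's choice.
h1_action() {
  case "$1" in
    2??)         echo ok ;;
    429|500|503) echo retry ;;
    401|403)     echo check-token ;;
    *)           echo fail ;;
  esac
}

# GET a resource; body goes to $2 (default /dev/null). Backs off 2s, 4s, 8s...
h1_get() {
  url=$(h1_url "$1"); try=1; delay=2
  while [ "$try" -le "${H1_MAX_TRIES:-4}" ]; do
    status=$(h1_curl_config "$H1_USERNAME" "$H1_API_TOKEN" |
      curl --silent --config - --output "${2:-/dev/null}" \
           --write-out '%{http_code}' "$url")
    case "$(h1_action "$status")" in
      ok)    return 0 ;;
      retry) sleep "$delay"; delay=$((delay * 2)) ;;
      *)     echo "HTTP $status for $url" >&2; return 1 ;;
    esac
    try=$((try + 1))
  done
  echo "giving up on $url after $((try - 1)) tries" >&2
  return 1
}
```

With H1_USERNAME and H1_API_TOKEN exported from a secrets store rather than typed inline, `h1_get reports/129329 report.json` fetches the report used in the cURL example above.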

Versioning

URL structure

https://api.hackerone.com/{version}/hackers/{resource}

The entire API uses a global version. For every backwards-incompatible change, the version is bumped. There is no default version, so the requested version must be specified in the resource URL.

Introducing new attributes or resources is not considered backwards-incompatible, and they can be added to the latest stable version at any time.

Changelog

May 14, 2025: Fixed bug in Hacktivity endpoint which was causing the severity_rating, cve_ids and cwe attributes not to be returned.

January 14, 2025: Added policy attribute to Get Programs and Get Program resources.

March 19, 2024: Added program declarations for Programs.

March 1, 2024: Added endpoint for Hacktivity.

February 8, 2024: Make user field nullable in report-summary.

August 7, 2023: Added endpoint to get all structured scopes of a program.

November 4, 2022: Added endpoint to create asset enrichment submissions.

October 31, 2022: Added endpoint to bulk create hacker asset submissions.

July 15, 2021: Global release of the Hacker API.

Feedback

We strive to build the best API possible to help you fulfill your API use cases. If you have any questions or feedback, feel free to reach out to us using this form.
