# security.txt API
> Fetch and parse any domain's RFC 9116 security.txt — the machine-readable file at /.well-known/security.txt that tells security researchers how to report vulnerabilities. Pass a domain and the service locates the file (the canonical .well-known path with a legacy root fallback), parses every field — Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy, Hiring and CSAF — and reports whether it is valid (has at least one Contact and a single, non-expired Expires), whether it is PGP-signed, whether it has expired (with the number of days remaining) and a list of issues with concrete advice. A companion endpoint returns the raw file. The request is made server-side; private and internal targets are refused (SSRF-guarded). Built for security audits, vendor and third-party risk assessment, attack-surface reviews and vulnerability-disclosure-policy compliance checks. A security.txt parser and validator — distinct from the HTTP security-header grader (secheaders), the SSL/TLS certificate check (sslcheck) and host reachability (hostcheck). No upstream key, no cache.

## Authentication
All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys.

```bash
curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/securitytxt-api/..."
```

## Pricing
- **Free** (Free) — 2,400 calls/Mo, 2 req/s
- **Starter** ($7/Mo) — 48,000 calls/Mo, 8 req/s
- **Pro** ($22/Mo) — 244,000 calls/Mo, 20 req/s
- **Mega** ($58/Mo) — 888,000 calls/Mo, 50 req/s

## Endpoints

### security.txt

#### `GET /v1/check` — Parse & validate a domain's security.txt

**Parameters:**
- `url` (query, required, string) — Domain or URL. Example: `google.com`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/securitytxt-api/v1/check?url=google.com"
```

**Response:**
```json
{
    "data": {
        "found": true,
        "valid": true,
        "domain": "google.com",
        "fields": {
            "csaf": [],
            "hiring": [
                "https://g.co/SecurityPrivacyEngJobs"
            ],
            "policy": [
                "https://g.co/vrp"
            ],
            "contact": [
                "https://g.co/vulnz",
                "mailto:security@google.com"
            ],
            "expires": "2030-04-01T00:00:00z",
            "canonical": [],
            "encryption": [
                "https://services.google.com/corporate/publickey.txt"
            ],
            "acknowledgments": [
                "https://bughunters.google.com/"
            ],
            "preferred_languages": null
        },
        "issues": [
            "no Canonical field (recommended)",
            "not PGP-signed (recommended, not required)"
        ],
        "signed": false,
        "expired": false,
        "location": "https://google.com/.well-known/security.txt",
        "expires_in_days": 1399
    },
    "meta": {
        "timestamp": "2026-06-01T23:40:50.817Z",
        "request_id": "9dbf6860-2787-48ed-bdee-5bf14a5ca2b0"
    },
    "status": "ok",
    "message": "security.txt checked",
    "success": true
}
```

#### `GET /v1/raw` — Raw security.txt content

**Parameters:**
- `url` (query, required, string) — Domain or URL. Example: `google.com`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/securitytxt-api/v1/raw?url=google.com"
```

**Response:**
```json
{
    "data": {
        "domain": "google.com",
        "content": "Contact: https://g.co/vulnz\nContact: mailto:security@google.com\nEncryption: https://services.google.com/corporate/publickey.txt\nAcknowledgments: https://bughunters.google.com/\nPolicy: https://g.co/vrp\nHiring: https://g.co/SecurityPrivacyEngJobs\nExpires: 2030-04-01T00:00:00z\n",
        "location": "https://google.com/.well-known/security.txt",
        "content_type": "text/plain"
    },
    "meta": {
        "timestamp": "2026-06-01T23:40:50.970Z",
        "request_id": "86ace3f8-0f3d-4b01-a62f-b176a4d6fe23"
    },
    "status": "ok",
    "message": "security.txt retrieved",
    "success": true
}
```
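
The validity rule stated at the top of this page (at least one Contact, a single non-expired Expires) can be re-checked locally against the `content` string that `/v1/raw` returns. The block below is an added example, not the service's own implementation: `parse`, `check` and the issue wording other than the two strings shown in the `/v1/check` response are assumptions. The `signed` flag only detects the PGP cleartext header and does not verify the signature.

```python
from datetime import datetime, timezone

# Field names this page lists for security.txt, lower-cased.
KNOWN = {"contact", "expires", "encryption", "acknowledgments",
         "preferred-languages", "canonical", "policy", "hiring", "csaf"}
# The "content" value from the /v1/raw response shown above.
SAMPLE = ("Contact: https://g.co/vulnz\nContact: mailto:security@google.com\n"
          "Encryption: https://services.google.com/corporate/publickey.txt\n"
          "Acknowledgments: https://bughunters.google.com/\nPolicy: https://g.co/vrp\n"
          "Hiring: https://g.co/SecurityPrivacyEngJobs\nExpires: 2030-04-01T00:00:00z\n")

def parse(text):
    """Return ({field: [values]}, signed) from raw security.txt text."""
    lines = [l.strip() for l in text.splitlines()]
    signed = "-----BEGIN PGP SIGNED MESSAGE-----" in lines  # header only, unverified
    fields = {}
    for line in lines:
        name, sep, value = line.partition(":")
        # Comments, blank lines, PGP armor headers (Hash:, Version:) and
        # base64 signature lines never match a known field name.
        if sep and name.strip().lower() in KNOWN and value.strip():
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, signed

def check(text, now=None):
    """Apply the validity rule this page states to raw security.txt text."""
    now = now or datetime.now(timezone.utc)
    fields, signed = parse(text)
    issues, expired, days = [], None, None
    if not fields.get("contact"):
        issues.append("no Contact field (required)")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        issues.append(f"expected exactly one Expires field, found {len(expires)}")
    else:
        try:  # RFC 3339 timestamp; map a trailing z/Z to an explicit UTC offset
            stamp = expires[0][:-1] + "+00:00" if expires[0][-1] in "zZ" else expires[0]
            when = datetime.fromisoformat(stamp)
            when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
            expired, days = when <= now, (when - now).days
        except ValueError:
            issues.append("Expires is not a parseable timestamp")
    if expired:
        issues.append("Expires is in the past")
    if "canonical" not in fields:
        issues.append("no Canonical field (recommended)")
    if not signed:
        issues.append("not PGP-signed (recommended, not required)")
    valid = bool(fields.get("contact")) and expired is False
    return {"valid": valid, "signed": signed, "expired": expired,
            "expires_in_days": days, "issues": issues}
```

Passing the `meta.timestamp` of the `/v1/check` response as `now` reproduces that response's `valid`, `signed`, `expired`, `expires_in_days` and `issues` values for the sample content.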

### Meta

#### `GET /v1/meta` — RFC 9116 fields & locations

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/securitytxt-api/v1/meta"
```

**Response:**
```json
{
    "data": {
        "note": "Fetch and parse a domain's RFC 9116 security.txt — the machine-readable file at /.well-known/security.txt that tells security researchers how to report vulnerabilities. /v1/check?url=google.com locates the file (canonical .well-known path with legacy root fallback), parses every field (Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy, Hiring, CSAF), and reports whether it is valid (has a Contact and a single non-expired Expires), whether it is PGP-signed, whether it has expired (with days remaining) and a list of issues with advice. /v1/raw returns the raw file. The request is made server-side; private/internal targets are refused (SSRF-guarded). Ideal for security audits, vendor-assessment, attack-surface reviews and disclosure-policy compliance checks. A security.txt parser/validator — distinct from the HTTP security-header grader (secheaders), the SSL/TLS certificate check (sslcheck) and host reachability (hostcheck). No key, no cache.",
        "spec": "RFC 9116 (security.txt)",
        "fields": [
            "Contact (required, repeatable)",
            "Expires (required)",
            "Encryption",
            "Acknowledgments",
            "Preferred-Languages",
            "Canonical",
            "Policy",
            "Hiring",
            "CSAF"
        ],
        "endpoints": [
            "/v1/check",
            "/v1/raw",
            "/v1/meta"
        ],
        "locations": [
         
…(truncated, see openapi.json for full schema)
```


---
Marketplace page: https://www.oanor.com/api/securitytxt-api
OpenAPI spec: https://www.oanor.com/api/securitytxt-api/openapi.json
