{"openapi":"3.1.0","info":{"title":"security.txt API","version":"1.0.0","description":"Fetch and parse any domain's RFC 9116 security.txt — the machine-readable file at /.well-known/security.txt that tells security researchers how to report vulnerabilities. Pass a domain and the service locates the file (the canonical .well-known path with a legacy root fallback), parses every field — Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy, Hiring and CSAF — and reports whether it is valid (has at least one Contact and a single, non-expired Expires), whether it is PGP-signed, whether it has expired (with the number of days remaining) and a list of issues with concrete advice. A companion endpoint returns the raw file. The request is made server-side; private and internal targets are refused (SSRF-guarded). Built for security audits, vendor and third-party risk assessment, attack-surface reviews and vulnerability-disclosure-policy compliance checks. A security.txt parser and validator — distinct from the HTTP security-header grader (secheaders), the SSL/TLS certificate check (sslcheck) and host reachability (hostcheck). No upstream key, no cache.","contact":{"name":"PremiumApi","url":"https://www.oanor.com/by/premiumapi"}},"servers":[{"url":"https://api.oanor.com/securitytxt-api","description":"oanor gateway"}],"tags":[{"name":"security.txt"},{"name":"Meta"}],"components":{"securitySchemes":{"oanorKey":{"type":"apiKey","in":"header","name":"x-oanor-key","description":"Get your key at https://www.oanor.com/developer/keys"}}},"security":[{"oanorKey":[]}],"paths":{"/v1/check":{"get":{"operationId":"get_v1_check","tags":["security.txt"],"summary":"Parse & validate a domain's security.txt","description":"","parameters":[{"name":"url","in":"query","required":true,"description":"Domain or URL","schema":{"type":"string"},"example":"google.com"}],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"found":true,"valid":true,"domain":"google.com","fields":{"csaf":[],"hiring":["https://g.co/SecurityPrivacyEngJobs"],"policy":["https://g.co/vrp"],"contact":["https://g.co/vulnz","mailto:security@google.com"],"expires":"2030-04-01T00:00:00z","canonical":[],"encryption":["https://services.google.com/corporate/publickey.txt"],"acknowledgments":["https://bughunters.google.com/"]},"issues":["no Canonical field (recommended)","not PGP-signed (recommended, not required)"],"signed":false,"expired":false,"location":"https://google.com/.well-known/security.txt","expires_in_days":1399},"meta":{"timestamp":"2026-06-01T23:40:50.817Z","request_id":"9dbf6860-2787-48ed-bdee-5bf14a5ca2b0"},"status":"ok","message":"security.txt checked","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}},"/v1/raw":{"get":{"operationId":"get_v1_raw","tags":["security.txt"],"summary":"Raw security.txt content","description":"","parameters":[{"name":"url","in":"query","required":true,"description":"Domain or URL","schema":{"type":"string"},"example":"google.com"}],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"domain":"google.com","content":"Contact: https://g.co/vulnz\nContact: mailto:security@google.com\nEncryption: https://services.google.com/corporate/publickey.txt\nAcknowledgments: https://bughunters.google.com/\nPolicy: https://g.co/vrp\nHiring: https://g.co/SecurityPrivacyEngJobs\nExpires: 2030-04-01T00:00:00z\n","location":"https://google.com/.well-known/security.txt","content_type":"text/plain"},"meta":{"timestamp":"2026-06-01T23:40:50.970Z","request_id":"86ace3f8-0f3d-4b01-a62f-b176a4d6fe23"},"status":"ok","message":"security.txt retrieved","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}},"/v1/meta":{"get":{"operationId":"get_v1_meta","tags":["Meta"],"summary":"RFC 9116 fields & locations","description":"","parameters":[],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"note":"Fetch and parse a domain's RFC 9116 security.txt — the machine-readable file at /.well-known/security.txt that tells security researchers how to report vulnerabilities. /v1/check?url=google.com locates the file (canonical .well-known path with legacy root fallback), parses every field (Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy, Hiring, CSAF), and reports whether it is valid (has a Contact and a single non-expired Expires), whether it is PGP-signed, whether it has expired (with days remaining) and a list of issues with advice. /v1/raw returns the raw file. The request is made server-side; private/internal targets are refused (SSRF-guarded). Ideal for security audits, vendor-assessment, attack-surface reviews and disclosure-policy compliance checks. A security.txt parser/validator — distinct from the HTTP security-header grader (secheaders), the SSL/TLS certificate check (sslcheck) and host reachability (hostcheck). No key, no cache.","spec":"RFC 9116 (security.txt)","fields":["Contact (required, repeatable)","Expires (required)","Encryption","Acknowledgments","Preferred-Languages","Canonical","Policy","Hiring","CSAF"],"endpoints":["/v1/check","/v1/raw","/v1/meta"],"locations":["/.well-known/security.txt","/security.txt (legacy)"]},"meta":{"timestamp":"2026-06-01T23:40:51.072Z","request_id":"3aeaeed6-67ac-4d16-a683-0ea2a68d94e5"},"status":"ok","message":"Meta retrieved","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}}},"x-oanor-pricing":[{"slug":"free","name":"Free","price_cents_month":0,"monthly_call_quota":2400,"rps_limit":2,"hard_limit":true},{"slug":"starter","name":"Starter","price_cents_month":695,"monthly_call_quota":48000,"rps_limit":8,"hard_limit":true},{"slug":"pro","name":"Pro","price_cents_month":2180,"monthly_call_quota":244000,"rps_limit":20,"hard_limit":true},{"slug":"mega","name":"Mega","price_cents_month":5750,"monthly_call_quota":888000,"rps_limit":50,"hard_limit":true}],"x-oanor-marketplace-url":"https://www.oanor.com/api/securitytxt-api"}