#security

40 APIs with this tag

Shentu API

Live on-chain data for Shentu (chain id shentu-2.2) — the security-focused Cosmos-SDK Layer-1 of the CertiK ecosystem, whose native token is CTK — served directly from public LCD/REST nodes with multi-node failover. The status endpoint returns the latest block height and time, chain id, the staking bond denom and the current minting inflation rate. The validators endpoint lists the active bonded validator set ranked by stake, each with its moniker, operator address, self-plus-delegated CTK, commission rate and jailed flag. The supply endpoint returns the total CTK supply, the amount bonded in staking and the resulting bonded ratio. The governance endpoint returns the most recent on-chain proposals with their id, title, status and voting window. Token amounts are converted from base micro-CTK (6 decimals) into whole CTK, and every figure is read live from the chain — nothing bundled or modelled — behind a short server-side cache with keep-warm so the feed stays fast and fresh. Ideal for staking dashboards, validator and delegator tooling, explorers, governance trackers and portfolio or analytics apps across the Cosmos and security-infrastructure ecosystem. Live keyless upstream. 5 endpoints.

api.oanor.com/shentu-api

Solana Program API

Inspect deployed Solana programs live from public Solana RPC — no key — and answer the question that matters most for safety: can this program still be changed, and by whom? For any program address it resolves the loader it runs under, whether it is executable, its on-chain ProgramData account, the upgrade authority (or that it has been made immutable / frozen), and the slot it was last deployed at. A batch endpoint audits up to twelve programs at once — perfect for checking the upgrade authority of every program a protocol depends on before you trust it — and a loaders endpoint documents Solana's program loaders. Distinct from balance, token and transaction APIs: this is the program and upgrade-authority layer that auditors, wallets and security tooling rely on to judge whether a Solana program is safe. Live from the chain; short cache only.

api.oanor.com/solanaprogram-api

Crypto Phishing Check API

Tell whether a domain is a known crypto phishing or scam site before a wallet or user connects to it — using MetaMask's canonical eth-phishing-detect blocklist, the same list that protects millions of MetaMask users, read keyless and live. It runs the real detection logic: an exact and subdomain match against the blocklist and allowlist, plus a Levenshtein fuzzy match against high-value lookalike targets to catch typosquats like "myetherwaliet.com" or "app-wallet-uniswap.org". Check a domain or URL for a verdict (blocked, allowed, fuzzy or unknown) with the reason, search the 190,000-entry blocklist, or read its stats. The dApp-connection safety layer every wallet, browser extension, Telegram bot and security tool needs to warn users before they sign. Live, lightly cached.

api.oanor.com/phishingcheck-api

Storage Slot API

Read any smart contract's raw EVM storage live via the chain's public JSON-RPC, decode each 32-byte word as an address, uint or bool, and resolve proxy implementation pointers across every common proxy standard — EIP-1967, EIP-1822/UUPS and the legacy OpenZeppelin/zeppelinos slot, plus beacon proxies. This is how you find out what a proxy actually points to, who its admin is, or what a contract is storing — even for unverified contracts where source and ABI are unavailable. Give it a chain and an address: read one slot, scan the first N slots to peek at the state layout, or auto-resolve the proxy implementation. The on-chain state-inspection layer for auditors, upgrade monitors and security tooling, across Ethereum, Base, Arbitrum, Optimism, BNB, Polygon and more. Live, short cache only.

api.oanor.com/storageslot-api

Contract Bytecode API

Fetch any smart contract's deployed EVM bytecode live from the chain's public JSON-RPC, disassemble it into human-readable opcodes, and extract the 4-byte function selectors from its dispatcher. Unlike source-verification or 4-byte directories, this works on ANY deployed contract — verified or not — so it reveals the raw on-chain logic of contracts nobody has published source for. Give it a chain and an address and get the runtime bytecode, a full offset-by-offset opcode disassembly (paged), and the detected function selectors. The reverse-engineering layer for auditors, MEV searchers and security tooling. Reads straight from the chain across Ethereum, Base, Arbitrum, Optimism, BNB, Polygon and more. Live, short cache only.

api.oanor.com/bytecode-api

Safe Multisig API

Inspect any Safe (formerly Gnosis Safe) multisig smart wallet, keyless. For any Safe address on any supported chain it returns the multisig configuration — the owner signers, the signature threshold (the M-of-N), the current nonce, the enabled modules, guard and contract version — and the Safe token balances (native + ERC-20, with symbols and amounts). The multisig-inspection layer for DAO treasuries, security, due-diligence, wallet and dashboard tooling. Live, nothing stored. Backed by the open Safe Transaction Service.

api.oanor.com/safe-api

Contract Verification API

Check whether any EVM smart contract source code is verified and pull its ABI, source files and deployment details, keyless. Give it a chain id and contract address and get the verification status (full / partial / not verified), the compiler and contract name, the deployment info (deployer, transaction, block), the contract ABI (the JSON interface every integration needs), and the verified Solidity source. Live, nothing stored. The contract-verification / ABI layer for security, due-diligence, block-explorer, wallet and dapp tooling — backed by the open Sourcify registry, distinct from price, TVL and chain-registry APIs.

api.oanor.com/contractverify-api

Token Approval Security API

Live audit of the token approvals (allowances) a crypto wallet has granted, and the risk of the contracts it has approved to spend its tokens — powered by the public GoPlus Security data, no key, nothing stored. Token approvals are the single most common way wallets get drained: once you approve a contract to move a token, a malicious or compromised spender can take it whenever it likes. This is the allowance-hygiene layer — the data behind tools like revoke.cash. The approvals endpoint lists every token a wallet has approved, who it approved (the spender contract), how much was approved and when, and whether that spender is flagged as malicious, trusted or unverified, together with a risk summary counting the dangerous approvals to revoke. The contract endpoint profiles a single spender contract before you approve it — its name, whether it is open-source, its creator, deploy time and risk tags. The chains endpoint lists the 40-plus supported blockchains. Catch wallet-draining allowances before they cost a user everything. This is the approval / allowance-risk cut — distinct from the token-contract-security, scam-detection and on-chain APIs in the catalogue.

api.oanor.com/approvalsecurity-api

Crypto Scam Check API

Live crypto scam, phishing and dApp-safety checks for the things a user actually clicks or buys — the consumer-protection layer, powered by the public GoPlus Security data, no key, nothing stored. Before you connect a wallet to a website, sign a transaction or mint an NFT, ask whether it is safe. The phishing endpoint checks whether a URL is a known crypto phishing site. The dapp endpoint returns a decentralized app's audit and trust status — its project name, whether it has been audited, whether GoPlus lists it as a trusted project, and the audit firms and dates. The nft endpoint scans an NFT collection contract for risk — whether it is verified or a fake, open-source or a proxy, whether the owner can mint, burn or move tokens without approval, whether the metadata is frozen, plus its item, holder and 24-hour trading-volume figures. Stop phishing sites, fake NFT collections and unaudited dApps before they cost a user their funds. This is the website / dApp / NFT scam-detection cut — distinct from the token-contract-and-wallet security, the historical-exploit database and the price APIs in the catalogue.

api.oanor.com/scamcheck-api

Token Security API

Live smart-contract risk and safety analysis for crypto tokens and wallet addresses — the on-chain due-diligence check to run before you buy a token or interact with an address, powered by the public GoPlus Security data, no key, nothing stored. The token endpoint scans an ERC-20-style contract on any supported chain and returns whether it is a honeypot, its buy and sell tax, whether it is mintable or has a hidden or privileged owner who can pause trading or take back ownership, whether it is open-source or a proxy, and its holder and LP-holder counts. The address endpoint screens a wallet address against twenty risk signals — cybercrime, money laundering, phishing, sanctions, stealing attacks, honeypot-related addresses and more — and reports exactly which, if any, are flagged. The chains endpoint lists the 40+ supported blockchains. Catch scam tokens, honeypots and tainted addresses before they cost you. This is the real-time contract-security and risk-screening cut of crypto — distinct from the historical exploit database, the price and the on-chain APIs in the catalogue.

api.oanor.com/tokensecurity-api

Crypto Hacks API

A live database of cryptocurrency and DeFi hacks, exploits and thefts — every major on-chain theft on record, powered by the public DeFiLlama hacks dataset, no key, nothing stored. Each incident carries the victim, the amount stolen in US dollars, the date, the attack technique (flash-loan oracle manipulation, reentrancy, private-key compromise, access-control exploit and more), a higher-level classification, the chain or chains involved, the target type (DeFi protocol, centralized exchange, bridge, wallet, token) and how much, if any, was later returned. The hacks endpoint returns the incident list newest-first, filterable by chain, technique, target type, classification, year and minimum loss. The biggest endpoint ranks the largest exploits of all time by dollars stolen — from the multi-billion-dollar bridge and exchange breaches down. The stats endpoint aggregates the whole dataset: total stolen, incident count, funds returned, and breakdowns by attack technique, chain, target type and year. This is the crypto-security and exploit-history cut — risk and post-mortem data distinct from the price, market, TVL, fees and on-chain APIs in the catalogue.

api.oanor.com/cryptohacks-api

Birthday Paradox API

Birthday-paradox and collision-probability maths as an API, computed locally and deterministically. The probability endpoint computes the chance that at least two of n people share a birthday among d equally likely days, P = 1 − Π(1 − i/d), evaluated in log space for accuracy — the famous result that just 23 people give about a 50.7 % chance, 50 people about 97 % and 70 people about 99.9 %. The people-needed endpoint inverts it: the smallest group size to reach a target probability (23 for 50 %, 57 for 99 %), with the √(2·d·ln(1/(1−p))) approximation. The collision endpoint generalises the birthday bound to any space — pass a number of buckets or a hash size in bits — and returns the collision probability P ≈ 1 − e^(−n²/2d), the rule behind hash collisions and UUID-uniqueness estimates, where a 50 % chance needs roughly 1.177·√d items. Days and buckets default to 365. Everything is computed locally and deterministically, so it is instant and private. Ideal for probability-education, security, cryptography, hashing, data-engineering and statistics app developers, collision-risk and birthday-problem tools, and teaching material. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This is the birthday/collision probability; for full distributions use a probability API.

api.oanor.com/birthdayparadox-api

CORS API

Build correct CORS response headers and evaluate preflight requests — without re-reading the spec every time. The headers endpoint turns a simple policy (allowed origins, methods, request headers, whether credentials are allowed, a preflight max-age and any exposed response headers) into the exact set of Access-Control-* headers to return, and it handles the parts people get wrong: you cannot combine a wildcard origin with credentials, so it reflects the specific request origin and adds Vary: Origin instead; it omits the allow-origin header when an origin is not on your list; and it warns when a configuration would not behave as expected. The check endpoint takes an incoming request — its Origin, the (requested) method and the Access-Control-Request-Headers — and tells you whether it would pass CORS, the precise reason if it fails, and the response headers you should send back. Everything is computed locally and deterministically, so it is instant and private. Ideal for API gateways and backends, edge and serverless functions, debugging browser CORS errors, and getting a security policy exactly right. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This builds and checks the headers; it does not make a cross-origin request — to inspect a live site's security headers use a security-headers API.

api.oanor.com/cors-api

Redact API

Detect and redact personally identifiable information (PII) in free text. It finds email addresses, phone numbers, credit-card numbers (Luhn-validated to cut false positives), IPv4 and IPv6 addresses, US Social Security numbers and IBANs, and masks each one — with a per-type label like [EMAIL], a fixed replacement string, or a single character repeated to the original length. A detect endpoint returns every match with its type and position without changing the text. Perfect for scrubbing logs and support transcripts, sanitising data before sharing or sending to a third party, and privacy and compliance pre-checks. Pure local computation — text never leaves the server, no key, no third party, instant; up to 200,000 characters via POST. Live, nothing stored. 3 endpoints. Regex-based and best-effort — review before relying on it for legal compliance. Distinct from sentiment, profanity and general text tooling.

api.oanor.com/redact-api

Escape API

Escape a string so it is safe to drop into a specific context. Pick a target — a regular expression (so the text matches literally), a shell command (POSIX single-quote wrapping), a JSON string, a CSV field (RFC 4180 quoting) or a SQL string literal — and get back the correctly escaped value, plus a short note on the rule applied. The contexts endpoint lists every target with a worked example. Perfect for code generation, building commands and queries, templating and data export, and safely interpolating user input. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. The SQL context is a quoted literal for convenience, not a replacement for parameterised queries. Distinct from base64/hex/URL/HTML-entity encoders.

api.oanor.com/escape-api

Key Pair API

Generate cryptographic key pairs on demand — RSA (2048/3072/4096), elliptic-curve (P-256, P-384, P-521, secp256k1), Ed25519 and Ed448 — returned as PEM (SPKI public key, PKCS#8 private key) and, optionally, as JWK. Perfect for spinning up JWT/JWS signing keys, TLS and SSH experiments, test fixtures and demos. Pure local generation with Node's crypto (no third-party service). Note: for development, testing and education — generate keys for production systems offline or in an HSM, never trust a remote API with real private keys. Live, nothing stored. 3 endpoints. Distinct from JWT signing, password generation and hashing.

api.oanor.com/keypair-api

HTML Sanitizer API

Make untrusted HTML safe to display. Send any HTML — a comment, a rich-text submission, a snippet from an email or a scraped page — and get back a clean, XSS-free version: <script> tags, inline event handlers (onclick, onerror), javascript: URLs, <iframe>, <style> and anything not on the allowlist are removed. Override the allowed tags and attributes to fit your needs, or drop links entirely. A strip endpoint returns plain text with all markup removed. Pure local sanitization — no key, no third-party service, instant. Live. 3 endpoints. Built for user-generated content, comment systems, rich-text editors, email rendering and any place untrusted HTML reaches a browser. Distinct from a Markdown renderer or an HTML data extractor.

api.oanor.com/htmlsanitize-api

File Type Detection API

Detect the true type of a file from its content — its magic bytes / binary signature — not from its name. Send a file by URL or base64 and get back the real extension and MIME type, recognising 100+ binary formats: images (PNG, JPEG, GIF, WebP, AVIF, HEIC), audio and video (MP3, MP4, WAV, FLAC, MKV), archives (ZIP, GZIP, 7z, RAR, TAR), documents (PDF, DOCX, XLSX), fonts and more. Optionally pass a filename to flag a spoofed extension (e.g. a PNG renamed to .txt). Text formats like TXT, CSV, JSON and SVG have no signature and return detected=false. Detection is local — no key, no third-party service. Live, nothing stored. 2 endpoints. Built for secure upload validation, anti-spoofing checks, content pipelines and forensics. Distinct from an extension-to-MIME lookup.

api.oanor.com/filetype-api

MTA-STS API

Inspect a domain's SMTP transport-security posture — whether mail servers are required to deliver inbound mail over authenticated TLS, protecting it from downgrade and man-in-the-middle attacks. Pass a domain and the service fetches the MTA-STS policy file from mta-sts.<domain>/.well-known/mta-sts.txt (its version, mode, the permitted MX hosts and max_age), the _mta-sts DNS TXT record (its policy id) and the _smtp._tls TLS-RPT record (the rua reporting address), then reports whether MTA-STS is actually enforced and a prioritised list of issues — no policy file, no DNS record, a mode of only "testing", or a missing TLS-RPT record. A second endpoint returns just the parsed policy file. The request is made server-side and private/internal targets are refused (SSRF-guarded). Built for email-deliverability and anti-downgrade-attack audits, vendor and third-party assessment, and compliance. An MTA-STS / TLS-RPT checker — the SMTP transport-security counterpart to the email-authentication analyzer (emailsec, which covers SPF, DKIM and DMARC), and distinct from raw DNS lookup (dns). No upstream key, no cache.

api.oanor.com/mtasts-api

OIDC Discovery API

Inspect any OpenID Connect / OAuth 2.0 provider. Pass an issuer (a domain, an issuer URL, or the full discovery URL) and the service fetches the provider's discovery document at /.well-known/openid-configuration, parses every endpoint — authorization, token, userinfo, jwks, registration, end-session, introspection, revocation and device-authorization — together with the supported scopes, response types, grant types, ID-token signing algorithms, PKCE methods and claims, then fetches the JWKS and summarises its signing keys (count, algorithms, key types and key IDs), and reports a validity check with any issues. A second endpoint fetches and summarises any JSON Web Key Set on its own. The request is made server-side and private/internal targets are refused (SSRF-guarded). Built for SSO and OAuth/OIDC integration, identity-provider configuration debugging (Auth0, Okta, Keycloak, Azure AD, Google), security review and monitoring of signing-key rotation. An OIDC discovery / JWKS inspector — distinct from the JWT toolkit (jwt), the security.txt parser (securitytxt) and the HTTP security-header grader (secheaders). No upstream key, no cache.

api.oanor.com/oidc-api

Subresource Integrity API

Generate Subresource Integrity (SRI) hashes for any web asset, so browsers can verify that a CDN-hosted script or stylesheet has not been tampered with. Pass a URL and the service fetches the asset and returns its sha256, sha384 and sha512 SRI hashes, the chosen integrity value (sha384 by default, or pass your preferred algorithm), the asset's size and content type, and a ready-to-paste <script> or <link> tag complete with the integrity and crossorigin attributes. A verify endpoint re-fetches the asset and tells you whether it still matches a known integrity string — catching silent CDN changes or supply-chain tampering before your users hit them. The request is made server-side; private and internal targets are refused (SSRF-guarded). Built for securing third-party scripts, supply-chain hardening, build pipelines and CSP/SRI compliance. A Subresource Integrity generator and verifier — distinct from raw cryptographic hashing of input data (hash), the HTTP security-header grader (secheaders) and the SSL/TLS certificate check (sslcheck). No upstream key, no cache.

api.oanor.com/sri-api

Vulnerability Intelligence API

Prioritise CVEs by real-world exploitation risk — not just severity. Combines the FIRST.org EPSS score (the probability, 0 to 1, that a CVE will be exploited in the next 30 days, with its percentile rank) and the CISA KEV catalog (vulnerabilities confirmed to be actively exploited in the wild — with the vendor, product, date added, remediation due date and whether the flaw is used in ransomware campaigns), and derives a single priority level for each CVE. Look up as many as 25 CVEs in one call, browse the full CISA Known Exploited Vulnerabilities catalog filtered by vendor, product or ransomware use, or list the CVEs with the highest current EPSS scores. Built for vulnerability management, patch prioritisation, risk scoring and security dashboards — answering not "how bad could this be?" but "how likely is it to actually be exploited?". A vulnerability-prioritisation layer — distinct from raw CVE details and CVSS severity (cve), password-breach checks (pwned) and the HTTP security-header grader (secheaders). Data live from FIRST.org and CISA. No upstream key, no cache.

api.oanor.com/vulnintel-api

Email Security API

Inspect any domain's email-authentication posture — its protection against spoofing and phishing — via live DNS. Pass a domain and the service looks up and validates SPF (the v=spf1 record, its all-qualifier and the 10-lookup limit), DMARC (the _dmarc policy p=none/quarantine/reject, plus sp, pct and rua/ruf reporting addresses), DKIM (probing the common selectors at selector._domainkey, or pass your own), BIMI and the MX servers — then returns an A+-to-F grade with a prioritised list of issues and concrete advice. A second endpoint parses the DMARC record tag by tag with a plain-English interpretation of the policy. Built for email-deliverability and anti-spoofing audits, vendor and third-party risk assessment, security onboarding and continuous monitoring. An email-authentication analyzer — distinct from mailbox/address validation (email), raw DNS record lookup (dns) and the HTTP security-header grader (secheaders). Pure live DNS, no upstream key, no cache.

api.oanor.com/emailsec-api

security.txt API

Fetch and parse any domain's RFC 9116 security.txt — the machine-readable file at /.well-known/security.txt that tells security researchers how to report vulnerabilities. Pass a domain and the service locates the file (the canonical .well-known path with a legacy root fallback), parses every field — Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy, Hiring and CSAF — and reports whether it is valid (has at least one Contact and a single, non-expired Expires), whether it is PGP-signed, whether it has expired (with the number of days remaining) and a list of issues with concrete advice. A companion endpoint returns the raw file. The request is made server-side; private and internal targets are refused (SSRF-guarded). Built for security audits, vendor and third-party risk assessment, attack-surface reviews and vulnerability-disclosure-policy compliance checks. A security.txt parser and validator — distinct from the HTTP security-header grader (secheaders), the SSL/TLS certificate check (sslcheck) and host reachability (hostcheck). No upstream key, no cache.

api.oanor.com/securitytxt-api

Security Headers API

Fetch any URL and analyse its HTTP response security headers — grading the site A+ to F the way securityheaders.com and Mozilla Observatory do. Pass a URL and the service makes the request server-side (following redirects), then reports which protective headers are present, which are missing (with concrete remediation advice) and which response headers leak information. Graded headers include Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy; information-leak headers include Server and X-Powered-By. A companion endpoint returns every raw response header. Private and internal targets are refused (SSRF-guarded). Built for security audits, CI/CD security gates, attack-surface reviews and compliance checks. A security-header grader — distinct from the SSL/TLS certificate check (sslcheck), host reachability (hostcheck), the IANA HTTP status-code reference (http) and the on-page SEO audit (seo). No upstream key, no cache.

api.oanor.com/secheaders-api

Tor Network API

Look up the live Tor network as an API — powered by the Tor Project's official Onionoo service and the canonical bulk exit-node list. Check whether any IPv4 or IPv6 address is a Tor relay (is_tor_relay) and whether it is an exit node that clients leave the network through (is_exit_node, corroborated against the bulk exit list), returning the full matching relay record(s): nickname, fingerprint, flags, country, autonomous system, advertised bandwidth, exit-policy summary and first/last-seen dates. Or search the public relay list by nickname, fingerprint, IP, country or flag (Exit, Guard, Fast, Stable…) with paging. Built for fraud and abuse triage, login-risk scoring, comment- and registration-filtering, and network research — knowing at a glance whether a connection originates from the Tor network. Range data is fetched live from the Tor Project, so it is always current. A Tor-network lookup — distinct from cloud/CDN attribution (cloudips), IP geolocation (ipgeo), ASN/BGP ownership (asn, ripestat) and open-port exposure (internetdb). No upstream key, no cache.

api.oanor.com/tor-api

Cloud & CDN IP Ranges API

Attribute any IP address to the cloud provider, CDN, region and service that owns it — from the official, publicly-published IP-range lists of AWS, Google Cloud, Cloudflare, Oracle Cloud (OCI), Fastly and GitHub. Pass an IPv4 or IPv6 address and get every matching prefix with its provider, region/scope and service, plus an is_cloud flag that tells you at a glance whether the address belongs to a known cloud or CDN — or list a single provider's published ranges, filtered by region, service and IP version. Built for firewall allow-lists, abuse and fraud triage, bot and egress classification, SSRF defence and knowing whether inbound or outbound traffic originates from a cloud or CDN. Range data is fetched live from each provider's canonical public list, so it is always current. A cloud/CDN IP-attribution service — distinct from IP geolocation (ipgeo), ASN/BGP ownership (asn, ripestat), open-port exposure (internetdb) and the IANA port/protocol registries (netports, ipprotocols). No upstream key, no cache.

api.oanor.com/cloudips-api

IP Exposure API

See what any host exposes to the internet — as an API over Shodan's free InternetDB. Give it an IPv4/IPv6 address (or a hostname, which is resolved to its IP) and get that host's attack surface: the open ports (annotated with common service names), the products and technologies detected on it (CPEs), its reverse hostnames, Shodan's classification tags, and the known vulnerabilities (CVE identifiers) observed on its services. A dedicated vulnerabilities view returns just the CVEs and whether the host appears vulnerable. It is fast, requires no key, and is built for security, asset-discovery, external attack-surface monitoring and reconnaissance workflows. A network-exposure / attack-surface resource — distinct from IP geolocation (where an address is), the IANA port registry (what a port number means) and CVE databases (what a vulnerability is). Data from Shodan InternetDB (free / non-commercial use).

api.oanor.com/internetdb-api

Password Breach Check API

Check whether a password has appeared in known data breaches — as an API over Have I Been Pwned's Pwned Passwords corpus (800+ million unique compromised passwords). It uses k-anonymity: only the first 5 characters of a password's SHA-1 hash are ever sent upstream, so the password itself never leaves in full. Pass a password (hashed in memory, never stored or logged — send it via POST so it never appears in a URL/log) or a SHA-1 hash to learn whether it has been breached and how many times; or fetch a raw k-anonymity range for a 5-character hash prefix and do the matching entirely on your own side for zero password exposure. Screening sign-ups and password resets against breached-password lists is recommended by NIST 800-63b, and this makes it a one-call check. A breach / credential-security resource — distinct from password generators, cryptographic hashing and bcrypt. Open data from Have I Been Pwned (Troy Hunt), CC BY 4.0.

api.oanor.com/pwned-api

deps.dev API

Software supply-chain and dependency intelligence as an API, powered by deps.dev — Google's Open Source Insights service. Across six package ecosystems (npm, PyPI, Maven, Cargo, Go and NuGet) it answers the questions a registry cannot: what does installing this package actually pull in, and how healthy is the project behind it. List a package's published versions and its default version; read a specific version's declared licenses, the keys of any known security advisories, useful links (source repository, homepage, issue tracker) and related projects; resolve a version's complete TRANSITIVE dependency graph — the total dependency count, the direct dependencies and every transitive node with its exact resolved version and whether it is a direct or indirect dependency; and look up a source project's OpenSSF Scorecard — the overall security score plus per-check results for Maintained, Code-Review, Branch-Protection, Dangerous-Workflow, Vulnerabilities and more — alongside its stars, forks, open issues, license and homepage. For Go modules and Maven artifacts the package name is the full module path or group:artifact (URL-encoded automatically). Ideal for dependency auditing, software-bill-of-materials (SBOM) enrichment, supply-chain risk assessment and license-compliance tooling. Data from deps.dev (Google, CC-BY).

api.oanor.com/depsdev-api

OSV Vulnerabilities API

The Open Source Vulnerabilities database (OSV / osv.dev) as an API — the supply-chain security check for open-source dependencies. Scan any package version (PyPI, npm, Go, crates.io, Maven, NuGet, RubyGems, Packagist, Hex and more) and instantly learn whether it is affected by known vulnerabilities, with each advisory's severity, CVSS score, CVE aliases, CWE weakness and references; list every advisory ever published for a package; and look up a single advisory (GHSA, PYSEC, GO, RUSTSEC, CVE…) in full detail, including the affected packages and version ranges. Live from Google's official OSV.dev database, which aggregates GitHub Security Advisories, PyPA, RustSec, Go and many other sources. Ideal for dependency scanning, SBOM and supply-chain tooling, CI security gates and devsecops dashboards. Open data.

api.oanor.com/osv-api

SSL Certificate API

Check any website's SSL/TLS certificate as an API. Pass a domain and the service performs a live TLS handshake and returns the certificate's subject and issuer, the validity window, the exact number of days until it expires, whether it is currently valid and trusted by a standard CA chain, the negotiated TLS protocol, serial number, SHA-256 fingerprint, key size and the full list of Subject Alternative Names (SANs). A lean expiry endpoint returns a simple ok / expiring_soon / expired status, perfect for uptime and certificate-expiry monitoring, dashboards, CI checks and security tooling. Self-contained — no third-party service. IP addresses and internal hosts are not supported.

api.oanor.com/sslcheck-api

CVE Vulnerability API

Look up software vulnerabilities by their CVE identifier and get clean, structured details — title, description, CVSS score, severity and vector, CWE weakness types, affected vendors and products with version ranges, and reference links — plus search every CVE that affects a given vendor or product, and stream the most recently published CVEs. Sourced from the CIRCL CVE Search service over the official CVE Record 5.1 data and returned as tidy JSON through a fast, reliable API. Ideal for vulnerability management and SOC tooling, DevSecOps and SCA pipelines, security dashboards, compliance and asset-risk monitoring.

api.oanor.com/cve-api

Bcrypt API

Hash and verify passwords with bcrypt, server-side. Generate a salted bcrypt hash at a cost factor you choose (4–14), check a plaintext password against an existing hash, or inspect a hash to read its bcrypt version, cost factor and salt. Fully compatible with bcrypt hashes from PHP ($2y$), Node, Python and others, so you can verify and migrate existing credentials. Pure server-side computation with no third-party upstream, so it is always available — and it offloads the deliberately CPU-intensive hashing work from your own servers. Ideal for adding password authentication, credential migration, auth tooling, testing and no-code backends.

api.oanor.com/bcrypt-api

TOTP / 2FA API

Add and test two-factor authentication without wrangling a crypto library. Generate a fresh base32 secret with a ready-to-scan otpauth URI, compute the current time-based one-time code (RFC 6238), verify a code submitted by a user with an adjustable drift window, or build an otpauth:// URI for any secret. Supports SHA-1, SHA-256 and SHA-512, 6 to 8 digits and a custom period, and is fully compatible with Google Authenticator, Authy, 1Password and other authenticator apps. Pure server-side computation with no third-party upstream, so responses are instant and the service is always available. Ideal for adding 2FA to apps, authentication tooling, QA and testing, and no-code automation.

api.oanor.com/totp-api

JWT API

A fast, fully-local JSON Web Token toolkit: sign a JSON payload into a JWT, verify a token's signature (using a constant-time comparison) together with its exp and nbf claims, and decode a token's header and payload without verifying it. Supports the HMAC algorithms HS256, HS384 and HS512, and automatically adds the iat claim and an exp claim from expires_in. Built on Node crypto, and secrets are never logged, so responses are instant, private and always available. Every endpoint accepts input via the query string or the request body. Ideal for authentication, API gateways, session and token tooling, microservices and webhooks.

api.oanor.com/jwt-api

MIME API

A fast, fully-local MIME and file-type toolkit: look up the MIME type, charset and category for a filename or extension, list every file extension registered for a MIME type, and detect a file's real type from its leading magic bytes (over 40 signatures, including RIFF container disambiguation for WEBP, WAV and AVI), accepting hex or base64 input. Every endpoint accepts input via the query string or the request body. Pure server-side compute, no third-party upstream, so responses are instant and always available. Ideal for upload validation, security (verify a file's real type against its claimed extension), CDNs and content pipelines.

api.oanor.com/mime-api

Password API

A fast, fully-local password toolkit: generate cryptographically-secure random passwords (configurable length, character classes and exclude-similar), estimate password strength (entropy bits, a 0-4 score, character-class breakdown, common-password detection, an offline crack-time estimate and actionable feedback), and create memorable diceware-style passphrases. Built on Node crypto, no third-party upstream, and inputs are never logged — so responses are instant, private and always available. Ideal for signup and account flows, admin tools, password managers and security features.

api.oanor.com/password-api

FBI Wanted API

Browse and search the official FBI Wanted list — fugitives, missing persons, terrorists and seeking-information cases — with charges, cautions, rewards, physical descriptions, field offices and photos. Useful for news, public-safety, security-research and OSINT apps.

api.oanor.com/fbi-api

DNS Lookup API

Resolve DNS records — A, AAAA, MX, NS, TXT, CNAME, SOA, SRV, CAA, PTR — for any domain, fetch all common records in a single call, or run a reverse PTR lookup for an IPv4 address. Backed by Google DNS-over-HTTPS. Ideal for DevOps tooling, uptime and email-deliverability checks (SPF/DKIM/DMARC), security research and domain monitoring.

api.oanor.com/dns-api