# security.txt API
> Fetch and parse any domain's RFC 9116 security.txt — the machine-readable file at /.well-known/security.txt that tells security researchers how to report vulnerabilities. Pass a domain and the service locates the file (the canonical .well-known path with a legacy root fallback), parses every field — Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy, Hiring and CSAF — and reports whether it is valid (has at least one Contact and a single, non-expired Expires), whether it is PGP-signed, whether it has expired (with the number of days remaining) and a list of issues with concrete advice. A companion endpoint returns the raw file. The request is made server-side; private and internal targets are refused (SSRF-guarded). Built for security audits, vendor and third-party risk assessment, attack-surface reviews and vulnerability-disclosure-policy compliance checks. A security.txt parser and validator — distinct from the HTTP security-header grader (secheaders), the SSL/TLS certificate check (sslcheck) and host reachability (hostcheck). No upstream key, no cache.

## Authentication
All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys.

```bash
curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/securitytxt-api/..."
```

## Pricing
- **Free** (Free) — 2,400 calls/Mo, 2 req/s
- **Starter** ($7/Mo) — 48,000 calls/Mo, 8 req/s
- **Pro** ($22/Mo) — 244,000 calls/Mo, 20 req/s
- **Mega** ($58/Mo) — 888,000 calls/Mo, 50 req/s

## Endpoints

### security.txt

#### `GET /v1/check` — Parse & validate a domain's security.txt

**Parameters:**
- `url` (query, required, string) — Domain or URL. Example: `google.com`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/securitytxt-api/v1/check?url=google.com"
```
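
A local version of the check described in the overview, as an added example (not oanor's implementation and not its response schema): it parses raw security.txt text, such as `/v1/raw` returns, and applies the stated rule of at least one Contact and a single, non-expired Expires. The function name, result keys and the sample file are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Field names listed on this page; RFC 9116 field names are case-insensitive.
KNOWN = {"contact", "expires", "encryption", "acknowledgments",
         "preferred-languages", "canonical", "policy", "hiring", "csaf"}

# Constructed sample (example.com, placeholder signature), not a real file.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Constructed sample
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, de
-----BEGIN PGP SIGNATURE-----

placeholder-not-a-real-signature
-----END PGP SIGNATURE-----
"""

def check_security_txt(text, now=None):
    """Hypothetical local helper: apply the validity rule described above."""
    now = now or datetime.now(timezone.utc)
    lines = [l.strip() for l in text.splitlines()]
    # Detects the OpenPGP cleartext-signature framing only; it does not verify it.
    signed = ("-----BEGIN PGP SIGNED MESSAGE-----" in lines
              and "-----BEGIN PGP SIGNATURE-----" in lines)
    fields, issues, expired, days_left = {}, [], None, None
    for line in lines:
        name, sep, value = line.partition(":")
        # Comments, armor lines and headers ("Hash:") are not known fields.
        if sep and name.strip().lower() in KNOWN:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    if not fields.get("contact"):
        issues.append("no Contact field: add at least one contact URI")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        issues.append(f"need exactly one Expires field, found {len(expires)}")
    else:
        try:
            when = datetime.fromisoformat(expires[0].upper().replace("Z", "+00:00"))
            expired, days_left = when <= now, (when - now).days
            if expired:
                issues.append("Expires is in the past: publish a refreshed file")
        except (ValueError, TypeError):  # malformed, or no UTC offset given
            issues.append("Expires is not an RFC 3339 date-time with an offset")
    return {"valid": bool(fields.get("contact")) and expired is False,
            "signed": signed, "expired": expired, "days_left": days_left,
            "fields": fields, "issues": issues}
```

A file with the signature framing still needs its signature verified against the publisher's key before the contents are trusted; this helper only reports that the framing is present.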

#### `GET /v1/raw` — Raw security.txt content

**Parameters:**
- `url` (query, required, string) — Domain or URL. Example: `google.com`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/securitytxt-api/v1/raw?url=google.com"
```

### Meta

#### `GET /v1/meta` — RFC 9116 fields & locations

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/securitytxt-api/v1/meta"
```


---
Marketplace page: https://www.oanor.com/api/securitytxt-api
OpenAPI spec: https://www.oanor.com/api/securitytxt-api/openapi.json
