Endpoints#

Base URL: https://api.hashwatch.us

Public endpoints (no authentication)#

GET /public/hash-of-day#

Returns today’s known-good hashes for all tracked software. Results are cached for up to 1 hour.

curl https://api.hashwatch.us/public/hash-of-day

Add ?date=YYYY-MM-DD to retrieve a specific day’s snapshot:

curl "https://api.hashwatch.us/public/hash-of-day?date=2026-06-01"

Response:

{
  "date": "2026-06-05",
  "generated_at": "2026-06-05T02:14:37Z",
  "cache_hit": true,
  "hashes": [
    {
      "id": "...",
      "executable_name": "chrome-win64.msi",
      "version": "124.0.6367.82",
      "vendor": "Google LLC",
      "platform": "windows",
      "arch": "amd64",
      "hash_sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe04294e576e9e7c3e07ccb1e83",
      "hash_sha1": null,
      "hash_md5": null,
      "source_url": "https://dl.google.com/...",
      "download_verified": true,
      "valid_from": "2026-06-05T02:13:01Z",
      "sig_signer": "Google LLC",
      "sig_issuer": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
      "sig_serial": "0a...",
      "sig_thumbprint": "1a2b..."
    }
  ]
}

Fields:

Field	Description
`executable_name`	Filename as distributed by the vendor
`version`	Release version string
`vendor`	Publisher name
`platform`	`windows`, `linux`, `darwin`, or `android`
`arch`	`amd64`, `arm64`, `arm`, `x86`, or `universal`
`hash_sha256`	SHA-256 fingerprint (always present)
`hash_sha1`	SHA-1 fingerprint — `null` for manifest-only vendors
`hash_md5`	MD5 fingerprint — `null` for manifest-only vendors
`source_url`	The exact file URL the hash was computed from
`download_verified`	`true` when HashWatch downloaded the binary itself
`sig_signer`	Authenticode subject DN — `null` for non-PE or manifest-only records
`sig_issuer`	Authenticode issuer DN — `null` when signer is null
`sig_serial`	Signing certificate serial (hex) — `null` when signer is null
`sig_thumbprint`	Signing certificate SHA-1 thumbprint — `null` when signer is null

GET /.well-known/jwks.json#

Returns the RSA public key used to verify HashWatch-issued JWT tokens, in JWKS format. Use this if you validate tokens locally.

curl https://api.hashwatch.us/.well-known/jwks.json

Authenticated endpoints#

All endpoints below require an API key (X-API-Key header) or a JWT Bearer token. See Authentication.

POST /api/v1/auth/token#

Exchange your API key for a short-lived JWT (15 minutes). Useful for high-throughput integrations.

Required permission: any valid key
Required tier: any

curl -X POST https://api.hashwatch.us/api/v1/auth/token \
  -H "X-API-Key: <team-id>.<secret>"

Response:

{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_at": "2026-06-05T03:00:00Z"
}

POST /api/v1/auth/refresh#

Refresh a JWT before it expires. Returns a new token with a fresh 15-minute TTL.

Required permission: any valid JWT
Required tier: any

curl -X POST https://api.hashwatch.us/api/v1/auth/refresh \
  -H "Authorization: Bearer <current-token>"

GET /api/v1/intel/stats#

Returns platform statistics: total hashes tracked, vendors active, last ingestion timestamp.

Required permission: intel:stats
Required tier: free

curl https://api.hashwatch.us/api/v1/intel/stats \
  -H "X-API-Key: <team-id>.<secret>"

Response:

{
  "total_hashes": 312,
  "total_vendors": 56,
  "last_ingestion_at": "2026-06-05T02:14:37Z",
  "coverage": {
    "windows": 189,
    "linux": 147,
    "darwin": 98,
    "android": 24
  }
}

GET /api/v1/intel/history#

Returns the full historical record of hash values for a specific executable — every version ever seen, with valid_from / valid_until timestamps showing exactly when each version was current.

Required permission: intel:history
Required tier: paid

curl "https://api.hashwatch.us/api/v1/intel/history?name=chrome-win64.msi" \
  -H "X-API-Key: <team-id>.<secret>"

Query parameters:

Parameter	Type	Description
`name`	string	Executable name to look up (required)
`platform`	string	Filter by platform (`windows`, `linux`, `darwin`, `android`)
`limit`	integer	Max results (default 50, max 200)
`offset`	integer	Pagination offset

Response:

{
  "results": [
    {
      "executable_name": "chrome-win64.msi",
      "version": "124.0.6367.82",
      "hash_sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe04294e576e9e7c3e07ccb1e83",
      "valid_from": "2026-06-05T02:13:01Z",
      "valid_until": null,
      "status": "current"
    },
    {
      "executable_name": "chrome-win64.msi",
      "version": "124.0.6367.60",
      "hash_sha256": "a1b2c3d4...",
      "valid_from": "2026-05-29T02:11:43Z",
      "valid_until": "2026-06-05T02:13:01Z",
      "status": "superseded"
    }
  ],
  "total": 42,
  "limit": 50,
  "offset": 0
}

GET /api/v1/intel/revocations#

Returns every signing certificate that RevokeRadar has detected as revoked (via CRL). Each entry includes which vendors used the cert and whether any currently-active binary (still “current” on the dashboard) was signed with it.

currently_active: true is the high-priority signal — it means a binary visible on the public dashboard today was signed with a certificate the CA has since revoked.

Required permission: intel:revocations
Required tier: paid

curl https://api.hashwatch.us/api/v1/intel/revocations \
  -H "X-API-Key: <team-id>.<secret>"

Response:

{
  "revoked_certs": [
    {
      "thumbprint": "a1b2c3d4e5f6...",
      "signer": "Acme Corp",
      "issuer": "DigiCert EV Code Signing CA",
      "revoked_at": "2026-04-15T00:00:00Z",
      "revocation_reason": "keyCompromise",
      "check_method": "crl",
      "affected_vendors": ["AcmeTool", "AcmeSetup"],
      "currently_active": true
    }
  ],
  "total": 1
}

Revocation reasons follow RFC 5280 §5.3.1: unspecified, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold.

Public dashboard — The cert_revoked_at field also appears directly on each hash record in the /public/hash-of-day response and in the dashboard’s “Revoked Signers” panel, so no API key is required to see whether a binary’s signing cert is revoked.

GET /api/v1/intel/downloads#

Returns the immutable download audit trail — every time HashWatch streamed a vendor binary to compute its hash. Each record includes the URL, timestamp, file size, and confirmation that nothing was written to disk.

Required permission: intel:downloads
Required tier: paid

curl https://api.hashwatch.us/api/v1/intel/downloads \
  -H "X-API-Key: <team-id>.<secret>"

Query parameters:

Parameter	Type	Description
`vendor`	string	Filter by vendor name
`from`	ISO 8601	Start of time range
`until`	ISO 8601	End of time range
`limit`	integer	Max results (default 50, max 200)
`offset`	integer	Pagination offset

Response:

{
  "results": [
    {
      "downloaded_at": "2026-06-05T02:13:01Z",
      "deleted_at": "2026-06-05T02:13:01Z",
      "storage_method": "stream",
      "url": "https://dl.google.com/...",
      "size_bytes": 98345678,
      "hash_record_id": "..."
    }
  ],
  "total": 1240
}

storage_method: "stream" and deleted_at == downloaded_at confirm the binary was hashed in memory and never written to disk.