Public pull feeds#
All feeds are public, read-only, and cover the current verified hash set. Poll politely (hourly is plenty — responses are cache-friendly).
| Format | URL |
|---|---|
| JSON | https://api.hashwatch.us/public/feed.json |
| RSS | https://api.hashwatch.us/public/feed.rss |
| STIX 2.1 | https://api.hashwatch.us/public/feed/stix |
| TAXII 2.1 (discovery) | https://api.hashwatch.us/taxii2/ |
JSON#
{
"feed": "hashwatch-verified",
"date": "2026-06-28",
"count": 420,
"transparency": "https://api.hashwatch.us/public/transparency/2026-06-28",
"records": [
{ "executable_name": "...", "vendor": "...", "version": "...",
"platform": "windows", "arch": "amd64",
"sha256": "…", "sha1": "…", "md5": "…", "signer": "…",
"source_url": "…", "valid_from": "2026-06-28T10:00:00Z" }
]
}Each JSON feed links the matching transparency root.
STIX / TAXII#
Records are emitted as STIX 2.1 indicator objects with indicator_types: ["benign"] and a
[file:hashes.'SHA-256' = '…'] pattern — an allowlist of known-good software for suppressing
false positives in EDR/SIEM. Object IDs are deterministic, so re-pulls are idempotent.
TAXII 2.1 collection: 5f8a1c3e-0b2d-4e6f-8a1b-2c3d4e5f6a7b
(/taxii2/api/collections/{id}/objects/).
Custom HTTP clients must send an
Acceptheader (most clients do by default).