Subscription Tiers & Features#
HashWatch has one public surface and one private surface:
- The public dashboard (“hash of the day”) is free and needs no account, key, or sign-in.
- The private threat-intel API and the admin console are reached with an API key or a console sign-in, and what they unlock is governed by your account’s tier.
The tiers form a ladder: free → basic → teams → enterprise . Every step includes everything below it. A key carries both a role (what actions it may take) and a tier (which features are unlocked); a request must satisfy both.
teamswas formerly calledpaid(renamed 2026-06-17).paidis still accepted as a deprecated alias and folds toteamsautomatically.
Feature matrix#
| Feature | free | basic | teams | enterprise |
|---|---|---|---|---|
| Public “hash of the day” dashboard (no sign-in) | ✓ | ✓ | ✓ | ✓ |
| Private API access (an API key) | — | ✓ | ✓ | ✓ |
Known-good hash lookup — BinTrust + NSRL (intel:lookup) | — | ✓ | ✓ | ✓ |
Platform statistics (intel:stats) | — | ✓ | ✓ | ✓ |
Historical hash queries (intel:history) | — | — | ✓ | ✓ |
Download / provenance audit trail (intel:downloads) | — | — | ✓ | ✓ |
RevokeRadar revocation feed (intel:revocations) | — | — | ✓ | ✓ |
Admin console for your account (self-service, tenant:manage) | — | — | ✓ | ✓ |
| Multiple console users (invite Viewers / Analysts) | — | — | ✓ | ✓ |
| Account Administrators (web-UI admin seats) | — | — | up to 2 | up to 2 |
| Organization-scale provisioning & white-label labels | — | — | — | ✓ |
The per-feature gates above are the authoritative ones the API enforces
(PermMinTier); they are not marketing copy. The endpoint-by-endpoint version is in
Authentication → Permissions.
What each tier is for#
free Free — the public dashboard#
The “hash of the day”: verified cryptographic hashes of common executables, sourced daily from official vendor channels. No account, no key, no sign-in. This is the only surface that needs nothing.
basic Basic — API access + known-good lookups#
The entry point to the private API. A Basic account can authenticate a key and run the two core intel calls — hash lookup against the BinTrust/NSRL corpus and platform statistics. Ideal for a single analyst or an automated triage pipeline that just needs “is this file known-good?” answers.
teams Teams — full intel + multi-user self-service#
Everything in Basic, plus the full intel set — historical hashes, the download / provenance audit trail, and the RevokeRadar revocation feed — and the self-service admin console: invite multiple console users (Viewers and Analysts), and have up to two Account Administrators manage your own account’s members and keys. This is the tier at which an account becomes a team rather than a single key.
enterprise Enterprise — Teams at organization scale#
Enterprise includes the complete Teams feature set and is aimed at whole-organization deployments: the single shared organization API key model (see below) across the company, and white-label role/tier labels so the console can carry your own terminology. Customer-facing intel capabilities are the same as Teams — Enterprise is the commercial tier for scale, onboarding, and branding rather than a separate set of gated endpoints.
How keys and users fit together#
- Every paid account is auto-provisioned one shared organization API key at signup, carrying the account’s tier (an Account Administrator key). The raw secret is shown once at creation. This single key is the org’s programmatic credential — even a Basic account gets one, so there is no tier at which “you can pay but still have no API access.” Additional keys can be issued later if you need them.
- People use the web console through individual invites (Teams and Enterprise), each enrolling their own passkey/authenticator — so multiple humans share the console while the organization keeps one API key for automation. An account is capped at two Account Administrators (one primary, one backup).
HashWatch-operated capabilities (for awareness)#
Some capabilities exist on the platform but are never customer features — they are operated by HashWatch staff only and are listed here purely for transparency:
- Tenant impersonation (
tenant:impersonate) — support staff can view-as or manage-as your tenant to help troubleshoot; every such action is recorded in the audit log with the staff member as the actor. - Platform administration (
platform:keys,platform:settings,platform:admins) — managing keys across all tenants, platform settings, and platform administrators.
These will never appear in a customer console regardless of tier; the API rejects them for any customer key.