API Reference

SPYDER exposes a REST API on the metrics port (default :9090) for runtime control, monitoring, and querying discovered data.

Interactive Reference

v1.0.0

SPYDER Control API

Download OpenAPI Document

JSON

Download OpenAPI Document

YAML

REST API for controlling and inspecting a running SPYDER DNS reconnaissance probe.
The API runs on the same port as the Prometheus metrics endpoint (default :9090).

All endpoints require a Bearer token in the Authorization header. Tokens are
scoped to one of three permission levels: read, write, or admin.
Admin scope is a superset of write, which is a superset of read.

Servers

http://localhost:9090Default local instance

---

Control

Submit domains and control crawl lifecycle (pause/resume/stop)

Operations

POST/api/v1/domainsPOST/api/v1/domains/bulkPOST/api/v1/control/pausePOST/api/v1/control/resumePOST/api/v1/control/stop

---

Submit a single domain for crawling

POST

/api/v1/domains

Enqueues a single domain hostname into the crawl task channel. The domain will be picked up by the next available worker. Returns 503 if the task channel is full.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

  

"host": "example.com"

}

Responses

Domain accepted

Content-Type

application/json

{

  

"accepted": true,

  

"host": "example.com"

}

POST

/api/v1/domains

Playground

Authorization

bearerAuth

Body

Samples

---

Submit multiple domains for crawling

POST

/api/v1/domains/bulk

Enqueues multiple domains at once. Accepts JSON array or newline-delimited text/plain. Domains that cannot be enqueued (channel full) are counted as rejected.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

[

  

[

  

  

"example.com",

  

  

"acme.org"

  

]

]

Responses

Bulk submission result

Content-Type

application/json

{

  

"accepted": 2,

  

"rejected": 0,

  

"total": 2

}

POST

/api/v1/domains/bulk

Playground

Authorization

bearerAuth

Body

Samples

---

Pause all crawl workers

POST

/api/v1/control/pause

Pauses all workers in the pool. Workers finish their current task but do not pick up new ones until resumed.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Workers paused

Content-Type

application/json

{

  

"status": "paused"

}

POST

/api/v1/control/pause

Playground

Authorization

bearerAuth

Samples

---

Resume paused crawl workers

POST

/api/v1/control/resume

Resumes all paused workers so they begin pulling tasks from the queue again.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Workers resumed

Content-Type

application/json

{

  

"status": "resumed"

}

POST

/api/v1/control/resume

Playground

Authorization

bearerAuth

Samples

---

Gracefully stop the probe process

POST

/api/v1/control/stop

Initiates a graceful shutdown of the entire SPYDER process by cancelling the root context. The response is sent before shutdown begins.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Stop initiated

Content-Type

application/json

{

  

"status": "stopping"

}

POST

/api/v1/control/stop

Playground

Authorization

bearerAuth

Samples

---

Config

Read and hot-patch runtime configuration

Operations

GET/api/v1/configPATCH/api/v1/config

---

Get the current runtime configuration snapshot

GET

/api/v1/config

Returns the full current runtime configuration as a JSON object, including all nested sections (crawling, batch, output, etc.).

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Current configuration

Content-Type

application/json

{

  

"domains": "string",

  

"probe": "local-1",

  

"run": "run-1741824000",

  

"ua": "string",

  

"exclude_tlds": [

  

  

"string"

  

],

  

"crawling": {

  

  

"continuous": true,

  

  

"max_domains": 0,

  

  

"concurrency": 256,

  

  

"rate_per_host": 1,

  

  

"rate_burst": 1,

  

  

"http_timeout": "15s",

  

  

"tls_timeout": "8s",

  

  

"body_max_bytes": 524288

  

},

  

"batch": {

  

  

"max_edges": 10000,

  

  

"flush_interval": "2s",

  

  

"node_threshold_ratio": 0.5,

  

  

"channel_buffer": 1024

  

},

  

"output": {

  

  

"format": "json",

  

  

"ingest": "",

  

  

"spool_dir": "spool"

  

},

  

"circuit_breaker": {

  

  

"max_requests": 3,

  

  

"interval": "60s",

  

  

"timeout": "30s",

  

  

"threshold": 5,

  

  

"failure_ratio": 0.6

  

},

  

"http_client": {

  

  

"timeout": "15s",

  

  

"response_header_timeout": "10s",

  

  

"idle_conn_timeout": "30s",

  

  

"max_idle_conns": 1024,

  

  

"max_conns_per_host": 128

  

},

  

"robots": {

  

  

"cache_size": 4096,

  

  

"cache_ttl": "24h0m0s"

  

},

  

"dedup": {

  

  

"ttl": "24h0m0s"

  

},

  

"redis": {

  

  

"addr": "localhost:6379",

  

  

"queue_addr": "string",

  

  

"queue_key": "spyder:queue",

  

  

"queue_lease_ttl": "2m0s"

  

},

  

"mongodb": {

  

  

"uri": "mongodb://localhost:27017",

  

  

"database": "spyder"

  

},

  

"telemetry": {

  

  

"metrics_addr": ":9090",

  

  

"otel_endpoint": "string",

  

  

"otel_insecure": true,

  

  

"otel_service": "spyder-probe"

  

},

  

"logging": {

  

  

"level": "info",

  

  

"quiet": true,

  

  

"verbose": true,

  

  

"progress": true

  

},

  

"api": {

  

  

"rate_limit": 100,

  

  

"rate_burst": 20,

  

  

"keys": [

  

  

  

{

  

  

  

  

"key": "spyder_a1b2c3...",

  

  

  

  

"name": "ci-pipeline",

  

  

  

  

"scope": "write"

  

  

  

}

  

  

]

  

}

}

GET

/api/v1/config

Playground

Authorization

bearerAuth

Samples

---

Hot-patch runtime configuration

PATCH

/api/v1/config

Applies a partial configuration update. Tier 1 fields are applied immediately, Tier 2 fields produce warnings, and Tier 3 fields (e.g. Redis, mTLS) are rejected as they require a restart.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

  

"ua": "string",

  

"exclude_tlds": [

  

  

"string"

  

],

  

"crawling": {

  

  

"concurrency": 0,

  

  

"rate_per_host": 0,

  

  

"rate_burst": 0,

  

  

"max_domains": 0,

  

  

"continuous": true,

  

  

"http_timeout": "string",

  

  

"tls_timeout": "string",

  

  

"body_max_bytes": 0

  

},

  

"batch": {

  

  

"max_edges": 0,

  

  

"flush_interval": "string",

  

  

"node_threshold_ratio": 0

  

},

  

"output": {

  

  

"format": "string",

  

  

"ingest": "string",

  

  

"spool_dir": "string"

  

},

  

"api": {

  

  

"rate_limit": 0,

  

  

"rate_burst": 0

  

},

  

"logging": {

  

  

"level": "string"

  

},

  

"redis": {

  

  

"addr": "string",

  

  

"queue_addr": "string"

  

},

  

"mtls": {

  

  

"cert": "string",

  

  

"key": "string",

  

  

"ca": "string"

  

},

  

"mongodb": {

  

  

"uri": "string",

  

  

"database": "string"

  

},

  

"telemetry": {

  

  

"metrics_addr": "string"

  

}

}

Responses

Updated configuration and any warnings

Content-Type

application/json

{

  

"config": {

  

  

"domains": "string",

  

  

"probe": "local-1",

  

  

"run": "run-1741824000",

  

  

"ua": "string",

  

  

"exclude_tlds": [

  

  

  

"string"

  

  

],

  

  

"crawling": {

  

  

  

"continuous": true,

  

  

  

"max_domains": 0,

  

  

  

"concurrency": 256,

  

  

  

"rate_per_host": 1,

  

  

  

"rate_burst": 1,

  

  

  

"http_timeout": "15s",

  

  

  

"tls_timeout": "8s",

  

  

  

"body_max_bytes": 524288

  

  

},

  

  

"batch": {

  

  

  

"max_edges": 10000,

  

  

  

"flush_interval": "2s",

  

  

  

"node_threshold_ratio": 0.5,

  

  

  

"channel_buffer": 1024

  

  

},

  

  

"output": {

  

  

  

"format": "json",

  

  

  

"ingest": "",

  

  

  

"spool_dir": "spool"

  

  

},

  

  

"circuit_breaker": {

  

  

  

"max_requests": 3,

  

  

  

"interval": "60s",

  

  

  

"timeout": "30s",

  

  

  

"threshold": 5,

  

  

  

"failure_ratio": 0.6

  

  

},

  

  

"http_client": {

  

  

  

"timeout": "15s",

  

  

  

"response_header_timeout": "10s",

  

  

  

"idle_conn_timeout": "30s",

  

  

  

"max_idle_conns": 1024,

  

  

  

"max_conns_per_host": 128

  

  

},

  

  

"robots": {

  

  

  

"cache_size": 4096,

  

  

  

"cache_ttl": "24h0m0s"

  

  

},

  

  

"dedup": {

  

  

  

"ttl": "24h0m0s"

  

  

},

  

  

"redis": {

  

  

  

"addr": "localhost:6379",

  

  

  

"queue_addr": "string",

  

  

  

"queue_key": "spyder:queue",

  

  

  

"queue_lease_ttl": "2m0s"

  

  

},

  

  

"mongodb": {

  

  

  

"uri": "mongodb://localhost:27017",

  

  

  

"database": "spyder"

  

  

},

  

  

"telemetry": {

  

  

  

"metrics_addr": ":9090",

  

  

  

"otel_endpoint": "string",

  

  

  

"otel_insecure": true,

  

  

  

"otel_service": "spyder-probe"

  

  

},

  

  

"logging": {

  

  

  

"level": "info",

  

  

  

"quiet": true,

  

  

  

"verbose": true,

  

  

  

"progress": true

  

  

},

  

  

"api": {

  

  

  

"rate_limit": 100,

  

  

  

"rate_burst": 20,

  

  

  

"keys": [

  

  

  

  

{

  

  

  

  

  

"key": "spyder_a1b2c3...",

  

  

  

  

  

"name": "ci-pipeline",

  

  

  

  

  

"scope": "write"

  

  

  

  

}

  

  

  

]

  

  

}

  

},

  

"warnings": [

  

  

[

  

  

]

  

]

}

PATCH

/api/v1/config

Playground

Authorization

bearerAuth

Body

Samples

---

Stats

Aggregate statistics and history from the hub

Operations

GET/api/v1/statsGET/api/v1/stats/historyGET/api/v1/status

---

Get aggregate crawl statistics

GET

/api/v1/stats

Returns aggregate hub statistics including total batches processed, edges, domains, IPs, and certificates seen.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Current stats snapshot from the hub

Content-Type

application/json

{

  

"additionalProperties": "string"

}

GET

/api/v1/stats

Playground

Authorization

bearerAuth

Samples

---

Get batch event history

GET

/api/v1/stats/history

Returns the recent batch history ring buffer from the hub, ordered newest first.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Array of recent batch events

Content-Type

application/json

[

  

{

  

  

"additionalProperties": "string"

  

}

]

GET

/api/v1/stats/history

Playground

Authorization

bearerAuth

Samples

---

Get high-level probe status

GET

/api/v1/status

Returns a combined status snapshot including uptime, worker pool state, pending emitter counts, and discovery progress.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Probe status overview

Content-Type

application/json

{

  

"uptime_seconds": 3600.5,

  

"workers": {

  

  

"active": 128,

  

  

"idle": 128,

  

  

"total": 256,

  

  

"paused": false

  

},

  

"pending_edges": 42,

  

"pending_nodes": 17,

  

"discovered": 1500

}

GET

/api/v1/status

Playground

Authorization

bearerAuth

Samples

---

Workers

Worker pool inspection and scaling

Operations

GET/api/v1/workersPOST/api/v1/workers/scale

---

Get worker pool statistics

GET

/api/v1/workers

Returns the current worker pool statistics: target count, active count, and paused state.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Worker pool stats

Content-Type

application/json

{

  

"active": 128,

  

"idle": 128,

  

"total": 256,

  

"paused": false

}

GET

/api/v1/workers

Playground

Authorization

bearerAuth

Samples

---

Scale the worker pool to a target count

POST

/api/v1/workers/scale

Dynamically scales the worker pool to the specified count. Workers are added or drained gracefully.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

  

"count": 128

}

Responses

Scaling result

Content-Type

application/json

{

  

"scaled_to": 128,

  

"workers": {

  

  

"active": 128,

  

  

"idle": 128,

  

  

"total": 256,

  

  

"paused": false

  

}

}

POST

/api/v1/workers/scale

Playground

Authorization

bearerAuth

Body

Samples

---

Breakers

Circuit breaker state and reset

Operations

GET/api/v1/breakersPOST/api/v1/breakers/resetPOST/api/v1/breakers/{host}/reset

---

List all circuit breaker states

GET

/api/v1/breakers

Returns circuit breaker state for all known hosts, including current state (closed/open/half-open) and failure counts.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Map of host to circuit breaker state

Content-Type

application/json

{

  

"additionalProperties": {

  

  

"state": "closed",

  

  

"failures": 0,

  

  

"successes": 42,

  

  

"requests": 42

  

}

}

GET

/api/v1/breakers

Playground

Authorization

bearerAuth

Samples

---

Reset all circuit breakers

POST

/api/v1/breakers/reset

Resets all circuit breakers to the closed state, allowing requests to resume to previously-failing hosts.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

All breakers reset

Content-Type

application/json

{

  

"reset": "all",

  

"count": 5

}

POST

/api/v1/breakers/reset

Playground

Authorization

bearerAuth

Samples

---

Reset a single circuit breaker by host

POST

/api/v1/breakers/{host}/reset

Resets the circuit breaker for a specific host back to the closed state.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Path Parameters

host*

Type

string

Required

Example"example.com"

Responses

Breaker reset

Content-Type

application/json

{

  

"reset": "example.com"

}

POST

/api/v1/breakers/{host}/reset

Playground

Authorization

bearerAuth

Variables

Key

Value

host*

Samples

---

RateLimits

Per-host rate limit inspection and adjustment

Operations

GET/api/v1/ratelimitsPUT/api/v1/ratelimitsPOST/api/v1/ratelimits/{host}/reset

---

Get per-host rate limit configuration and active hosts

GET

/api/v1/ratelimits

Returns the global per-host rate limit configuration and per-host limiter statistics.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Current rate limit settings and per-host stats

Content-Type

application/json

{

  

"per_host_rate": 1,

  

"per_host_burst": 5,

  

"hosts": {

  

  

"additionalProperties": {

  

  

}

  

}

}

GET

/api/v1/ratelimits

Playground

Authorization

bearerAuth

Samples

---

Update global per-host rate limit settings

PUT

/api/v1/ratelimits

Updates the global per-host rate limit and burst values. Also patches the runtime config to persist the change.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

  

"rate_per_host": 2,

  

"rate_burst": 10

}

Responses

Updated rate limit settings

Content-Type

application/json

{

  

"rate_per_host": 0,

  

"rate_burst": 0

}

PUT

/api/v1/ratelimits

Playground

Authorization

bearerAuth

Body

Samples

---

Notify that a per-host rate limiter will expire via TTL

POST

/api/v1/ratelimits/{host}/reset

Per-host rate limiter entries expire automatically via TTL and cannot be individually reset.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Path Parameters

host*

Type

string

Required

Example"example.com"

Responses

Informational response

Content-Type

application/json

{

  

"message": "string",

  

"host": "string"

}

POST

/api/v1/ratelimits/{host}/reset

Playground

Authorization

bearerAuth

Variables

Key

Value

host*

Samples

---

Dedup

Deduplication cache inspection and management

Operations

GET/api/v1/dedup/{key}DELETE/api/v1/dedup/{key}DELETE/api/v1/dedup

---

Check whether a dedup key has been seen

GET

/api/v1/dedup/{key}

Checks whether a given deduplication key has been seen. The call itself marks the key as seen (side effect of the Seen() method).

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Path Parameters

key*

Type

string

Required

Example"domain|example.com"

Responses

Dedup check result

Content-Type

application/json

{

  

"key": "string",

  

"seen": true

}

GET

/api/v1/dedup/{key}

Playground

Authorization

bearerAuth

Variables

Key

Value

key*

Samples

---

Delete a specific dedup key

DELETE

/api/v1/dedup/{key}

Removes a single key from the dedup store. Only supported by backends that implement the Delete interface.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Path Parameters

key*

Type

string

Required

Responses

Key deleted

Content-Type

application/json

{

  

"deleted": "string"

}

DELETE

/api/v1/dedup/{key}

Playground

Authorization

bearerAuth

Variables

Key

Value

key*

Samples

---

Clear all dedup entries (admin only)

DELETE

/api/v1/dedup

Clears the entire dedup store. Only supported by backends that implement the Clear interface. Admin scope required.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Dedup store cleared

Content-Type

application/json

{

  

"cleared": true

}

DELETE

/api/v1/dedup

Playground

Authorization

bearerAuth

Samples

---

Robots

robots.txt cache status

Operations

GET/api/v1/robotsDELETE/api/v1/robots

---

Get robots.txt cache status

GET

/api/v1/robots

Returns the status of the robots.txt LRU cache. Individual entries cannot be listed.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Cache status message

Content-Type

application/json

{

  

"message": "string",

  

"status": "active"

}

GET

/api/v1/robots

Playground

Authorization

bearerAuth

Samples

---

Attempt to clear the robots.txt cache (TTL-based; informational)

DELETE

/api/v1/robots

Robots cache entries expire via TTL; explicit clear is not currently supported.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Informational response

Content-Type

application/json

{

  

"message": "string"

}

DELETE

/api/v1/robots

Playground

Authorization

bearerAuth

Samples

---

Spool

Spool directory inspection and management

Operations

GET/api/v1/spoolDELETE/api/v1/spoolPOST/api/v1/spool/retry

---

List spooled batch files

GET

/api/v1/spool

Lists all files in the spool directory (failed batch deliveries awaiting retry), with file names, sizes, and timestamps.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Spool directory listing

Content-Type

application/json

{

  

"spool_dir": "spool",

  

"count": 3,

  

"files": [

  

  

{

  

  

  

"name": "string",

  

  

  

"size": 0,

  

  

  

"modified": "string"

  

  

}

  

]

}

GET

/api/v1/spool

Playground

Authorization

bearerAuth

Samples

---

Delete all spooled batch files

DELETE

/api/v1/spool

Deletes all files in the spool directory.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Number of files deleted

Content-Type

application/json

{

  

"cleared": 0

}

DELETE

/api/v1/spool

Playground

Authorization

bearerAuth

Samples

---

Retry delivery of spooled batches

POST

/api/v1/spool/retry

Triggers a retry of all spooled batches by calling the emitter's Drain method.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Retry initiated

Content-Type

application/json

{

  

"message": "spool retry initiated"

}

POST

/api/v1/spool/retry

Playground

Authorization

bearerAuth

Samples

---

Emitter

Emitter (batch output) status and flush

Operations

GET/api/v1/emitterPOST/api/v1/emitter/flush

---

Get emitter status and pending batch counts

GET

/api/v1/emitter

Returns the emitter's current state including pending edge and node counts, ingest URL, and spool directory path.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Emitter status

Content-Type

application/json

{

  

"pending_edges": 0,

  

"pending_nodes": 0,

  

"ingest": "http://ingest.example.com/batch",

  

"spool_dir": "spool"

}

GET

/api/v1/emitter

Playground

Authorization

bearerAuth

Samples

---

Force-flush the current in-memory batch

POST

/api/v1/emitter/flush

Forces the emitter to immediately flush any buffered edges and nodes to the ingest endpoint.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Flush triggered

Content-Type

application/json

{

  

"flushed": true

}

POST

/api/v1/emitter/flush

Playground

Authorization

bearerAuth

Samples

---

Excludes

TLD exclusion list management

Operations

GET/api/v1/excludesPUT/api/v1/excludesPOST/api/v1/excludesDELETE/api/v1/excludes/{tld}

---

Get the current TLD exclusion list

GET

/api/v1/excludes

Returns the list of TLDs currently excluded from crawling.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Current exclusion list

Content-Type

application/json

{

  

"exclude_tlds": [

  

  

[

  

  

  

"gov",

  

  

  

"mil",

  

  

  

"int"

  

  

]

  

]

}

GET

/api/v1/excludes

Playground

Authorization

bearerAuth

Samples

---

Replace the entire TLD exclusion list

PUT

/api/v1/excludes

Replaces the entire TLD exclusion list with the provided array.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

  

"exclude_tlds": [

  

  

[

  

  

  

"gov",

  

  

  

"mil"

  

  

]

  

]

}

Responses

Updated exclusion list

Content-Type

application/json

{

  

"exclude_tlds": [

  

  

"string"

  

]

}

PUT

/api/v1/excludes

Playground

Authorization

bearerAuth

Body

Samples

---

Add a single TLD to the exclusion list

POST

/api/v1/excludes

Adds a single TLD to the exclusion list if not already present.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

  

"tld": "edu"

}

Responses

Updated exclusion list

Content-Type

application/json

{

  

"exclude_tlds": [

  

  

"string"

  

],

  

"message": "string"

}

POST

/api/v1/excludes

Playground

Authorization

bearerAuth

Body

Samples

---

Remove a TLD from the exclusion list

DELETE

/api/v1/excludes/{tld}

Removes a single TLD from the exclusion list.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Path Parameters

tld*

Type

string

Required

Example"edu"

Responses

Updated exclusion list

Content-Type

application/json

{

  

"exclude_tlds": [

  

  

"string"

  

]

}

DELETE

/api/v1/excludes/{tld}

Playground

Authorization

bearerAuth

Variables

Key

Value

tld*

Samples

---

Discovery

Discovery limit and continuity settings

Operations

GET/api/v1/discoveryPATCH/api/v1/discovery

---

Get discovery limits and counters

GET

/api/v1/discovery

Returns the current discovery state: number of domains discovered, max domain limit, and whether continuous mode is enabled.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Discovery settings

Content-Type

application/json

{

  

"discovered": 2500,

  

"max_domains": 0,

  

"continuous": false

}

GET

/api/v1/discovery

Playground

Authorization

bearerAuth

Samples

---

Update discovery limits

PATCH

/api/v1/discovery

Updates discovery settings. Can change max_domains (also updates the sink's atomic limit) and continuous mode.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

  

"max_domains": 50000,

  

"continuous": true

}

Responses

Updated discovery settings

Content-Type

application/json

{

  

"discovered": 0,

  

"max_domains": 0,

  

"continuous": true

}

PATCH

/api/v1/discovery

Playground

Authorization

bearerAuth

Body

Samples

---

Queue

Work queue inspection (not yet implemented)

Operations

GET/api/v1/queueDELETE/api/v1/queueDELETE/api/v1/queue/{host}

---

Inspect the work queue (not implemented)

GET

/api/v1/queue

Queue introspection is not yet implemented.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Endpoint not yet implemented

Content-Type

application/json

{

  

"code": "NOT_FOUND",

  

"error": "domain not found"

}

GET

/api/v1/queue

Playground

Authorization

bearerAuth

Samples

---

Clear the work queue (not implemented)

DELETE

/api/v1/queue

Queue clear is not yet implemented.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Endpoint not yet implemented

Content-Type

application/json

{

  

"code": "NOT_FOUND",

  

"error": "domain not found"

}

DELETE

/api/v1/queue

Playground

Authorization

bearerAuth

Samples

---

Remove a host from the queue (not implemented)

DELETE

/api/v1/queue/{host}

Queue item removal is not yet implemented.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Path Parameters

host*

Type

string

Required

Example"example.com"

Responses

Endpoint not yet implemented

Content-Type

application/json

{

  

"code": "NOT_FOUND",

  

"error": "domain not found"

}

DELETE

/api/v1/queue/{host}

Playground

Authorization

bearerAuth

Variables

Key

Value

host*

Samples

---

Observability

Log level, metrics, telemetry, health checkers, and output config

Operations

GET/api/v1/logs/streamPUT/api/v1/logs/levelGET/api/v1/metricsPOST/api/v1/metrics/resetGET/api/v1/telemetryPATCH/api/v1/telemetryGET/api/v1/health/checkersPOST/api/v1/health/checkersDELETE/api/v1/health/checkers/{name}GET/api/v1/outputPATCH/api/v1/output

---

Stream log output (not yet implemented)

GET

/api/v1/logs/stream

Server-Sent Events log stream. Not yet implemented.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Endpoint not yet implemented

Content-Type

application/json

{

  

"code": "NOT_FOUND",

  

"error": "domain not found"

}

GET

/api/v1/logs/stream

Playground

Authorization

bearerAuth

Samples

---

Change the log verbosity level at runtime

PUT

/api/v1/logs/level

Changes the runtime log level by patching the logging config.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

  

"level": "debug"

}

Responses

Level applied

Content-Type

application/json

{

  

"level": "string"

}

PUT

/api/v1/logs/level

Playground

Authorization

bearerAuth

Body

Samples

---

Get metrics endpoint reference (use /metrics for Prometheus format)

GET

/api/v1/metrics

Returns a pointer to the Prometheus /metrics endpoint. Use that endpoint directly for scraping.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Metrics endpoint info

Content-Type

application/json

{

  

"message": "string",

  

"metrics_endpoint": ":9090/metrics"

}

GET

/api/v1/metrics

Playground

Authorization

bearerAuth

Samples

---

Reset Prometheus counters (not supported; requires restart)

POST

/api/v1/metrics/reset

Prometheus counters cannot be reset at runtime; a process restart is required.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Informational response

Content-Type

application/json

{

  

"message": "string"

}

POST

/api/v1/metrics/reset

Playground

Authorization

bearerAuth

Samples

---

Get current telemetry configuration

GET

/api/v1/telemetry

Returns the current OpenTelemetry configuration (endpoint, service name, insecure flag).

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Telemetry config

Content-Type

application/json

{

  

"metrics_addr": ":9090",

  

"otel_endpoint": "string",

  

"otel_insecure": true,

  

"otel_service": "spyder-probe"

}

GET

/api/v1/telemetry

Playground

Authorization

bearerAuth

Samples

---

Update telemetry settings (informational; requires restart to take effect)

PATCH

/api/v1/telemetry

Telemetry configuration changes require a restart to take effect. Changes are stored but not applied.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

  

"otel_endpoint": "string",

  

"otel_insecure": true,

  

"otel_service": "string"

}

Responses

Informational response with current telemetry config

Content-Type

application/json

{

  

"message": "string",

  

"telemetry": {

  

  

"metrics_addr": ":9090",

  

  

"otel_endpoint": "string",

  

  

"otel_insecure": true,

  

  

"otel_service": "spyder-probe"

  

}

}

PATCH

/api/v1/telemetry

Playground

Authorization

bearerAuth

Body

Samples

---

Get health checker registration status

GET

/api/v1/health/checkers

Health checkers are registered programmatically. Use GET /health for current status.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Checker info

Content-Type

application/json

{

  

"message": "string"

}

GET

/api/v1/health/checkers

Playground

Authorization

bearerAuth

Samples

---

Register a health checker (not supported)

POST

/api/v1/health/checkers

Dynamic checker registration via API is not supported.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

}

Responses

Endpoint not yet implemented

Content-Type

application/json

{

  

"code": "NOT_FOUND",

  

"error": "domain not found"

}

POST

/api/v1/health/checkers

Playground

Authorization

bearerAuth

Body

Samples

---

Remove a health checker (not supported)

DELETE

/api/v1/health/checkers/{name}

Dynamic checker removal via API is not supported.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Responses

Endpoint not yet implemented

Content-Type

application/json

{

  

"code": "NOT_FOUND",

  

"error": "domain not found"

}

DELETE

/api/v1/health/checkers/{name}

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Samples

---

Get current output configuration

GET

/api/v1/output

Returns the current output configuration (format, ingest URL, spool directory).

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

Output config

Content-Type

application/json

{

  

"format": "json",

  

"ingest": "",

  

"spool_dir": "spool"

}

GET

/api/v1/output

Playground

Authorization

bearerAuth

Samples

---

Update output configuration (Tier 2 — applied with warnings)

PATCH

/api/v1/output

Updates output configuration fields. Subject to tier-based validation.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

  

"format": "string",

  

"ingest": "string",

  

"spool_dir": "string"

}

Responses

Updated output config and warnings

Content-Type

application/json

{

  

"output": {

  

  

"format": "json",

  

  

"ingest": "",

  

  

"spool_dir": "spool"

  

},

  

"warnings": [

  

  

"string"

  

]

}

PATCH

/api/v1/output

Playground

Authorization

bearerAuth

Body

Samples

---

Diagnostics

On-demand DNS resolution, TLS certificate fetch, HTTP client config

Operations

GET/api/v1/dns/{host}GET/api/v1/tls/{host}GET/api/v1/httpclientPATCH/api/v1/httpclient

---

Perform a live DNS lookup for a host

GET

/api/v1/dns/{host}

Performs a live DNS resolution for the given host, returning A/AAAA, NS, CNAME, MX, and TXT records.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Path Parameters

host*

Type

string

Required

Example"example.com"

Responses

DNS resolution results

Content-Type

application/json

{

  

"host": "string",

  

"ips": [

  

  

[

  

  

  

"93.184.216.34"

  

  

]

  

],

  

"ns": [

  

  

"string"

  

],

  

"cname": "string",

  

"mx": [

  

  

"string"

  

],

  

"txt": [

  

  

"string"

  

]

}

GET

/api/v1/dns/{host}

Playground

Authorization

bearerAuth

Variables

Key

Value

host*

Samples

---

Fetch the TLS certificate for a host

GET

/api/v1/tls/{host}

Fetches the TLS certificate from the given host on port 443 and returns parsed certificate metadata.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Path Parameters

host*

Type

string

Required

Example"example.com"

Responses

TLS certificate details

Content-Type

application/json

{

  

"spki_sha256": "abc123...",

  

"subject_cn": "example.com",

  

"issuer_cn": "Let's Encrypt Authority X3",

  

"not_before": "string",

  

"not_after": "string"

}

GET

/api/v1/tls/{host}

Playground

Authorization

bearerAuth

Variables

Key

Value

host*

Samples

---

Get HTTP client configuration

GET

/api/v1/httpclient

Returns the current HTTP client configuration (timeouts, connection pool settings).

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

HTTP client config

Content-Type

application/json

{

  

"timeout": "15s",

  

"response_header_timeout": "10s",

  

"idle_conn_timeout": "30s",

  

"max_idle_conns": 1024,

  

"max_conns_per_host": 128

}

GET

/api/v1/httpclient

Playground

Authorization

bearerAuth

Samples

---

Update HTTP client configuration (requires restart)

PATCH

/api/v1/httpclient

HTTP client configuration changes require a restart.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

}

Responses

Endpoint not yet implemented

Content-Type

application/json

{

  

"code": "NOT_FOUND",

  

"error": "domain not found"

}

PATCH

/api/v1/httpclient

Playground

Authorization

bearerAuth

Body

Samples

---

Keys

API key management (admin only)

Operations

GET/api/v1/keysPOST/api/v1/keysDELETE/api/v1/keys/{key}

---

List all API keys (admin only)

GET

/api/v1/keys

Lists all configured API keys with their names and scopes. Admin scope required.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Responses

All registered API keys

Content-Type

application/json

{

  

"keys": [

  

  

{

  

  

  

"key": "spyder_a1b2c3...",

  

  

  

"name": "ci-pipeline",

  

  

  

"scope": "write"

  

  

}

  

]

}

GET

/api/v1/keys

Playground

Authorization

bearerAuth

Samples

---

Create a new API key (admin only)

POST

/api/v1/keys

Creates a new API key with a randomly generated token. Returns the key value (only shown once). Admin scope required.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Request Body

application/json

{

  

"name": "ci-pipeline",

  

"scope": "write"

}

Responses

Created API key (key value shown only on creation)

Content-Type

application/json

{

  

"key": "spyder_a1b2c3d4e5f6...",

  

"name": "string",

  

"scope": "string"

}

POST

/api/v1/keys

Playground

Authorization

bearerAuth

Body

Samples

---

Delete an API key (admin only)

DELETE

/api/v1/keys/{key}

Revokes and deletes an API key. Admin scope required.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Path Parameters

key*

The API key token to delete

Type

string

Required

Responses

Key deleted

Content-Type

application/json

{

  

"deleted": true

}

DELETE

/api/v1/keys/{key}

Playground

Authorization

bearerAuth

Variables

Key

Value

key*

Samples

---

Query

Query discovered graph data (domains, edges, IPs, certificates)

Operations

GET/api/v1/query/domainsGET/api/v1/query/domains/{host}GET/api/v1/query/edgesGET/api/v1/query/ipsGET/api/v1/query/certs

---

List discovered domain nodes

GET

/api/v1/query/domains

Lists discovered domains with optional filtering by apex domain or search string. Supports cursor-based pagination.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Query Parameters

cursor

Opaque pagination cursor from next_cursor in the previous response

Type

string

limit

Maximum items to return per page

Type

integer

Minimum

1

Maximum

1000

Default

50

apex

Filter by apex domain

Type

string

Example"example.com"

search

Substring search on hostname

Type

string

Responses

Paginated domain list

Content-Type

application/json

{

  

"items": [

  

  

{

  

  

  

"host": "www.example.com",

  

  

  

"apex": "example.com",

  

  

  

"first_seen": "string",

  

  

  

"last_seen": "string"

  

  

}

  

],

  

"next_cursor": "string",

  

"total": 0,

  

"store": "string"

}

GET

/api/v1/query/domains

Playground

Authorization

bearerAuth

Variables

Key

Value

cursor

limit

apex

search

Samples

---

Get a single domain with its edges

GET

/api/v1/query/domains/{host}

Returns details for a specific domain including all related edges (inbound and outbound).

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Path Parameters

host*

Type

string

Required

Example"example.com"

Responses

Domain detail with edges

Content-Type

application/json

{

  

"host": "www.example.com",

  

"apex": "example.com",

  

"first_seen": "string",

  

"last_seen": "string",

  

"edges": [

  

  

{

  

  

  

"type": "RESOLVES_TO",

  

  

  

"source": "www.example.com",

  

  

  

"target": "93.184.216.34",

  

  

  

"observed_at": "string",

  

  

  

"probe_id": "local-1",

  

  

  

"run_id": "run-1741824000"

  

  

}

  

]

}

GET

/api/v1/query/domains/{host}

Playground

Authorization

bearerAuth

Variables

Key

Value

host*

Samples

---

List discovered edges

GET

/api/v1/query/edges

Lists discovered edges with optional filtering by type, source, or target. Supports cursor-based pagination.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Query Parameters

cursor

Opaque pagination cursor from next_cursor in the previous response

Type

string

limit

Maximum items to return per page

Type

integer

Minimum

1

Maximum

1000

Default

50

type

Filter by edge type

Type

string

Valid values

"RESOLVES_TO""USES_NS""ALIAS_OF""USES_MX""LINKS_TO""USES_CERT"

source

Filter by source node

Type

string

target

Filter by target node

Type

string

Responses

Paginated edge list

Content-Type

application/json

{

  

"items": [

  

  

{

  

  

  

"type": "RESOLVES_TO",

  

  

  

"source": "www.example.com",

  

  

  

"target": "93.184.216.34",

  

  

  

"observed_at": "string",

  

  

  

"probe_id": "local-1",

  

  

  

"run_id": "run-1741824000"

  

  

}

  

],

  

"next_cursor": "string",

  

"total": 0,

  

"store": "string"

}

GET

/api/v1/query/edges

Playground

Authorization

bearerAuth

Variables

Key

Value

cursor

limit

type

source

target

Samples

---

List discovered IP nodes

GET

/api/v1/query/ips

Lists discovered IP addresses with optional search filtering. Supports cursor-based pagination.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Query Parameters

cursor

Opaque pagination cursor from next_cursor in the previous response

Type

string

limit

Maximum items to return per page

Type

integer

Minimum

1

Maximum

1000

Default

50

search

Substring or CIDR search on IP address

Type

string

Responses

Paginated IP list

Content-Type

application/json

{

  

"items": [

  

  

{

  

  

  

"ip": "93.184.216.34",

  

  

  

"first_seen": "string",

  

  

  

"last_seen": "string"

  

  

}

  

],

  

"next_cursor": "string",

  

"total": 0,

  

"store": "string"

}

GET

/api/v1/query/ips

Playground

Authorization

bearerAuth

Variables

Key

Value

cursor

limit

search

Samples

---

List discovered TLS certificate nodes

GET

/api/v1/query/certs

Lists discovered TLS certificates with optional search filtering by subject or issuer CN. Supports cursor-based pagination.

Authorizations

bearerAuth

API key issued by POST /api/v1/keys. Pass as Authorization: Bearer <key>.
Keys prefixed with spyder_ followed by 64 hex characters.

Type

HTTP (bearer)

Parameters

Query Parameters

cursor

Opaque pagination cursor from next_cursor in the previous response

Type

string

limit

Maximum items to return per page

Type

integer

Minimum

1

Maximum

1000

Default

50

search

Substring search on subject CN or issuer CN

Type

string

Responses

Paginated certificate list

Content-Type

application/json

{

  

"items": [

  

  

{

  

  

  

"spki_sha256": "abc123...",

  

  

  

"subject_cn": "example.com",

  

  

  

"issuer_cn": "Let's Encrypt Authority X3",

  

  

  

"not_before": "string",

  

  

  

"not_after": "string"

  

  

}

  

],

  

"next_cursor": "string",

  

"total": 0,

  

"store": "string"

}

GET

/api/v1/query/certs

Playground

Authorization

bearerAuth

Variables

Key

Value

cursor

limit

search

Samples

---

Authentication

All endpoints require an API key passed via the Authorization header:

Authorization: Bearer <api-key>

Keys have one of three scopes: read, write, or admin. See Authentication for details.

Base URL

http://localhost:9090/api/v1/