API Documentation
REST + TAXII 2.1 access to the HackerFeeds threat-intelligence feeds. JSON responses, Bearer-key auth, rate-limited per plan.
Quick start
The API works without auth for casual browsing (limited to 50 results per request, ~10 req/min per IP). For higher caps, generate an API key in your account settings.
# anonymous (rate-limited)
curl "https://api.hackerfeeds.com/api/ransomware?limit=10"
# authenticated
curl -H "Authorization: Bearer hf_XXXXXXXX" \
  "https://api.hackerfeeds.com/api/ransomware?limit=500"

The base URL above is illustrative — your deployment may differ. The current production endpoint is https://hackersfeeds-api.secaware.workers.dev while we transition to the custom domain.
Authentication
Authenticated requests carry a Bearer token issued from your account:
Authorization: Bearer hf_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Keys are 32 random bytes prefixed with hf_. Generated keys are shown once; store them somewhere safe. Each key carries scopes (see below) and an optional rate-limit override.
Manage keys: /account/api-keys
Scopes
Each key declares which operations it can perform. Older keys default to api:read + taxii:read.
| Scope | Description |
|---|---|
| api:read | Read public REST endpoints (ransomware, cves, defacements, breaches, search) |
| api:write | Reserved for future POST endpoints |
| taxii:read | Pull STIX 2.1 bundles via TAXII 2.1 |
| reports:read | Read previously generated reports |
| reports:write | Generate new reports programmatically |
| subscriptions:write | Create / delete watchlists |
| integrations:write | Configure outgoing integrations (Slack, webhooks, etc.) |
Endpoints
All responses include { rows, total, limit, capped, tier } so you can paginate and know when you’re hitting your plan cap.
| Method | Path | Description |
|---|---|---|
| GET | /api/ransomware?limit=N&country=US&group=qilin&severity=critical | Ransomware victim feed (ransomware.live + custom sources) |
| GET | /api/cves?limit=N&severity=critical&kev=1 | CVE feed from NVD + KEV catalog |
| GET | /api/defacements?limit=N&country=DE&tier=gov | Web defacements aggregated from Zone-H + mirrors |
| GET | /api/breaches?limit=N&severity=critical | Data-breach index (HIBP + paste-site crawlers) |
| GET | /api/search?q=lockbit&type=ransomware&limit=50 | Cross-feed full-text search |
| GET | /api/rl/groups?limit=N | Threat actor group directory (ransomware.live Pro) |
| GET | /api/rl/groups/:name | Detailed dossier for a single group |
| GET | /api/rl/iocs?limit=N&type=domain | IOCs (indicators of compromise) — IPs, domains, hashes |
| GET | /api/rl/press?limit=N | Threat-actor press statements + group communications |
Example response (ransomware feed):
{
"rows": [
{
"id": "evt_abc123",
"victim": "Acme Corp",
"group": "qilin",
"country": "US",
"sector": "Technology",
"severity": "critical",
"published_at": "2026-05-24T08:12:00Z",
"description": "..."
}
],
"total": 234,
"limit": 50,
"capped": true,
"tier": "anon"
}

Rate limits & result caps
| Tier | Request rate | Result cap |
|---|---|---|
| Anonymous | 10 req/min | 50 results / request |
| Free | 100 req/hour | 500 results / request |
| Pro | 10 000 req/hour | 5 000 results / request |
| Business | 100 000 req/hour | 50 000 results / request |
When your response is capped, it carries capped: true, and total tells you how many rows matched. Upgrade your plan or paginate via ?offset=N (where supported).
Errors
Standard HTTP semantics. All errors return JSON:
{ "error": "Plan limit reached: max_subscriptions=5",
"limit_key": "max_subscriptions",
"current": 5 }

| Status | Meaning |
|---|---|
| 400 | Invalid params / malformed JSON |
| 401 | Missing or invalid Bearer token (when scope required) |
| 402 | Plan limit reached — see limit_key for which one |
| 403 | Key lacks required scope |
| 429 | Rate-limited; check Retry-After header |
| 5xx | Server error — retry with backoff |
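A paging loop that follows the capped/total fields and the error table above, as an added example that is not HackerFeeds code. `fetch_all`, `get_with_retry` and the injected `get(path, params)` transport are hypothetical names; it assumes the endpoint supports ?offset=N and that Retry-After is given in seconds.

```python
import time


def get_with_retry(get, path, params, max_retries=4, sleep=time.sleep):
    """Call get() until it returns 200, honouring the documented 429 / 5xx rules."""
    for attempt in range(max_retries + 1):
        status, headers, body = get(path, params)
        if status == 200:
            return body
        if status == 429:
            delay = float(headers.get("Retry-After", 1))  # assumed delta-seconds form
        elif status >= 500:
            delay = min(2 ** attempt, 30)                  # exponential backoff, capped
        else:
            # 400 / 401 / 402 / 403 will not succeed on retry: surface the JSON error.
            raise RuntimeError(f"HTTP {status}: {body.get('error')}")
        if attempt < max_retries:
            sleep(delay)
    raise RuntimeError(f"gave up after {max_retries + 1} attempts (last HTTP {status})")


def fetch_all(get, path, page_size=500, max_retries=4, sleep=time.sleep):
    """Collect every matching row, advancing by the rows actually returned."""
    rows, seen, offset = [], set(), 0
    while True:
        params = {"limit": page_size, "offset": offset}
        body = get_with_retry(get, path, params, max_retries, sleep)
        page = body["rows"]
        # If an endpoint ignores offset it returns the same rows again; stop rather
        # than ingest duplicates into the downstream store.
        if any(r["id"] in seen for r in page):
            raise RuntimeError("rows repeated: offset not supported on this endpoint")
        seen.update(r["id"] for r in page)
        rows.extend(page)
        # A capped plan may return fewer rows than requested, so never add page_size.
        offset += len(page)
        if not page or offset >= body["total"]:
            return rows
```
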
TAXII 2.1 / STIX 2.1
We also speak TAXII 2.1 for direct ingestion into MISP, OpenCTI, Splunk and other CTI platforms. Each feed is a TAXII collection; you receive STIX 2.1 bundles.
# TAXII discovery
curl -H "Authorization: Bearer hf_XXXX" \
https://api.hackerfeeds.com/taxii2/
# List collections
curl -H "Authorization: Bearer hf_XXXX" \
https://api.hackerfeeds.com/taxii2/api/collections/
# Pull a feed
curl -H "Authorization: Bearer hf_XXXX" \
https://api.hackerfeeds.com/taxii2/api/collections/ransomware/objects/

TAXII access requires the taxii:read scope and a paid plan.
Outgoing webhooks
Configure outbound webhooks for alerts in /account/integrations. Every request is signed:
POST https://your-server.example/hackerfeeds-webhook
Content-Type: application/json
X-HackerFeeds-Event-Id: evt_abc123
X-HackerFeeds-Timestamp: 1779621487
X-HackerFeeds-Signature: sha256=<hex>

{"id":"evt_abc123","kind":"ransomware","title":"...","severity":"critical","ts":"..."}

The signature is HMAC-SHA256(signing_secret, raw_body). Reject any request where the signature doesn’t match — the secret is shown once on integration creation.
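A receiver-side check for the signature described above, as an added example that is not HackerFeeds code. `verify_webhook`, `sign` and the sample secret are hypothetical; it assumes the signing secret is used as raw bytes and that the body's `id` field identifies the event.

```python
import hashlib
import hmac
import json

# Constructed sample values for local testing; not real HackerFeeds data.
SAMPLE_SECRET = b"constructed-signing-secret"
SAMPLE_BODY = b'{"id":"evt_abc123","kind":"ransomware","title":"...","severity":"critical","ts":"..."}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Build the header value in the documented form: sha256=<hex HMAC-SHA256>."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, signature_header: str, seen_ids: set) -> dict:
    """Return the parsed event if the signature matches and the event id is new."""
    scheme, _, sent_hex = (signature_header or "").partition("=")
    if scheme != "sha256" or not sent_hex:
        raise ValueError("missing or unsupported signature")
    # MAC the exact bytes received, before any JSON parsing or re-serialisation.
    expected = sign(secret, raw_body).partition("=")[2]
    # compare_digest is constant-time; bytes inputs avoid a TypeError on non-ASCII headers.
    if not hmac.compare_digest(expected.encode(), sent_hex.strip().lower().encode()):
        raise ValueError("signature mismatch")
    event = json.loads(raw_body)
    # Replay guard on the id inside the signed body. As documented, the MAC covers only
    # raw_body, so the X-HackerFeeds-Event-Id and -Timestamp headers are not authenticated.
    if event["id"] in seen_ids:
        raise ValueError("duplicate event")
    seen_ids.add(event["id"])
    return event
```

In a web framework, pass the unparsed request bytes as `raw_body`; a body that has been decoded and re-encoded may no longer match the signature.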
SDKs & tools
No official SDKs yet — the API is small enough to call from any HTTP client. A few known-good integrations:
- MISP / OpenCTI — configure HackerFeeds as a TAXII 2.1 source
- Splunk / Sentinel / Sumo — wire as an integration in /account/integrations; we’ll push alerts via their HEC/REST APIs
- Tines / XSOAR — same; native dispatchers ship out of the box
- n8n / Zapier — use the generic webhook integration kind

