# Subresource Integrity API
> Generate Subresource Integrity (SRI) hashes for any web asset, so browsers can verify that a CDN-hosted script or stylesheet has not been tampered with. Pass a URL and the service fetches the asset and returns its sha256, sha384 and sha512 SRI hashes, the chosen integrity value (sha384 by default, or pass your preferred algorithm), the asset's size and content type, and a ready-to-paste <script> or <link> tag complete with the integrity and crossorigin attributes. A verify endpoint re-fetches the asset and tells you whether it still matches a known integrity string — catching silent CDN changes or supply-chain tampering before your users hit them. The request is made server-side; private and internal targets are refused (SSRF-guarded). Built for securing third-party scripts, supply-chain hardening, build pipelines and CSP/SRI compliance. A Subresource Integrity generator and verifier — distinct from raw cryptographic hashing of input data (hash), the HTTP security-header grader (secheaders) and the SSL/TLS certificate check (sslcheck). No upstream key, no cache.

## Authentication
All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys.

```bash
curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/sri-api/..."
```

## Pricing
- **Free** (Free) — 2,300 calls/Mo, 2 req/s
- **Starter** ($7/Mo) — 45,500 calls/Mo, 8 req/s
- **Pro** ($21/Mo) — 234,000 calls/Mo, 20 req/s
- **Mega** ($56/Mo) — 865,000 calls/Mo, 50 req/s

## Endpoints

### Subresource Integrity

#### `GET /v1/generate` — SRI hashes + tag for an asset

**Parameters:**
- `url` (query, required, string) — Asset URL (script/style/file) Example: `https://example.com`
- `algorithm` (query, optional, string) — sha256, sha384 (default) or sha512

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/sri-api/v1/generate?url=https%3A%2F%2Fexample.com"
```

#### `GET /v1/verify` — Verify a URL matches an integrity

**Parameters:**
- `url` (query, required, string) — Asset URL Example: `https://example.com`
- `integrity` (query, required, string) — Expected sha256/384/512-... value Example: `sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/sri-api/v1/verify?url=https%3A%2F%2Fexample.com&integrity=sha384-oqVuAfXRKap7fdgcCY5uykM6%2BR9GqQ8K%2Fuxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
```

### Meta

#### `GET /v1/meta` — Algorithms & limits

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/sri-api/v1/meta"
```


---
Marketplace page: https://www.oanor.com/api/sri-api
OpenAPI spec: https://www.oanor.com/api/sri-api/openapi.json