#security

Look up software vulnerabilities by their CVE identifier and get clean, structured details — title, description, CVSS score, severity and vector, CWE weakness types, affected vendors and products with version ranges, and reference links — plus search every CVE that affects a given vendor or product, and stream the most recently published CVEs. Sourced from the CIRCL CVE Search service over the official CVE Record 5.1 data and returned as tidy JSON through a fast, reliable API. Ideal for vulnerability management and SOC tooling, DevSecOps and SCA pipelines, security dashboards, compliance and asset-risk monitoring.

api.oanor.com/cve-api

Hash and verify passwords with bcrypt, server-side. Generate a salted bcrypt hash at a cost factor you choose (4–14), check a plaintext password against an existing hash, or inspect a hash to read its bcrypt version, cost factor and salt. Fully compatible with bcrypt hashes from PHP ($2y$), Node, Python and others, so you can verify and migrate existing credentials. Pure server-side computation with no third-party upstream, so it is always available — and it offloads the deliberately CPU-intensive hashing work from your own servers. Ideal for adding password authentication, credential migration, auth tooling, testing and no-code backends.

api.oanor.com/bcrypt-api

Add and test two-factor authentication without wrangling a crypto library. Generate a fresh base32 secret with a ready-to-scan otpauth URI, compute the current time-based one-time code (RFC 6238), verify a code submitted by a user with an adjustable drift window, or build an otpauth:// URI for any secret. Supports SHA-1, SHA-256 and SHA-512, 6 to 8 digits and a custom period, and is fully compatible with Google Authenticator, Authy, 1Password and other authenticator apps. Pure server-side computation with no third-party upstream, so responses are instant and the service is always available. Ideal for adding 2FA to apps, authentication tooling, QA and testing, and no-code automation.

api.oanor.com/totp-api

A fast, fully-local JSON Web Token toolkit: sign a JSON payload into a JWT, verify a token signature together with its exp and nbf claims using a constant-time comparison, and decode a token header and payload without verifying. Supports the HMAC algorithms HS256, HS384 and HS512, automatically adds the iat claim and an exp claim from expires_in. Built on Node crypto and secrets are never logged, so responses are instant, private and always available. Every endpoint accepts input via the query string or the request body. Ideal for authentication, API gateways, session and token tooling, microservices and webhooks.

api.oanor.com/jwt-api

A fast, fully-local MIME and file-type toolkit: look up the MIME type, charset and category for a filename or extension, list every file extension registered for a MIME type, and detect a file's real type from its leading magic bytes (over 40 signatures, including RIFF container disambiguation for WEBP, WAV and AVI), accepting hex or base64 input. Every endpoint accepts input via the query string or the request body. Pure server-side compute, no third-party upstream, so responses are instant and always available. Ideal for upload validation, security (verify a file's real type against its claimed extension), CDNs and content pipelines.

api.oanor.com/mime-api

A fast, fully-local password toolkit: generate cryptographically-secure random passwords (configurable length, character classes and exclude-similar), estimate password strength (entropy bits, a 0-4 score, character-class breakdown, common-password detection, an offline crack-time estimate and actionable feedback), and create memorable diceware-style passphrases. Built on Node crypto, no third-party upstream, and inputs are never logged — so responses are instant, private and always available. Ideal for signup and account flows, admin tools, password managers and security features.

api.oanor.com/password-api

Browse and search the official FBI Wanted list — fugitives, missing persons, terrorists and seeking-information cases — with charges, cautions, rewards, physical descriptions, field offices and photos. Useful for news, public-safety, security-research and OSINT apps.

api.oanor.com/fbi-api

Resolve DNS records — A, AAAA, MX, NS, TXT, CNAME, SOA, SRV, CAA, PTR — for any domain, fetch all common records in a single call, or run a reverse PTR lookup for an IPv4 address. Backed by Google DNS-over-HTTPS. Ideal for devops tooling, uptime and email-deliverability checks (SPF/DKIM/DMARC), security research and domain monitoring.

api.oanor.com/dns-api