The Certificate Transparency Log API lets you search Certificate Transparency (CT) logs by domain name or by the SHA-256 of a certificate's DER encoding. It is useful for discovering hostnames, mapping out a domain's attack surface and tracking certificate issuance over time.
The API exposes three endpoints:
GET /api/v1/domain/{domain}returns the certificates that match a domainGET /api/v1/domain/{domain}/hostnamesreturns all hostnames associated with a domainGET /api/v1/cert/{sha256}returns the certificate for a given SHA-256 hash
Below is a sample response for a single certificate record:
{ "hash": "e5e217863ae00d4f5cba5ef0b1714d652f7bc8ab6dd41ddbd5724d7a806f1642", "subject_cn": "shodan.io", "issuer_cn": "R13", "not_before": 1772443000, "not_after": 1780218999, "san_dns_names": ["shodan.io"]}The not_before and not_after timestamps are Unix epoch seconds. To list every hostname that has appeared in a CT log for a given domain you can use the following Python snippet:
import requests
domain = "shodan.io"response = requests.get(f"https://ctl.shodan.io/api/v1/domain/{domain}/hostnames")hostnames = response.json()
for hostname in hostnames: print(hostname)