host.tools
REST API · v1

Every tool, scriptable.

JSON in, JSON out. Identical payloads to the web UI. Public, rate-limited, no key required for the free tier. 80 endpoints across 13 categories.

/api/v1/tools.json /api/v1/detect
1. Discover
GET /api/v1/tools.json

Every tool with its slug, category, accepted inputs, and live-stream support.

2. Smart-detect
GET /api/v1/detect?q=…

Type detector + default tool slug + suggested related tools.

3. Run
GET /api/v1/<slug>?q=…

Universal envelope: {ok, slug, ms, source, data}.

Universal response envelope

Every successful tool call returns this shape:

{
  "ok": true,                   // false on validation/runtime error
  "slug": "dns/lookup",         // the tool you called
  "title": "DNS lookup (dig)",  // human-readable name
  "ms": 42,                     // server-side time spent
  "source": "live" | "cache",   // whether the answer was memoised
  "data": { ... },              // the tool-specific payload
  "meta": { ... }               // optional extras
}

Endpoint reference

All 80 tools, organised by category. Click any slug for the live web view.

DNS

— Records, propagation, trace, DNSSEC, zone transfer 7 tools
Method Endpoint Description Streams?
GET /api/v1/dns/lookup Query A, AAAA, MX, TXT, CNAME, NS, SOA, SRV, CAA, PTR — all types at once.
GET /api/v1/dns/propagation Query 15 global resolvers — see if your DNS change has propagated worldwide. SSE
GET /api/v1/dns/reverse Find the PTR / hostname for an IPv4 or IPv6 address.
GET /api/v1/dns/trace Walk the resolution chain: TLD → authoritative NS → final answer.
GET /api/v1/dns/wildcard Detect catch-all wildcard records on a domain.
GET /api/v1/dns/zone-transfer Check whether your authoritative name servers leak the full zone via AXFR.
GET /api/v1/dns/dnssec Check the DS / DNSKEY chain to see whether DNSSEC is signed for a zone.

IP

— Geolocation, WHOIS, ASN, reverse, subnet calc 7 tools
Method Endpoint Description Streams?
GET /api/v1/ip/asn Resolve an IP or AS number to its autonomous system, prefixes, country.
GET /api/v1/ip/geo Country, region, city, ASN, org, timezone, abuse contact for any IP.
GET /api/v1/ip/reverse Find other domains that resolve to the same IP.
GET /api/v1/ip/subnet Network, broadcast, host range, mask, wildcard, hex, binary, total hosts.
GET /api/v1/ip/type Datacenter, residential, mobile, Tor, VPN or proxy classification.
GET /api/v1/ip/whois Direct port-43 WHOIS at the appropriate RIR (ARIN, RIPE, APNIC, LACNIC, AFRINIC).
GET /api/v1/ip/me Show your public IPv4/IPv6 with geolocation and ASN.

Domain

— WHOIS, availability, IDN, TLD info, subdomains 4 tools
Method Endpoint Description Streams?
GET /api/v1/domain/availability Check if a name is available across 20+ popular TLDs.
GET /api/v1/domain/punycode Convert internationalised domain names to/from xn-- ASCII form.
GET /api/v1/domain/whois Registrar, dates, name servers, contacts, DNSSEC status.
GET /api/v1/domain/subdomains Discover subdomains via Certificate Transparency logs (crt.sh).

SSL/TLS

— Certificate info, chain, HSTS, expiry 2 tools
Method Endpoint Description Streams?
GET /api/v1/ssl/hsts Is your domain on the Chromium HSTS preload list?
GET /api/v1/ssl/cert Issuer, SAN, validity, fingerprints, full chain — for any TLS endpoint.

HTTP

— Headers, security headers, redirects, robots, sitemap 13 tools
Method Endpoint Description Streams?
GET /api/v1/http/hreflang Find every <link rel="alternate" hreflang="…"> on a page and validate it.
GET /api/v1/http/headers Capture every response header, follow redirects, time each hop.
GET /api/v1/http/open-graph Preview how your URL looks when shared on Facebook, Twitter, LinkedIn, Slack.
GET /api/v1/http/page-weight Real-network fetch with full timing breakdown — DNS / connect / TLS / TTFB / total / payload size / compression.
GET /api/v1/http/redirects Step-by-step view of every redirect with status, latency and location.
GET /api/v1/http/robots Fetch and parse robots.txt — User-agent groups, Disallow/Allow, Sitemap, Crawl-delay.
GET /api/v1/http/schema Pull JSON-LD blocks from a page and validate the @type / required fields.
GET /api/v1/http/security-headers A+ to F grade for HSTS, CSP, X-Frame-Options, COOP, Referrer-Policy and more.
GET /api/v1/http/sitemap Fetch and parse sitemap or sitemap-index, list URLs with lastmod, priority.
GET /api/v1/http/status Quick, single-shot status code + content-type for any URL.
GET /api/v1/http/tech CMS, framework, server, CDN, analytics fingerprints.
GET /api/v1/http/inspect Indexability, canonical, robots, hreflang, schema, security — all in one.
GET /api/v1/http/well-known Probe RFC 8615 .well-known files: security.txt, change-password, openid, mta-sts, etc.

Email

— MX, SMTP, SPF, DKIM, DMARC, blacklists 7 tools
Method Endpoint Description Streams?
GET /api/v1/email/blacklist Query 16+ public RBLs in parallel — Spamhaus, Barracuda, Spamcop, SORBS, more.
GET /api/v1/email/dkim Look up DKIM keys for any selector. Auto-tries common selectors.
GET /api/v1/email/dmarc Parse the DMARC record, classify policy, list aggregate/forensic recipients.
GET /api/v1/email/auth SPF + DKIM + DMARC + BIMI + MTA-STS + TLS-RPT in a single shot.
GET /api/v1/email/mx Resolve mail-exchange records, sort by priority, banner-test SMTP.
GET /api/v1/email/smtp Connect, EHLO, STARTTLS, capture banner & supported extensions.
GET /api/v1/email/spf Inspect, validate, expand a domain's SPF record. Lookup-budget aware.

Network

— Ping, traceroute, port scan, multi-region live checks 5 tools
Method Endpoint Description Streams?
GET /api/v1/network/http TTFB, status, redirect chain from each region. SSE
GET /api/v1/network/ping Ping from probe nodes worldwide. Streams per region. SSE
GET /api/v1/network/tcp Open / closed / filtered status of any TCP port from each region. SSE
GET /api/v1/network/port Probe the most-common 20 service ports — or a custom list.
GET /api/v1/network/traceroute Stream every hop with RTT — Windows tracert / Linux traceroute under the hood. SSE

Security

— Cookies, CORS, CSP analyser 2 tools
Method Endpoint Description Streams?
GET /api/v1/security/cookies Inspect Set-Cookie headers — Secure / HttpOnly / SameSite / domain / path.
GET /api/v1/security/cors Probe Access-Control-* headers from a chosen Origin & method.

Encoders

— Base64, URL, HTML entities, hash, HMAC, JWT, data: URI 7 tools
Method Endpoint Description Streams?
GET /api/v1/utility/base64 Standard and URL-safe Base64 in both directions.
GET /api/v1/utility/hash MD5, SHA1, SHA224, SHA256, SHA384, SHA512, CRC32, BLAKE2 — for any text.
GET /api/v1/utility/hmac HMAC-SHA1/256/512 of any text with any key.
GET /api/v1/utility/html-entities Encode special characters to entities, or decode them back.
GET /api/v1/utility/data-uri Fetch an image from URL and base64-encode it as a data: URI for inlining.
GET /api/v1/utility/jwt Decode header, payload, signature. Show alg, typ, claims, expiry status.
GET /api/v1/utility/url percent-encode + parse a URL into scheme, host, path, query.

Generators

— Passwords, UUIDs, QR, lorem, .htaccess, robots, sitemap, CSP, htpasswd 9 tools
Method Endpoint Description Streams?
GET /api/v1/utility/csp-builder Build a Content-Security-Policy from sane defaults — strict, modern, copy-paste ready.
GET /api/v1/utility/htaccess Generate .htaccess for HTTPS redirect, www canonicalisation, gzip, headers, hotlink block.
GET /api/v1/utility/htpasswd Apache htpasswd hashes (bcrypt, SHA, APR1) for any user/password.
GET /api/v1/utility/lorem Filler text in paragraphs, sentences, words or list items.
GET /api/v1/utility/password Strong passwords with adjustable length, charset, entropy meter.
GET /api/v1/utility/qr Generate a QR code for any URL or text — PNG/SVG download.
GET /api/v1/utility/robots-gen Generate a robots.txt with sensible disallows, sitemap declaration, optional bot blocks.
GET /api/v1/utility/sitemap-gen Build a sitemap.xml from a URL list. Supports lastmod, priority, changefreq.
GET /api/v1/utility/uuid Generate UUID v4 / v7 / nil. Decode UUIDv1 timestamp.

Converters

— JSON / YAML / CSV, color, case, number-base, timestamp, markdown 8 tools
Method Endpoint Description Streams?
GET /api/v1/utility/case camelCase, snake_case, kebab-case, PascalCase, SCREAMING_SNAKE, Title Case, sentence case.
GET /api/v1/utility/color HEX ↔ RGB ↔ HSL ↔ HSV ↔ CMYK with on-the-fly preview.
GET /api/v1/utility/csv-json Auto-detect and convert CSV to JSON, or JSON to CSV. Handles quoted fields, custom delimiters.
GET /api/v1/utility/json Pretty-print, validate, minify JSON. Reports the exact error position.
GET /api/v1/utility/markdown Render markdown to safe HTML, or strip HTML tags back to plain markdown.
GET /api/v1/utility/number-base Convert between binary, octal, decimal, hex (base 2 / 8 / 10 / 16) plus arbitrary base.
GET /api/v1/utility/timestamp Unix epoch ↔ ISO 8601 ↔ RFC 2822, multiple timezones.
GET /api/v1/utility/yaml-json Convert between YAML and JSON. Auto-detects direction.

Text

— Diff, regex, text stats, slug 4 tools
Method Endpoint Description Streams?
GET /api/v1/utility/regex Test PCRE patterns, capture groups, named captures and replacement.
GET /api/v1/utility/slug URL-safe slugs from any text — handles unicode, whitespace, casing.
GET /api/v1/utility/diff Line-by-line diff between two text blocks. Insertions, deletions, unchanged.
GET /api/v1/utility/text-stats Characters, words, sentences, lines, reading time, byte length.

Reference

— HTTP status codes, well-known ports, User-Agent, MAC OUI, cron 5 tools
Method Endpoint Description Streams?
GET /api/v1/utility/cron Translate cron syntax to plain English and preview the next 10 fire times.
GET /api/v1/utility/http-status Quick reference for every HTTP status — 100 to 599. RFC reference + safe to retry.
GET /api/v1/utility/mac-oui Identify the manufacturer behind a MAC address (first 24 bits = OUI).
GET /api/v1/utility/ports TCP/UDP service-port reference. Lookup a number, see the protocol.
GET /api/v1/utility/user-agent Parse User-Agent strings — browser, engine, OS, device, bot detection.

Hands-on examples

Real curl commands, real responses (live).

DNS
# All record types
curl -s 'https://host.tools/api/v1/dns/lookup?q=host.com&type=ALL'

# MX records only
curl -s 'https://host.tools/api/v1/dns/lookup?q=host.com&type=MX'

# Multi-resolver propagation
curl -s 'https://host.tools/api/v1/dns/propagation?q=host.com&type=A'

# Live stream from 15 global resolvers
curl -N 'https://host.tools/stream/dns/propagation?q=host.com&type=A'
IP & ASN
# Geolocation, ASN, ISP, org, abuse
curl -s 'https://host.tools/api/v1/ip/geo?q=1.1.1.1'

# RIR WHOIS
curl -s 'https://host.tools/api/v1/ip/whois?q=8.8.8.8'

# ASN lookup (Team Cymru)
curl -s 'https://host.tools/api/v1/ip/asn?q=AS13335'

# CIDR calculator
curl -s 'https://host.tools/api/v1/ip/subnet?q=10.0.0.0/8'
SSL / TLS
# Certificate inspector
curl -s 'https://host.tools/api/v1/ssl/cert?q=host.com'

# HSTS preload status
curl -s 'https://host.tools/api/v1/ssl/hsts?q=host.com'
HTTP / SEO
# Headers + redirect chain + tech
curl -s 'https://host.tools/api/v1/http/headers?q=https://host.com'

# Security-headers grader (A+ … F)
curl -s 'https://host.tools/api/v1/http/security-headers?q=https://host.com'

# GSC-style URL inspector
curl -s 'https://host.tools/api/v1/http/inspect?q=https://host.com'

# robots.txt + sitemap.xml
curl -s 'https://host.tools/api/v1/http/robots?q=host.com'
curl -s 'https://host.tools/api/v1/http/sitemap?q=host.com'
Email auth
# Everything at once: SPF + DKIM + DMARC + BIMI + MTA-STS + TLS-RPT
curl -s 'https://host.tools/api/v1/email/auth?q=host.com'

# Individual
curl -s 'https://host.tools/api/v1/email/spf?q=host.com'
curl -s 'https://host.tools/api/v1/email/dmarc?q=host.com'
curl -s 'https://host.tools/api/v1/email/dkim?q=host.com&selector=google'

# 16+ blacklist (RBL) check
curl -s 'https://host.tools/api/v1/email/blacklist?q=8.8.8.8'
Network — live multi-region
# Streaming ping from every probe region
curl -N 'https://host.tools/stream/network/ping?q=host.com'

# HTTP availability across regions
curl -N 'https://host.tools/stream/network/http?q=https://host.com'

# Port scanner (top-20 services)
curl -s 'https://host.tools/api/v1/network/port?q=host.com'

# Live traceroute (SSE stream of hops)
curl -N 'https://host.tools/stream/network/traceroute?q=host.com'
Utilities
# Hash everything (md5, sha1, sha256, sha512, …)
curl -s 'https://host.tools/api/v1/utility/hash?text=hello'

# JWT decoder
curl -s 'https://host.tools/api/v1/utility/jwt?token=eyJhbGc...'

# UUID v4/v7 generator
curl -s 'https://host.tools/api/v1/utility/uuid?count=5&version=7'

# Password generator with entropy meter
curl -s 'https://host.tools/api/v1/utility/password?length=24&count=3'
Domain
# Direct port-43 WHOIS at the right registry
curl -s 'https://host.tools/api/v1/domain/whois?q=host.com'

# Multi-TLD availability sweep
curl -s 'https://host.tools/api/v1/domain/availability?q=mygreatname'

# Subdomain enumeration via CT logs
curl -s 'https://host.tools/api/v1/domain/subdomains?q=host.com'

Server-Sent Events (live streams)

Long-running tools (DNS propagation, multi-region ping/HTTP/TCP, traceroute) push frames as nodes report. Subscribe with EventSource:

// Browser
const es = new EventSource('https://host.tools/stream/network/ping?q=host.com');
es.addEventListener('node', e => console.log('region:', JSON.parse(e.data)));
es.addEventListener('done', e => es.close());

# Shell
curl -N 'https://host.tools/stream/network/ping?q=host.com'

Rate limits & auth

Free
100 / hour, no key required
x-ratelimit-bucket: ip
Pro
10,000 / day, X-API-Key header
x-ratelimit-bucket: key
Enterprise
100,000+ / day, custom limits
private probe nodes available

Standard error codes

StatuserrorWhen
200success ({"ok": true})
400missing_input / invalid_*malformed parameters
404not_foundunknown slug or zero records
429rate_limitedover per-bucket quota
500tool_failedruntime error inside the tool

SDK snippets

JavaScript
const r = await fetch(
  'https://host.tools/api/v1/dns/lookup?q=host.com&type=MX'
);
const data = await r.json();
console.log(data.data.records);
Python
import requests
r = requests.get(
  'https://host.tools/api/v1/dns/lookup',
  params={'q': 'host.com', 'type': 'MX'}
).json()
print(r['data']['records'])
PHP
$j = json_decode(file_get_contents(
  'https://host.tools/api/v1/dns/lookup?q=host.com&type=MX'
), true);
print_r($j['data']['records']);