CT Logs
developer/v1/domain/ct-logsSearches Certificate Transparency (CT) logs for certificates issued for a domain via the crt.sh aggregator. Supports cursor-style pagination (offset, limit up to 100) and ISO-8601 `since` filtering for polling-style CT monitoring. Default cache TTL is 30 minutes so newly-issued certs surface quickly.
What It Does
Queries crt.sh for CT log entries matching the domain. Returns deduplicated entries with issuer name, log entry timestamp, and crt.sh certificate ID. When `truncated: true`, the `pagination.next_offset` field gives the cursor for the next page. The optional `since` parameter filters to entries logged at or after the supplied timestamp — pair it with a short polling interval to detect unauthorized issuance in near real time.
Why It's Useful
CT log entries reveal patterns invisible in the active certificate alone: CA changes over time, certificate churn rates, subdomain discovery through historical SANs, and detection of unauthorized issuance. With `since` filtering plus the 30-minute cache, this endpoint becomes a polling-friendly monitor rather than a one-shot historical view.
Use Cases
Historical Subdomain Enumeration
Discover subdomains from expired and historical certificates that no longer appear in the active certificate or DNS records.
Find forgotten subdomains and legacy infrastructure not visible through current DNS enumeration.
Unauthorized Issuance Detection
Search CT log history for certificates issued by unauthorized CAs or for unexpected subdomains.
Detect rogue certificate issuance that could indicate domain compromise or CA misbehavior.
Certificate Lifecycle Analysis
Analyze CA usage patterns over time — certificate rotation frequency, issuer changes, and automation effectiveness.
Optimize certificate management by identifying lifecycle patterns and automation gaps.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | The domain to search CT logs forExample: example.com |
offset | number | Optional | Cursor — skip the first N entries (use response.pagination.next_offset to advance).Example: 0 |
limit | number | Optional | Page size, 1–100 (default: 20).Example: 20 |
since | string | Optional | ISO-8601 timestamp; only return entries logged at or after this time. Use with periodic polling for unauthorized-issuance monitoring.Example: 2026-05-01T00:00:00Z |
Response Fields
| Field | Type | Description |
|---|---|---|
domain | string | The queried domain |
certificates | array | Certificate entries from CT logs with issuer, timestamp, and id |
scts | array | [deprecated] Alias for certificates — will be removed once clients migrate. |
hasSCTs | boolean | Whether certificate entries were found in CT logs |
count | number | Total certificate entries returned in this page |
truncated | boolean | Whether results were truncated — more entries exist beyond the current page. See pagination.next_offset. |
source | string | Data source (crt.sh aggregator) |
note | string | Additional context about the CT log search |
pagination | object | { offset, limit, next_offset } — next_offset is the cursor to use for the next page when truncated is true. |
since | string | null | Echo of the since filter that was applied (null when unset). |
embedded_sct | object | null | Phase 2: real embedded SCT count parsed from the cert's 1.3.6.1.4.1.11129.2.4.2 extension. { count, chrome_compliant, note }. Chrome policy requires ≥2 SCTs from distinct operators (≥3 for ≥180-day certs issued after 2022-04-15). Distinct-operator verification is approximated by raw count — full op-distinctness needs the CT log registry (Phase 2 follow-on). |
Code Examples
curl "https://api.edgedns.dev/v1/domain/ct-logs" \
-H "Authorization: Bearer YOUR_API_KEY" \
-d "domain=example.com"const response = await fetch(
'https://api.edgedns.dev/v1/domain/ct-logs?domain=example.com',
{
headers: {
'Authorization': 'Bearer YOUR_API_KEY'
}
}
);
const data = await response.json();
console.log(data);import requests
response = requests.get(
'https://api.edgedns.dev/v1/domain/ct-logs',
headers={'Authorization': 'Bearer YOUR_API_KEY'},
params={
'domain': 'example.com'
}
)
data = response.json()
print(data)Read the full CT Logs guide
Why it matters, real-world use cases, parameters, response fields, and how to call it from Claude, ChatGPT, or Gemini via MCP.
Read the guide →Related Endpoints
External References
Learn more about the standards and protocols behind this endpoint.