CT Watch

The search model

CT Watch archives certificates from the Certificate Transparency logs and lets you query them by domain. Search is the same whether you use the website, the ctw CLI, or the HTTP API directly.

What you query

You search by domain. By default CT Watch matches the apex and its subdomains, so a query for example.com returns certificates for example.com, www.example.com, api.example.com, and so on. Restrict it to the exact host with the CLI’s --exact flag (or subdomains=false on the API).

Internally domains are stored as a reversed apex (example.comcom.example) so a whole subtree is one contiguous range — that’s why subdomain search is cheap.

Local archive, then backfill

A query is answered in two steps:

  1. Local archive. CT Watch first serves matches from what it has already archived. The response’s source is local.
  2. Lazy backfill. On a miss (or a thin result), CT Watch reaches out to crt.sh, pulls the domain’s history, returns it, and archives it so the next query is local. That response’s source is backfill.

You can turn backfill off with backfill=false on the API, to query only what’s already archived and never reach out to crt.sh.

The HTTP endpoint

GET /search?q=example.com&subdomains=true&backfill=true&limit=100

| Param | Default | Meaning | |---|---|---| | q | — | the domain to search (required) | | subdomains | true | include subdomains of the apex | | backfill | true | allow a lazy crt.sh backfill on a miss | | limit | 100 | max rows (clamped to 1–10,000) |

The response:

{
  "query": "example.com",
  "source": "local",
  "count": 3,
  "certs": [ /* … */ ]
}

/search is public — no credential needed. An optional Bearer access token attributes the query to your account, counts it against your plan, and lifts the anonymous rate limit (see limits).

What’s in a result

Each cert carries its log_id and leaf_index, the entry_type (x509 or precert), the names it covers (reversed_apex + sans), the issuer, the validity window (not_before / not_after, epoch seconds), and the hex fingerprint and serial. The same shape appears in webhook payloads.