Every request to the OSM API requires an API token passed as a Bearer token in the Authorization header. Tokens are tied to your OSM account, so all API activity is associated with your profile.

Get an API token

To generate a token, you need an OSM account. If you don’t have one yet, sign in at opensourcemalware.com/auth using your GitHub account or email address. Once signed in:
  1. Go to your profile settings.
  2. Find the API tokens section.
  3. Generate a new token.
Your token is displayed once at generation time. It uses the osm_ prefix — for example, osm_a1b2c3d4e5f6.
Copy your token immediately after generating it. OSM does not display the full token value again after you leave the page. If you lose a token, revoke it and generate a new one.

Use the token in API requests

Pass your token in the Authorization header as a Bearer token on every request:
curl -X GET "https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=domain&resource_identifier=c2-server.malware.net" \
  -H "Authorization: Bearer osm_your_token"
The header format is always:
Authorization: Bearer osm_your_token

Rate limits

OSM enforces rate limits per account to ensure reliable service for all users. Limits are based on your account plan:
Plan        Requests per minute
Standard    60
Pro         180
If you exceed your rate limit, the API returns a 429 Too Many Requests response. See the rate limits reference for details on headers, retry behavior, and upgrading your plan.

Invalid or missing token

If your token is missing, malformed, or has been revoked, the API returns a 401 Unauthorized response:
{
  "error": "Unauthorized",
  "message": "Missing or invalid Authorization header"
}
Common causes:
  • The Authorization header is not included in the request
  • The token was revoked or deleted from your profile settings
  • The header value is malformed (for example, missing the Bearer prefix)
If you receive a 401, verify that the header is formatted correctly and that the token is still active in your profile settings.
Tokens are scoped to your account. Do not share tokens across team members — each person should generate their own token so activity can be tracked accurately and tokens can be revoked independently.
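As an added example (not code from OSM), these shell functions wrap the curl request shown earlier: they read the token from the environment, reject a value that could only produce a 401 before anything is sent, and hand the header to curl on stdin so the token is not in curl's argument list. The `OSM_API_TOKEN` variable name and the `osm_*` function names are assumptions.

```bash
#!/bin/sh
# Added example, not OSM tooling. OSM_API_TOKEN and osm_* names are assumptions.
OSM_API="https://api.opensourcemalware.com/functions/v1/check-malicious"

# Build the Authorization header from $OSM_API_TOKEN; refuse to proceed on a
# token that would only earn a 401 (unset, wrong prefix, stray whitespace).
osm_auth_header() {
  local token="${OSM_API_TOKEN:-}"
  [ -n "$token" ] || { echo "OSM_API_TOKEN is not set" >&2; return 1; }
  case "$token" in
    osm_?*) ;;
    *) echo "token lacks the osm_ prefix" >&2; return 1 ;;
  esac
  # A pasted token often carries a trailing newline or space; reject it.
  if [ "$token" != "$(printf '%s' "$token" | tr -d '[:space:][:cntrl:]')" ]; then
    echo "token contains whitespace or control characters" >&2; return 1
  fi
  printf 'Authorization: Bearer %s\n' "$token"
}

# Translate the status codes this page documents into the next action.
osm_explain_status() {
  case "$1" in
    2??) echo "ok" ;;
    401) echo "unauthorized: check the header format and that the token is still active" ;;
    429) echo "rate limited: back off before retrying" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# GET check-malicious. The header reaches curl on stdin (-H @-, curl >= 7.55.0),
# so the token is not visible in curl's command line.
osm_check() {
  local header status body
  header="$(osm_auth_header)" || return 1
  body="$(mktemp)" || return 1
  status="$(printf '%s\n' "$header" | curl -sS -G -H @- -o "$body" -w '%{http_code}' \
    --data-urlencode "report_type=$1" \
    --data-urlencode "resource_identifier=$2" "$OSM_API")"
  cat "$body"; rm -f "$body"            # response body on stdout
  osm_explain_status "$status" >&2      # diagnosis on stderr, never the token
  case "$status" in 2??) return 0 ;; *) return 1 ;; esac
}
```

With `OSM_API_TOKEN` exported, `osm_check domain c2-server.malware.net` issues the same request as the curl command above.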