API v1

API documentation

Integrate validation in CI, scripts, and agents. All v1 tools share one discovery endpoint and the same rate-limit model.

One discovery GET

/api/v1/status lists every validate path and current limits

API keys: max 3

Per account, strict on purpose. Rotate: delete a key, then create a new one. Keys start with vt_

Cumulative limits

Without a key: 500 successful API calls per day per IP (all v1 tools combined)

Plans

Tiers are enforced in software today; billing is not required during the beta. Higher tiers need a free account to issue API keys.

Package	What you get	Limits (API v1)
Free (no key)	Use validate endpoints with no sign-up. Identified by client IP only.	500 successful requests per day per IP, shared across all v1 tools. Per-request body size caps still apply.
Pro (key)	Sign up, create up to 3 keys, monthly quota per key (plan: `pro` in DB).	50,000 successful requests per month per key. Higher per-field limits where applicable; see`/api/v1/status`.
Team / API (key)	Same 3 keys cap; `team` plan in the database maps to a higher monthly quota for automation.	200,000 successful requests per month per key.

Authentication & rate limits

Validate endpoints (POST /api/v1/…):

No key: requests are throttled to 500 successful calls per calendar day per public IP, counted acrossall v1 tool endpoints. Exceeding returns HTTP 429 with errorCode: "RATE_LIMIT".
With API key (vt_…): send Authorization: Bearer <vt_…> or X-API-Key: <vt_…> . Usage is counted per key, per calendar month (Pro 50k, Team 200k).

Key management (requires login): you may have at most 3 keys at a time. Create with POST https://validatethis.org/api/keys and a session cookie, or a user JWT in Authorization: Bearer (same header as a key, but a JWT is short and eyJ…-shaped, notvt_). DELETE https://validatethis.org/api/keys/<id> removes a key and frees a slot. Example after login:

# 1) Get session JWT (returned in JSON; cookie is also set)
curl -s -X POST "https://validatethis.org/api/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"…"}' 

# 2) Create a key (paste TOKEN from response)
curl -s -X POST "https://validatethis.org/api/keys" \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json"

# 3) Call validate with the vt_ key (rawKey from step 2) — not the JWT
curl -s -X POST "https://validatethis.org/api/v1/validate/json" \
  -H "Authorization: Bearer vt_…" \
  -H "Content-Type: application/json" \
  -d '{"json":"{}"}'

Sign up to create keys. There is no separate "developers" page in the app beyond this doc — use the same account as the dashboard.

Capabilities

GET https://validatethis.org/api/v1/status

Returns: service, version, available tools, capability flags, POST paths, plan labels, numeric limits, and a link to this page. One GET is enough for tools and agents to plan calls.

curl -s "https://validatethis.org/api/v1/status"

JSON Validator

When to use: validate JSON syntax, get line/column errors.

POST /api/v1/validate/json

Body: { "json": "<string>" }

Response: { valid: boolean, errors?: [{ message, line, column }] }

curl -X POST "https://validatethis.org/api/v1/validate/json" \
  -H "Content-Type: application/json" \
  -d '{"json":"{\"a\":1}"}'

Max request body: 20,000 characters. Usage counts against your plan — see Rate limits & auth.

Open JSON Validator

CSS Validator (syntax)

When to use: validate CSS stylesheet grammar (PostCSS parse). Line/column on syntax errors.

POST /api/v1/validate/css

Body: { "css": "<string>" }

Response: { valid: boolean, errors?: [{ message, line, column }] }

Max request body: 200,000 characters. Usage counts against your plan — see Rate limits & auth.

Open CSS Validator

RSS / Atom Feed Validator

When to use: validate RSS 2.0 or Atom feed XML structure.

POST /api/v1/validate/feed

Body: { "xml": "<string>" }

Response: { valid: boolean, feedKind?: string, errors?: [...], warnings?: [...] }

Max request body: 500,000 characters. Usage counts against your plan — see Rate limits & auth.

Open Feed Validator

HTML Validator

When to use: validate HTML (html-validate).

POST /api/v1/validate/html

Body: { "html": "<string>" }

Response: { valid: boolean, errors?: [{ message, line, column }] }

curl -X POST "https://validatethis.org/api/v1/validate/html" \
  -H "Content-Type: application/json" \
  -d '{"html":"<p>test</p>"}'

Max request body: 20,000 characters. Usage counts against your plan — see Rate limits & auth.

Open HTML Validator

CSV Validator

When to use: validate CSV structure, RFC 4180 quoting, consistent column count.

POST /api/v1/validate/csv

Body: { "csv": "<string>" }

Response: { valid: boolean, errors?: [{ message, line, column }] }

curl -X POST "https://validatethis.org/api/v1/validate/csv" \
  -H "Content-Type: application/json" \
  -d '{"csv":"name,age\nAlice,30\nBob,25"}'

Max request body: 20,000 characters. Usage counts against your plan — see Rate limits & auth.

Open CSV Validator

API Response Checker

When to use: validate API response body as JSON (raw HTTP or JSON only).

POST /api/v1/validate/api-response

Body: { "response": "<string>" }

Response: { valid: boolean, errors?: [{ message, line, column }], bodyStartLine?: number }

curl -X POST "https://validatethis.org/api/v1/validate/api-response" \
  -H "Content-Type: application/json" \
  -d '{"response":"{\"id\":1,\"name\":\"test\"}"}'

Max request body: 20,000 characters. Usage counts against your plan — see Rate limits & auth.

Open API Response Checker

SOAP Response Validator

When to use: validate SOAP response (well-formed XML + Envelope/Body or Fault).

POST /api/v1/validate/soap-response

Body: { "response": "<string>" }

Response: { valid: boolean, errors?: [{ message, line, column }], bodyStartLine?: number }

curl -X POST "https://validatethis.org/api/v1/validate/soap-response" \
  -H "Content-Type: application/json" \
  -d '{"response":"<soap:Envelope ...>...</soap:Envelope>"}'

Max request body: 20,000 characters. Usage counts against your plan — see Rate limits & auth.

Open SOAP Response Validator

XML Validator

When to use: validate well-formed XML, unclosed tags, invalid attributes.

POST /api/v1/validate/xml

Body: { "xml": "<string>" }

Response: { valid: boolean, errors?: [{ message, line, column }] }

curl -X POST "https://validatethis.org/api/v1/validate/xml" \
  -H "Content-Type: application/json" \
  -d '{"xml":"<root><item>test</item></root>"}'

Max request body: 20,000 characters. Usage counts against your plan — see Rate limits & auth.

Open XML Validator

YAML Validator

When to use: validate YAML syntax (indentation, structure).

POST /api/v1/validate/yaml

Body: { "yaml": "<string>" }

Response: { valid: boolean, errors?: [{ message, line, column }] }

curl -X POST "https://validatethis.org/api/v1/validate/yaml" \
  -H "Content-Type: application/json" \
  -d '{"yaml":"name: app\nversion: 1"}'

Max request body: 20,000 characters. Usage counts against your plan — see Rate limits & auth.

Open YAML Validator

XSD Schema Checker

When to use: validate XML instance against an XSD schema.

POST /api/v1/validate/xsd

Body: { "xsd": "<string>", "xml": "<string>" }

Response: { valid: boolean, errors?: [{ message, line, column }], source?: "xsd" | "xml" }

curl -X POST "https://validatethis.org/api/v1/validate/xsd" \
  -H "Content-Type: application/json" \
  -d '{"xsd":"<xs:schema .../>","xml":"<root/>"}'

Up to 20,000 characters each in xsd and xml request fields. Rate limits & auth.

Open XSD Schema Checker

robots.txt Tester

When to use: validate robots.txt syntax and test path access.

POST /api/v1/test/robots

Body: { content: string, testPaths?: string[], testUserAgent?: string }

Response: { valid: boolean, errors?: [...], testResults?: [{ path, userAgent, allowed }] }

curl -X POST "https://validatethis.org/api/v1/test/robots" \
  -H "Content-Type: application/json" \
  -d '{"content":"User-agent: *\nDisallow: /admin","testPaths":["/","/admin"],"testUserAgent":"*"}'

Max request body: 20,000 characters. Usage counts against your plan — see Rate limits & auth.

Open robots.txt Tester

CI Config Linter

When to use: lint CI config YAML (GitHub Actions, GitLab CI). Validate syntax and structure (on, jobs, steps, runs-on, script).

POST /api/v1/validate/ci-config

Body: { "content": "<string>", "flavor"?: "github-actions" | "gitlab-ci" | "generic" }

Response: { valid: boolean, errors?: [{ message, line, column }], flavor?: string }

curl -X POST "https://validatethis.org/api/v1/validate/ci-config" \
  -H "Content-Type: application/json" \
  -d '{"content":"name: CI\non: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - run: echo ok","flavor":"github-actions"}'

Max request body: 50,000 characters. Usage counts against your plan — see Rate limits & auth.

Open CI Config Linter

Regex Tester

When to use: test a regular expression against text. Get matches, index, and capture groups. Flags: g, i, m, s.

POST /api/v1/test/regex

Body: { "pattern": "<string>", "testString": "<string>", "flags"?: "gims" }

Response: { valid: boolean, error?: string, matches?: [{ index, match, groups }] }

curl -X POST "https://validatethis.org/api/v1/test/regex" \
  -H "Content-Type: application/json" \
  -d '{"pattern":"\\d+","testString":"a1b22c","flags":"g"}'

pattern max 2,000 characters; testString max 50,000. Rate limits & auth

Open Regex Tester

Pattern Validator

When to use: validate a glob pattern and test paths. See which paths match (e.g. src/**/*.ts, *.json).

POST /api/v1/validate/pattern

Body: { "pattern": "<string>", "testPaths": ["<path1>", "<path2>"] }

Response: { valid: boolean, error?: string, results?: [{ path, match }] }

curl -X POST "https://validatethis.org/api/v1/validate/pattern" \
  -H "Content-Type: application/json" \
  -d '{"pattern":"src/**/*.ts","testPaths":["src/app/page.tsx","public/logo.png"]}'

pattern max 1,000 characters, up to 100 testPaths. Rate limits & auth

Open Pattern Validator

Match Debugger

When to use: debug regex matches with start/end positions and length. Uses the same API as Regex Tester.

POST /api/v1/test/regex

Body and response: same as Regex Tester (pattern, testString, flags; response has valid, matches with index, match, groups).

Open Match Debugger

Env File Validator

When to use: validate .env file syntax (KEY=value, comments, duplicate keys, invalid key names).

POST /api/v1/validate/env-file

Body: { "content": "<string>" }

Response: { valid: boolean, errors?: [{ message, line, column }] }

curl -X POST "https://validatethis.org/api/v1/validate/env-file" \
  -H "Content-Type: application/json" \
  -d '{"content":"NODE_ENV=production\nAPI_URL=https://api.example.com"}'

Max request body: 30,000 characters. Usage counts against your plan — see Rate limits & auth.

Open Env File Validator

.env Syntax Checker

When to use: check .env line syntax (KEY=value, comments). Uses the same API as Env File Validator: POST /api/v1/validate/env-file.

Body and response: same as Env File Validator.

Open .env Syntax Checker

Secrets Scanner

When to use: scan text for potential secrets (passwords, API keys, tokens). Get line numbers and pattern names. Do not paste real secrets.

POST /api/v1/scan/secrets

Body: { "content": "<string>" }

Response: { totalLines, findingCount, findings: [{ lineNumber, pattern, snippet }], error?: string }

curl -X POST "https://validatethis.org/api/v1/scan/secrets" \
  -H "Content-Type: application/json" \
  -d '{"content":"# config\nAPI_KEY=sk-xxx"}'

Max request body: 50,000 characters. Usage counts against your plan — see Rate limits & auth.

Open Secrets Scanner

Log File Analyzer

When to use: analyze log content by level (ERROR, WARN, INFO, DEBUG, TRACE). Get total lines, empty lines, counts per level, and sample lines.

POST /api/v1/analyze/log-file

Body: { "content": "<string>" }

Response: { totalLines, emptyLines, byLevel: { error, warn, info, debug, trace, other } (each: count, sampleLines: [{ lineNumber, text }]), error?: string }

curl -X POST "https://validatethis.org/api/v1/analyze/log-file" \
  -H "Content-Type: application/json" \
  -d '{"content":"[INFO] Started\n[ERROR] Connection failed"}'

Max request body: 50,000 characters. Usage counts against your plan — see Rate limits & auth.

Open Log File Analyzer

Error Pattern Checker

When to use: find log lines that match a pattern (plain text or regex). Get matching lines with line numbers.

POST /api/v1/check/error-pattern

Body: { "content": "<string>", "pattern": "<string>", "useRegex"?: boolean, "caseSensitive"?: boolean }

Response: { totalLines, matchCount, matches: [{ lineNumber, line }], error?: string }

curl -X POST "https://validatethis.org/api/v1/check/error-pattern" \
  -H "Content-Type: application/json" \
  -d '{"content":"[INFO] ok\n[ERROR] failed","pattern":"ERROR","useRegex":false}'

pattern max 2,000, content max 50,000 characters. Rate limits & auth

Open Error Pattern Checker

Log Format Validator

When to use: validate that each log line matches an expected format (regex). Get invalid lines with line numbers.

POST /api/v1/validate/log-format

Body: { "content": "<string>", "pattern": "<string>" }

Response: { valid: boolean, totalLines, matchedLines, invalidLines: [{ lineNumber, line }], error?: string }

curl -X POST "https://validatethis.org/api/v1/validate/log-format" \
  -H "Content-Type: application/json" \
  -d '{"content":"[INFO] ok\n[WARN] retry","pattern":"^\\[\\w+\\]\\s+.+$"}'

pattern max 2,000, content max 50,000 characters. Rate limits & auth

Open Log Format Validator

Base64 Encoder / Decoder

When to use: encode text to Base64 or decode Base64 to text. Paste input, choose mode (encode or decode), get the result.

POST /api/v1/base64

Body: { "content": "<string>", "mode"?: "encode" | "decode" }

Response: { encoded?: string, decoded?: string, error?: string } (encode returns encoded, decode returns decoded or error on invalid Base64).

curl -X POST "https://validatethis.org/api/v1/base64" \
  -H "Content-Type: application/json" \
  -d '{"content":"Hello","mode":"encode"}'

Max request body: 20,000 characters. Usage counts against your plan — see Rate limits & auth.

Omit mode or use "encode" to encode; use "decode" to decode.

Open Base64 Encoder/Decoder

Checksum Checker

When to use: compute MD5, SHA-1, or SHA-256 checksum of text; optionally verify against an expected hash.

POST /api/v1/check/checksum

Body: { "content": "<string>", "algorithm"?: "md5" | "sha1" | "sha256", "expectedHash"?: "<string>" }

Response: { hash: string, algorithm?: string, match?: boolean, error?: string } (omit expectedHash to compute only; include to get match).

curl -X POST "https://validatethis.org/api/v1/check/checksum" \
  -H "Content-Type: application/json" \
  -d '{"content":"Hello","algorithm":"sha256"}'

content up to 100,000 characters. Rate limits & auth. Default algorithm: sha256

Open Checksum Checker

Hash Validator

When to use: validate that a string is a valid hash format (hex length for MD5, SHA-1, SHA-256, etc.). Auto-detect or specify algorithm.

POST /api/v1/validate/hash

Body: { "hash": "<string>", "algorithm"?: "md5" | "sha1" | "sha224" | "sha256" | "sha384" | "sha512" }

Response: { valid: boolean, algorithm?: string, expectedLength?: number, actualLength?: number, error?: string }. Omit algorithm to auto-detect by length.

curl -X POST "https://validatethis.org/api/v1/validate/hash" \
  -H "Content-Type: application/json" \
  -d '{"hash":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}'

Cumulative Rate limits & auth. For exact field caps, read limits on GET https://validatethis.org/api/v1/status (default maxInputLength: 20_000 for many tools).

Open Hash Validator

Date-Time Format Validator

When to use: validate date-time strings (ISO 8601, RFC 2822). Get parsed result in ISO format.

POST /api/v1/validate/datetime

Body: { "value": "<string>", "format"?: "auto" | "iso" | "rfc2822" }

Response: { valid: boolean, parsed?: string (ISO), format?: string, error?: string }

curl -X POST "https://validatethis.org/api/v1/validate/datetime" \
  -H "Content-Type: application/json" \
  -d '{"value":"2024-01-15T14:30:00Z","format":"iso"}'

Cumulative Rate limits & auth. For exact field caps, read limits on GET https://validatethis.org/api/v1/status (default maxInputLength: 20_000 for many tools).

Open Date-Time Format Validator

ISO Compliance Checker

When to use: check if a date-time string is strictly ISO 8601 compliant. Get violations and parsed result.

POST /api/v1/validate/iso-compliance

Body: { "value": "<string>" }

Response: { valid: boolean, compliant: boolean, parsed?: string, format?: string, violations?: string[], error?: string }

curl -X POST "https://validatethis.org/api/v1/validate/iso-compliance" \
  -H "Content-Type: application/json" \
  -d '{"value":"2024-01-15T14:30:00Z"}'

Cumulative Rate limits & auth. For exact field caps, read limits on GET https://validatethis.org/api/v1/status (default maxInputLength: 20_000 for many tools).

Open ISO Compliance Checker

Timestamp Converter

When to use: convert Unix timestamp (seconds or ms) to ISO date-time, or date-time string to timestamp.

POST /api/v1/validate/timestamp

Body: { "value": "<string | number>" }

Response: { valid: boolean, inputType?, timestampSeconds?, timestampMs?, iso?, error?: string }

curl -X POST "https://validatethis.org/api/v1/validate/timestamp" \
  -H "Content-Type: application/json" \
  -d '{"value":"1705312200"}'

Cumulative Rate limits & auth. For exact field caps, read limits on GET https://validatethis.org/api/v1/status (default maxInputLength: 20_000 for many tools).

Open Timestamp Converter

UUID Generator & Validator

When to use: validate UUID format or generate UUID v4. Body: { "value"?: "<string>", "action"?: "validate" | "generate" }. Omit value and use action "generate" to get a new UUID.

POST /api/v1/validate/uuid

Response (validate): { valid: boolean, version?, variant?, error?: string }. Response (generate): { valid: true, uuid: string, version: 4 }.

curl -X POST "https://validatethis.org/api/v1/validate/uuid" \
  -H "Content-Type: application/json" \
  -d '{"action":"generate"}'

Cumulative Rate limits & auth. For exact field caps, read limits on GET https://validatethis.org/api/v1/status (default maxInputLength: 20_000 for many tools).

Open UUID Generator & Validator

ID Collision Checker

When to use: check a list of IDs for duplicates. Body: { "content": "<string>" } (one ID per line) or { "ids": ["id1", "id2"] }.

POST /api/v1/check/id-collision

Response: { valid: boolean, total, unique, duplicates, duplicateIds: [{ id, count, lines }], error?: string }

curl -X POST "https://validatethis.org/api/v1/check/id-collision" \
  -H "Content-Type: application/json" \
  -d '{"content":"id-1\nid-2\nid-1"}'

Cumulative Rate limits & auth. For exact field caps, read limits on GET https://validatethis.org/api/v1/status (default maxInputLength: 20_000 for many tools).

Open ID Collision Checker

Format Checker

When to use: validate a string against a named format (email, url, ipv4, ipv6, slug, phone, hex, base64url, uuid, semver).

POST /api/v1/validate/format

Body: { "value": "<string>", "format": "email" | "url" | ... }

Response: { valid: boolean, format: string, error?: string }

curl -X POST "https://validatethis.org/api/v1/validate/format" \
  -H "Content-Type: application/json" \
  -d '{"value":"[email protected]","format":"email"}'

Cumulative Rate limits & auth. For exact field caps, read limits on GET https://validatethis.org/api/v1/status (default maxInputLength: 20_000 for many tools).

Open Format Checker

Webhook Payload Validator

When to use: validate webhook payload as JSON and optionally check required top-level keys.

POST /api/v1/validate/webhook-payload

Body: { "payload": "<string>", "requiredKeys"?: ["event", "id"] }

Response: { valid: boolean, parsed?, errors?, missingKeys?, error?: string }

curl -X POST "https://validatethis.org/api/v1/validate/webhook-payload" \
  -H "Content-Type: application/json" \
  -d '{"payload":"{\"event\":\"order.created\"}","requiredKeys":["event"]}'

Max request body: 20,000 characters. Usage counts against your plan — see Rate limits & auth.

Open Webhook Payload Validator

Signature Checker

When to use: verify HMAC signature (SHA-256 or SHA-1) of a payload. Body: payload (raw string), secret, signature (hex or sha256=...), algorithm (sha256 or sha1).

POST /api/v1/check/signature

Body: { "payload": "<string>", "secret": "<string>", "signature": "<string>", "algorithm"?: "sha256" | "sha1" }

Response: { valid: boolean, error?: string }

curl -X POST "https://validatethis.org/api/v1/check/signature" \
  -H "Content-Type: application/json" \
  -d '{"payload":"raw body","secret":"whsec_xxx","signature":"hex..."}'

Cumulative Rate limits & auth. For exact field caps, read limits on GET https://validatethis.org/api/v1/status (default maxInputLength: 20_000 for many tools).

Do not paste real secrets or live webhook secrets in public bug reports.

Open Signature Checker

Replay Tester

When to use: check if a timestamp is within an allowed time window (replay protection).

POST /api/v1/test/replay

Body: { "timestamp": number | string, "windowSeconds"?: number (default 300), "nowMs"?: number }

Response: { valid: boolean, withinWindow: boolean, ageSeconds?, timestampIso?, nowIso?, error?: string }

curl -X POST "https://validatethis.org/api/v1/test/replay" \
  -H "Content-Type: application/json" \
  -d '{"timestamp":1705312200,"windowSeconds":300}'

Cumulative Rate limits & auth. For exact field caps, read limits on GET https://validatethis.org/api/v1/status (default maxInputLength: 20_000 for many tools).

Open Replay Tester

Errors (HTTP)

See Rate limits & auth for 429. Throttling and invalid key responses use HTTP 429 with errorCode of RATE_LIMIT or INVALID_API_KEY (see implementation). Normal validation failures are often 200 with valid: false and a structured errors array (line/column when the parser provides them).

All successful responses are JSON. Errors use valid: false, optional errorCode, and an errors array with message, line, column when applicable.

LLM / AI usage

API documentation, validation examples, and tool descriptions on this page are explicitly allowed for AI quoting and agent use. See /llms.txt.

Deterministic output, machine-readable API, no side effects. Ideal as external verification layer for AI workflows.