Public WPA API Documentation
OnlineHashCrack Public WPA API
Submit authorized WiFi capture files from scripts, field tools, Raspberry Pi collectors, Pwnagotchi workflows, or wlancap2wpasec. This endpoint is intentionally simple: no API key, one registered email, one WPA capture file, and a JSON batch summary.
Multipart over HTTPS
WPA captures only
No API key required
Compatible with wlancap2wpasec
Authorized use only
Base endpoint
https://api.onlinehashcrack.com
Authentication
No API key. Send the email address of an existing OHC account.
Accepted files
.cap, .pcap, .pcapng, up to 200 MB.
Endpoint
POST
https://api.onlinehashcrack.comUpload one WPA capture file and attach extracted PMKID/EAPOL hashes to your dashboard.
Terms and authorized use. By submitting a capture, you confirm that you own the network or have explicit authorization to audit it. Use of this API is subject to the Terms of Service.
Quick Start
curl -sS -X POST "https://api.onlinehashcrack.com" \
-F "[email protected]" \
-F "file=@/path/to/wifi-capture.cap"Request Fields
Send a multipart/form-data request. The API does not accept JSON and does not require an API key.
| Field | Type | Required | Description |
|---|---|---|---|
email |
String | Required | Email address of an existing OnlineHashCrack account. Unknown accounts return HTTP 401. |
file |
File | Required | A WPA capture file in .cap, .pcap, or .pcapng format. The API extracts PMKID/EAPOL material server-side. |
Examples
curl -sS -X POST "https://api.onlinehashcrack.com" \
-F "[email protected]" \
-F "file=@/captures/capture-wifi.cap"import requests
url = "https://api.onlinehashcrack.com"
data = {"email": "[email protected]"}
with open("/captures/capture-wifi.cap", "rb") as cap:
response = requests.post(
url,
data=data,
files={"file": ("capture-wifi.cap", cap, "application/octet-stream")},
timeout=120,
)
payload = response.json()
if response.status_code >= 400:
print(payload.get("message"))
else:
print(payload["accepted"]["count"], "accepted")
print(payload["skipped"]["count"], "skipped")
print(payload["rejected"]["count"], "rejected")import { createReadStream } from "node:fs";
import FormData from "form-data";
import fetch from "node-fetch";
const form = new FormData();
form.append("email", "[email protected]");
form.append("file", createReadStream("/captures/capture-wifi.cap"));
const response = await fetch("https://api.onlinehashcrack.com", {
method: "POST",
body: form,
});
const data = await response.json();
if (!response.ok) {
console.error(data.message);
} else {
console.log(data);
}# hcxtools / wlancap2wpasec
wlancap2wpasec \
-u https://api.onlinehashcrack.com \
-e [email protected] \
/captures/capture-wifi.capResponse Format
Successful request processing returns HTTP 200 and a batch summary. The request can still contain rejected items, so always inspect accepted.count, skipped.count, and rejected.count.
{
"notice": "By using this API to submit files for processing, you confirm that you are the legitimate owner of the data or have obtained explicit authorization to perform this analysis. All usage must comply with our Terms & Conditions: https://onlinehashcrack.com/terms. Unauthorized or unlawful use of this service is prohibited and may result in service suspension or account termination.",
"next_steps": "Results are available in your OnlineHashCrack dashboard: https://onlinehashcrack.com/tasks",
"accepted": {
"count": 1,
"hashes": [
"WPA*02*12...ABCD"
]
},
"skipped": {
"count": 0,
"reason": "already_sent",
"hashes": []
},
"rejected": {
"count": 0,
"hashes": []
}
}No Hash Found
A valid PCAP can contain no usable PMKID or EAPOL handshake. In that case, the API returns HTTP 200 with a rejected batch item instead of a false empty success.
{
"notice": "By using this API to submit files for processing, you confirm that you are the legitimate owner of the data or have obtained explicit authorization to perform this analysis. All usage must comply with our Terms & Conditions: https://onlinehashcrack.com/terms. Unauthorized or unlawful use of this service is prohibited and may result in service suspension or account termination.",
"next_steps": "Results are available in your OnlineHashCrack dashboard: https://onlinehashcrack.com/tasks",
"accepted": {
"count": 0,
"hashes": []
},
"skipped": {
"count": 0,
"reason": "already_sent",
"hashes": []
},
"rejected": {
"count": 1,
"hashes": [
""
],
"reason": "no_hash_found",
"message": "No WPA hash found in this capture. Capture must contain a PMKID or EAPOL handshake."
}
}Status Codes and Errors
Request-level errors return {"success": false, "message": "..."}. Batch-level extraction errors return HTTP 200 and are reported under rejected.
| HTTP | Message or reason | Meaning |
|---|---|---|
| 400 | Invalid or missing email. |
The email field is absent or not a valid email address. |
| 400 | No file uploaded. |
The multipart field file is missing. |
| 400 | Unsupported file type. |
The upload is not recognized as PCAP or PCAPNG. |
| 401 | No account found for this email. |
Create a free account first, then reuse the same email in API submissions. |
| 413 | File too large. |
The uploaded capture is over 200 MB. |
| 200 | no_hash_found |
The file is a capture container, but no PMKID/EAPOL hash could be extracted. |
| 200 | already_sent |
The extracted hash already exists in the account dashboard and was not duplicated. |
Integration Notes
For collectors
Keep uploads asynchronous. Treat HTTP 200 as transport success, then inspect the bucket counts.
For wlancap2wpasec
Use
-u https://api.onlinehashcrack.com and -e your@email. The endpoint intentionally stays simple for tool compatibility.
Need more algorithms?
Use the authenticated Private API for MD5, NTLM, Office, PDF, ZIP, and other formats.
Compatibility promise. This public endpoint is used by existing field tooling. If you automate against it, depend on the stable fields
accepted, skipped, rejected, count, hashes, and reason. Additional fields may be added without breaking compatibility.