Public REST API

The Hackless Public REST API exposes integration-safe platform data and authenticated user actions under:

https://hackless.dev/api/public

The full OpenAPI specification is available here:

Authentication

Read-only public endpoints such as health, challenges, leaderboard, and public profiles can be called without authentication.

Authenticated endpoints accept either:

Authorization: Bearer hk_your_api_key

or:

X-API-Key: hk_your_api_key

The same request context can also resolve a logged-in Hackless session cookie when called from the web app.

Endpoints

Health

GET /api/public/health

Returns { "ok": true }. Use this for uptime checks and smoke tests.

Challenges

GET /api/public/challenges

Lists public challenge summaries. Each item includes metadata such as slug, categories, difficulty, points, solve state, solve count, and review average.

GET /api/public/challenges/{slug}

Returns a challenge detail object. If authenticated, the response includes user-specific state such as solved, unlocked, submittedFlag, and myReview.

Flag submission

POST /api/public/challenges/{slug}/submit

Submits a flag for the authenticated user.

{
  "flag": "hackless{example_flag}"
}

Successful responses include:

{
  "result": {
    "success": true,
    "points": 100,
    "newBadges": []
  }
}

{
  "error": "Unauthorized"
}

Common status codes:

Status	Meaning
`400`	Invalid request body or bad flag
`401`	Missing or invalid authentication
`403`	Authenticated but not allowed
`404`	Resource not found
`409`	Conflict, for example already solved
`500`	Unexpected server error

Authentication

Endpoints

Health

Challenges

Flag submission

Challenge writeups

Leaderboard

Current user profile

Public profile

Error format

On this page