API Reference

Last updated: May 2, 2026

Rate Limit Bypass Access To ensure service stability, strict rate limits (10 req/min, 100 req/hr) are now enforced. If you are building a tool and require an X-Bypass-Token to override these limits, please make an issue on the GitHub repository explaining your specific use case.

OSMA exposes two REST APIs — one for the NPM package dataset, one for PyPI. Both are identical in structure. All endpoints return JSON and support cross-origin requests (CORS open). No authentication required.

No auth required CORS open JSON responses Snapshot data — frozen 2026-04-29

Base URLs

NPM API

https://notamitgamer-osma-npm-api.hf.space

PyPI API

https://notamitgamer-osma-pypi-api.hf.space

NPM API Counting...

GET /ping Uptime check — always returns 200

Lightweight endpoint for UptimeRobot or health monitors. Does not query the database. Always responds instantly.

Example Request

# curl
curl https://notamitgamer-osma-npm-api.hf.space/ping

Example Response

                    {

                      "ping": "pong"

                    }

Try it live

GET /health Server status + total package count

Returns 200 OK with package count when the database is ready. Returns 503 if the database is still initializing after a cold start.

Example Request

curl https://notamitgamer-osma-npm-api.hf.space/health

Example Response

                    {

                      "status": "ok",

                      "total_packages": 3881465

                    }

Try it live

GET /stats Dataset metadata and package count

Returns total package count plus metadata about the dataset source and snapshot nature. Intended for display in dashboard stats bars.

Example Request

curl https://notamitgamer-osma-npm-api.hf.space/stats

Example Response

                    {

                      "total_npm_packages": 3881465,

                      "source": "npmjs.com",

                      "note": "Snapshot dataset — updated periodically."

                    }

Try it live

GET /browse Paginated package list ordered by package number

Returns packages in stable order by package_no. Use page and limit to paginate through the full dataset.

Parameters

Parameter	Type	Default	Max	Required	Description
page	integer	1	—	optional	Page number, 1-indexed
limit	integer	200	500	optional	Rows per page

Example Request

curl "https://notamitgamer-osma-npm-api.hf.space/browse?page=1&limit=5"

Example Response

                    {

                      "page": 1,

                      "limit": 5,

                      "results": [

                        { "no": 1, "name": "--123hoodmane-pyodide", "version": "latest", "url": "https://www.npmjs.com/package/..." },

                        ...

                      ]

                    }

Try it live

page

limit (max 500)

GET /search Ranked search across all packages

Searches package names and returns results ranked by match quality: exact match first (rank 0), starts-with second (rank 1), contains last (rank 2). Results are sorted by rank then alphabetically within each rank.

Parameters

Parameter	Type	Default	Max	Required	Description
q	string	—	100 chars	required	Search query. Min 2 characters.
limit	integer	250	500	optional	Max results to return

Example Request

curl "https://notamitgamer-osma-npm-api.hf.space/search?q=react&limit=5"

Example Response

                    {

                      "query": "react",

                      "count": 250,

                      "results": [

                        { "no": 42, "name": "react", "version": "18.3.1", "url": "...", "rank": 0 },

                        { "no": 88, "name": "react-dom", "version": "18.3.1", "url": "...", "rank": 1 },

                        ...

                      ]

                    }

Try it live

q (min 2 chars)

limit (max 500)

PyPI API Counting...

GET /ping Uptime check — always returns 200

Lightweight endpoint for UptimeRobot or health monitors. Does not query the database. Always responds instantly.

Example Request

curl https://notamitgamer-osma-pypi-api.hf.space/ping

Example Response

{ "ping": "pong" }

Try it live

GET /health Server status + total package count

Returns 200 OK with package count when database is ready. Returns 503 during cold start initialization.

Example Request

curl https://notamitgamer-osma-pypi-api.hf.space/health

Example Response

                    {

                      "status": "ok",

                      "total_packages": 780432

                    }

Try it live

GET /stats Dataset metadata and package count

Returns total package count and dataset source metadata.

Example Request

curl https://notamitgamer-osma-pypi-api.hf.space/stats

Example Response

                    {

                      "total_pypi_packages": 780432,

                      "source": "pypi.org",

                      "note": "Snapshot dataset — updated periodically."

                    }

Try it live

GET /browse Paginated package list ordered by package number

Returns packages in stable order by package_no. Paginate using page and limit.

Parameters

Parameter	Type	Default	Max	Required	Description
page	integer	1	—	optional	Page number, 1-indexed
limit	integer	200	500	optional	Rows per page

Example Request

curl "https://notamitgamer-osma-pypi-api.hf.space/browse?page=1&limit=5"

Example Response

                    {

                      "page": 1,

                      "limit": 5,

                      "results": [

                        { "no": 1, "name": "0", "version": "0.1.0", "url": "https://pypi.org/project/0/" },

                        ...

                      ]

                    }

Try it live

page

limit (max 500)

GET /search Ranked search across all packages

Searches package names and returns results ranked by match quality. Rank 0 = exact, 1 = starts-with, 2 = contains.

Parameters

Parameter	Type	Default	Max	Required	Description
q	string	—	100 chars	required	Search query. Min 2 characters.
limit	integer	250	500	optional	Max results to return

Example Request

curl "https://notamitgamer-osma-pypi-api.hf.space/search?q=requests&limit=5"

Example Response

                    {

                      "query": "requests",

                      "count": 87,

                      "results": [

                        { "no": 512, "name": "requests", "version": "2.31.0", "url": "...", "rank": 0 },

                        ...

                      ]

                    }

Try it live

q (min 2 chars)

limit (max 500)

Utility Endpoints

GET /debug-ip Check connection IP and headers

Returns the actual IP address that the API proxy recorded for your request, along with the parsed headers. Helpful for troubleshooting rate limit blocks across networks.

Example Request

curl https://notamitgamer-osma-npm-api.hf.space/debug-ip

GET /get-bypass Generate a temporary rate limit bypass token

Issues a cryptographically signed bypass token that allows you to skip all rate limits for 1 hour. This endpoint requires the correct secret parameter. Include the returned token in subsequent requests as the X-Bypass-Token header.

Parameters

Parameter	Type	Required	Description
secret	string	required	The developer bypass secret.

Example Request

curl "https://notamitgamer-osma-npm-api.hf.space/get-bypass?secret=YOUR_SECRET_HERE"

Example Response

                    {

                      "bypass_token": "1714420000:a1b2c3d4...",

                      "valid_for_seconds": 3600,

                      "usage": "Send as header: X-Bypass-Token: "

                    }

GET /rebuild Trigger an async database rebuild

Forces the server to re-download the latest CSV dataset from HuggingFace and rebuild the SQLite database in the background. Requires the secret parameter. Responses with 503 while rebuilding.

Limits & Notes

Rate Limits

APIs are strictly rate-limited to 10 requests per minute and 100 requests per hour per IP to protect the free-tier infrastructure. Send the X-Bypass-Token header to override this.

Data Freshness

Both datasets are snapshots. NPM frozen 2026-04-29 09:42 IST. PyPI frozen 2026-04-29 08:45 IST. Packages published after these dates are not indexed.

CORS

Both APIs have Access-Control-Allow-Origin: *. You can call them directly from any browser-based frontend with no proxy needed.

Cold Starts

On first boot after a deployment, each server downloads its dataset and builds a SQLite index (~1 min). The /health endpoint returns 503 during this window. UptimeRobot prevents this in normal operation.

Response Schema

When querying the /browse or /search endpoints, the returned results array contains objects with the following fields:

Field	Type	Description
no	integer	The stable, sequential ID/rank of the package within the snapshot database.
name	string	The exact, registered name of the package.
version	string	The version string available at the time the snapshot was taken.
url	string	The absolute link to the package on the official registry website.
rank	integer	(Only in `/search`) The match quality. `0` = Exact match, `1` = Starts with query, `2` = Contains query.

Common Errors

404 Not Found

Why it happens: The API URL path is incorrect or misspelled (e.g., trying to access /searc instead of /search).

422 Unprocessable Entity

Why it happens: You called the /search endpoint without providing the required q query parameter, or the search query was less than 2 characters long.

429 Too Many Requests

Why it happens: You exceeded the 10/min or 100/hour rate limit block. The JSON response will include an error string, and the HTTP headers will include a Retry-After value indicating how many seconds you need to wait before making another request.

503 Service Unavailable

Why it happens: The server was asleep and is experiencing a "Cold Start". It is currently downloading the multi-gigabyte dataset and building the in-memory SQLite index. This is completely normal on free-tier hosting and usually resolves within 1 minute. Please wait and try your request again.

Still having trouble? If you are experiencing continuous 500 Internal Server Errors or found a bug, please open an issue on GitHub or contact me directly at mail@amit.is-a.dev.

Frequently Asked Questions

OSMA (Open Source Module Archive) is a heavily optimized, static API that serves historical snapshots of the NPM and PyPI registries. It allows you to search packages and view base version data instantly without dealing with live registry rate limits or CAPTCHAs.

The datasets are frozen snapshots taken on April 29, 2026. Any packages published, renamed, or deleted after this specific date will not appear in the search results.

Yes. Because the service is hosted on free-tier infrastructure, strict rate limits of 10 requests per minute and 100 requests per hour per IP are enforced using SlowAPI. If you need this disabled for your application, please open an issue on GitHub to request an X-Bypass-Token.

No! The APIs are completely open, public, and require zero authentication headers or keys for standard usage within the rate limits.

Yes. Both the NPM and PyPI APIs are configured with open CORS (Access-Control-Allow-Origin: *), meaning browser-based frontend applications can fetch data directly without encountering CORS blocking.

The search endpoint sorts results algorithmically based on match strength. A rank of 0 means the query exactly matches the package name. 1 means the package name starts with the query. 2 means the package name contains the query somewhere inside it.

If the server hasn't been accessed in a while, it goes to sleep. When it wakes up (a "cold start"), it needs about 1-2 minutes to download the multi-gigabyte CSV snapshot and build its memory index. It returns a 503 status while loading.

As of the current snapshots, there are roughly 3.88 million NPM packages and 793,000 PyPI packages indexed. You can check the /stats endpoint for the exact, live metadata.

Right now, the focus is strictly on NPM and PyPI. If there is enough demand, we may consider generating static snapshots for other ecosystems in the future.

For general bugs, UI issues, or missing documentation, please open an issue on the GitHub repository. For security vulnerabilities, please email mail@amit.is-a.dev directly instead of opening a public issue.