Concurrent WHOIS, DNS, SSL, HTTP header, screenshot, reputation, email security, subdomain, certificate transparency, BGP/ASN, technology fingerprinting, threat intelligence, and DNS security lookups for any domain — with an aggregate risk score in every response.
Requests are rate-limited per API key using a sliding window. Every response includes rate limit headers:
Header
Description
X-RateLimit-Limit
Maximum requests allowed per minute
X-RateLimit-Remaining
Requests remaining in the current window
Retry-After
Seconds until the window resets (only present on 429 responses)
When the limit is exceeded, the API returns 429 Too Many Requests. Wait until the Retry-After period expires before retrying.
Domain Intelligence
POST/v1/domain/lookup
Look up one or more domains concurrently. Returns WHOIS, DNS, SSL, and HTTP header data by default for each domain. Optional flags enable additional lookups. All lookups run concurrently with a 30-second timeout.
Request Body
Field
Type
Required
Default
Description
domains
string[]
Required
--
Domain names to look up. Max count depends on plan (1 / 5 / 20).
screenshot
bool
Optional
false
Capture a page screenshot. Pro
reputation
bool
Optional
false
Check domain against threat blocklists. Pro
email_security
bool
Optional
false
Check SPF, DMARC, and DKIM records.
subdomains
bool
Optional
false
Enumerate subdomains via Certificate Transparency logs.
ct_logs
bool
Optional
false
Query Certificate Transparency logs for issued certificates.
bgp
bool
Optional
false
Look up BGP/ASN information for the domain's IP addresses.
fingerprint
bool
Optional
false
Detect web technologies from HTTP response headers.
threat_intel
bool
Optional
false
Query threat intelligence feeds (VirusTotal, URLhaus, AlienVault OTX). Pro
dns_security
bool
Optional
false
Check DNSSEC deployment (DS/DNSKEY records) and CAA records.
Domain Normalization
Domain names are normalized automatically. You can pass bare domains or full URLs with any scheme — the API extracts the hostname by stripping scheme prefixes, userinfo, ports, paths, query strings, and fragments. The result is lowercased. The domain field in the response shows exactly what was looked up. Raw IP addresses are rejected — use the IP Intelligence endpoint instead.
The response is always a JSON array, even for single-domain requests. Each element contains the core lookup results plus any optional fields that were requested.
Optional fields (screenshot, reputation, email_security, subdomains, ct_logs, bgp, fingerprint, threat_intel, dns_security) are only present in the response when requested. The risk object is computed automatically for every lookup — no request flag needed.
Invalid Domains
Invalid domains in a multi-domain request do not fail the entire request. They are included in the response with a validation error while valid domains return normally:
The following blocklists are checked: Spamhaus DBL, SURBL, URIBL, and Spamhaus ZEN.
Risk Levels
Risk
Score Range
clean
0
low
1 -- 29
medium
30 -- 59
high
60 -- 100
email_security -- Email Authentication
spf -- Sender Policy Framework
Field
Type
Description
raw
string
Full SPF TXT record
version
string
SPF version (typically spf1)
mechanisms
string[]
Parsed mechanisms (include:, ip4:, etc.)
all
string
Terminal qualifier: -all, ~all, ?all, or +all
dmarc -- DMARC Policy
Field
Type
Description
raw
string
Full DMARC TXT record
version
string
DMARC version (typically DMARC1)
policy
string
none, quarantine, or reject
pct
int
Percentage of messages the policy applies to
rua
string
Aggregate report destination
ruf
string
Forensic report destination
sp
string
Subdomain policy
dkim -- DKIM Records
Field
Type
Description
selector
string
Selector name probed
found
bool
Whether a DKIM record exists for this selector
raw
string
Full DKIM TXT record (only when found)
mta_sts -- MTA Strict Transport Security
Only present when a record exists at _mta-sts.<domain>. When the TXT record is found, the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt is fetched for the mode and MX patterns.
Field
Type
Description
raw
string
Full MTA-STS TXT record
id
string
Policy version identifier (id= tag)
policy_fetched
bool
Whether the well-known policy file was retrieved
mode
string
enforce, testing, or none (from the policy file)
max_age
int
Policy cache lifetime in seconds
mx_patterns
string[]
MX host patterns the policy allows
tls_rpt -- SMTP TLS Reporting
Only present when a record exists at _smtp._tls.<domain>.
DKIM probes 8 common selectors: google, default, selector1, selector2, k1, s1, mail, dkim. The mta_sts, tls_rpt, and bimi objects are omitted when the corresponding DNS record does not exist.
Identifies who owns the IP behind the domain. Useful for pivot analysis and detecting bulletproof hosting.
fingerprint -- Technology Fingerprinting
Detects web servers, frameworks, CDNs, CMS platforms, and programming languages from HTTP response headers. No extra HTTP requests are made -- detection uses the headers already fetched. Approximately 90 technologies are covered.
Field
Type
Description
count
int
Number of detected technologies
technologies
array
Detected technologies
Technology Entry
Field
Type
Description
name
string
Technology name (e.g., Nginx, PHP, Cloudflare)
category
string
Category (see below)
version
string
Version extracted from header value (empty if not detectable)
The aggregate score is a weighted average across providers: VirusTotal (50%), URLhaus (30%), AlienVault OTX (20%). Risk levels map from the aggregate score: 0 = none, 1--20 = low, 21--50 = medium, 51--80 = high, 81--100 = critical.
dns_security -- DNSSEC & CAA
Checks DNSSEC deployment (DS records at the parent zone, DNSKEY records at the zone, signing algorithms) and CAA records via raw DNS queries. Available to all plans. Missing DNSSEC means DNS responses can be spoofed; missing CAA means any certificate authority can issue certificates for the domain.
dnssec
Field
Type
Description
enabled
bool
true when both DS (parent) and DNSKEY (zone) records exist
ds_records
int
Number of DS records at the parent zone
dnskey_records
int
Number of DNSKEY records at the zone
algorithms
string[]
Signing algorithms from DS records (e.g., ECDSAP256SHA256)
caa
Field
Type
Description
present
bool
Whether any CAA records exist
records
array
CAA records: flag (int), tag (issue, issuewild, or iodef), value
A computed 0--100 weighted risk score included in every domain lookup response — no request flag needed and no extra network calls made. The score is derived from whichever lookups are present in the response and renormalized over the weights of the components that have data.
Field
Type
Description
score
int
Weighted aggregate risk score (0--100)
risk_level
string
none, low, medium, high, or critical
components
array
Per-component breakdown (see below)
Risk Component
Field
Type
Description
component
string
Which signal contributed (see weights below)
score
int
This component's 0--100 score
weight
float
The component's weight in the aggregate
detail
string
Human-readable explanation (e.g., certificate expires in 12 days)
Components only contribute when their underlying lookup ran and returned data. A base lookup scores from SSL, security headers, and domain age alone; requesting threat_intel or reputation makes those signals dominate.
Individual lookups can fail without blocking the rest of the response. Each error contains:
Field
Type
Description
lookup
string
Which lookup failed (e.g., whois, dns, ssl)
message
string
Human-readable error description
Full Response Example
A complete response with all optional features enabled (screenshot, reputation, email_security, subdomains, ct_logs, bgp, fingerprint, threat_intel, dns_security):
Partial failures within a domain lookup are different from HTTP error responses. When individual lookups fail (e.g., a WHOIS server is unreachable), the request still returns 200 OK with the successful lookups populated and failures listed in the errors array.
Request Correlation
You can pass an optional X-Client-Request-ID header with your own correlation ID for end-to-end tracing. The API echoes it back in the response headers and includes it in server-side logs.
Header
Direction
Description
X-Client-Request-ID
Request
Your correlation ID (max 64 chars; alphanumeric, hyphens, underscores, dots, colons)
X-Request-ID
Response
Server-generated UUID for every request. Reference this when contacting support.
What's New
v0.53.0 2026-06-12
Improved reliability under load: heavy lookups are now bounded and isolated so one slow or failing lookup can't affect other requests
v0.52.0 2026-06-11
Every domain lookup now includes an aggregate risk score (0–100 with risk level and per-component breakdown) computed from all returned data
New dns_security option — DNSSEC deployment (DS/DNSKEY, signing algorithms) and CAA records, available on all plans
email_security now also checks MTA-STS (including the published policy), TLS-RPT, and BIMI
New GET /v1/usage — view your own request counts, cache hit rate, and feature usage
New POST /v1/keys/rotate — self-service API key rotation; old keys keep working for a 24h grace window
Machine-readable OpenAPI 3.1 spec now served at /docs/openapi.yaml
All responses now include Strict-Transport-Security, Referrer-Policy, and Content-Security-Policy headers
Failed lookups are now retried sooner: error responses cache for a short negative TTL instead of the full cache window
v0.51.0 2026-04-16
Subdomain enumeration is now subject to a tighter per-plan domain cap (subdomain.max_domains.*). The config keys and defaults shipped earlier; this is the missing enforcement
v0.50.1 2026-04-04
Domain normalization now strips any URL scheme (ftp, ssh, etc.), not just http/https
v0.50.0 2026-04-04
Domain inputs with paths, ports, query strings, and fragments are now normalized instead of rejected
v0.44.0 2026-04-03
DNS lookups now use external resolvers (Google, Cloudflare, OpenDNS) with automatic fallback
v0.41.0 2026-03-29
New endpoint: POST /v1/ip/lookup — GeoIP, ASN, reverse DNS, abuse contact, and threat intelligence for IP addresses
IP threat intelligence requires a pro plan (same as domain threat_intel)
GeoIP and ASN data powered by MaxMind GeoLite2 databases (loaded from disk, refreshable via admin endpoint)
v0.40.0 2026-03-28
Domain input validation now rejects ports, paths, query strings, fragments, and userinfo
v0.38.0 2026-03-22
Partial lookup failures now include error_count in the response for better client-side observability
v0.36.0 2026-03-19
VirusTotal provider is now best-effort when rate-limited instead of failing the whole lookup
Added threat intelligence section to API docs
v0.34.0 2026-03-17
Added Stripe billing integration with webhook handling and API key provisioning
New /billing/success page for post-checkout key retrieval
Customer Portal link for subscription management
v0.33.0 2026-03-16
Added threat intelligence lookups — VirusTotal, URLhaus, and AlienVault OTX with weighted scoring
Threat intel available for pro and admin plans via threat_intel option
v0.32.0 2026-03-15
Added BGP/ASN lookups with origin AS, prefix, and RIR information
BGP data available for all plans via bgp option
v0.31.0 2026-03-14
Added certificate transparency log lookups via crt.sh
CT log data available for all plans via ct_logs option
v0.30.0 2026-03-13
Added technology fingerprinting — detects web servers, frameworks, CDNs, and more from HTTP headers
~90 built-in detection rules, hot-reloadable via admin endpoint
v0.19.0 2026-03-05
Added subdomain enumeration via certificate transparency data
Subdomain results included in domain lookup response via subdomains option
v0.18.0 2026-03-04
Added X-Client-Request-ID header support for client-supplied request correlation
v0.16.0 2026-03-02
Added email security analysis — SPF, DKIM, and DMARC record validation
Email security available for all plans via email_security option
v0.15.0 2026-02-28
Plan-based limits on domains per request — free: 1, basic: 5, pro: 20