Breachsense CTI API Documentation

Stealer - focuses on credentials extracted from malware infected devices
Combo - focuses on combo lists that contain plaintext credentials
Creds - focuses on 3rd party breaches that contain credentials
Sessions - focuses on session tokens extracted from malware infected devices
NHI - focuses on non-human identities (API keys, OAuth tokens, service credentials)
Darkweb - focuses on company data being leaked or sold on the darkweb
Radar - focuses on domains that threat actors are chatting about, either as a target or selling their data
Docs - focuses on full text search on leaked documents
ASM - attack surface management listing both assets and potential phishing domains
Account - manages monitored assets, notification recipients, license rotation, and audit-log export

If you’d rather query these endpoints in plain English from your terminal than write curl commands, install the Breachsense plugin for Claude Code. Same data, same backend, no flag-and-parameter recall required.

Getting Started

Authentication

Every request requires a license key, sent as either a query parameter or HTTP header:

curl "https://api.breachsense.com/stealer?lic=[LicenseKey]&s=example.com"
curl -H "lic: [LicenseKey]" "https://api.breachsense.com/stealer?s=example.com"

HTTP status codes

CodeMeaning
200Success, full result set returned
206Success, more results available, request next page with p=N+1
400Malformed request (missing required parameter, invalid format)
401Missing or invalid license key
403Endpoint or feature not included in your tier (e.g. premium-marketplace monitoring on Essentials)
422Required configuration missing (e.g. license rotation without a notification recipient set)
429Already performed within the rate-limit window (e.g. license rotation more than once per 24h)
500Server error, contact support@breachsense.com

Throttling

Each license is rate-limited to 1 request per second sustained, with short bursts of up to 5 requests absorbed without delay. Requests beyond that return HTTP 429 with a JSON body:

{"error": true, "message": "Rate limit exceeded. Please throttle to 1 request per second per license."}

The limit is keyed off your license, so multiple machines / processes sharing a license share the same rate budget. If your workflow legitimately needs higher throughput (for example, an MSSP onboarding many client domains in parallel), contact support@breachsense.com.

The total number of queries available per month is determined by your subscription tier and is independent of this rate limit.

Endpoint

Domain NamePath
api.breachsense.com/stealer

Supported Parameters

ParameterDescription
countdisplay the number of results available for a given target
dateonly display results newer than this value. Value set in YYYYMMDD or unixtime formats
hidsearch for a given hardware ID.
liclicense key
can be sent via a GET parameter or request header, for example:
curl https://api.breachsense.com/stealer?lic=[LicenseKey]&s=[DomainName]
curl -H “lic: LicenseKey” https://api.breachsense.com/stealer?s=[DomainName]
pThe system returns up to 1000 results per request. To access the next 1000 results, use the p parameter to specify the desired page. When an HTTP 206 response status is returned, increase the page number to view the next page. Numeric value.
pwdsearch for a given password.
rreturn the number of remaining monthly queries allowed
s / searchsearch term - accepts a domain name, email address, IP address, crypto wallet address, or a truncated credit card number (e.g. 123456-1234)
updatereturn the Unix timestamp the stealer database was last updated
unixtimedisplay the import date in unixtime (aliases: unix,epoch)

Output

JSON KeyValue
api*The name of the API endpoint that generated the alert
ccn*The disclosed credit card number
ccx*The exposed credit card number’s expiration date
cnt*The number of results available for the searched target
cwa*The exposed crypto wallet address
bid*The build ID of the malware
fleThe file name the credential was found in
fndThe date the credential was found
hid*The hardware ID of the infected device
iip*The IP address of the infected device
inf*The date the machine was infected on
mac*The name assigned to the infected device
mal*The type of malware infected on the device
nme*The user logged in on the infected device
os*The operating system installed on the infected device
pth*The filesystem path for the malware executable
pwdThe password used to authenticate
srcThe target URL or IP that the victim authenticated to
usrThe username used to authenticate to the target
* Optional JSON object keys

Test Data :

ParameterString
signore@example.com

Endpoint

Domain NamePath
api.breachsense.com/combo

Supported Parameters

ParameterDescription
countdisplay the number of results available for a given target
dateonly display results newer than this value. Value set in YYYYMMDD or unixtime formats
liclicense key
can be sent via a GET parameter or request header, for example:
curl https://api.breachsense.com/combo?lic=[LicenseKey]&s=[DomainName]
curl -H “lic: LicenseKey” https://api.breachsense.com/combo?s=[DomainName]
pto reduce latency for targets with many results, enable pagination via p=1 in the initial request.
when an HTTP 206 response status is returned, increase the page number to view the next page.
p is a numeric page value and must be accessed sequentially.
rreturn the number of remaining monthly queries allowed
s / searchaccepts a domain name or email address
updatereturn the Unix timestamp the combo database was last updated
unixtimedisplay the import date in unixtime (aliases: unix,epoch)

Output

JSON KeyValue
api*The name of the API endpoint that generated the alert
cnt*The number of results available for the searched target
cnt_approximated*The number of results available was approximated due to latency issues
fleThe file name the credential was found in
fndThe date (in YYYYMMDD or unixtime format) the credentials were found
pwdThe password used to authenticate
src*The target URL or IP that the victim authenticated to
usrThe username used to authenticate
* Optional JSON object keys

Test Data :

ParameterString
signore@example.com

Endpoint

Domain NamePath
api.breachsense.com/creds

Supported Parameters

ParameterDescription
attrdisplay a short description of the breach
countdisplay the number of results available for a given target
csvdisplay results in CSV format (default is JSON)
dateonly display results newer than this value. Value set in YYYYMMDD or unixtime formats
hashreturn a 0 if the password is in hashed format and a 1 if the password has been decrypted
liclicense key
can be sent via a GET parameter or request header, for example:
curl https://api.breachsense.com/creds?lic=[LicenseKey]&s=[DomainName]
curl -H “lic: LicenseKey” https://api.breachsense.com/creds?s=[DomainName]
listlist the breaches and dates they were imported
limitincrease / decrease the number of records returned in the response
pto reduce latency for targets with many results, enable pagination via p=1 in the initial request.
when an HTTP 206 response status is returned, increase the page number to view the next page.
p is a numeric page value and must be accessed sequentially.
results are limited to 500 credentials per request (by default).
rreturn the number of remaining monthly queries allowed
s / searchaccepts a domain name or email address
updatereturn the Unix timestamp the creds database was last updated
uniqreturn a list of all unique email addresses and plaintext passwords
unixtimedisplay the import date in unixtime (aliases: unix,epoch)

Output

JSON KeyValue
api*The name of the API endpoint that generated the alert
atr*The attribution data associated with the breach
cnt*The number of results available for the searched target
emlThe email address used to authenticate
fndThe date (in YYYYMMDD format) the breach was found
pwdThe password used to authenticate
srcThe name of the breached website or collection
* Optional JSON object keys

Test Data :

ParameterString
signore@example.com

Endpoint

Domain NamePath
api.breachsense.com/sessions

Supported Parameters

ParameterDescription
countdisplay the number of results available for a given target
dateonly display results newer than this value. Value set in YYYYMMDD or unixtime formats
liclicense key
can be sent via a GET parameter or request header, for example:
curl https://api.breachsense.com/sessions?lic=[LicenseKey]&s=[DomainName]
curl -H “lic: LicenseKey” https://api.breachsense.com/sessions?s=[DomainName]
rreturn the number of remaining monthly queries allowed
s / searchsearch term - accepts a domain name, email address or IP address
updatereturn the Unix timestamp the sessions database was last updated
unixtimedisplay the import date in unixtime (aliases: unix,epoch)

Output

JSON KeyValue
api*The name of the API endpoint that generated the alert
bid*The build ID of the malware
cookie_nameThe name of the cookie
cookie_pathThe cookie path
domThe domain name associated with the victim
expiresThe date (in unixtime) that the cookie is set to expire
fle*The file name the cookie was found in
fndThe date the data was found (in YYYYMMDD format)
iip*The IP address of the infected device
inf*The date the machine was infected on
mal*The type of malware infected on the device
malware_pathThe filesystem path to the malware executable
user_nameThe user logged in on the infected device
valThe value of the cookie
* Optional JSON object keys

Test Data :

ParameterString
sexample.com

Endpoint

Domain NamePath
api.breachsense.com/nhi

The NHI (Non-Human Identity) endpoint surfaces leaked API keys, OAuth tokens, and service credentials extracted from stealer logs, ransomware-leaked files, and exposed code repositories.

Supported Parameters

ParameterDescription
bidsearch by malware build ID (pivot from a stealer-log infection)
categoryfilter by token category, e.g. cloud_infra, dev_platform, ai_platform, payment, collaboration, generic_secret. Case-insensitive. Can be combined with s= or used as a filter-only query.
countdisplay the number of results available for a given target
dateonly display results newer than this value. Value set in YYYYMMDD or unixtime formats
hidsearch by hardware ID (pivot from a stealer-log infection)
ipsearch by IP address (server hosting the leaked token, or infected machine)
liclicense key
can be sent via a GET parameter or request header, for example:
curl https://api.breachsense.com/nhi?lic=[LicenseKey]&s=[DomainName]
curl -H “lic: LicenseKey” https://api.breachsense.com/nhi?s=[DomainName]
ppagination. When an HTTP 206 response status is returned, increase the page number to view the next page.
platformfilter by platform, e.g. AWS, GitHub, OpenAI, Anthropic, Slack, Stripe, Discord, Atlassian. Case-insensitive. Can be combined with s= or used as a filter-only query.
prefixfilter by token prefix, e.g. AKIA (AWS access key), ghp_ (GitHub PAT), sk-ant- (Anthropic). Useful when you know the exact provider but not the platform name.
rreturn the number of remaining monthly queries allowed
ssearch term, accepts a domain name or email address. Either s= or one of the filter parameters (platform, category, token_type, prefix, source_type) is required.
source_typefilter by where the token was extracted, e.g. browser_store, cookie_file, browser_artifact, env_file, aws_creds, ssh_key, json_config, shell_history, shodan_pem, shodan_etcd. See the Output table below for what each value means.
token_typefilter by token type, e.g. aws_access_key, github_pat, openai_api_key, anthropic_api_key. Case-insensitive.
updatereturn the Unix timestamp the NHI database was last updated
unixtimedisplay the import date in unixtime (aliases: unix,epoch)

Output

JSON KeyValue
api*The name of the API endpoint that generated the alert
av*Antivirus on the compromised machine, when sourced from stealer logs
bid*The build ID of the malware, when sourced from stealer logs
categoryToken category (e.g. cloud_infra, dev_platform, ai_platform)
fle*The file name the token was found in
fndThe date the token was found (YYYYMMDD or unixtime)
hid*The hardware ID of the infected device, when sourced from stealer logs
ip*The IP address (infected machine for stealer logs, hosting server for exposed-source rows)
mal*The malware family that exfiltrated the token, when sourced from stealer logs
os*The operating system of the infected device, when sourced from stealer logs
platformThe platform the token authenticates against (e.g. AWS, GitHub, OpenAI)
pth*Filesystem path of the file containing the token
source_typeWhere the token was extracted. Stealer-log values: browser_store (saved password), cookie_file, browser_artifact (browser history/network), env_file, aws_creds, ssh_key, json_config, shell_history. Exposed-server values: shodan_pem, shodan_etcd.
src*The URL or location where the token was found
tokenThe leaked token value
token_typeSpecific token type (e.g. aws_access_key, github_pat)
usr*Username associated with the token, when applicable
* Optional JSON object keys

Test Data :

ParameterString
sexample.com

Endpoint

Domain NamePath
api.breachsense.com/darkweb

Supported Parameters

ParameterDescription
countdisplay the number of results available for a given target
dateonly display results newer than this value. Value set in YYYYMMDD or unixtime formats
descdisplay a short description of the victim
liclicense key
can be sent via a GET parameter or request header, for example:
curl https://api.breachsense.com/darkweb?lic=[LicenseKey]&s=[DomainName]
curl -H “lic: LicenseKey” https://api.breachsense.com/darkweb?s=[DomainName]
rreturn the number of remaining monthly queries allowed
rangerange - accepts a date range in YYYYMMDD-YYYYMMDD format (30 day limit)
s / searchsearch term - accepts a domain name
tadescdisplay a short description of the threat actor
updatereturn the Unix timestamp the darkweb database was last updated
unixtimedisplay the import date in unixtime (aliases: unix,epoch)

Output

JSON KeyValue
api*The name of the API endpoint that generated the alert
dataThe domain name associated with the victim
desc*A short description of the victim
foundThe date the data was indexed (in YYYYMMDD format)
img*A signed URL linking to a screenshot of the relevant data
The URL is valid for 20 minutes
This output is only available in the Business and Enterprise tiers
nameThe company name of the victim
siteThe name of the threat actor
srcA URL containing data associated with the target
tadesc*A short description of the threat actor
* Optional JSON object keys

Test Data :

ParameterString
sexample.com

Endpoint

Domain NamePath
api.breachsense.com/radar

Supported Parameters

ParameterDescription
countdisplay the number of results available for a given target
dateonly display results newer than this value. Value set in YYYYMMDD or unixtime formats
liclicense key
can be sent via a GET parameter or request header, for example:
curl https://api.breachsense.com/radar?lic=[LicenseKey]&s=[DomainName]
curl -H “lic: LicenseKey” https://api.breachsense.com/radar?s=[DomainName]
rreturn the number of remaining monthly queries allowed
s / searchsearch term - accepts a domain name
updatereturn the Unix timestamp the radar database was last updated
unixtimedisplay the import date in unixtime (aliases: unix,epoch)

Output

JSON KeyValue
api*The name of the API endpoint that generated the alert
dataThe domain name associated with the victim
foundThe date the data was indexed (in YYYYMMDD format)
img*A signed URL linking to a screenshot of the relevant data
The URL is valid for 20 minutes
This output is only available in the Business and Enterprise tiers
srcA URL containing data associated with the target
* Optional JSON object keys

Test Data :

ParameterString
sexample.com

Endpoint

Domain NamePath
api.breachsense.com/docs

Supported Parameters

ParameterDescription
s / searchAny search term, run as a full-text search across the leaked documents. Accepts any string: a name, address, phone number, company name, domain, keyword, or phrase. Supports quoted strings for exact-phrase matching
liclicense key
can be sent via a GET parameter or request header, for example:
curl https://api.breachsense.com/docs?lic=[LicenseKey]&s=[DomainName]
curl -H “lic: LicenseKey” https://api.breachsense.com/docs?s=[DomainName]
countdisplay the number of results available for a given target
dateonly display results where extraction_date equal to or newer than this value. Value set in YYYYMMDD
updatereturn the Unix timestamp the docs database was last updated
download_alldownload all the document ids corresponding to the search term (default format is json, csv can be used by specifying format=csv)
download_doc_iddownload the document with the given document id
formatDownload format - default is json, can be csv as well
fuzzyinclude similar but not exact matches in the results as well

Output

JSON KeyValue
doc_idUnique document identifier (UUID)
file_nameName of the leaked file
file_hashSHA-256 hash of the file
file_sizeFile size in bytes
content_typeMIME type of the document
extraction_timestampDate & time the document was processed
leak_dateDate the breach / leak occurred
threat_actorThreat actor or ransomware group
company_nameVictim company name
domain_nameVictim domain
url_main_postOriginal leak announcement URL
url_for_breachDirect URL to the leaked file
password*Password associated with protected leaks
* Optional JSON object keys

Test Data :

ParameterString
sexample.com

Endpoint

Domain NamePath
api.breachsense.com/asm

Supported Parameters

ParameterDescription
assetsfilter results to only display assets
countdisplay the number of results available for a given target
dateonly display results newer than this value. Value set in YYYYMMDD or unixtime formats
liclicense key
can be sent via a GET parameter or request header, for example:
curl https://api.breachsense.com/asm?lic=[LicenseKey]&s=[DomainName]
curl -H “lic: LicenseKey” https://api.breachsense.com/asm?s=[DomainName]
pphishfilter results to only display potential phishing domains
rreturn the number of remaining monthly queries allowed
s / searchaccepts a domain name or email address
updatereturn the Unix timestamp the combo database was last updated
unixtimedisplay the import date in unixtime (aliases: unix,epoch)

Output

JSON KeyValue
api*The name of the API endpoint that generated the alert
cname*The CNAME of the domain name identified
domThe domain name found
foundThe date (in YYYYMMDD or unixtime format) the domain was found
ip*The IP address of the domain name identified
typeThe type of asset identified
ns represents a nameserver
mx represents a mail server
ast represents a domain name asset.
pphish represents a potential phishing domain found.
* Optional JSON object keys
** Output based on domain names configured in the monitor API endpoint

Endpoint

Domain NamePath
api.breachsense.com/account (alias: /monitor)

Supported Parameters

ParameterDescription
actionmanage monitored assets and license
must be set to add, del, list, test, rotate, or audit
astadd/delete the asset you wish to monitor
a monitored asset can be a domain name, an email address, or an IP address
per asset notifications can be set using the :: separator, e.g.:
example.com::soc@example.com
or
example.com::https://user:pass@www.example.com/Path/To/Webhook

monitored session tokens are set similarly
example.com::JSESSIONID
example.com::JSESSIONID::soc@example.com

must be used in conjunction with the action parameter
liclicense key
can be sent via a GET parameter or request header, for example:
curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=[DomainName]
curl -H “lic: LicenseKey” https://api.breachsense.com/account?action=add&ast=[DomainName]
notifyadd/delete the default email address or webhook you wish to receive alerts at
this is used when a per asset notification is not set
must be used in conjunction with the action parameter
techadd/delete a technical notification email used for operational and deliverability alerts (for example, when a configured webhook is failing)
must be an email address, not a webhook
useful when your notify target is a webhook, so we can still reach you if delivery fails
used in conjunction with action=add, del, or list, for example:
curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&tech=ops@example.com
curl https://api.breachsense.com/account?lic=[LicenseKey]&action=list&tech
curl https://api.breachsense.com/account?lic=[LicenseKey]&action=del&tech=ops@example.com
credsadd/delete the basic auth credentials you wish to use when sending an alert to a webhook
must be used in conjunction with the action parameter
premiumflag a monitored domain for premium-marketplace monitoring
only available on the Business and Enterprise tiers
used in conjunction with action=add and the ast parameter
accepts the bare flag form or an explicit value:
curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=[DomainName]&premium
curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=[DomainName]&premium=1
to disable premium on a previously flagged domain:
curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=[DomainName]&premium=0
whitelistsuppress credential alerts for entries you don’t want to be notified about, such as rotated or old passwords, test or honeypot accounts, and already-remediated creds
used as a bare flag (like premium), used with action=add, del, or list together with the ast parameter
the entry can be an exact username:password pair, or a username on its own to suppress every alert for that account
the username is matched case-insensitively, the password exactly
this suppresses the alert only, the match still appears in your API query results
available on all tiers, up to 1000 entries per license
curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=user@example.com:OldPass123&whitelist
curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=user@example.com&whitelist
curl https://api.breachsense.com/account?lic=[LicenseKey]&action=list&whitelist
curl https://api.breachsense.com/account?lic=[LicenseKey]&action=del&ast=user@example.com:OldPass123&whitelist

Output

JSON KeyValue
ast*asset that will be monitored
notify*email or webhook that will be notified
tech*technical notification email (returned in action=list&tech responses)
premium*true if the domain is currently flagged for premium-marketplace monitoring (returned in action=list responses, Business and Enterprise tiers only)
whitelist*array of whitelisted entries, returned by action=list&whitelist; an empty array when none are set
status*success or fail on action=add/del&whitelist; ok or fail on action=rotate
message*human-readable message returned with whitelist add/del and rotate responses (for example Whitelisted: user@example.com, Already whitelisted: ..., Removed from whitelist: ...)
* Optional JSON object keys

Webhook payload format

When you configure a webhook URL via action=add&notify=https://your-webhook, alerts are delivered as HTTP POST with Content-Type: application/json.

The body is a JSON array of result objects, the same shape you’d receive in an HTTP response from the corresponding API endpoint, with two extra fields per object:

FieldValue
astThe monitored asset that triggered the alert
apiThe endpoint that produced this row (stealer, combo, creds, sessions, darkweb, radar, docs, asm, nhi)

If you’ve configured basic auth via action=add&creds=user:pass, the request includes an Authorization: Basic ... header. Webhooks are sent per ingest cycle, not batched across cycles, so expect multiple POSTs if many results match a single ingest.


Sending a test alert

Use this to verify a webhook is reachable, validate your alert-handling code against a known payload, or sanity-check a notification recipient was added correctly.

curl https://api.breachsense.com/account?lic=[License]&action=test&ast=[MonitoredAsset]

The asset must already be configured for monitoring (action=add&ast=... first). The test fans out to every notification target configured for that asset, both webhooks and emails. To target a single webhook, append it after a :: separator:

curl https://api.breachsense.com/account?lic=[License]&action=test&ast=example.com::https://hooks.example.com/breachsense

Test payload (sent to webhooks as a JSON array of one object):

[
  {
    "fnd": "20260510",
    "src": "dashboard.example.com/admin/login",
    "usr": "admin@example.com",
    "pwd": "admin123",
    "fle": "File.txt",
    "api": "combo",
    "ast": "example.com",
    "test": true
  }
]

The test: true field lets your receiver distinguish a test fixture from a real alert and skip ingestion of the synthetic credentials. Otherwise the payload shape matches a real combo-endpoint alert exactly.

Daily limit: 20 test alerts per license. Counter resets every 24 hours.

Response includes per-webhook delivery status:

{
  "status": "success",
  "message": "Test alert sent",
  "remaining_today": 19,
  "delivered": { "webhooks_ok": 1, "webhooks_failed": 0, "emails_queued": 0 },
  "webhooks": [{ "url": "https://hooks.example.com/breachsense", "status": 200 }]
}

Status codes:

CodeMeaning
200Test alert dispatched, response includes per-webhook delivery details
400Missing ast parameter, or the ::webhook suffix doesn’t match a configured webhook
403Asset isn’t currently monitored, add it first with action=add&ast=...
429Hit the 20-tests-per-day limit; wait until reset

Suppressing credential alerts (whitelist)

Whitelist username:password pairs you don’t want alerts for, such as rotated or old passwords, test or honeypot accounts, and pairs you’ve already remediated. The alert pipeline checks each license’s whitelist before sending a credential alert (the stealer, combo, and creds matches) and drops anything that matches, which cuts alert fatigue. This affects notifications only: a whitelisted pair still shows up in your normal API query results.

Two forms are supported:

  • An exact pair, user@example.com:OldPass123, suppresses alerts for just that pair.
  • A username on its own, user@example.com, suppresses every credential alert for that account.

The username is normalized to lowercase and matched case-insensitively; the password is matched exactly. Entries go in the ast parameter alongside a bare whitelist flag, and the feature is available on every tier (up to 1000 entries per license).

# whitelist an exact pair
curl "https://api.breachsense.com/account?lic=[License]&action=add&ast=user@example.com:OldPass123&whitelist"

# whitelist a whole username
curl "https://api.breachsense.com/account?lic=[License]&action=add&ast=user@example.com&whitelist"

# list current whitelist entries
curl "https://api.breachsense.com/account?lic=[License]&action=list&whitelist"

# remove an entry
curl "https://api.breachsense.com/account?lic=[License]&action=del&ast=user@example.com:OldPass123&whitelist"

action=add&whitelist requires an ast value and is idempotent (re-adding an existing entry returns Already whitelisted). action=list&whitelist returns a JSON array of the current entries, or [] when none are set.

Rotating your license key

If your license key is exposed (committed to a public repository, shared in chat, leaked in logs), rotate it self-serve:

curl https://api.breachsense.com/account?lic=[CurrentLicense]&action=rotate

The new license key is emailed to your configured notification recipients, not returned in the HTTP response. Even if the rotation request itself is intercepted, the new key only reaches you via email.

Requirements:

  • Paid plan (Trial keys cannot be rotated, contact support@breachsense.com if a trial key is compromised)
  • At least one notification recipient configured: curl https://api.breachsense.com/account?lic=[License]&action=add&notify=you@example.com
  • One rotation per 24 hours per license

The old key is invalidated immediately on success.

Status codes:

CodeMeaning
200Rotated, new key emailed to notification recipients
403Trial license, rotation requires a paid plan
422No notification recipient configured, add one with action=add&notify=... first
429Already rotated within the last 24 hours
500Server error during rotation, contact support

Downloading your audit log

Pull a record of the API activity on your license so you can review what was queried, without us exporting it for you. The log is strictly scoped to the license passed in lic.

curl https://api.breachsense.com/account?lic=[License]&action=audit

By default this returns the last 30 days. To set a different window, use either days or an explicit from/to range:

ParameterDescription
daysnumber of trailing days to return (default 30, capped at the 35-day retention window)
from / toexplicit date range, YYYY-MM-DD or YYYY-MM-DD HH:MM:SS format, used instead of days
curl "https://api.breachsense.com/account?lic=[License]&action=audit&days=7"
curl "https://api.breachsense.com/account?lic=[License]&action=audit&from=2026-06-01&to=2026-06-15"

Activity is retained for 35 days; anything older ages out and cannot be queried. The response echoes back the resolved time window it applied.

Response is a JSON object with a count, the resolved window_days, and an events array:

{
  "count": 1,
  "window_days": 7,
  "events": [
    {
      "endpoint": "/creds",
      "method": "HEAD",
      "search": "ignore@example.com",
      "status": 200,
      "time": "2026-06-18T19:01:49Z",
      "ip": "203.0.113.10",
      "user_agent": "curl/8.4.0"
    }
  ]
}

A window with no activity returns the same shape with count: 0 and an empty events array.

Each event records one request counted against your license:

  • the search term that was queried (search)
  • the endpoint and HTTP method (endpoint, method)
  • the HTTP status code returned (status)
  • the timestamp in UTC (time)
  • the IP address the request came from (ip)
  • the User-Agent that made the request (user_agent)

License-rotation events are merged into the same stream. The log reflects every request that counts against your license’s monthly usage, including automated monitoring runs performed on your behalf, not only requests you send directly.

A single request returns at most 5,000 events, newest first. If a window holds more than that, narrow it with days or an explicit from/to range to page through the rest.

Status codes:

CodeMeaning
200Success; events array returned (empty array when there’s no activity in the window)
401Missing or invalid license key