Stealer - focuses on credentials extracted from malware infected devices
Combo - focuses on combo lists that contain plaintext credentials
Creds - focuses on 3rd party breaches that contain credentials
Sessions - focuses on session tokens extracted from malware infected devices
NHI - focuses on non-human identities (API keys, OAuth tokens, service credentials)
Darkweb - focuses on company data being leaked or sold on the darkweb
Radar - focuses on domains that threat actors are chatting about, either as a target or selling their data
Docs - focuses on full text search on leaked documents
ASM - attack surface management listing both assets and potential phishing domains
Account - manages monitored assets, notification recipients, license rotation, and audit-log export
If you’d rather query these endpoints in plain English from your terminal than write curl commands, install the Breachsense plugin for Claude Code. Same data, same backend, no flag-and-parameter recall required.
Getting Started
Authentication
Every request requires a license key, sent as either a query parameter or HTTP header:
curl "https://api.breachsense.com/stealer?lic=[LicenseKey]&s=example.com"
curl -H "lic: [LicenseKey]" "https://api.breachsense.com/stealer?s=example.com"
HTTP status codes
| Code | Meaning |
|---|---|
| 200 | Success, full result set returned |
| 206 | Success, more results available, request next page with p=N+1 |
| 400 | Malformed request (missing required parameter, invalid format) |
| 401 | Missing or invalid license key |
| 403 | Endpoint or feature not included in your tier (e.g. premium-marketplace monitoring on Essentials) |
| 422 | Required configuration missing (e.g. license rotation without a notification recipient set) |
| 429 | Already performed within the rate-limit window (e.g. license rotation more than once per 24h) |
| 500 | Server error, contact support@breachsense.com |
Throttling
Each license is rate-limited to 1 request per second sustained, with short bursts of up to 5 requests absorbed without delay. Requests beyond that return HTTP 429 with a JSON body:
{"error": true, "message": "Rate limit exceeded. Please throttle to 1 request per second per license."}
The limit is keyed off your license, so multiple machines / processes sharing a license share the same rate budget. If your workflow legitimately needs higher throughput (for example, an MSSP onboarding many client domains in parallel), contact support@breachsense.com.
The total number of queries available per month is determined by your subscription tier and is independent of this rate limit.
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /stealer |
Supported Parameters
| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| hid | search for a given hardware ID. |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/stealer?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/stealer?s=[DomainName] |
| p | The system returns up to 1000 results per request. To access the next 1000 results, use the p parameter to specify the desired page. When an HTTP 206 response status is returned, increase the page number to view the next page. Numeric value. |
| pwd | search for a given password. |
| r | return the number of remaining monthly queries allowed |
| s / search | search term - accepts a domain name, email address, IP address, crypto wallet address, or a truncated credit card number (e.g. 123456-1234) |
| update | return the Unix timestamp the stealer database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| ccn* | The disclosed credit card number |
| ccx* | The exposed credit card number’s expiration date |
| cnt* | The number of results available for the searched target |
| cwa* | The exposed crypto wallet address |
| bid* | The build ID of the malware |
| fle | The file name the credential was found in |
| fnd | The date the credential was found |
| hid* | The hardware ID of the infected device |
| iip* | The IP address of the infected device |
| inf* | The date the machine was infected on |
| mac* | The name assigned to the infected device |
| mal* | The type of malware infected on the device |
| nme* | The user logged in on the infected device |
| os* | The operating system installed on the infected device |
| pth* | The filesystem path for the malware executable |
| pwd | The password used to authenticate |
| src | The target URL or IP that the victim authenticated to |
| usr | The username used to authenticate to the target |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | ignore@example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /combo |
Supported Parameters
| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/combo?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/combo?s=[DomainName] |
| p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. |
| r | return the number of remaining monthly queries allowed |
| s / search | accepts a domain name or email address |
| update | return the Unix timestamp the combo database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| cnt* | The number of results available for the searched target |
| cnt_approximated* | The number of results available was approximated due to latency issues |
| fle | The file name the credential was found in |
| fnd | The date (in YYYYMMDD or unixtime format) the credentials were found |
| pwd | The password used to authenticate |
| src* | The target URL or IP that the victim authenticated to |
| usr | The username used to authenticate |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | ignore@example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /creds |
Supported Parameters
| Parameter | Description |
|---|---|
| attr | display a short description of the breach |
| count | display the number of results available for a given target |
| csv | display results in CSV format (default is JSON) |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| hash | return a 0 if the password is in hashed format and a 1 if the password has been decrypted |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/creds?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/creds?s=[DomainName] |
| list | list the breaches and dates they were imported |
| limit | increase / decrease the number of records returned in the response |
| p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. results are limited to 500 credentials per request (by default). |
| r | return the number of remaining monthly queries allowed |
| s / search | accepts a domain name or email address |
| update | return the Unix timestamp the creds database was last updated |
| uniq | return a list of all unique email addresses and plaintext passwords |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| atr* | The attribution data associated with the breach |
| cnt* | The number of results available for the searched target |
| eml | The email address used to authenticate |
| fnd | The date (in YYYYMMDD format) the breach was found |
| pwd | The password used to authenticate |
| src | The name of the breached website or collection |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | ignore@example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /sessions |
Supported Parameters
| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/sessions?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/sessions?s=[DomainName] |
| r | return the number of remaining monthly queries allowed |
| s / search | search term - accepts a domain name, email address or IP address |
| update | return the Unix timestamp the sessions database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| bid* | The build ID of the malware |
| cookie_name | The name of the cookie |
| cookie_path | The cookie path |
| dom | The domain name associated with the victim |
| expires | The date (in unixtime) that the cookie is set to expire |
| fle* | The file name the cookie was found in |
| fnd | The date the data was found (in YYYYMMDD format) |
| iip* | The IP address of the infected device |
| inf* | The date the machine was infected on |
| mal* | The type of malware infected on the device |
| malware_path | The filesystem path to the malware executable |
| user_name | The user logged in on the infected device |
| val | The value of the cookie |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /nhi |
The NHI (Non-Human Identity) endpoint surfaces leaked API keys, OAuth tokens, and service credentials extracted from stealer logs, ransomware-leaked files, and exposed code repositories.
Supported Parameters
| Parameter | Description |
|---|---|
| bid | search by malware build ID (pivot from a stealer-log infection) |
| category | filter by token category, e.g. cloud_infra, dev_platform, ai_platform, payment, collaboration, generic_secret. Case-insensitive. Can be combined with s= or used as a filter-only query. |
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| hid | search by hardware ID (pivot from a stealer-log infection) |
| ip | search by IP address (server hosting the leaked token, or infected machine) |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/nhi?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/nhi?s=[DomainName] |
| p | pagination. When an HTTP 206 response status is returned, increase the page number to view the next page. |
| platform | filter by platform, e.g. AWS, GitHub, OpenAI, Anthropic, Slack, Stripe, Discord, Atlassian. Case-insensitive. Can be combined with s= or used as a filter-only query. |
| prefix | filter by token prefix, e.g. AKIA (AWS access key), ghp_ (GitHub PAT), sk-ant- (Anthropic). Useful when you know the exact provider but not the platform name. |
| r | return the number of remaining monthly queries allowed |
| s | search term, accepts a domain name or email address. Either s= or one of the filter parameters (platform, category, token_type, prefix, source_type) is required. |
| source_type | filter by where the token was extracted, e.g. browser_store, cookie_file, browser_artifact, env_file, aws_creds, ssh_key, json_config, shell_history, shodan_pem, shodan_etcd. See the Output table below for what each value means. |
| token_type | filter by token type, e.g. aws_access_key, github_pat, openai_api_key, anthropic_api_key. Case-insensitive. |
| update | return the Unix timestamp the NHI database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| av* | Antivirus on the compromised machine, when sourced from stealer logs |
| bid* | The build ID of the malware, when sourced from stealer logs |
| category | Token category (e.g. cloud_infra, dev_platform, ai_platform) |
| fle* | The file name the token was found in |
| fnd | The date the token was found (YYYYMMDD or unixtime) |
| hid* | The hardware ID of the infected device, when sourced from stealer logs |
| ip* | The IP address (infected machine for stealer logs, hosting server for exposed-source rows) |
| mal* | The malware family that exfiltrated the token, when sourced from stealer logs |
| os* | The operating system of the infected device, when sourced from stealer logs |
| platform | The platform the token authenticates against (e.g. AWS, GitHub, OpenAI) |
| pth* | Filesystem path of the file containing the token |
| source_type | Where the token was extracted. Stealer-log values: browser_store (saved password), cookie_file, browser_artifact (browser history/network), env_file, aws_creds, ssh_key, json_config, shell_history. Exposed-server values: shodan_pem, shodan_etcd. |
| src* | The URL or location where the token was found |
| token | The leaked token value |
| token_type | Specific token type (e.g. aws_access_key, github_pat) |
| usr* | Username associated with the token, when applicable |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /darkweb |
Supported Parameters
| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| desc | display a short description of the victim |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/darkweb?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/darkweb?s=[DomainName] |
| r | return the number of remaining monthly queries allowed |
| range | range - accepts a date range in YYYYMMDD-YYYYMMDD format (30 day limit) |
| s / search | search term - accepts a domain name |
| tadesc | display a short description of the threat actor |
| update | return the Unix timestamp the darkweb database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| data | The domain name associated with the victim |
| desc* | A short description of the victim |
| found | The date the data was indexed (in YYYYMMDD format) |
| img* | A signed URL linking to a screenshot of the relevant data The URL is valid for 20 minutes This output is only available in the Business and Enterprise tiers |
| name | The company name of the victim |
| site | The name of the threat actor |
| src | A URL containing data associated with the target |
| tadesc* | A short description of the threat actor |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /radar |
Supported Parameters
| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/radar?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/radar?s=[DomainName] |
| r | return the number of remaining monthly queries allowed |
| s / search | search term - accepts a domain name |
| update | return the Unix timestamp the radar database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| data | The domain name associated with the victim |
| found | The date the data was indexed (in YYYYMMDD format) |
| img* | A signed URL linking to a screenshot of the relevant data The URL is valid for 20 minutes This output is only available in the Business and Enterprise tiers |
| src | A URL containing data associated with the target |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /docs |
Supported Parameters
| Parameter | Description |
|---|---|
| s / search | Any search term, run as a full-text search across the leaked documents. Accepts any string: a name, address, phone number, company name, domain, keyword, or phrase. Supports quoted strings for exact-phrase matching |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/docs?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/docs?s=[DomainName] |
| count | display the number of results available for a given target |
| date | only display results where extraction_date equal to or newer than this value. Value set in YYYYMMDD |
| update | return the Unix timestamp the docs database was last updated |
| download_all | download all the document ids corresponding to the search term (default format is json, csv can be used by specifying format=csv) |
| download_doc_id | download the document with the given document id |
| format | Download format - default is json, can be csv as well |
| fuzzy | include similar but not exact matches in the results as well |
Output
| JSON Key | Value |
|---|---|
| doc_id | Unique document identifier (UUID) |
| file_name | Name of the leaked file |
| file_hash | SHA-256 hash of the file |
| file_size | File size in bytes |
| content_type | MIME type of the document |
| extraction_timestamp | Date & time the document was processed |
| leak_date | Date the breach / leak occurred |
| threat_actor | Threat actor or ransomware group |
| company_name | Victim company name |
| domain_name | Victim domain |
| url_main_post | Original leak announcement URL |
| url_for_breach | Direct URL to the leaked file |
| password* | Password associated with protected leaks |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /asm |
Supported Parameters
| Parameter | Description |
|---|---|
| assets | filter results to only display assets |
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/asm?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/asm?s=[DomainName] |
| pphish | filter results to only display potential phishing domains |
| r | return the number of remaining monthly queries allowed |
| s / search | accepts a domain name or email address |
| update | return the Unix timestamp the combo database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| cname* | The CNAME of the domain name identified |
| dom | The domain name found |
| found | The date (in YYYYMMDD or unixtime format) the domain was found |
| ip* | The IP address of the domain name identified |
| type | The type of asset identified ns represents a nameserver mx represents a mail server ast represents a domain name asset. pphish represents a potential phishing domain found. |
| * Optional JSON object keys | |
| ** Output based on domain names configured in the monitor API endpoint |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /account (alias: /monitor) |
Supported Parameters
| Parameter | Description |
|---|---|
| action | manage monitored assets and license must be set to add, del, list, test, rotate, or audit |
| ast | add/delete the asset you wish to monitor a monitored asset can be a domain name, an email address, or an IP address per asset notifications can be set using the :: separator, e.g.: example.com::soc@example.com or example.com::https://user:pass@www.example.com/Path/To/Webhook monitored session tokens are set similarly example.com::JSESSIONID example.com::JSESSIONID::soc@example.com must be used in conjunction with the action parameter |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/account?action=add&ast=[DomainName] |
| notify | add/delete the default email address or webhook you wish to receive alerts at this is used when a per asset notification is not set must be used in conjunction with the action parameter |
| tech | add/delete a technical notification email used for operational and deliverability alerts (for example, when a configured webhook is failing) must be an email address, not a webhook useful when your notify target is a webhook, so we can still reach you if delivery fails used in conjunction with action=add, del, or list, for example: curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&tech=ops@example.com curl https://api.breachsense.com/account?lic=[LicenseKey]&action=list&tech curl https://api.breachsense.com/account?lic=[LicenseKey]&action=del&tech=ops@example.com |
| creds | add/delete the basic auth credentials you wish to use when sending an alert to a webhook must be used in conjunction with the action parameter |
| premium | flag a monitored domain for premium-marketplace monitoring only available on the Business and Enterprise tiers used in conjunction with action=add and the ast parameter accepts the bare flag form or an explicit value: curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=[DomainName]&premium curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=[DomainName]&premium=1 to disable premium on a previously flagged domain: curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=[DomainName]&premium=0 |
| whitelist | suppress credential alerts for entries you don’t want to be notified about, such as rotated or old passwords, test or honeypot accounts, and already-remediated creds used as a bare flag (like premium), used with action=add, del, or list together with the ast parameter the entry can be an exact username:password pair, or a username on its own to suppress every alert for that account the username is matched case-insensitively, the password exactly this suppresses the alert only, the match still appears in your API query results available on all tiers, up to 1000 entries per license curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=user@example.com:OldPass123&whitelist curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=user@example.com&whitelist curl https://api.breachsense.com/account?lic=[LicenseKey]&action=list&whitelist curl https://api.breachsense.com/account?lic=[LicenseKey]&action=del&ast=user@example.com:OldPass123&whitelist |
Output
| JSON Key | Value |
|---|---|
| ast* | asset that will be monitored |
| notify* | email or webhook that will be notified |
| tech* | technical notification email (returned in action=list&tech responses) |
| premium* | true if the domain is currently flagged for premium-marketplace monitoring (returned in action=list responses, Business and Enterprise tiers only) |
| whitelist* | array of whitelisted entries, returned by action=list&whitelist; an empty array when none are set |
| status* | success or fail on action=add/del&whitelist; ok or fail on action=rotate |
| message* | human-readable message returned with whitelist add/del and rotate responses (for example Whitelisted: user@example.com, Already whitelisted: ..., Removed from whitelist: ...) |
| * Optional JSON object keys |
Webhook payload format
When you configure a webhook URL via action=add¬ify=https://your-webhook, alerts are delivered as HTTP POST with Content-Type: application/json.
The body is a JSON array of result objects, the same shape you’d receive in an HTTP response from the corresponding API endpoint, with two extra fields per object:
| Field | Value |
|---|---|
| ast | The monitored asset that triggered the alert |
| api | The endpoint that produced this row (stealer, combo, creds, sessions, darkweb, radar, docs, asm, nhi) |
If you’ve configured basic auth via action=add&creds=user:pass, the request includes an Authorization: Basic ... header. Webhooks are sent per ingest cycle, not batched across cycles, so expect multiple POSTs if many results match a single ingest.
Sending a test alert
Use this to verify a webhook is reachable, validate your alert-handling code against a known payload, or sanity-check a notification recipient was added correctly.
curl https://api.breachsense.com/account?lic=[License]&action=test&ast=[MonitoredAsset]
The asset must already be configured for monitoring (action=add&ast=... first). The test fans out to every notification target configured for that asset, both webhooks and emails. To target a single webhook, append it after a :: separator:
curl https://api.breachsense.com/account?lic=[License]&action=test&ast=example.com::https://hooks.example.com/breachsense
Test payload (sent to webhooks as a JSON array of one object):
[
{
"fnd": "20260510",
"src": "dashboard.example.com/admin/login",
"usr": "admin@example.com",
"pwd": "admin123",
"fle": "File.txt",
"api": "combo",
"ast": "example.com",
"test": true
}
]
The test: true field lets your receiver distinguish a test fixture from a real alert and skip ingestion of the synthetic credentials. Otherwise the payload shape matches a real combo-endpoint alert exactly.
Daily limit: 20 test alerts per license. Counter resets every 24 hours.
Response includes per-webhook delivery status:
{
"status": "success",
"message": "Test alert sent",
"remaining_today": 19,
"delivered": { "webhooks_ok": 1, "webhooks_failed": 0, "emails_queued": 0 },
"webhooks": [{ "url": "https://hooks.example.com/breachsense", "status": 200 }]
}
Status codes:
| Code | Meaning |
|---|---|
| 200 | Test alert dispatched, response includes per-webhook delivery details |
| 400 | Missing ast parameter, or the ::webhook suffix doesn’t match a configured webhook |
| 403 | Asset isn’t currently monitored, add it first with action=add&ast=... |
| 429 | Hit the 20-tests-per-day limit; wait until reset |
Suppressing credential alerts (whitelist)
Whitelist username:password pairs you don’t want alerts for, such as rotated or old passwords, test or honeypot accounts, and pairs you’ve already remediated. The alert pipeline checks each license’s whitelist before sending a credential alert (the stealer, combo, and creds matches) and drops anything that matches, which cuts alert fatigue. This affects notifications only: a whitelisted pair still shows up in your normal API query results.
Two forms are supported:
- An exact pair,
user@example.com:OldPass123, suppresses alerts for just that pair. - A username on its own,
user@example.com, suppresses every credential alert for that account.
The username is normalized to lowercase and matched case-insensitively; the password is matched exactly. Entries go in the ast parameter alongside a bare whitelist flag, and the feature is available on every tier (up to 1000 entries per license).
# whitelist an exact pair
curl "https://api.breachsense.com/account?lic=[License]&action=add&ast=user@example.com:OldPass123&whitelist"
# whitelist a whole username
curl "https://api.breachsense.com/account?lic=[License]&action=add&ast=user@example.com&whitelist"
# list current whitelist entries
curl "https://api.breachsense.com/account?lic=[License]&action=list&whitelist"
# remove an entry
curl "https://api.breachsense.com/account?lic=[License]&action=del&ast=user@example.com:OldPass123&whitelist"
action=add&whitelist requires an ast value and is idempotent (re-adding an existing entry returns Already whitelisted). action=list&whitelist returns a JSON array of the current entries, or [] when none are set.
Rotating your license key
If your license key is exposed (committed to a public repository, shared in chat, leaked in logs), rotate it self-serve:
curl https://api.breachsense.com/account?lic=[CurrentLicense]&action=rotate
The new license key is emailed to your configured notification recipients, not returned in the HTTP response. Even if the rotation request itself is intercepted, the new key only reaches you via email.
Requirements:
- Paid plan (Trial keys cannot be rotated, contact support@breachsense.com if a trial key is compromised)
- At least one notification recipient configured:
curl https://api.breachsense.com/account?lic=[License]&action=add¬ify=you@example.com - One rotation per 24 hours per license
The old key is invalidated immediately on success.
Status codes:
| Code | Meaning |
|---|---|
| 200 | Rotated, new key emailed to notification recipients |
| 403 | Trial license, rotation requires a paid plan |
| 422 | No notification recipient configured, add one with action=add¬ify=... first |
| 429 | Already rotated within the last 24 hours |
| 500 | Server error during rotation, contact support |
Downloading your audit log
Pull a record of the API activity on your license so you can review what was queried, without us exporting it for you. The log is strictly scoped to the license passed in lic.
curl https://api.breachsense.com/account?lic=[License]&action=audit
By default this returns the last 30 days. To set a different window, use either days or an explicit from/to range:
| Parameter | Description |
|---|---|
| days | number of trailing days to return (default 30, capped at the 35-day retention window) |
| from / to | explicit date range, YYYY-MM-DD or YYYY-MM-DD HH:MM:SS format, used instead of days |
curl "https://api.breachsense.com/account?lic=[License]&action=audit&days=7"
curl "https://api.breachsense.com/account?lic=[License]&action=audit&from=2026-06-01&to=2026-06-15"
Activity is retained for 35 days; anything older ages out and cannot be queried. The response echoes back the resolved time window it applied.
Response is a JSON object with a count, the resolved window_days, and an events array:
{
"count": 1,
"window_days": 7,
"events": [
{
"endpoint": "/creds",
"method": "HEAD",
"search": "ignore@example.com",
"status": 200,
"time": "2026-06-18T19:01:49Z",
"ip": "203.0.113.10",
"user_agent": "curl/8.4.0"
}
]
}
A window with no activity returns the same shape with count: 0 and an empty events array.
Each event records one request counted against your license:
- the search term that was queried (
search) - the endpoint and HTTP method (
endpoint,method) - the HTTP status code returned (
status) - the timestamp in UTC (
time) - the IP address the request came from (
ip) - the User-Agent that made the request (
user_agent)
License-rotation events are merged into the same stream. The log reflects every request that counts against your license’s monthly usage, including automated monitoring runs performed on your behalf, not only requests you send directly.
A single request returns at most 5,000 events, newest first. If a window holds more than that, narrow it with days or an explicit from/to range to page through the rest.
Status codes:
| Code | Meaning |
|---|---|
| 200 | Success; events array returned (empty array when there’s no activity in the window) |
| 401 | Missing or invalid license key |