Stealer - focuses on credentials extracted from malware infected devices
Combo - focuses on combo lists that contain plaintext credentials
Creds - focuses on 3rd party breaches that contain credentials
Sessions - focuses on session tokens extracted from malware infected devices
NHI - focuses on non-human identities (API keys, OAuth tokens, service credentials)
Darkweb - focuses on company data being leaked or sold on the darkweb
Radar - focuses on domains that threat actors are chatting about, either as a target or selling their data
Docs - focuses on full text search on leaked documents
ASM - attack surface management listing both assets and potential phishing domains
Account - manages monitored assets, notification recipients, and license rotation
If you’d rather query these endpoints in plain English from your terminal than write curl commands, install the Breachsense plugin for Claude Code. Same data, same backend, no flag-and-parameter recall required.
Getting Started
Authentication
Every request requires a license key, sent as either a query parameter or HTTP header:
curl "https://api.breachsense.com/stealer?lic=[LicenseKey]&s=example.com"
curl -H "lic: [LicenseKey]" "https://api.breachsense.com/stealer?s=example.com"
HTTP status codes
| Code | Meaning |
|---|---|
| 200 | Success, full result set returned |
| 206 | Success, more results available, request next page with p=N+1 |
| 400 | Malformed request (missing required parameter, invalid format) |
| 401 | Missing or invalid license key |
| 403 | Endpoint or feature not included in your tier (e.g. premium-marketplace monitoring on Essentials) |
| 422 | Required configuration missing (e.g. license rotation without a notification recipient set) |
| 429 | Already performed within the rate-limit window (e.g. license rotation more than once per 24h) |
| 500 | Server error, contact support@breachsense.com |
Throttling
Each license is rate-limited to 1 request per second sustained, with short bursts of up to 5 requests absorbed without delay. Requests beyond that return HTTP 429 with a JSON body:
{"error": true, "message": "Rate limit exceeded. Please throttle to 1 request per second per license."}
The limit is keyed off your license, so multiple machines / processes sharing a license share the same rate budget. If your workflow legitimately needs higher throughput (for example, an MSSP onboarding many client domains in parallel), contact support@breachsense.com.
The total number of queries available per month is determined by your subscription tier and is independent of this rate limit.
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /stealer |
Supported Parameters
| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| hid | search for a given hardware ID. |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/stealer?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/stealer?s=[DomainName] |
| p | The system returns up to 1000 results per request. To access the next 1000 results, use the p parameter to specify the desired page. When an HTTP 206 response status is returned, increase the page number to view the next page. Numeric value. |
| pwd | search for a given password. |
| r | return the number of remaining monthly queries allowed |
| s / search | search term - accepts a domain name, email address, IP address, crypto wallet address, or a truncated credit card number (e.g. 123456-1234) |
| update | return the Unix timestamp the stealer database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| ccn* | The disclosed credit card number |
| ccx* | The exposed credit card number’s expiration date |
| cnt* | The number of results available for the searched target |
| cwa* | The exposed crypto wallet address |
| bid* | The build ID of the malware |
| fle | The file name the credential was found in |
| fnd | The date the credential was found |
| hid* | The hardware ID of the infected device |
| iip* | The IP address of the infected device |
| inf* | The date the machine was infected on |
| mac* | The name assigned to the infected device |
| mal* | The type of malware infected on the device |
| nme* | The user logged in on the infected device |
| os* | The operating system installed on the infected device |
| pth* | The filesystem path for the malware executable |
| pwd | The password used to authenticate |
| src | The target URL or IP that the victim authenticated to |
| usr | The username used to authenticate to the target |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | ignore@example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /combo |
Supported Parameters
| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/combo?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/combo?s=[DomainName] |
| p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. |
| r | return the number of remaining monthly queries allowed |
| s / search | accepts a domain name or email address |
| update | return the Unix timestamp the combo database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| cnt* | The number of results available for the searched target |
| cnt_approximated* | The number of results available was approximated due to latency issues |
| fle | The file name the credential was found in |
| fnd | The date (in YYYYMMDD or unixtime format) the credentials were found |
| pwd | The password used to authenticate |
| src* | The target URL or IP that the victim authenticated to |
| usr | The username used to authenticate |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | ignore@example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /creds |
Supported Parameters
| Parameter | Description |
|---|---|
| attr | display a short description of the breach |
| count | display the number of results available for a given target |
| csv | display results in CSV format (default is JSON) |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| hash | return a 0 if the password is in hashed format and a 1 if the password has been decrypted |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/creds?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/creds?s=[DomainName] |
| list | list the breaches and dates they were imported |
| limit | increase / decrease the number of records returned in the response |
| p | to reduce latency for targets with many results, enable pagination via p=1 in the initial request. when an HTTP 206 response status is returned, increase the page number to view the next page. p is a numeric page value and must be accessed sequentially. results are limited to 500 credentials per request (by default). |
| r | return the number of remaining monthly queries allowed |
| s / search | accepts a domain name or email address |
| update | return the Unix timestamp the creds database was last updated |
| uniq | return a list of all unique email addresses and plaintext passwords |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| atr* | The attribution data associated with the breach |
| cnt* | The number of results available for the searched target |
| eml | The email address used to authenticate |
| fnd | The date (in YYYYMMDD format) the breach was found |
| pwd | The password used to authenticate |
| src | The name of the breached website or collection |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | ignore@example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /sessions |
Supported Parameters
| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/sessions?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/sessions?s=[DomainName] |
| r | return the number of remaining monthly queries allowed |
| s / search | search term - accepts a domain name, email address or IP address |
| update | return the Unix timestamp the sessions database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| bid* | The build ID of the malware |
| cookie_name | The name of the cookie |
| cookie_path | The cookie path |
| dom | The domain name associated with the victim |
| expires | The date (in unixtime) that the cookie is set to expire |
| fle* | The file name the cookie was found in |
| fnd | The date the data was found (in YYYYMMDD format) |
| iip* | The IP address of the infected device |
| inf* | The date the machine was infected on |
| mal* | The type of malware infected on the device |
| malware_path | The filesystem path to the malware executable |
| user_name | The user logged in on the infected device |
| val | The value of the cookie |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /nhi |
The NHI (Non-Human Identity) endpoint surfaces leaked API keys, OAuth tokens, and service credentials extracted from stealer logs, ransomware-leaked files, and exposed code repositories.
Supported Parameters
| Parameter | Description |
|---|---|
| bid | search by malware build ID (pivot from a stealer-log infection) |
| category | filter by token category, e.g. cloud_infra, dev_platform, ai_platform, payment, collaboration, generic_secret. Case-insensitive. Can be combined with s= or used as a filter-only query. |
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| hid | search by hardware ID (pivot from a stealer-log infection) |
| ip | search by IP address (server hosting the leaked token, or infected machine) |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/nhi?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/nhi?s=[DomainName] |
| p | pagination. When an HTTP 206 response status is returned, increase the page number to view the next page. |
| platform | filter by platform, e.g. AWS, GitHub, OpenAI, Anthropic, Slack, Stripe, Discord, Atlassian. Case-insensitive. Can be combined with s= or used as a filter-only query. |
| prefix | filter by token prefix, e.g. AKIA (AWS access key), ghp_ (GitHub PAT), sk-ant- (Anthropic). Useful when you know the exact provider but not the platform name. |
| r | return the number of remaining monthly queries allowed |
| s | search term, accepts a domain name or email address. Either s= or one of the filter parameters (platform, category, token_type, prefix, source_type) is required. |
| source_type | filter by where the token was extracted, e.g. browser_store, cookie_file, browser_artifact, env_file, aws_creds, ssh_key, json_config, shell_history, shodan_pem, shodan_etcd. See the Output table below for what each value means. |
| token_type | filter by token type, e.g. aws_access_key, github_pat, openai_api_key, anthropic_api_key. Case-insensitive. |
| update | return the Unix timestamp the NHI database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| av* | Antivirus on the compromised machine, when sourced from stealer logs |
| bid* | The build ID of the malware, when sourced from stealer logs |
| category | Token category (e.g. cloud_infra, dev_platform, ai_platform) |
| fle* | The file name the token was found in |
| fnd | The date the token was found (YYYYMMDD or unixtime) |
| hid* | The hardware ID of the infected device, when sourced from stealer logs |
| ip* | The IP address (infected machine for stealer logs, hosting server for exposed-source rows) |
| mal* | The malware family that exfiltrated the token, when sourced from stealer logs |
| os* | The operating system of the infected device, when sourced from stealer logs |
| platform | The platform the token authenticates against (e.g. AWS, GitHub, OpenAI) |
| pth* | Filesystem path of the file containing the token |
| source_type | Where the token was extracted. Stealer-log values: browser_store (saved password), cookie_file, browser_artifact (browser history/network), env_file, aws_creds, ssh_key, json_config, shell_history. Exposed-server values: shodan_pem, shodan_etcd. |
| src* | The URL or location where the token was found |
| token | The leaked token value |
| token_type | Specific token type (e.g. aws_access_key, github_pat) |
| usr* | Username associated with the token, when applicable |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /darkweb |
Supported Parameters
| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| desc | display a short description of the victim |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/darkweb?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/darkweb?s=[DomainName] |
| r | return the number of remaining monthly queries allowed |
| range | range - accepts a date range in YYYYMMDD-YYYYMMDD format (30 day limit) |
| s / search | search term - accepts a domain name |
| tadesc | display a short description of the threat actor |
| update | return the Unix timestamp the darkweb database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| data | The domain name associated with the victim |
| desc* | A short description of the victim |
| found | The date the data was indexed (in YYYYMMDD format) |
| img* | A signed URL linking to a screenshot of the relevant data The URL is valid for 20 minutes This output is only available in the Business and Enterprise tiers |
| name | The company name of the victim |
| site | The name of the threat actor |
| src | A URL containing data associated with the target |
| tadesc* | A short description of the threat actor |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /radar |
Supported Parameters
| Parameter | Description |
|---|---|
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/radar?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/radar?s=[DomainName] |
| r | return the number of remaining monthly queries allowed |
| s / search | search term - accepts a domain name |
| update | return the Unix timestamp the radar database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| data | The domain name associated with the victim |
| found | The date the data was indexed (in YYYYMMDD format) |
| img* | A signed URL linking to a screenshot of the relevant data The URL is valid for 20 minutes This output is only available in the Business and Enterprise tiers |
| src | A URL containing data associated with the target |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /docs |
Supported Parameters
| Parameter | Description |
|---|---|
| s / search | Search term (address, phone number, company name, domain, keyword, phrase). Supports quoted strings for exact-phrase matching |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/docs?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/docs?s=[DomainName] |
| count | display the number of results available for a given target |
| date | only display results where extraction_date equal to or newer than this value. Value set in YYYYMMDD |
| update | return the Unix timestamp the docs database was last updated |
| download_all | download all the document ids corresponding to the search term (default format is json, csv can be used by specifying format=csv) |
| download_doc_id | download the document with the given document id |
| format | Download format - default is json, can be csv as well |
| fuzzy | include similar but not exact matches in the results as well |
Output
| JSON Key | Value |
|---|---|
| doc_id | Unique document identifier (UUID) |
| file_name | Name of the leaked file |
| file_hash | SHA-256 hash of the file |
| file_size | File size in bytes |
| content_type | MIME type of the document |
| extraction_timestamp | Date & time the document was processed |
| leak_date | Date the breach / leak occurred |
| threat_actor | Threat actor or ransomware group |
| company_name | Victim company name |
| domain_name | Victim domain |
| url_main_post | Original leak announcement URL |
| url_for_breach | Direct URL to the leaked file |
| password* | Password associated with protected leaks |
| * Optional JSON object keys |
Test Data :
| Parameter | String |
|---|---|
| s | example.com |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /asm |
Supported Parameters
| Parameter | Description |
|---|---|
| assets | filter results to only display assets |
| count | display the number of results available for a given target |
| date | only display results newer than this value. Value set in YYYYMMDD or unixtime formats |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/asm?lic=[LicenseKey]&s=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/asm?s=[DomainName] |
| pphish | filter results to only display potential phishing domains |
| r | return the number of remaining monthly queries allowed |
| s / search | accepts a domain name or email address |
| update | return the Unix timestamp the combo database was last updated |
| unixtime | display the import date in unixtime (aliases: unix,epoch) |
Output
| JSON Key | Value |
|---|---|
| api* | The name of the API endpoint that generated the alert |
| cname* | The CNAME of the domain name identified |
| dom | The domain name found |
| found | The date (in YYYYMMDD or unixtime format) the domain was found |
| ip* | The IP address of the domain name identified |
| type | The type of asset identified ns represents a nameserver mx represents a mail server ast represents a domain name asset. pphish represents a potential phishing domain found. |
| * Optional JSON object keys | |
| ** Output based on domain names configured in the monitor API endpoint |
Endpoint
| Domain Name | Path |
|---|---|
| api.breachsense.com | /account (alias: /monitor) |
Supported Parameters
| Parameter | Description |
|---|---|
| action | manage monitored assets and license must be set to add, del, list, test, or rotate |
| ast | add/delete the asset you wish to monitor per asset notifications can be set using the :: separator, e.g.: example.com::soc@example.com or example.com::https://user:pass@www.example.com/Path/To/Webhook monitored session tokens are set similarly example.com::JSESSIONID example.com::JSESSIONID::soc@example.com must be used in conjunction with the action parameter |
| lic | license key can be sent via a GET parameter or request header, for example: curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=[DomainName] curl -H “lic: LicenseKey” https://api.breachsense.com/account?action=add&ast=[DomainName] |
| notify | add/delete the default email address or webhook you wish to receive alerts at this is used when a per asset notification is not set must be used in conjunction with the action parameter |
| creds | add/delete the basic auth credentials you wish to use when sending an alert to a webhook must be used in conjunction with the action parameter |
| premium | flag a monitored domain for premium-marketplace monitoring only available on the Business and Enterprise tiers (3 and 10 premium-flagged domains respectively) used in conjunction with action=add and the ast parameter accepts the bare flag form or an explicit value: curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=[DomainName]&premium curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=[DomainName]&premium=1 to disable premium on a previously flagged domain: curl https://api.breachsense.com/account?lic=[LicenseKey]&action=add&ast=[DomainName]&premium=0 |
Output
| JSON Key | Value |
|---|---|
| ast* | asset that will be monitored |
| notify* | email or webhook that will be notified |
| premium* | true if the domain is currently flagged for premium-marketplace monitoring (returned in action=list responses, Business and Enterprise tiers only) |
| status* | ok on successful action=rotate; fail on rotation errors |
| message* | human-readable message returned with action=rotate responses |
| * Optional JSON object keys |
Webhook payload format
When you configure a webhook URL via action=add¬ify=https://your-webhook, alerts are delivered as HTTP POST with Content-Type: application/json.
The body is a JSON array of result objects, the same shape you’d receive in an HTTP response from the corresponding API endpoint, with two extra fields per object:
| Field | Value |
|---|---|
| ast | The monitored asset that triggered the alert |
| api | The endpoint that produced this row (stealer, combo, creds, sessions, darkweb, radar, docs, asm, nhi) |
If you’ve configured basic auth via action=add&creds=user:pass, the request includes an Authorization: Basic ... header. Webhooks are sent per ingest cycle, not batched across cycles — expect multiple POSTs if many results match a single ingest.
Sending a test alert
Use this to verify a webhook is reachable, validate your alert-handling code against a known payload, or sanity-check a notification recipient was added correctly.
curl https://api.breachsense.com/account?lic=[License]&action=test&ast=[MonitoredAsset]
The asset must already be configured for monitoring (action=add&ast=... first). The test fans out to every notification target configured for that asset, both webhooks and emails. To target a single webhook, append it after a :: separator:
curl https://api.breachsense.com/account?lic=[License]&action=test&ast=example.com::https://hooks.example.com/breachsense
Test payload (sent to webhooks as a JSON array of one object):
[
{
"fnd": "20260510",
"src": "dashboard.example.com/admin/login",
"usr": "admin@example.com",
"pwd": "admin123",
"fle": "File.txt",
"api": "combo",
"ast": "example.com",
"test": true
}
]
The test: true field lets your receiver distinguish a test fixture from a real alert and skip ingestion of the synthetic credentials. Otherwise the payload shape matches a real combo-endpoint alert exactly.
Daily limit: 20 test alerts per license. Counter resets every 24 hours.
Response includes per-webhook delivery status:
{
"status": "success",
"message": "Test alert sent",
"remaining_today": 19,
"delivered": { "webhooks_ok": 1, "webhooks_failed": 0, "emails_queued": 0 },
"webhooks": [{ "url": "https://hooks.example.com/breachsense", "status": 200 }]
}
Status codes:
| Code | Meaning |
|---|---|
| 200 | Test alert dispatched, response includes per-webhook delivery details |
| 400 | Missing ast parameter, or the ::webhook suffix doesn’t match a configured webhook |
| 403 | Asset isn’t currently monitored, add it first with action=add&ast=... |
| 429 | Hit the 20-tests-per-day limit; wait until reset |
Rotating your license key
If your license key is exposed (committed to a public repository, shared in chat, leaked in logs), rotate it self-serve:
curl https://api.breachsense.com/account?lic=[CurrentLicense]&action=rotate
The new license key is emailed to your configured notification recipients, not returned in the HTTP response. Even if the rotation request itself is intercepted, the new key only reaches you via email.
Requirements:
- Paid plan (Trial keys cannot be rotated, contact support@breachsense.com if a trial key is compromised)
- At least one notification recipient configured:
curl https://api.breachsense.com/account?lic=[License]&action=add¬ify=you@example.com - One rotation per 24 hours per license
The old key is invalidated immediately on success.
Status codes:
| Code | Meaning |
|---|---|
| 200 | Rotated, new key emailed to notification recipients |
| 403 | Trial license, rotation requires a paid plan |
| 422 | No notification recipient configured, add one with action=add¬ify=... first |
| 429 | Already rotated within the last 24 hours |
| 500 | Server error during rotation, contact support |