username, domain, and url are returned.
Request
POST /v1/search/password · Required scope: search:password (pro and ultra tiers)
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
password | string | Yes | — | Plaintext password to search for, 4–200 chars, e.g. "Summer2024!" |
start_date | string (date-time) | null | No | — | Inclusive start filter, clamped by query_window_days |
end_date | string (date-time) | null | No | — | Inclusive end filter |
sort_direction | asc | desc | No | desc | Must stay constant across pages |
cursor | string | null | No | — | Pagination token |
limit | integer | No | 25 | 1–500, clamped to your tier’s max_rows |
Example request
Response
200 OK — array of PasswordSearchResult, cursor-paginated. The password
field itself is never returned by this endpoint.
| Field | Description |
|---|---|
stealer_id | log_victim_id of the infected machine |
victim_id | SHA-256 victim ID — use with Victim Profiles |
username | Account identifier using the searched password |
domain | Registrable domain extracted from url |
url | Login URL associated with the credential |
infection_date | When the log was captured |
Pagination
Cursor-paginated — see Pagination.Errors
| Status | code | Cause |
|---|---|---|
| 400 | VALIDATION_ERROR | password is missing or outside 4–200 characters |
| 400 | INVALID_CURSOR | Tampered or stale cursor |
| 403 | FORBIDDEN_SCOPE | Key lacks search:password (free tier) |
Tier notes
This endpoint requiressearch:password, which is not included on the
free tier — a free-tier key receives 403 FORBIDDEN_SCOPE. Both pro and
ultra tiers receive username and url unmasked — the free-tier masking
rules in Data Masking for these fields never apply here,
since free tier cannot call this endpoint at all.