Credentials - VantaPrism API

Export raw login/password credential rows filtered by domain and/or login. Use this for bulk export into your own SIEM, data warehouse, or credential-monitoring pipeline — unlike the End User Protection endpoints, which are designed for single-identifier lookups, this endpoint is built for filtered bulk retrieval.

Request

POST /v1/data/credentials · Required scope: search:domain (all tiers) At least one of domains or logins is required.

Parameter	Type	Required	Default	Description
`domains`	string[]	One of `domains`/`logins` required	`[]`	Registrable domains to filter by, e.g. `["acme-corp.com"]`
`logins`	string[]	One of `domains`/`logins` required	`[]`	Exact login/email values to filter on
`type`	`employees` \| `users` \| `both`	No	`both`	See Domain Intelligence Overview
`start_date`	string (date-time) \| null	No	—	Inclusive start filter, clamped by `query_window_days`
`end_date`	string (date-time) \| null	No	—	Inclusive end filter
`sort_direction`	`asc` \| `desc`	No	`desc`	Must stay constant across pages
`cursor`	string \| null	No	—	Pagination token
`limit`	integer	No	`25`	1–500, clamped to your tier’s `max_rows`

Example request

curl -X POST https://api.vantaprism.me/v1/data/credentials \
  -H "api-key: $VANTAPRISM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "domains": ["acme-corp.com"], "limit": 25 }'

Response

200 OK — array of CredentialRecord, cursor-paginated.

{
  "data": [
    {
      "victim_id": "a3f1c9e8b2d4567890abcdef1234567890abcdef1234567890abcdef123456",
      "domain": "acme-corp.com",
      "url": "https://login.microsoftonline.com/***",
      "login": "j.***@acme-corp.com",
      "password": "••••",
      "browser": "Chrome",
      "profile": "Default",
      "inserted_at": "2026-05-02T14:22:31Z"
    }
  ],
  "nextCursor": null,
  "meta": {
    "request_id": "req_01HZXK3Q7N8YV6F3M2P9JABCDE",
    "took_ms": 36.9,
    "tier": "free",
    "masked_fields": ["url", "login", "password"]
  }
}

Field	Description
`victim_id`	SHA-256 victim ID — use with Victim Profiles
`domain`	Registrable domain extracted from `url`
`url`	Masked to `scheme://host/***` on free tier
`login`	Masked via `partial_login` on free tier
`password`	Masked to `"••••"` on free tier
`browser`	Browser the credential was harvested from
`profile`	Browser profile name
`inserted_at`	When the record was ingested

Pagination

Cursor-paginated — see Pagination.

Errors

Status	`code`	Cause
400	`VALIDATION_ERROR`	Neither `domains` nor `logins` provided
400	`INVALID_CURSOR`	Tampered or stale `cursor`
403	`FORBIDDEN_SCOPE`	Key lacks `search:domain`

See Errors for the full catalog.

Tier notes

url, login, and password are masked per the standard free-tier rules in Data Masking. If a logins value you searched for exactly matches the returned login, it is returned unmasked per the “searched value is never masked” rule; matches found only via domains remain masked on free tier.

​Request

​Example request

​Response

​Pagination

​Errors

​Tier notes