Request
POST /v1/data/keychain · Required scope: view:keychain (ultra tier only)
At least one of name_contains, start_date, or end_date is required.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
name_contains | string | null | One of the three required | — | Case-insensitive substring match against the Keychain entry name, e.g. "github" |
start_date | string (date-time) | null | See above | — | Inclusive start filter, clamped by query_window_days |
end_date | string (date-time) | null | See above | — | Inclusive end filter |
sort_direction | asc | desc | No | desc | Must stay constant across pages |
cursor | string | null | No | — | Pagination token |
limit | integer | No | 25 | 1–500, clamped to your tier’s max_rows |
Example request
Response
200 OK — array of KeychainRecord, cursor-paginated.
| Field | Description |
|---|---|
victim_id | SHA-256 victim ID — use with Victim Profiles |
name | Keychain entry name, e.g. a hostname or app/service identifier |
value | The stored Keychain secret. Returned as "[REDACTED]" on free/pro tiers (keychain_value) |
inserted_at | When the record was ingested |
Pagination
Cursor-paginated — see Pagination.Errors
| Status | code | Cause |
|---|---|---|
| 400 | VALIDATION_ERROR | None of name_contains, start_date, end_date provided |
| 400 | INVALID_CURSOR | Tampered or stale cursor |
| 403 | FORBIDDEN_SCOPE | Key lacks view:keychain (free and pro tiers) |
Tier notes
view:keychain is part of ALL_SCOPES but only granted to the ultra
tier — free and pro keys receive 403 FORBIDDEN_SCOPE. Even on pro tier
(hypothetically), value (keychain_value) would be returned as
"[REDACTED]"; only ultra returns it raw. Returning a raw keychain_value
is logged to the api_raw_access audit table.