Request
POST /v1/domain/assets · Required scope: search:domain (all tiers) · Aggregation (counts toward agg_per_min) · Not paginated
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
domains | string[] | Yes | — | Domains to enumerate, min 1 item |
type | employees | users | both | No | both | See Overview |
start_date | string (date-time) | null | No | — | Inclusive start filter, clamped by query_window_days |
end_date | string (date-time) | null | No | — | Inclusive end filter |
limit | integer | No | 30 | 1–30 — this endpoint is capped lower than list endpoints |
Example request
Response
200 OK — array of DomainAssetResult, ordered by occurrences descending.
Not paginated — limit (max 30) bounds the result directly.
| Field | Description |
|---|---|
url | Masked to scheme://host/*** on free tier via domain_only_url |
domain | Registrable domain extracted from url |
occurrences | Total times this URL was seen across all matching infections |
unique_victims | Distinct infected machines that had this URL |
employee_occurrences / user_occurrences | Breakdown by classification |
type | employee | user | both |
last_seen | Most recent infection date this URL was observed in |
Errors
| Status | code | Cause |
|---|---|---|
| 400 | VALIDATION_ERROR | domains empty, or limit > 30 |
| 403 | FORBIDDEN_SCOPE | Key lacks search:domain |
| 429 | RATE_LIMIT_EXCEEDED | Exceeded agg_per_min |
Tier notes
url is masked to scheme://host/*** on the free tier — the full path
(which can reveal internal tool names/IDs) requires pro or ultra.