Request
POST /v1/domain/third-party-risk · Required scope: search:advanced (pro/ultra only) · Aggregation (counts toward agg_per_min) · Not paginated
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| domains | string[] | Yes | — | Domains to analyze, min 1 item |
| start_date | string (date-time) \| null | No | — | Inclusive start filter, clamped by query_window_days |
| end_date | string (date-time) \| null | No | — | Inclusive end filter |
| limit | integer | No | 25 | 1–25 |
Example request
Response
200 OK — array of ThirdPartyRiskResult, ordered by shared_victim_count
descending. Not paginated — limit (max 25) bounds the result directly.
| Field | Description |
|---|---|
| third_party_domain | A domain whose credentials were found on the same infected machines as domains |
| shared_victim_count | Number of distinct victims with credentials for both domains |
| credential_count | Total third_party_domain credential rows across those shared victims |
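
To make the three response fields concrete, the following added example (not the service's code, and not from the original page) models the aggregation locally over constructed credential rows. It assumes that, with several input domains, a victim qualifies by holding a credential for any one of them, and that ties are broken by domain name; the page specifies neither.

```python
from collections import defaultdict

# Constructed sample rows: (victim_id, domain) = one credential row from one infected machine.
SAMPLE_ROWS = [
    ("v1", "example.com"), ("v1", "sso.vendor.test"), ("v1", "sso.vendor.test"),
    ("v2", "example.com"), ("v2", "sso.vendor.test"), ("v2", "mail.partner.test"),
    ("v3", "example.com"), ("v3", "sso.vendor.test"),
    ("v4", "sso.vendor.test"),   # no credential for example.com: not a shared victim
    ("v5", "example.com"),       # only the analyzed domain: contributes no third party
]

def third_party_risk(rows, domains, limit=25):
    """Local model of the documented aggregation (illustration only)."""
    # Mirror the documented validation rules (400 VALIDATION_ERROR on the API).
    if not domains:
        raise ValueError("domains must contain at least 1 item")
    if not 1 <= limit <= 25:
        raise ValueError("limit must be between 1 and 25")
    targets = set(domains)
    # Victims holding at least one credential for an analyzed domain.
    # Assumption: with several input domains, matching any one of them qualifies.
    target_victims = {victim for victim, domain in rows if domain in targets}
    victims = defaultdict(set)  # third_party_domain -> distinct shared victims
    creds = defaultdict(int)    # third_party_domain -> credential rows on those victims
    for victim, domain in rows:
        if victim in target_victims and domain not in targets:
            victims[domain].add(victim)
            creds[domain] += 1
    results = [
        {"third_party_domain": d,
         "shared_victim_count": len(victims[d]),
         "credential_count": creds[d]}
        for d in victims
    ]
    # Documented order: shared_victim_count descending. Name tie-break is an assumption.
    results.sort(key=lambda r: (-r["shared_victim_count"], r["third_party_domain"]))
    return results[:limit]

if __name__ == "__main__":
    for row in third_party_risk(SAMPLE_ROWS, ["example.com"]):
        print(row)
```

Note that v1's two sso.vendor.test rows raise credential_count but not shared_victim_count, and v4 is excluded because it has no credential for the analyzed domain.
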
Errors
| Status | code | Cause |
|---|---|---|
| 400 | VALIDATION_ERROR | domains empty, or limit > 25 |
| 403 | FORBIDDEN_SCOPE | Key lacks search:advanced — this endpoint is unavailable on the free tier |
| 429 | RATE_LIMIT_EXCEEDED | Exceeded agg_per_min |
Tier notes
This is one of the few endpoints not available on free — it requires
search:advanced, granted to pro and ultra. See
Rate Limits & Tiers.