Search by Email - VantaPrism API

The most common End User Protection query: check whether an email address appears in stolen-credential records, e.g. during login, password-reset, or account-creation flows to warn users about credential reuse.

Request

POST /v1/search/emails · Required scope: search:login (all tiers)

Parameter	Type	Required	Default	Description
`emails`	string[]	Yes	—	Email addresses to search, min 1 item. Lowercased automatically.
`type`	`employees` \| `users` \| `both`	No	`both`	See Domain Intelligence Overview
`start_date`	string (date-time) \| null	No	—	Inclusive start filter, clamped by `query_window_days`
`end_date`	string (date-time) \| null	No	—	Inclusive end filter
`sort_direction`	`asc` \| `desc`	No	`desc`	Must stay constant across pages
`cursor`	string \| null	No	—	Pagination token
`limit`	integer	No	`25`	1–500, clamped to your tier’s `max_rows`

Example request

curl -X POST https://api.vantaprism.me/v1/search/emails \
  -H "api-key: $VANTAPRISM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "emails": ["john.doe@acme-corp.com"], "limit": 25 }'

Response

200 OK — array of CredentialExposureResult, cursor-paginated.

{
  "data": [
    {
      "stealer_id": "RL-2026-AC91F3",
      "victim_id": "a3f1c9e8b2d4567890abcdef1234567890abcdef1234567890abcdef123456",
      "username": "john.doe@acme-corp.com",
      "password": "••••",
      "domain": "acme-corp.com",
      "url": "https://login.microsoftonline.com/***",
      "infection_date": "2026-05-02T14:22:31Z"
    }
  ],
  "nextCursor": null,
  "meta": {
    "request_id": "req_01HZXK3Q7N8YV6F3M2P9JABCDE",
    "took_ms": 33.5,
    "tier": "free",
    "masked_fields": ["password", "url"]
  }
}

Field	Description
`stealer_id`	`log_victim_id` of the infected machine
`victim_id`	SHA-256 victim ID — use with Victim Profiles
`username`	Returned unmasked — exactly matches a value you searched for
`password`	Masked to `"••••"` on free tier
`domain`	Registrable domain extracted from `url`
`url`	Masked to `scheme://host/***` on free tier
`infection_date`	When the log was captured

Note that username is unmasked here even on free tier — it’s the exact email you searched for. See Data Masking.

Pagination

Cursor-paginated — see Pagination.

Errors

Status	`code`	Cause
400	`VALIDATION_ERROR`	`emails` is empty or exceeds limits
400	`INVALID_CURSOR`	Tampered or stale `cursor`
403	`FORBIDDEN_SCOPE`	Key lacks `search:login`

See Errors for the full catalog.

Tier notes

password and url are masked on free tier; username (the searched value) is always raw. start_date/limit clamping follows the standard per-tier rules in Rate Limits & Tiers.

​Request

​Example request

​Response

​Pagination

​Errors

​Tier notes