Request
POST /v1/search/term · Required scope: search:stealer (all tiers)
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| terms | string[] | Yes | — | Search terms matched against visited URL/title, 1–10 items, e.g. ["accounts.google.com"] |
| start_date | string (date-time) \| null | No | — | Inclusive start filter, clamped by query_window_days |
| end_date | string (date-time) \| null | No | — | Inclusive end filter |
| sort_direction | asc \| desc | No | desc | Must stay constant across pages |
| cursor | string \| null | No | — | Pagination token |
| limit | integer | No | 25 | 1–500, clamped to your tier’s max_rows |
Example request
Response
200 OK — array of TermSearchResult, cursor-paginated.
| Field | Description |
|---|---|
| stealer_id | log_victim_id of the infected machine |
| victim_id | SHA-256 victim ID — use with Victim Profiles |
| url | Masked to scheme://host/*** on free tier |
| domain | Registrable domain extracted from url |
| title | Page title at time of visit |
| visited_at | When the page was visited, may be null if unavailable |
| visit_count | Number of times the URL was visited |
| ip | Masked via subnet_mask on free tier |
| country | ISO 3166-1 alpha-2 |
| stealer_family | |
Pagination
Cursor-paginated — see Pagination.
Errors
| Status | code | Cause |
|---|---|---|
| 400 | VALIDATION_ERROR | terms is empty or exceeds 10 items |
| 400 | INVALID_CURSOR | Tampered or stale cursor |
| 403 | FORBIDDEN_SCOPE | Key lacks search:stealer |
Tier notes
url and ip are masked per the standard free-tier rules in
Data Masking. The “searched value is never masked” rule does
not apply here — you searched by free-text term, not by an identifier field.
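A client-side sketch of the request rules and pagination described above, added here as an example and not taken from the API's own documentation or SDK. The transport `send(body) -> (rows, next_cursor)`, the helper names and the sample pages are assumptions; how the next cursor is actually returned is defined on the Pagination page.

```python
from datetime import datetime, timezone

def build_body(terms, start_date=None, end_date=None,
               sort_direction="desc", cursor=None, limit=25):
    """Build the JSON body for POST /v1/search/term, enforcing the documented ranges."""
    if not 1 <= len(terms) <= 10:   # server side: 400 VALIDATION_ERROR
        raise ValueError("terms must contain 1-10 items")
    if sort_direction not in ("asc", "desc"):
        raise ValueError("sort_direction must be 'asc' or 'desc'")
    if not 1 <= limit <= 500:
        raise ValueError("limit must be between 1 and 500")
    body = {"terms": list(terms), "sort_direction": sort_direction, "limit": limit}
    for key, value in (("start_date", start_date), ("end_date", end_date)):
        if value is not None:
            if value.tzinfo is None:
                raise ValueError(f"{key} must be timezone-aware")
            body[key] = value.astimezone(timezone.utc).isoformat()
    if cursor is not None:
        body["cursor"] = cursor
    return body

def iter_results(send, **params):
    """Yield every row across pages.

    ASSUMPTION: send(body) -> (rows, next_cursor) is a hypothetical transport;
    how the API returns the next cursor is defined on the Pagination page.
    Rebuilding each body from the same params keeps sort_direction constant.
    """
    cursor = None
    while True:
        rows, cursor = send(build_body(cursor=cursor, **params))
        yield from rows
        if not cursor:
            return

def is_masked_url(url):
    """True when url has the free-tier form scheme://host/***."""
    return url.endswith("/***")

# Constructed sample pages standing in for the API (not real data).
PAGES = {None: ([{"url": "https://login.example.com/***"}], "cursor-1"),
         "cursor-1": ([{"url": "https://login.example.com/***"}], None)}
SEEN = []  # request bodies received by the stand-in transport

def fake_send(body):
    SEEN.append(body)
    return PAGES[body.get("cursor")]

if __name__ == "__main__":
    for row in iter_results(fake_send, terms=["login.example.com"], limit=1):
        print(row["url"], "masked" if is_masked_url(row["url"]) else "full")
```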