# VantaPrism API

> Programmatic access to the VantaPrism stealer-log intelligence dataset — domain exposure, credential search, victim profiles, and dark-web monitoring.

## Docs

- [Get Account](https://docs.vantaprism.me/account/account.md): GET /v1/account — your API key's identity, tier, scopes, limits, and usage.
- [Advanced Search](https://docs.vantaprism.me/advanced-search/advanced.md): POST /v1/search/advanced — multi-field AND-logic cross-filter search.
- [Keyword Search](https://docs.vantaprism.me/advanced-search/keyword.md): POST /v1/search/keyword — aggregate keyword hit-counts across harvested URLs.
- [Keyword → URLs](https://docs.vantaprism.me/advanced-search/keyword-urls.md): POST /v1/search/keyword/urls — list individual URLs matching keywords.
- [Password Search](https://docs.vantaprism.me/advanced-search/password.md): POST /v1/search/password — find accounts using a known-compromised password.
- [Get your API key's account, tier, and usage](https://docs.vantaprism.me/api-reference/account/get-your-api-keys-account-tier-and-usage.md): Returns the calling API key's identity, tier, granted scopes, tier limits, and today's usage (requests/errors/cost units). Requires only a valid API key — no specific scope.
- [Export raw browser-autofill records](https://docs.vantaprism.me/api-reference/data/export-raw-browser-autofill-records.md): Returns saved autofill form fields (names, addresses, phone numbers, etc.) filtered by `name_contains` and/or a date range — at least one of `name_contains`, `start_date`, `end_date` is required. Use to build identity profiles or cross-reference PII. Cursor-paginated.
- [Export raw cookie records](https://docs.vantaprism.me/api-reference/data/export-raw-cookie-records.md): Returns browser cookie rows for the given `domains`. Set `active_only: true` to only return cookies whose `expiration_utc` is in the future — useful for active session-hijacking risk assessment. Cursor-paginated.
- [Export raw credential records](https://docs.vantaprism.me/api-reference/data/export-raw-credential-records.md): Returns raw `login`/`password` credential rows filtered by `domains` and/or `logins` (at least one required). Use for bulk export/ingestion into your own SIEM. Cursor-paginated.
- [Export raw crypto-wallet records](https://docs.vantaprism.me/api-reference/data/export-raw-crypto-wallet-records.md): Returns cryptocurrency wallet records (MetaMask, Exodus, etc.) filtered by `wallet_type` and/or `chain_primary` — at least one of `wallet_type`, `chain_primary`, `start_date`, `end_date` is required. `seed_phrase`, `private_key`, `encrypted_vault`, and `wallet_files` are converted to `has_*` boolean…
- [Export raw FTP credential records](https://docs.vantaprism.me/api-reference/data/export-raw-ftp-credential-records.md): Returns FTP server credentials filtered by `server_contains` and/or a date range — at least one of `server_contains`, `start_date`, `end_date` is required. `ftp_password` is returned as `"[REDACTED]"` on the free tier. Cursor-paginated.
- [Export raw macOS Keychain records](https://docs.vantaprism.me/api-reference/data/export-raw-macos-keychain-records.md): Returns macOS Keychain entries filtered by `name_contains` and/or a date range — at least one of `name_contains`, `start_date`, `end_date` is required. `value` (`keychain_value`) is returned as `"[REDACTED]"` on free/pro tiers. **Ultra tier only** (`view:keychain` scope). Cursor-paginated.
- [Export raw payment-card records](https://docs.vantaprism.me/api-reference/data/export-raw-payment-card-records.md): Returns stolen payment-card records filtered by `bin` (6-digit issuer prefix), `last4`, and/or `holder_contains` — at least one is required. `card_number` is always masked via `bin_last_four`; `cvv` is converted to a `has_cvv` boolean flag on free/pro tiers. Cursor-paginated.
- [Export raw shell-command history records](https://docs.vantaprism.me/api-reference/data/export-raw-shell-command-history-records.md): Returns shell command history (bash, zsh, PowerShell) filtered by `terms`, `shell`, and/or a date range — at least one of `terms`, `shell`, `start_date`, `end_date` is required. Use to understand developer activity, cloud CLI usage, or internal automation captured from infected machines. Cursor-pagi…
- [Aggregated breach summary for one or more domains](https://docs.vantaprism.me/api-reference/domain/aggregated-breach-summary-for-one-or-more-domains.md): Returns total compromised-account counts and first/last-seen timestamps per domain without returning raw records. Use for a quick risk summary. Supports up to 500 domains in one call. Not paginated. Cached for ~15 minutes.
- [Company-wide employee exposure search](https://docs.vantaprism.me/api-reference/domain/company-wide-employee-exposure-search.md): Returns credentials where the login email belongs to the searched company domain(s) or their subdomains. Add `external_domains` for SSO/IdP domains (e.g. Okta). Every result is tagged with `credential_type: employee | user | third_party`. Cursor-paginated.
- [Enumerate URLs and assets captured for a domain](https://docs.vantaprism.me/api-reference/domain/enumerate-urls-and-assets-captured-for-a-domain.md): Returns unique URLs harvested from infected machines that had saved credentials for the given domains — internal tools, admin panels, VPN portals, SaaS apps. Use to map attack surface. Not paginated (capped by `limit`, max 30).
- [Globally top-exposed domains](https://docs.vantaprism.me/api-reference/domain/globally-top-exposed-domains.md): Returns the domains with the most unique compromised victims across the entire dataset over a look-back window. Useful for trend reports and dashboards. Requires only a valid API key (no specific scope). Cached for 1 hour.
- [Search breach records for one or more domains](https://docs.vantaprism.me/api-reference/domain/search-breach-records-for-one-or-more-domains.md): Primary domain intelligence lookup. Returns stealer-log records with credentials or cookies for the given domains. Set `include_subdomains: true` to include subdomains, or pass explicit `subdomains` (which takes priority). Set `type: employees` for corporate emails only. Cursor-paginated.
- [Third-party services co-present on infected machines](https://docs.vantaprism.me/api-reference/domain/third-party-services-co-present-on-infected-machines.md): Identifies third-party domains (e.g. Slack, GitHub, AWS) co-harvested with the target domain on the same infected machines — reveals supply-chain and vendor risk. Requires `search:advanced` (pro/ultra only). Not paginated (capped by `limit`, max 25).
- [Weekly breach volume trend for a domain](https://docs.vantaprism.me/api-reference/domain/weekly-breach-volume-trend-for-a-domain.md): Weekly histogram of breach record volume (employees vs. users) for a single domain. Use to identify trends or spikes. Not paginated.
- [Look up full victim records by victim ID](https://docs.vantaprism.me/api-reference/exposure/look-up-full-victim-records-by-victim-id.md): Retrieves full victim records using one or more victim IDs (SHA-256 `victim_id` hashes and/or `log_victim_id` values, in any mix). Set `filter_credentials: true` to only return victims with at least one stored credential. Not cursor-paginated — results are sorted and truncated to `limit` in one pass…
- [Search breach records by email address](https://docs.vantaprism.me/api-reference/exposure/search-breach-records-by-email-address.md): Looks up whether one or more email addresses appear in stolen-credential records and returns the matching credential/infection details. Emails you search for are never masked in the response, even on the free tier (`restore_named_identifiers`). Cursor-paginated.
- [Search breach records by username](https://docs.vantaprism.me/api-reference/exposure/search-breach-records-by-username.md): Searches stolen-credential records by username or email local-part. Usernames you search for are never masked in the response, even on the free tier. Cursor-paginated.
- [Search infected-machine records by IP or CIDR range](https://docs.vantaprism.me/api-reference/exposure/search-infected-machine-records-by-ip-or-cidr-range.md): Finds infection records for a specific IPv4 address or CIDR subnet. Provide `ips` (exact list) OR `cidr` (subnet) — at least one is required. Exact IPs you search for in `ips` are never masked, even on the free tier; IPs matched only via `cidr` remain subnet-masked on free. Cursor-paginated.
- [Search infected machines by computer name](https://docs.vantaprism.me/api-reference/exposure/search-infected-machines-by-computer-name.md): Finds infection records by infected-machine hostname. `pc_names` are lowercased automatically before matching. Computer names you search for are never masked in the response, even on the free tier. Cursor-paginated.
- [Liveness probe](https://docs.vantaprism.me/api-reference/health/liveness-probe.md): Confirm the API process is up. Always returns `{"status":"ok"}`. Unauthenticated — use to verify connectivity before making other requests.
- [Readiness probe](https://docs.vantaprism.me/api-reference/health/readiness-probe.md): Checks connectivity to ClickHouse, PostgreSQL, and Redis. Returns `"status": "degraded"` (still HTTP 200) if any dependency is unreachable, with a per-dependency breakdown. Unauthenticated.
- [Aggregate keyword hit-counts across harvested URLs](https://docs.vantaprism.me/api-reference/search/aggregate-keyword-hit-counts-across-harvested-urls.md): For up to 10 keywords, returns the domains where each keyword appears in harvested URLs/titles, with occurrence and unique-victim counts. Use to discover internal tools or admin paths matching a pattern (e.g. `"admin-panel"`, `"jenkins"`). Not paginated (capped by `limit`, max 25); counted as an agg…
- [AI-assisted infection-vector analysis for a stealer family](https://docs.vantaprism.me/api-reference/search/ai-assisted-infection-vector-analysis-for-a-stealer-family.md): Analyzes browser history around the infection date for victims of the given stealer family and returns a heuristic best-guess for the infection vector (the URL/download most likely responsible), with reasoning and an analyst-ready summary. **Ultra tier only** (`infection-analysis` scope). Not pagina…
- [Categorize domains co-occurring with a stealer family](https://docs.vantaprism.me/api-reference/search/categorize-domains-co-occurring-with-a-stealer-family.md): For a given stealer family, returns the domains its victims appear to be employees (`employeeAt`) or customers (`clientAt`) of, plus an industry-category map derived from VantaPrism's domain taxonomy. Not paginated; counted as an aggregation request against `agg_per_min`.
- [List individual URLs matching keywords](https://docs.vantaprism.me/api-reference/search/list-individual-urls-matching-keywords.md): Like `/v1/search/keyword`, but returns the individual matching URLs (with title, occurrence count, and last-seen date) rather than per-domain aggregates. **Pro/Ultra only** (`search:keyword` scope). Cursor-paginated.
- [Multi-field AND-logic cross-filter search](https://docs.vantaprism.me/api-reference/search/multi-field-and-logic-cross-filter-search.md): Combines `domains`, `emails`, `ips`, `pc_names`, `stealer_family`, and `country` with AND logic — e.g. "RedLine infections in Germany involving acme-corp.com". At least one filter is required. **Pro/Ultra only** (`search:advanced` scope). Cursor-paginated.
- [Search browser history by term](https://docs.vantaprism.me/api-reference/search/search-browser-history-by-term.md): Searches victims' browser history for up to 10 terms matched against visited URLs and page titles. Use for behavioral fingerprinting and cross-victim correlation — recurring rare or internal URLs across victims are strong attribution signals. Cursor-paginated.
- [Search for accounts using a known-compromised password](https://docs.vantaprism.me/api-reference/search/search-for-accounts-using-a-known-compromised-password.md): Finds accounts whose stolen credential record uses the exact `password` provided (4-200 chars). The raw password is **not** returned in results — only the affected `username`/`domain`/`url`. Use to assess blast radius of a leaked or weak password. **Pro/Ultra only** (`search:password` scope). Cursor…
- [Search for stolen files by filename](https://docs.vantaprism.me/api-reference/search/search-for-stolen-files-by-filename.md): Searches harvested-file listings (FileGrabber output) for filenames matching `file_name` (substring match). Use to discover what sensitive documents, key material, or configs were exfiltrated alongside credentials. Cursor-paginated.
- [Get global dataset statistics](https://docs.vantaprism.me/api-reference/stats/get-global-dataset-statistics.md): Returns headline counts for the entire VantaPrism dataset — total victims, credentials, cards, wallets, cookies, and the most recently ingested stealer family/version/date. Not tier-masked. Cached for 15 minutes.
- [Get victim counts by country](https://docs.vantaprism.me/api-reference/stats/get-victim-counts-by-country.md): Returns a breakdown of victim counts per country (ISO 3166-1 alpha-2). Not tier-masked. Cached for 15 minutes.
- [Get victim/record counts by stealer family](https://docs.vantaprism.me/api-reference/stats/get-victimrecord-counts-by-stealer-family.md): Returns a breakdown of victim counts and total records per stealer malware family (RedLine, Raccoon, Lumma, etc.). Not tier-masked. Cached for 15 minutes.
- [Get weekly infection-volume timeline](https://docs.vantaprism.me/api-reference/stats/get-weekly-infection-volume-timeline.md): Returns the number of new infections per week across the entire dataset — useful for trend charts. Not tier-masked. Cached for 1 hour.
- [Get a victim's full infection profile](https://docs.vantaprism.me/api-reference/victims/get-a-victims-full-infection-profile.md): Returns the full infection profile for a single victim: malware family/version, host metadata (OS, computer name, hardware IDs), installed software/browsers/antivirus, and infection timestamp. Accepts either a 64-character hex `victim_id` (SHA-256) or the raw `log_victim_id` from the source log — bo…
- [Get a victim's records for a specific data category](https://docs.vantaprism.me/api-reference/victims/get-a-victims-records-for-a-specific-data-category.md): Returns up to `limit` rows of a single data category for one victim. `sub` must be one of the values below — each requires its own scope, independent of `search:stealer` (required for the profile endpoint above). Requesting an unmapped `sub` value returns `404 NOT_FOUND`; requesting a valid `sub` wi…
- [Authentication](https://docs.vantaprism.me/authentication.md): API key formats, header styles, scopes, and error responses.
- [Changelog](https://docs.vantaprism.me/changelog.md): Customer API release history.
- [Autofill](https://docs.vantaprism.me/data-categories/autofill.md): POST /v1/data/autofill — bulk export of raw browser-autofill records.
- [Cards](https://docs.vantaprism.me/data-categories/cards.md): POST /v1/data/cards — bulk export of raw stolen payment-card records.
- [Commands](https://docs.vantaprism.me/data-categories/commands.md): POST /v1/data/commands — bulk export of raw shell-command history records.
- [Cookies](https://docs.vantaprism.me/data-categories/cookies.md): POST /v1/data/cookies — bulk export of raw stolen browser cookies.
- [Credentials](https://docs.vantaprism.me/data-categories/credentials.md): POST /v1/data/credentials — bulk export of raw stolen login/password records.
- [FTP](https://docs.vantaprism.me/data-categories/ftp.md): POST /v1/data/ftp — bulk export of raw stolen FTP credentials.
- [Keychain](https://docs.vantaprism.me/data-categories/keychain.md): POST /v1/data/keychain — bulk export of raw macOS Keychain records.
- [Wallets](https://docs.vantaprism.me/data-categories/wallets.md): POST /v1/data/wallets — bulk export of raw cryptocurrency wallet records.
- [Data Masking & Privacy](https://docs.vantaprism.me/data-masking.md): How VantaPrism protects sensitive fields per tier, and the 'searched value is never masked' rule.
- [Data Model](https://docs.vantaprism.me/data-model.md): What infostealer logs actually contain, and the field-by-field schema of every object the API returns.
- [Assets Discovery](https://docs.vantaprism.me/domain-intelligence/assets.md): POST /v1/domain/assets — enumerate URLs and applications seen on infected machines tied to a domain.
- [Company Exposure](https://docs.vantaprism.me/domain-intelligence/company.md): POST /v1/domain/company — employee, user, and third-party exposure for a company's domains.
- [Domain Overview](https://docs.vantaprism.me/domain-intelligence/domain-overview.md): POST /v1/domain/overview — headline breach counts for up to 500 domains at once.
- [Domain Intelligence — Overview](https://docs.vantaprism.me/domain-intelligence/overview.md): Concepts shared across all /v1/domain/* endpoints: type semantics, subdomain handling, and which endpoint to use.
- [Search Domains](https://docs.vantaprism.me/domain-intelligence/search.md): POST /v1/domain/search — find stolen credentials associated with a domain.
- [Third-Party Risk](https://docs.vantaprism.me/domain-intelligence/third-party-risk.md): POST /v1/domain/third-party-risk — find vendor and supply-chain domains co-harvested with yours.
- [Domain Timeline](https://docs.vantaprism.me/domain-intelligence/timeline.md): GET /v1/domain/{domain}/timeline — weekly breach volume trend for a single domain.
- [Top Exposed Domains](https://docs.vantaprism.me/domain-intelligence/top-exposed.md): GET /v1/domain/top-exposed — global leaderboard of the most-compromised domains in the dataset.
- [Search by Email](https://docs.vantaprism.me/end-user-protection/emails.md): POST /v1/search/emails — check whether an email address has been exposed in a stealer log.
- [Search by IP / CIDR](https://docs.vantaprism.me/end-user-protection/ip-cidr.md): POST /v1/search/ip-cidr — find infection records for an IP address or subnet.
- [End User Protection — Overview](https://docs.vantaprism.me/end-user-protection/overview.md): Concepts shared across /v1/search/{emails,usernames,ip-cidr,stealer-id,pc-name}.
- [Search by PC Name](https://docs.vantaprism.me/end-user-protection/pc-name.md): POST /v1/search/pc-name — find infections by infected-machine hostname.
- [Search by Stealer ID](https://docs.vantaprism.me/end-user-protection/stealer-id.md): POST /v1/search/stealer-id — look up full victim records by victim ID.
- [Search by Username](https://docs.vantaprism.me/end-user-protection/usernames.md): POST /v1/search/usernames — check whether a username or email local-part has been exposed.
- [Errors](https://docs.vantaprism.me/errors.md): Unified error envelope and the full error-code catalog.
- [Health](https://docs.vantaprism.me/health/health.md): GET /v1/health and /v1/health/ready — liveness and readiness probes.
- [Introduction](https://docs.vantaprism.me/introduction.md): Programmatic access to the VantaPrism stealer-log intelligence dataset.
- [Categorize Domains](https://docs.vantaprism.me/investigations/categorize-domains.md): POST /v1/search/categorize-domains — find domains associated with victims of a stealer family.
- [File Search](https://docs.vantaprism.me/investigations/file-search.md): POST /v1/search/file — find stolen files by filename across all infections.
- [Infection Analysis](https://docs.vantaprism.me/investigations/infection-analysis.md): POST /v1/search/infection-analysis — AI-assisted infection-vector analysis for a stealer family.
- [Term / History Search](https://docs.vantaprism.me/investigations/term-search.md): POST /v1/search/term — search browser history across all infections by term.
- [Pagination](https://docs.vantaprism.me/pagination.md): Cursor-based pagination: how nextCursor and cursor work.
- [Quickstart](https://docs.vantaprism.me/quickstart.md): Make your first authenticated request to the VantaPrism API.
- [Rate Limits & Tiers](https://docs.vantaprism.me/rate-limits.md): Per-tier limits, scopes, rate-limit headers, and 429 handling.
- [Response Envelope](https://docs.vantaprism.me/response-envelope.md): The data/meta/nextCursor shape used by every successful response.
- [Statistics by Country](https://docs.vantaprism.me/statistics/countries.md): GET /v1/stats/countries — victim counts per country.
- [Statistics by Stealer Family](https://docs.vantaprism.me/statistics/families.md): GET /v1/stats/families — victim and record counts per stealer malware family.
- [Statistics Overview](https://docs.vantaprism.me/statistics/overview.md): GET /v1/stats/overview — global dataset headline counts.
- [Statistics Timeline](https://docs.vantaprism.me/statistics/timeline.md): GET /v1/stats/timeline — weekly infection-volume timeline.
- [Get Victim Profile](https://docs.vantaprism.me/victims/profile.md): GET /v1/victims/{victim_id} — full infection profile for a single victim.
- [Victim Sub-resources](https://docs.vantaprism.me/victims/sub-resources.md): GET /v1/victims/{victim_id}/{sub} — get a victim's records for a specific data category.

## OpenAPI Specs

- [openapi](https://docs.vantaprism.me/openapi.yaml)