Victim Sub-resources - VantaPrism API

Retrieve a single data category’s records for one victim — e.g. just that victim’s stolen credentials, or just their browser cookies. This is the victim-scoped counterpart to the Data Categories endpoints, which retrieve records across all victims matching a filter.

Request

GET /v1/victims/{victim_id}/{sub} · Required scope: varies by sub — see table below

Parameter	Type	Required	Default	Description
`victim_id`	string (path)	Yes	—	SHA-256 `victim_id` (64 lowercase hex chars) or a `log_victim_id` from a previous search result. Both forms are resolved automatically
`sub`	string (path)	Yes	—	Which data category to return — one of the values in the table below
`limit`	integer (query)	No	`25`	1–500, clamped to your tier’s `max_rows`

Each sub value requires its own scope, independent of search:stealer (which is required for Get Victim Profile). Requesting an unmapped sub value returns 404 NOT_FOUND; requesting a valid sub without the required scope returns 403 FORBIDDEN_SCOPE.

`sub` value	Required scope	Response shape	Min tier
`credentials`	`search:login`	`CredentialRecord[]`	free
`cookies`	`view:cookies`	`CookieRecord[]`	pro
`autofill`	`view:autofill`	`AutofillRecord[]`	pro
`cards`	`view:cards`	`CardRecord[]`	pro
`wallets`	`view:wallets`	`WalletRecord[]`	pro
`files`	`search:file`	`FileSearchResult[]`	pro
`ftp`	`view:ftp`	`FTPRecord[]`	pro
`history`	`view:history`	`HistoryRecord[]`	pro
`keychain`	`view:keychain`	`KeychainRecord[]`	ultra
`commands`	`view:commands`	`CommandRecord[]`	pro

The same per-tier field masking described on the Data Masking page applies to every row, exactly as on the equivalent Data Categories endpoint.

Example request

curl -X GET "https://api.vantaprism.me/v1/victims/a3f1c9e8b2d4567890abcdef1234567890abcdef1234567890abcdef123456/credentials?limit=25" \
  -H "api-key: $VANTAPRISM_API_KEY"

Response

200 OK — array of records in the shape listed for the requested sub value (see table above).

{
  "data": [
    {
      "victim_id": "a3f1c9e8b2d4567890abcdef1234567890abcdef1234567890abcdef123456",
      "domain": "acme-corp.com",
      "url": "https://login.microsoftonline.com/***",
      "login": "j.***@acme-corp.com",
      "password": "••••",
      "browser": "Chrome",
      "profile": "Default",
      "inserted_at": "2026-05-02T14:22:31Z"
    }
  ],
  "meta": {
    "request_id": "req_01HZXK3Q7N8YV6F3M2P9JABCDE",
    "took_ms": 16.7,
    "tier": "free",
    "masked_fields": ["url", "login", "password"]
  }
}

The response above shows sub=credentials on free tier. For the full field reference of each shape, see the corresponding Data Categories page — field names, masking rules, and tier behavior are identical.

Not paginated

This endpoint returns up to limit rows in a single response — cursor/sort_direction do not apply. There is no nextCursor in the response envelope.

Errors

Status	`code`	Cause
404	`NOT_FOUND`	`victim_id` could not be resolved, or `sub` is not one of the listed values
403	`FORBIDDEN_SCOPE`	Key lacks the scope required for the requested `sub` (see table above)

See Errors for the full catalog.

Tier notes

credentials is available on every tier (search:login). All other sub values require pro or ultra — keychain requires ultra specifically (view:keychain). Field-level masking for each shape follows the rules documented on its corresponding Data Categories page.

​Request

​Example request

​Response

​Not paginated

​Errors

​Tier notes