API Reference

Programmatic access to DataHound's intelligence engines. Integrate real-time OSINT and aggregated breach datasets directly into your applications using our standardized JSON API.

Base URL

https://datahound.tools/api

Authentication

Authenticate requests by setting the X-API-Key header. Do not expose your API key in client-side code.

Headers
X-API-Key: dh_live_xxxxxxxxxxxxxxxxxxxxxxxx
Content-Type: application/json

Rate Limits

Depending on your plan, there are daily limits to how many queries you can perform and how many results are returned per query.

Plan Daily Queries Results Limit
Basic 100 1,000
Enterprise 1,000 1,000
GET

/username

Full OSINT sweep on a username. Runs a live parallel scan across social networks, bulk availability checks via OsintCat, and cross-references breach compilations.

Pipelines

  • Social FootprintLive parallel scan: GitHub, Twitter, Steam, and dozens more. Returns profile URL, avatar, bio, email when exposed.
  • Platform FootprintBulk availability check via OsintCat — returns registered count and per-site taken/free status.
  • Database LeaksOsintCat database-search rows first, then Snusbase and LeakCheck (BreachHub) — each row tagged with source_leak. Provider status is reported separately in breach_providers.

Parameters

username Required
Target username

Response Fields

https://datahound.tools/api/username
cURL Example
curl "https://datahound.tools/api/username" \ -G \ -d "username=admin" \ -H "X-API-Key: YOUR_API_KEY"
Python Example
import requests API = "https://datahound.tools/api" HEADERS = {"X-API-Key": "YOUR_API_KEY"} resp = requests.get(f"{API}/username", headers=HEADERS, params={"username": "admin"}).json() footprint = resp.get("results", {}).get("Social Footprint", {}) leaks = resp.get("results", {}).get("database_leaks", []) providers = resp.get("results", {}).get("breach_providers", {}) print("found on:", list(footprint.keys())) print("leaks:", len(leaks)) print("snusbase:", providers.get("snusbase")) print("leakcheck:", providers.get("leakcheck"))
GET

/email

Deep OSINT sweep on an email address. Runs a live platform registration scan, cross-references breach databases, and — on Full Access plans — queries the Stealer Provider for infected device matches.

Pipelines

  • Email OSINTLive parallel scan: checks registrations on Spotify, Twitter, and other platforms. Returns profile data when exposed.
  • Database LeaksOsintCat rows first, then Snusbase and LeakCheck (BreachHub). Each external row has breach_summary.source_leak set to Snusbase or LeakCheck. See breach_providers for per-API status.
  • Stealer ProviderOathNet V2 stealer/victim summaries for the email. Full Access plan required. Uses one upstream search session per query.

Parameters

email Required
Target email address

Response Fields

https://datahound.tools/api/email
cURL Example
curl "https://datahound.tools/api/email" \ -G \ -d "[email protected]" \ -H "X-API-Key: YOUR_API_KEY"
Python Example
import requests url = "https://datahound.tools/api/email" headers = {"X-API-Key": "YOUR_API_KEY"} params = {"email": "[email protected]"} response = requests.get(url, headers=headers, params=params) print(response.json())
GET

/phone

Retrieves carrier details, geolocation metadata, CNAM identities, social registrations (WhatsApp/Facebook), phone OSINT modules, and breach rows from local indexes plus Snusbase and LeakCheck v2 (BreachHub). External rows are flattened into phone_leaks with source_leak Snusbase or LeakCheck; breach_providers reports whether each upstream API succeeded.

Parameters

number Required
E.164 formatted number

Response Fields

https://datahound.tools/api/phone
cURL Example
curl "https://datahound.tools/api/phone" \ -G \ -d "number=393663247848" \ -H "X-API-Key: YOUR_API_KEY"
Python Example
import requests url = "https://datahound.tools/api/phone" headers = {"X-API-Key": "YOUR_API_KEY"} params = {"number": "393663247848"} response = requests.get(url, headers=headers, params=params) print(response.json())
GET

/ip

IPv4 intelligence in one request. Aggregates geolocation, breach cross-references, Hudson Rock stealer exposure, and Stealer Provider victim search.

Pipelines

  • GeolocationCountry, region, ISP, and proxy/hosting flags.
  • Database LeaksSnusbase and LeakCheck (BreachHub) plus OsintCat where applicable — deduplicated, capped by result_limit. breach_providers shows per-API status.
  • Hudson RockInfected machines and credentials.
  • Stealer ProviderOathNet V2 victim summaries for the IP. Full Access plan required.

Parameters

address Required
Public IPv4 Address

Response Fields

https://datahound.tools/api/ip
cURL Example
curl "https://datahound.tools/api/ip" \ -G \ -d "address=8.8.8.8" \ -H "X-API-Key: YOUR_API_KEY"
Python Example
import requests API = "https://datahound.tools/api" HEADERS = {"X-API-Key": "YOUR_API_KEY"} resp = requests.get(f"{API}/ip", headers=HEADERS, params={"address": "8.8.8.8"}).json() print(resp.get("status"))
GET

/stealer

Queries our vast repository of Stealer Logs searching by email or domain.

Parameters

query Required
Domain or email

Response Fields

https://datahound.tools/api/stealer
cURL Example
curl "https://datahound.tools/api/stealer" \ -G \ -d "query=example.com" \ -H "X-API-Key: YOUR_API_KEY"
Python Example
import requests url = "https://datahound.tools/api/stealer" headers = {"X-API-Key": "YOUR_API_KEY"} params = {"query": "example.com"} response = requests.get(url, headers=headers, params=params) print(response.json())

Hudson Rock

Dedicated Hudson Rock v3 stealer intelligence. Three separate routes by query type — each accepts a single query parameter and returns compromised machines, infostealer families, and extracted credential pairs.

GET /api/hudsonrock/ip
query Required
Public IPv4 address or CIDR range
GET /api/hudsonrock/email
query Required
Email address
GET /api/hudsonrock/username
query Required
Username (2–64 chars: letters, digits, _ . -)

Response Fields

https://datahound.tools/api/hudsonrock/{ip|email|username}
By IP
curl "https://datahound.tools/api/hudsonrock/ip" \ -G -d "query=8.8.8.8" \ -H "X-API-Key: YOUR_API_KEY"
By Email
curl "https://datahound.tools/api/hudsonrock/email" \ -G -d "[email protected]" \ -H "X-API-Key: YOUR_API_KEY"
By Username
curl "https://datahound.tools/api/hudsonrock/username" \ -G -d "query=johndoe" \ -H "X-API-Key: YOUR_API_KEY"
Python Example
import requests API = "https://datahound.tools/api/hudsonrock" HEADERS = {"X-API-Key": "YOUR_API_KEY"} r = requests.get(f"{API}/email", headers=HEADERS, params={"query": "[email protected]"}).json() print(r.get("status"), r.get("results", {}).get("infection_count"))
GET

/stealer-provider

OathNet V2 stealer intelligence. Search compromised devices or individual credentials, then drill into a victim by log_id: browse the file tree, read a single file, or download the full ZIP archive. Upstream calls use /service/v2/stealer/search and /service/v2/victims/search.

Search sessions (credit efficient)

DataHound opens one OathNet search session per query before upstream calls. Related searches for the same query reuse the session search_id so they count as a single upstream lookup instead of one per endpoint.

  • Victims + credentialsGET /victims/search with a plain q runs victim and credential V2 searches in one session.
  • Email / IP / Discord modules — embedded stealer_provider blocks reuse the same session logic automatically.
  • Session cache — 15 minutes per normalized query (server-side; no client action required).

Typical workflow

  1. Search victimsGET /victims/search with discord_id, email, ip, hwid, or username. Copy a log_id from results.data.items[].
  2. Browse manifestGET /victims/{log_id} returns victim_tree (folders + files with id per file).
  3. Read one fileGET /victims/{log_id}/files/{file_id} returns raw text/plain body.
  4. Or download allGET /victims/{log_id}/archive streams application/zip.

Optional: /credentials/search for V2 credential rows (url_str, username, password, optional legacy log line). Passing a plain-text q to /victims/search opens one search session, runs victim + credential V2 searches in parallel, and merges upstream items (OathNet internal noise stripped).

1. Victim search

GET /api/stealer-provider/victims/search

Device-level summaries. Pass at least one filter. Array fields (email, ip, hwid, discord_id, username) may be repeated in the query string to match multiple values at once.

When q is provided without explicit typed params, the server auto-routes it: email → email, IPv4 → ip, 17–20 digit snowflake → discord_id, domain-like string → victims q + stealer q, otherwise → username plus a parallel V2 credential search. Both upstream calls share one search session.

discord_idDiscord snowflake (17–20 digits)
emailEmail on the infected device
ipVictim IPv4 address
hwidHardware ID
usernameWindows / device username
log_idDirect lookup by victim id
qSmart query — auto-routed to the correct typed filter (see above)
page_sizeResults per page
cursorPagination cursor from prior response
sortSort order (OathNet-defined)
total_docs_min / maxFilter by file count inside the log

Query examples

By Discord ID
curl "https://datahound.tools/api/stealer-provider/victims/search" \ -G -d "discord_id=123456789012345678" \ -H "X-API-Key: YOUR_API_KEY"
By email + IP
curl "https://datahound.tools/api/stealer-provider/victims/search" \ -G \ -d "[email protected]" \ -d "ip=78.173.63.109" \ -H "X-API-Key: YOUR_API_KEY"
Paginated search
curl "https://datahound.tools/api/stealer-provider/victims/search" \ -G \ -d "username=acer" \ -d "page_size=10" \ -d "cursor=CURSOR_FROM_PREVIOUS_RESPONSE" \ -H "X-API-Key: YOUR_API_KEY"

2. Credential search (V2)

GET /api/stealer-provider/credentials/search

Row-level stolen logins from OathNet V2 stealer search — URL, username, password, and optional log_id pivot — without opening a victim archive.

Smart q detection upstream: [email protected] → email, example.com → domain, john_doe → username, 17–20 digit string → Discord ID. Some rows may still include a legacy log plain-text line (url|user|pass style).

qSearch term — domain, email, or any free-text string
log_idLimit results to a single victim log
wildcardBoolean — enable wildcard matching on q
page_size / cursor / sortPagination controls

Query examples

By domain
curl "https://datahound.tools/api/stealer-provider/credentials/search" \ -G -d "q=discord.com" \ -H "X-API-Key: YOUR_API_KEY"
Wildcard email search
curl "https://datahound.tools/api/stealer-provider/credentials/search" \ -G \ -d "[email protected]" \ -d "wildcard=true" \ -H "X-API-Key: YOUR_API_KEY"
Inside one log
curl "https://datahound.tools/api/stealer-provider/credentials/search" \ -G \ -d "log_id=a1b2c3d4e5f6g7h8" \ -d "q=netflix" \ -H "X-API-Key: YOUR_API_KEY"

3. Victim manifest

GET /api/stealer-provider/victims/{log_id}

Returns a recursive victim_tree. Each file node has type: "file", name, id (use as file_id), and size_bytes. Directories have type: "directory" and children[].

log_id must match ^[A-Za-z0-9_\-]{8,128}$

Query example

Get file tree
curl "https://datahound.tools/api/stealer-provider/victims/a1b2c3d4e5f6g7h8" \ -H "X-API-Key: YOUR_API_KEY"

4. Single file

GET /api/stealer-provider/victims/{log_id}/files/{file_id}

Returns the raw file body as text/plain (not JSON). Use the id from the manifest tree. HTTP 502 if download fails.

file_id must match ^[A-Za-z0-9_\-]{1,128}$

Query example

Read Passwords.txt
curl "https://datahound.tools/api/stealer-provider/victims/a1b2c3d4e5f6g7h8/files/Passwords_txt" \ -H "X-API-Key: YOUR_API_KEY"

5. Full archive

GET /api/stealer-provider/victims/{log_id}/archive

Streams the complete victim dump as application/zip with Content-Disposition: attachment; filename="{log_id}.zip". The response is a raw binary stream — save to disk with -o or equivalent. Timeout is 300 s; HTTP 502 if OathNet archive is unavailable.

Query example

Download ZIP
curl "https://datahound.tools/api/stealer-provider/victims/a1b2c3d4e5f6g7h8/archive" \ -H "X-API-Key: YOUR_API_KEY" \ -o victim.zip

Response Fields

https://datahound.tools/api/stealer-provider
1 — Victims search
curl "https://datahound.tools/api/stealer-provider/victims/search" \ -G -d "discord_id=123456789012345678" \ -H "X-API-Key: YOUR_API_KEY"
2 — Credentials search
curl "https://datahound.tools/api/stealer-provider/credentials/search" \ -G -d "q=discord.com" -d "wildcard=true" \ -H "X-API-Key: YOUR_API_KEY"
3 — Manifest
curl "https://datahound.tools/api/stealer-provider/victims/a1b2c3d4e5f6g7h8" \ -H "X-API-Key: YOUR_API_KEY"
4 — Single file
curl "https://datahound.tools/api/stealer-provider/victims/a1b2c3d4e5f6g7h8/files/Passwords_txt" \ -H "X-API-Key: YOUR_API_KEY"
5 — Archive ZIP
curl "https://datahound.tools/api/stealer-provider/victims/a1b2c3d4e5f6g7h8/archive" \ -H "X-API-Key: YOUR_API_KEY" \ -o victim.zip
Python — Full workflow
import requests API = "https://datahound.tools/api/stealer-provider" HEADERS = {"X-API-Key": "YOUR_API_KEY"} # 1) Find victims by Discord ID r = requests.get(f"{API}/victims/search", headers=HEADERS, params={"discord_id": "123456789012345678"}).json() items = (r.get("results") or {}).get("data", {}).get("items") or [] log_id = items[0]["log_id"] if items else None print("log_id:", log_id) if log_id: # 2) List files in the victim tree manifest = requests.get(f"{API}/victims/{log_id}", headers=HEADERS).json() tree = (manifest.get("results") or {}).get("victim_tree") def first_file(node): if not node: return None if node.get("type") == "file" and node.get("id"): return node for child in node.get("children") or []: found = first_file(child) if found: return found return None f = first_file(tree) if f: # 3) Download one file as plain text text = requests.get( f"{API}/victims/{log_id}/files/{f['id']}", headers=HEADERS ).text print(f["name"], "→", text[:200]) # 4) Or download the full ZIP zip_bytes = requests.get( f"{API}/victims/{log_id}/archive", headers=HEADERS ).content open(f"{log_id}.zip", "wb").write(zip_bytes)
GET

/discord

Comprehensive lookup for Discord IDs. Aggregates data from Medal, guns.lol, Roblox, FiveM server logs, and Stealer Provider.

Parameters

id Required
Discord Snowflake

Response Fields

https://datahound.tools/api/discord
cURL Example
curl "https://datahound.tools/api/discord" \ -G \ -d "id=123456789012345678" \ -H "X-API-Key: YOUR_API_KEY"
Python Example
import requests url = "https://datahound.tools/api/discord" headers = {"X-API-Key": "YOUR_API_KEY"} params = {"id": "123456789012345678"} response = requests.get(url, headers=headers, params=params) print(response.json())
GET

/roblox

Resolves Roblox users via the live API and returns profile data plus social footprint signals.

Parameters

username Optional
Roblox Username
id Optional
Roblox ID

Response Fields

https://datahound.tools/api/roblox
cURL Example
curl "https://datahound.tools/api/roblox" \ -G \ -d "username=Builderman" \ -H "X-API-Key: YOUR_API_KEY"
Python Example
import requests url = "https://datahound.tools/api/roblox" headers = {"X-API-Key": "YOUR_API_KEY"} params = {"username": "Builderman"} response = requests.get(url, headers=headers, params=params) print(response.json())
GET

/fivem

Searches FiveM server dumps by Discord ID, Steam hex, IP, or raw FiveM identifier. For Steam64 ID lookups with cross-platform enrichment use /steam.

Parameters

query Required
Prefixed query string

Response Fields

https://datahound.tools/api/fivem
cURL Example
curl "https://datahound.tools/api/fivem" \ -G \ -d "query=username:glockvip" \ -H "X-API-Key: YOUR_API_KEY"
Python Example
import requests url = "https://datahound.tools/api/fivem" headers = {"X-API-Key": "YOUR_API_KEY"} params = {"query": "username:glockvip"} response = requests.get(url, headers=headers, params=params) print(response.json())
GET

/steam

Accepts a Steam64 ID and returns a full cross-platform profile: Steam account details, past usernames, linked Medal.tv profiles, and FiveM server session records. All data sources are queried in parallel.

Parameters

query Required
Steam64 ID — 17-digit number starting with 76

Response Fields

https://datahound.tools/api/steam
cURL Example
curl "https://datahound.tools/api/steam" \ -G \ -d "query=76561198307831756" \ -H "X-API-Key: YOUR_API_KEY"
Python Example
import requests url = "https://datahound.tools/api/steam" headers = {"X-API-Key": "YOUR_API_KEY"} params = {"query": "76561198307831756"} response = requests.get(url, headers=headers, params=params) print(response.json())
GET

/minecraft

Resolves Username to UUID and searches local server logs for player history.

Parameters

username Optional
Player Name
uid Optional
Minecraft UUID

Response Fields

https://datahound.tools/api/minecraft
cURL Example
curl "https://datahound.tools/api/minecraft" \ -G \ -d "username=Notch" \ -H "X-API-Key: YOUR_API_KEY"
Python Example
import requests url = "https://datahound.tools/api/minecraft" headers = {"X-API-Key": "YOUR_API_KEY"} params = {"username": "Notch"} response = requests.get(url, headers=headers, params=params) print(response.json())

IP Whitelist

Manage the IP whitelist bound to your API key directly via API — no dashboard required. All changes are rate-limited by your plan's daily allowance.

GET /api/ip/bind/list

Returns the IPs currently bound to your key along with plan limits.

Response Fields

POST /api/ip/bind/set

Replaces the entire whitelist. Send a comma-separated list of IPv4 addresses. Send an empty string to clear all bound IPs.

Body Parameters

api_bind_ip Required
Comma-separated IPv4 list (e.g. 1.2.3.4,5.6.7.8)

Response Fields

POST /api/ip/bind/auto

Detects the public IP of the device making the request and adds it to the whitelist. No body required. Returns unchanged: true if the IP was already bound. Returns 400 if the plan limit is already reached.

Response Fields

https://datahound.tools/api/ip/bind
List bound IPs
curl "https://datahound.tools/api/ip/bind/list" \ -H "X-API-Key: YOUR_API_KEY"
Auto-bind my IP
curl -X POST "https://datahound.tools/api/ip/bind/auto" \ -H "X-API-Key: YOUR_API_KEY"
Set bound IPs
curl -X POST "https://datahound.tools/api/ip/bind/set" \ -H "X-API-Key: YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{"api_bind_ip": "1.2.3.4,5.6.7.8"}'
Python — Auto-bind workflow
import requests API = "https://datahound.tools/api" HEADERS = {"X-API-Key": "YOUR_API_KEY"} r = requests.post(f"{API}/ip/bind/auto", headers=HEADERS).json() print("bound_ip:", r["bound_ip"]) print("whitelist:", r["api_bind_ips"]) print("unchanged:", r["unchanged"])