API Reference
Programmatic access to DataHound's intelligence engines. Integrate real-time OSINT and aggregated breach datasets directly into your applications using our standardized JSON API.
Base URL
https://datahound.tools/api
Authentication
Authenticate requests by setting the X-API-Key
header. Do not expose your API key in client-side code.
Rate Limits
Depending on your plan, there are daily limits to how many queries you can perform and how many results are returned per query.
| Plan | Daily Queries | Results Limit |
|---|---|---|
| Basic | 100 | 1,000 |
| Enterprise | 1,000 | 1,000 |
/username
Full OSINT sweep on a username. Runs a live parallel scan across social networks, bulk availability checks via OsintCat, and cross-references breach compilations.
Pipelines
- Social FootprintLive parallel scan: GitHub, Twitter, Steam, and dozens more. Returns profile URL, avatar, bio, email when exposed.
- Platform FootprintBulk availability check via OsintCat — returns registered count and per-site taken/free status.
- Database LeaksOsintCat database-search rows first, then Snusbase and LeakCheck (BreachHub) — each row tagged with source_leak. Provider status is reported separately in breach_providers.
Parameters
Response Fields
https://datahound.tools/api/username
Deep OSINT sweep on an email address. Runs a live platform registration scan, cross-references breach databases, and — on Full Access plans — queries the Stealer Provider for infected device matches.
Pipelines
- Email OSINTLive parallel scan: checks registrations on Spotify, Twitter, and other platforms. Returns profile data when exposed.
- Database LeaksOsintCat rows first, then Snusbase and LeakCheck (BreachHub). Each external row has breach_summary.source_leak set to Snusbase or LeakCheck. See breach_providers for per-API status.
- Stealer ProviderOathNet V2 stealer/victim summaries for the email. Full Access plan required. Uses one upstream search session per query.
Parameters
Response Fields
https://datahound.tools/api/email
/phone
Retrieves carrier details, geolocation metadata, CNAM identities, social registrations (WhatsApp/Facebook), phone OSINT modules, and breach rows from local indexes plus Snusbase and LeakCheck v2 (BreachHub). External rows are flattened into phone_leaks with source_leak Snusbase or LeakCheck; breach_providers reports whether each upstream API succeeded.
Parameters
Response Fields
https://datahound.tools/api/phone
/ip
IPv4 intelligence in one request. Aggregates geolocation, breach cross-references, Hudson Rock stealer exposure, and Stealer Provider victim search.
Pipelines
- GeolocationCountry, region, ISP, and proxy/hosting flags.
- Database LeaksSnusbase and LeakCheck (BreachHub) plus OsintCat where applicable — deduplicated, capped by result_limit. breach_providers shows per-API status.
- Hudson RockInfected machines and credentials.
- Stealer ProviderOathNet V2 victim summaries for the IP. Full Access plan required.
Parameters
Response Fields
https://datahound.tools/api/ip
/stealer
Queries our vast repository of Stealer Logs searching by email or domain.
Parameters
Response Fields
https://datahound.tools/api/stealer
Hudson Rock
Dedicated Hudson Rock v3 stealer intelligence. Three separate routes by query type — each accepts a single query parameter and returns compromised machines, infostealer families, and extracted credential pairs.
/api/hudsonrock/ip
/api/hudsonrock/email
/api/hudsonrock/username
_ . -)
Response Fields
https://datahound.tools/api/hudsonrock/{ip|email|username}
/stealer-provider
OathNet V2 stealer intelligence. Search compromised devices or individual credentials,
then drill into a victim by log_id:
browse the file tree, read a single file, or download the full ZIP archive.
Upstream calls use /service/v2/stealer/search and /service/v2/victims/search.
Search sessions (credit efficient)
DataHound opens one OathNet search session per query before upstream calls. Related searches for the same query reuse the session search_id so they count as a single upstream lookup instead of one per endpoint.
- Victims + credentials —
GET /victims/searchwith a plainqruns victim and credential V2 searches in one session. - Email / IP / Discord modules — embedded stealer_provider blocks reuse the same session logic automatically.
- Session cache — 15 minutes per normalized query (server-side; no client action required).
Typical workflow
- Search victims —
GET /victims/searchwith discord_id, email, ip, hwid, or username. Copy alog_idfromresults.data.items[]. - Browse manifest —
GET /victims/{log_id}returnsvictim_tree(folders + files withidper file). - Read one file —
GET /victims/{log_id}/files/{file_id}returns rawtext/plainbody. - Or download all —
GET /victims/{log_id}/archivestreamsapplication/zip.
Optional: /credentials/search for V2 credential rows (url_str, username, password, optional legacy log line). Passing a plain-text q to /victims/search opens one search session, runs victim + credential V2 searches in parallel, and merges upstream items (OathNet internal noise stripped).
1. Victim search
GET /api/stealer-provider/victims/search
Device-level summaries. Pass at least one filter. Array fields (email, ip, hwid, discord_id, username) may be repeated in the query string to match multiple values at once.
When q is provided without explicit typed params, the server auto-routes it: email → email, IPv4 → ip, 17–20 digit snowflake → discord_id, domain-like string → victims q + stealer q, otherwise → username plus a parallel V2 credential search. Both upstream calls share one search session.
Query examples
2. Credential search (V2)
GET /api/stealer-provider/credentials/search
Row-level stolen logins from OathNet V2 stealer search — URL, username, password, and optional log_id pivot — without opening a victim archive.
Smart q detection upstream: [email protected] → email, example.com → domain, john_doe → username, 17–20 digit string → Discord ID. Some rows may still include a legacy log plain-text line (url|user|pass style).
Query examples
3. Victim manifest
GET /api/stealer-provider/victims/{log_id}
Returns a recursive victim_tree. Each file node has type: "file", name, id (use as file_id), and size_bytes. Directories have type: "directory" and children[].
log_id must match ^[A-Za-z0-9_\-]{8,128}$
Query example
4. Single file
GET /api/stealer-provider/victims/{log_id}/files/{file_id}
Returns the raw file body as text/plain (not JSON). Use the id from the manifest tree. HTTP 502 if download fails.
file_id must match ^[A-Za-z0-9_\-]{1,128}$
Query example
5. Full archive
GET /api/stealer-provider/victims/{log_id}/archive
Streams the complete victim dump as application/zip with Content-Disposition: attachment; filename="{log_id}.zip". The response is a raw binary stream — save to disk with -o or equivalent. Timeout is 300 s; HTTP 502 if OathNet archive is unavailable.
Query example
Response Fields
https://datahound.tools/api/stealer-provider
/discord
Comprehensive lookup for Discord IDs. Aggregates data from Medal, guns.lol, Roblox, FiveM server logs, and Stealer Provider.
Parameters
Response Fields
https://datahound.tools/api/discord
/roblox
Resolves Roblox users via the live API and returns profile data plus social footprint signals.
Parameters
Response Fields
https://datahound.tools/api/roblox
/fivem
Searches FiveM server dumps by Discord ID, Steam hex, IP, or raw FiveM identifier. For Steam64 ID lookups with cross-platform enrichment use /steam.
Parameters
Response Fields
https://datahound.tools/api/fivem
/steam
Accepts a Steam64 ID and returns a full cross-platform profile: Steam account details, past usernames, linked Medal.tv profiles, and FiveM server session records. All data sources are queried in parallel.
Parameters
76
Response Fields
https://datahound.tools/api/steam
/minecraft
Resolves Username to UUID and searches local server logs for player history.
Parameters
Response Fields
https://datahound.tools/api/minecraft
IP Whitelist
Manage the IP whitelist bound to your API key directly via API — no dashboard required. All changes are rate-limited by your plan's daily allowance.
/api/ip/bind/list
Returns the IPs currently bound to your key along with plan limits.
Response Fields
/api/ip/bind/set
Replaces the entire whitelist. Send a comma-separated list of IPv4 addresses. Send an empty string to clear all bound IPs.
Body Parameters
1.2.3.4,5.6.7.8)
Response Fields
/api/ip/bind/auto
Detects the public IP of the device making the request and adds it to the whitelist. No body required. Returns unchanged: true if the IP was already bound. Returns 400 if the plan limit is already reached.
Response Fields
https://datahound.tools/api/ip/bind