Domain Enrichment API
BETA release
The Domain Enrichment API is currently in beta. If you have any questions or feedback, please reach out to us.
Get infrastructure and risk context for a domain or hostname in a single call: IPs, TLS certificates, JARM, open ports/protocols, HTTP artifacts, phishing sightings, and more.
Endpoint
GET https://api.hunt.io/v1/enrich/domain/{domain}
Path params
domain: Required. Domain or hostname (e.g., framer.app).
Headers
token: <your-api-key>
Notes
- All timestamps are ISO-8601 (UTC).
- Arrays may be empty; fields may be omitted when unknown.
Quick start
cURL
curl --request GET --url 'https://api.hunt.io/v1/enrich/domain/framer.app' --header 'accept: application/json' --header 'token: <your-api-key>'
Python (requests)
import requests

resp = requests.get(
    "https://api.hunt.io/v1/enrich/domain/framer.app",
    headers={"accept": "application/json", "token": "<your-api-key>"},
    timeout=60,
)
resp.raise_for_status()
print(resp.json())
JavaScript (fetch)
const resp = await fetch("https://api.hunt.io/v1/enrich/domain/framer.app", {
  headers: { accept: "application/json", token: "<your-api-key>" },
});
const data = await resp.json();
console.log(data);
Top-level response shape
{
"ips": ["<ip>", "..."],
"certificates": [{ /* certificate object */ }],
"malware": [{ /* malware object */ }],
"jarm": [{ /* jarm object */ }],
"protocol": [{ /* protocol observation */ }],
"http": [{ /* http observation */ }],
"ssh": [{ /* ssh observation */ }],
"opendir": [{ /* open directory sighting */ }],
"honeypot": [{ /* honeypot interaction */ }],
"phishing": [{ /* phishing page sighting */ }]
}
Field reference
ips (array of strings)
Field | Description |
---|---|
ips[] | Observed IPv4/IPv6 addresses associated with the input name (A/AAAA, service telemetry). |
certificates (array of objects)
Field | Description |
---|---|
HashHexedSha256, HashHexedSha1, HashHexedMd5 | Certificate byte hashes. |
UUIDHexed | Internal certificate identifier. |
JA4X | JA4X certificate fingerprint. |
SeenFirst, SeenLast | First/last time this cert was observed for related infra. |
Serial | Certificate serial number. |
NotBefore, NotAfter | Validity window. |
SubjectCommonName | Subject CN (e.g., *.example.com). |
SubjectCountry, SubjectOrganization, SubjectOrganizationalUnit, SubjectLocality, SubjectProvince, SubjectStreetAddress, SubjectPostalCode, SubjectSubjectSerialNumber | Subject details (often empty for DV). |
IssuerCommonName, IssuerCountry, IssuerOrganization, IssuerOrganizationalUnit, IssuerLocality, IssuerProvince, IssuerStreetAddress, IssuerPostalCode, IssuerSubjectSerialNumber | Issuer details. |
PolicyIdentifiers | Comma-delimited OIDs string (e.g., ",2.23.140.1.2.1,"). |
SignatureAlgorithm | e.g., ECDSA-SHA384. |
PrivateKey_BitLength, PrivateKey_Type | Public key size and algorithm (e.g., 256, ECDSA). |
KeyUsage | Key usage as text. |
ExtKeyUsage | Serialized JSON array string (e.g., ["ServerAuth","ClientAuth"]). |
DNSNames, EmailAddresses, IPAddresses, URIs | SAN entries. |
IssuingCertificateURL | AIA issuing CA URL(s). |
IsCA, MaxPathLen, MaxPathLenZero | CA attributes. |
OCSPServer | OCSP responder URL(s). |
Hostnames | Comma-delimited hostnames captured with this cert (e.g., ",*.example.com,"). |
jarm (array of objects)
Field | Description |
---|---|
ScanIP | IP where the JARM was captured. |
ScanPort | Port used for the JARM handshake. |
JARM | 62-char JARM fingerprint string. |
SeenFirst, SeenLast | First/last seen for that IP:port. |
protocol (array of objects)
Field | Description |
---|---|
IP, Port | Endpoint observed. |
Fingerprint[] | Primary matched protocol label(s) (e.g., http, tls, unknown). |
SeenFirst, SeenLast | First/last time the protocol was observed. |
AllFingerprints[] | Full set of labels matched over time (e.g., ["unknown","tls","tcpwrapped"]). |
http (array of objects)
Field | Description |
---|---|
IP, Port | HTTP endpoint. |
SeenFirst, SeenLast | First/last observation. |
BodySHA256 | Hash of response body (content fingerprint). |
HeaderRaw | Raw response headers (may be empty). |
ssh (array of objects; when present)
Field | Description |
---|---|
IP, Port | SSH endpoint. |
SeenFirst, SeenLast | First/last observation. |
Keys | Comma-separated SSH public key hashes (when available). |
opendir (array of objects; when present)
Field | Description |
---|---|
IP | IP where an open directory was observed. |
Hostname | URL including scheme and port. |
SeenFirst, SeenLast | First/last sighting. |
honeypot (array of objects; when present)
Field | Description |
---|---|
Ports[] | Ports involved in honeypot activity. |
Tags[] | Activity tags (e.g., crawler, scanner, exploit). |
Actor | Linked threat actor ID (if any). |
SeenFirst, SeenLast | First/last sighting. |
phishing (array of objects)
Field | Description |
---|---|
URL | Phishing page URL associated with related infra. |
SeenFirst, SeenLast | First/last sighting time. |
Status | HTTP status code at crawl time. |
Title | Page title captured. |
MatchedSignatures[] | Matched Hunt signatures/heuristics (e.g., inline-navigator-regex, default-framer-title). |
Example response (trimmed)
Example generated for the framer.app domain:
{
"ips": ["52.223.52.2"],
"certificates": [
{
"HashHexedSha256": "39E1FF225B37B29CB2D1179AEE6FB580007D18D58A4AD2BD68A2B425B5A4C1F4",
"UUIDHexed": "0DA34546B05715F874500B3670A3799F197B3E3ED1F35789B995D4F19B216E74",
"HashHexedSha1": "D6D544217DEA810B6F8162DA38B47202988E1F43",
"HashHexedMd5": "736227C1E684D8226D0FCE02357B2418",
"JA4X": "a373a9f83c6b_7022c563de38_2e3757343cb0",
"SeenFirst": "2025-06-11T23:45:32",
"SeenLast": "2025-08-10T23:03:18",
"Serial": "481689352709894488851110697852654079886406",
"NotBefore": "2025-06-11T22:03:53",
"NotAfter": "2025-09-09T22:03:52",
"SubjectCommonName": "*.framer.app",
"IssuerCommonName": "E6",
"IssuerCountry": ["US"],
"IssuerOrganization": ["Let's Encrypt"],
"DNSNames": ["*.framer.app"]
}
],
"jarm": [
{
"ScanIP": "52.223.52.2",
"ScanPort": 443,
"JARM": "00000000000000000000000000000000000000000000000000000000000000",
"SeenFirst": "2023-09-30T05:40:49",
"SeenLast": "2025-08-28T02:03:30"
}
],
"protocol": [
{ "IP": "52.223.52.2", "Port": 443, "Fingerprint": ["tls"], "SeenFirst": "2023-09-12T04:08:28", "SeenLast": "2025-08-24T09:32:34", "AllFingerprints": ["unknown","tls","tcpwrapped"] },
{ "IP": "52.223.52.2", "Port": 80, "Fingerprint": ["http"], "SeenFirst": "2023-09-12T08:16:44", "SeenLast": "2025-08-24T06:31:52", "AllFingerprints": ["unknown","http","tcpwrapped"] }
],
"http": [
{
"IP": "52.223.52.2",
"Port": 443,
"SeenFirst": "2024-05-09T17:05:49",
"SeenLast": "2025-08-27T10:23:33",
"BodySHA256": "7A1FABF227903297428F36DA3B3547D91E308A992063271E8FE1A4F1E1E6CD26",
"HeaderRaw": ""
}
],
"phishing": [
{
"URL": "https://violet-track-966474.framer.app/page",
"SeenFirst": "2025-05-15T21:18:20",
"SeenLast": "2025-05-15T21:18:20",
"Status": 200,
"Title": "My Framer Site",
"MatchedSignatures": ["inline-navigator-regex", "default-framer-title"]
}
],
"malware": [],
"ssh": [],
"opendir": [],
"honeypot": []
}
Status codes
Code | Meaning |
---|---|
200 | Success — JSON payload returned. |
400 | Bad request (e.g., malformed domain). |
401 | Unauthorized (missing/invalid token). |
404 | No enrichment found for the domain/host. |
429 | Rate limited — back off and retry later. |
500 | Server error. |
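One way to act on each status code in a client, as an added example (not Hunt's own code). The backoff schedule, the choice to retry 500 as well as 429, and the names enrich_domain, http_get and EnrichError are assumptions of this example.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.hunt.io/v1/enrich/domain/"

class EnrichError(Exception):
    """Failure that should not be retried blindly (400/401, or retries exhausted)."""

def http_get(url, token):
    """Default transport: returns (status, body) and never raises on HTTP error codes."""
    req = urllib.request.Request(url, headers={"accept": "application/json", "token": token})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def enrich_domain(domain, token, get=http_get, retries=3, base_delay=2.0, sleep=time.sleep):
    """Return the parsed payload, or None on 404 (no enrichment for this name)."""
    # Percent-encode the path parameter so a name taken from logs cannot alter the URL path.
    url = API + urllib.parse.quote(domain.strip().lower(), safe="")
    for attempt in range(retries + 1):
        status, body = get(url, token)
        if status == 200:
            return json.loads(body)
        if status == 404:
            return None
        if status in (429, 500) and attempt < retries:
            # Backoff schedule is this example's choice; the page only says to retry later.
            sleep(base_delay * 2 ** attempt)
            continue
        raise EnrichError(f"HTTP {status} for {domain!r}")
```

Treating 404 as "no data" rather than an error keeps bulk enrichment of alert indicators from aborting on names the service has never observed.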
Best practices
- Filter by recency: Use SeenLast to prioritize active infrastructure.
- Pivot consistently: The component shapes mirror IP Enrichment, so you can pivot by IP → Domain or Domain → IP with identical handling.
- Handle large arrays: protocol and phishing may be large; paginate or filter client-side by date/port/signature.
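The recency and client-side filtering advice above, as an added example (not Hunt's own code). It also normalizes the comma-delimited and serialized-JSON certificate fields from the field reference; the function names, the 30-day default window and the fixed NOW clock are assumptions of this example.

```python
import json
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Timestamps are ISO-8601 UTC; the page's sample has no offset, so attach UTC."""
    if not value:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def split_delimited(value):
    """',*.example.com,' -> ['*.example.com']; drops the empty edge items."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]

def recent(items, now, max_age_days):
    """Observations with SeenLast inside the window, newest first; undated ones are skipped."""
    cutoff = now - timedelta(days=max_age_days)
    dated = [(parse_ts(i.get("SeenLast")), i) for i in items or []]
    kept = [(ts, i) for ts, i in dated if ts is not None and ts >= cutoff]
    return [i for _, i in sorted(kept, key=lambda pair: pair[0], reverse=True)]

def triage(payload, now, max_age_days=30, ports=None, signatures=None):
    """Reduce an enrichment payload to recent observations, optionally by port/signature."""
    protocol = [p for p in recent(payload.get("protocol"), now, max_age_days)
                if ports is None or p.get("Port") in ports]
    phishing = [p for p in recent(payload.get("phishing"), now, max_age_days)
                if signatures is None
                or set(p.get("MatchedSignatures") or []) & set(signatures)]
    certs = []
    for c in recent(payload.get("certificates"), now, max_age_days):
        not_after = parse_ts(c.get("NotAfter"))
        certs.append({
            "cn": c.get("SubjectCommonName"),
            "hostnames": split_delimited(c.get("Hostnames")) or c.get("DNSNames") or [],
            "eku": json.loads(c.get("ExtKeyUsage") or "[]"),
            "expired": not_after is not None and not_after < now})
    return {"protocol": protocol, "phishing": phishing, "certificates": certs}

# Constructed input: a subset of the page's trimmed framer.app example response.
SAMPLE = {
    "certificates": [{"SubjectCommonName": "*.framer.app", "SeenLast": "2025-08-10T23:03:18",
                      "NotAfter": "2025-09-09T22:03:52", "DNSNames": ["*.framer.app"]}],
    "protocol": [{"IP": "52.223.52.2", "Port": 443, "SeenLast": "2025-08-24T09:32:34"},
                 {"IP": "52.223.52.2", "Port": 80, "SeenLast": "2025-08-24T06:31:52"}],
    "phishing": [{"URL": "https://violet-track-966474.framer.app/page",
                  "SeenLast": "2025-05-15T21:18:20",
                  "MatchedSignatures": ["inline-navigator-regex", "default-framer-title"]}],
}
NOW = datetime(2025, 8, 28, 12, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible result
```

With the 30-day window, `triage(SAMPLE, NOW, ports={443})` keeps the port 443 observation and the certificate but drops the May phishing sighting; widening `max_age_days` brings it back for historical pivots.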