Domain Enrichment API
BETA release: The Domain Enrichment API is currently in beta. If you have any questions or feedback, please reach out to us.
Get infrastructure and risk context for a domain or hostname in a single call: IPs, TLS certificates, JARM, open ports/protocols, HTTP artifacts, phishing sightings, and more.
Endpoint
GET https://api.hunt.io/v1/enrich/domain/{domain}
Path params
domain: Required. Domain or hostname (e.g., framer.app).
Headers
token: <your-api-key>
Notes
- All timestamps are ISO-8601 (UTC).
- Arrays may be empty; fields may be omitted when unknown.
Quick start
cURL
```bash
curl --request GET \
  --url 'https://api.hunt.io/v1/enrich/domain/framer.app' \
  --header 'accept: application/json' \
  --header 'token: <your-api-key>'
```
Python (requests)
```python
import requests

resp = requests.get(
    "https://api.hunt.io/v1/enrich/domain/framer.app",
    headers={"accept": "application/json", "token": "<your-api-key>"},
    timeout=60,
)
resp.raise_for_status()
print(resp.json())
```
JavaScript (fetch)
```javascript
const resp = await fetch("https://api.hunt.io/v1/enrich/domain/framer.app", {
  headers: { accept: "application/json", token: "<your-api-key>" },
});
const data = await resp.json();
console.log(data);
```
Top-level response shape
```json
{
  "ips": ["<ip>", "..."],
  "certificates": [{ /* certificate object */ }],
  "malware": [{ /* malware object */ }],
  "jarm": [{ /* jarm object */ }],
  "protocol": [{ /* protocol observation */ }],
  "http": [{ /* http observation */ }],
  "ssh": [{ /* ssh observation */ }],
  "opendir": [{ /* open directory sighting */ }],
  "honeypot": [{ /* honeypot interaction */ }],
  "phishing": [{ /* phishing page sighting */ }]
}
```
Field reference
ips (array of strings)
| Field | Description |
|---|---|
| ips[] | Observed IPv4/IPv6 addresses associated with the input name (A/AAAA, service telemetry). |
certificates (array of objects)
| Field | Description |
|---|---|
| HashHexedSha256, HashHexedSha1, HashHexedMd5 | Certificate byte hashes. |
| UUIDHexed | Internal certificate identifier. |
| JA4X | JA4X certificate fingerprint. |
| SeenFirst, SeenLast | First/last time this cert was observed for related infra. |
| Serial | Certificate serial number. |
| NotBefore, NotAfter | Validity window. |
| SubjectCommonName | Subject CN (e.g., *.example.com). |
| SubjectCountry, SubjectOrganization, SubjectOrganizationalUnit, SubjectLocality, SubjectProvince, SubjectStreetAddress, SubjectPostalCode, SubjectSubjectSerialNumber | Subject details (often empty for DV). |
| IssuerCommonName, IssuerCountry, IssuerOrganization, IssuerOrganizationalUnit, IssuerLocality, IssuerProvince, IssuerStreetAddress, IssuerPostalCode, IssuerSubjectSerialNumber | Issuer details. |
| PolicyIdentifiers | Comma-delimited OIDs string (e.g., ,2.23.140.1.2.1,). |
| SignatureAlgorithm | e.g., ECDSA-SHA384. |
| PrivateKey_BitLength, PrivateKey_Type | Public key size and algorithm (e.g., 256, ECDSA). |
| KeyUsage | Key usage as text. |
| ExtKeyUsage | Serialized JSON array string (e.g., ["ServerAuth","ClientAuth"]). |
| DNSNames, EmailAddresses, IPAddresses, URIs | SAN entries. |
| IssuingCertificateURL | AIA issuing CA URL(s). |
| IsCA, MaxPathLen, MaxPathLenZero | CA attributes. |
| OCSPServer | OCSP responder URL(s). |
| Hostnames | Comma-delimited hostnames captured with this cert (e.g., ,*.example.com,). |
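The certificate fields above mix three encodings: comma-delimited strings with leading and trailing commas, a serialized JSON array string, and ISO-8601 timestamps. The following Python is an added example, not Hunt.io code, that normalizes them before comparison or storage; the function names and output keys are illustrative, and the sample certificate is constructed from the formats shown in the table.

```python
import json
from datetime import datetime, timezone

def split_delimited(value):
    """Split a string such as ',*.example.com,' and drop the empty edge items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def parse_json_list(value):
    """Decode a serialized JSON array string; return [] for empty or malformed input."""
    if isinstance(value, list):
        return value
    try:
        decoded = json.loads(value or "[]")
    except (TypeError, ValueError):
        return []
    return decoded if isinstance(decoded, list) else []

def parse_utc(value):
    """Parse an ISO-8601 timestamp; the API notes state that timestamps are UTC."""
    if not value:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def normalize_certificate(cert, now=None):
    """Return a flat view of one certificate object; omitted fields become empty values."""
    now = now or datetime.now(timezone.utc)
    not_before = parse_utc(cert.get("NotBefore"))
    not_after = parse_utc(cert.get("NotAfter"))
    return {
        "sha256": (cert.get("HashHexedSha256") or "").lower(),
        "policy_oids": split_delimited(cert.get("PolicyIdentifiers")),
        "ext_key_usage": parse_json_list(cert.get("ExtKeyUsage")),
        "hostnames": split_delimited(cert.get("Hostnames")),
        "in_validity_window": bool(not_before and not_after and not_before <= now <= not_after),
    }

# Constructed sample that follows the field formats documented above.
SAMPLE_CERT = {
    "HashHexedSha256": "AB" * 32,  # constructed placeholder, not a real hash
    "NotBefore": "2025-06-11T22:03:53",
    "NotAfter": "2025-09-09T22:03:52",
    "PolicyIdentifiers": ",2.23.140.1.2.1,",
    "ExtKeyUsage": '["ServerAuth","ClientAuth"]',
    "Hostnames": ",*.example.com,",
}

if __name__ == "__main__":
    print(normalize_certificate(SAMPLE_CERT))
```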
jarm (array of objects)
| Field | Description |
|---|---|
| ScanIP | IP where the JARM was captured. |
| ScanPort | Port used for the JARM handshake. |
| JARM | 62-char JARM fingerprint string. |
| SeenFirst, SeenLast | First/last seen for that IP:port. |
protocol (array of objects)
| Field | Description |
|---|---|
| IP, Port | Endpoint observed. |
| Fingerprint[] | Primary matched protocol label(s) (e.g., http, tls, unknown). |
| SeenFirst, SeenLast | First/last time the protocol was observed. |
| AllFingerprints[] | Full set of labels matched over time (e.g., ["unknown","tls","tcpwrapped"]). |
http (array of objects)
| Field | Description |
|---|---|
| IP, Port | HTTP endpoint. |
| SeenFirst, SeenLast | First/last observation. |
| BodySHA256 | Hash of response body (content fingerprint). |
| HeaderRaw | Raw response headers (may be empty). |
ssh (array of objects; when present)
| Field | Description |
|---|---|
| IP, Port | SSH endpoint. |
| SeenFirst, SeenLast | First/last observation. |
| Keys | Comma-separated SSH public key hashes (when available). |
opendir (array of objects; when present)
| Field | Description |
|---|---|
| IP | IP where an open directory was observed. |
| Hostname | URL including scheme and port. |
| SeenFirst, SeenLast | First/last sighting. |
honeypot (array of objects; when present)
| Field | Description |
|---|---|
| Ports[] | Ports involved in honeypot activity. |
| Tags[] | Activity tags (e.g., crawler, scanner, exploit). |
| Actor | Linked threat actor ID (if any). |
| SeenFirst, SeenLast | First/last sighting. |
phishing (array of objects)
| Field | Description |
|---|---|
| URL | Phishing page URL associated with related infra. |
| SeenFirst, SeenLast | First/last sighting time. |
| Status | HTTP status code at crawl time. |
| Title | Page title captured. |
| MatchedSignatures[] | Matched Hunt signatures/heuristics (e.g., inline-navigator-regex, default-framer-title). |
Example response (trimmed)
Example generated for the framer.app domain:
```json
{
  "ips": ["52.223.52.2"],
  "certificates": [
    {
      "HashHexedSha256": "39E1FF225B37B29CB2D1179AEE6FB580007D18D58A4AD2BD68A2B425B5A4C1F4",
      "UUIDHexed": "0DA34546B05715F874500B3670A3799F197B3E3ED1F35789B995D4F19B216E74",
      "HashHexedSha1": "D6D544217DEA810B6F8162DA38B47202988E1F43",
      "HashHexedMd5": "736227C1E684D8226D0FCE02357B2418",
      "JA4X": "a373a9f83c6b_7022c563de38_2e3757343cb0",
      "SeenFirst": "2025-06-11T23:45:32",
      "SeenLast": "2025-08-10T23:03:18",
      "Serial": "481689352709894488851110697852654079886406",
      "NotBefore": "2025-06-11T22:03:53",
      "NotAfter": "2025-09-09T22:03:52",
      "SubjectCommonName": "*.framer.app",
      "IssuerCommonName": "E6",
      "IssuerCountry": ["US"],
      "IssuerOrganization": ["Let's Encrypt"],
      "DNSNames": ["*.framer.app"]
    }
  ],
  "jarm": [
    {
      "ScanIP": "52.223.52.2",
      "ScanPort": 443,
      "JARM": "00000000000000000000000000000000000000000000000000000000000000",
      "SeenFirst": "2023-09-30T05:40:49",
      "SeenLast": "2025-08-28T02:03:30"
    }
  ],
  "protocol": [
    { "IP": "52.223.52.2", "Port": 443, "Fingerprint": ["tls"], "SeenFirst": "2023-09-12T04:08:28", "SeenLast": "2025-08-24T09:32:34", "AllFingerprints": ["unknown","tls","tcpwrapped"] },
    { "IP": "52.223.52.2", "Port": 80, "Fingerprint": ["http"], "SeenFirst": "2023-09-12T08:16:44", "SeenLast": "2025-08-24T06:31:52", "AllFingerprints": ["unknown","http","tcpwrapped"] }
  ],
  "http": [
    {
      "IP": "52.223.52.2",
      "Port": 443,
      "SeenFirst": "2024-05-09T17:05:49",
      "SeenLast": "2025-08-27T10:23:33",
      "BodySHA256": "7A1FABF227903297428F36DA3B3547D91E308A992063271E8FE1A4F1E1E6CD26",
      "HeaderRaw": ""
    }
  ],
  "phishing": [
    {
      "URL": "https://violet-track-966474.framer.app/page",
      "SeenFirst": "2025-05-15T21:18:20",
      "SeenLast": "2025-05-15T21:18:20",
      "Status": 200,
      "Title": "My Framer Site",
      "MatchedSignatures": ["inline-navigator-regex", "default-framer-title"]
    }
  ],
  "malware": [],
  "ssh": [],
  "opendir": [],
  "honeypot": []
}
```
Status codes
| Code | Meaning |
|---|---|
| 200 | Success: JSON payload returned. |
| 400 | Bad request (e.g., malformed domain). |
| 401 | Unauthorized (missing/invalid token). |
| 404 | No enrichment found for the domain/host. |
| 429 | Rate limited; back off and retry later. |
| 500 | Server error. |
Best practices
- Filter by recency: Use SeenLast to prioritize active infrastructure.
- Pivot consistently: The component shapes mirror IP Enrichment, so you can pivot by IP → Domain or Domain → IP with identical handling.
- Handle large arrays: protocol and phishing may be large; paginate or filter client-side by date/port/signature.
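One way to apply the recency and client-side filtering advice above, as an added example rather than Hunt.io code. The function names, output keys and the 30-day default are assumptions, and the sample is trimmed from the example response on this page with several top-level arrays deliberately omitted.

```python
from datetime import datetime, timedelta, timezone

def to_utc(value):
    """Parse an ISO-8601 timestamp and treat a missing offset as UTC, per the API notes."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def recent(observations, now, max_age_days):
    """Keep observations whose SeenLast falls within max_age_days of `now`."""
    cutoff = now - timedelta(days=max_age_days)
    return [o for o in observations or [] if o.get("SeenLast") and to_utc(o["SeenLast"]) >= cutoff]

def triage(enrichment, now, max_age_days=30, ports=None, signatures=None):
    """Reduce a response to recently seen endpoints and phishing URLs, with optional filters."""
    protocol = recent(enrichment.get("protocol"), now, max_age_days)
    if ports:
        protocol = [p for p in protocol if p.get("Port") in ports]
    phishing = recent(enrichment.get("phishing"), now, max_age_days)
    if signatures:
        wanted = set(signatures)
        phishing = [p for p in phishing if wanted & set(p.get("MatchedSignatures") or [])]
    return {
        "active_endpoints": sorted({(p["IP"], p["Port"]) for p in protocol if "IP" in p and "Port" in p}),
        "phishing_urls": [p["URL"] for p in phishing if "URL" in p],
    }

# Constructed inputs: a fixed "now" and a trimmed copy of the example response.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)
SAMPLE = {
    "protocol": [
        {"IP": "52.223.52.2", "Port": 443, "Fingerprint": ["tls"], "SeenLast": "2025-08-24T09:32:34"},
        {"IP": "52.223.52.2", "Port": 80, "Fingerprint": ["http"], "SeenLast": "2025-08-24T06:31:52"},
    ],
    "phishing": [
        {"URL": "https://violet-track-966474.framer.app/page", "SeenLast": "2025-05-15T21:18:20",
         "MatchedSignatures": ["inline-navigator-regex", "default-framer-title"]},
    ],
}

if __name__ == "__main__":
    print(triage(SAMPLE, NOW, ports={443}))
```

With the 30-day default the May phishing sighting is dropped as stale; widening `max_age_days` brings it back for historical review.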