Developer Reference

Subdomain Finder

Explore Subdomain Finder API documentation, request parameters, response fields, code examples, and error handling for DomScan integrations.

Subdomain Finder

Return a best-effort set of public hostname evidence. The sources=ct parameter selects the compatibility pipeline, which tries crt.sh first and can fall back to HackerTarget, ThreatMiner, the Wayback Machine, and CertSpotter. DomScan does not brute-force names or crawl the target site, so the result is not a complete inventory. Cache-only misses return HTTP 202 and all-source failures return HTTP 503. Credits are refunded for both responses.

GET /v1/subdomains

Query Parameters

ParameterTypeDescription
domain required string Root domain to find subdomains for (e.g., "github.com")
prefer_cache optional boolean token Serve cached results only. If no fresh or stale cache exists, the API returns 202, queues a background refresh, and refunds the request credits. Accepted values: true, false, 1, 0, yes, and no. Default: false.
sources optional string Compatibility selector. Only ct is accepted. It starts the passive discovery pipeline, but each result reports the provider that supplied its evidence: crtsh, hackertarget, threatminer, wayback, or certspotter. Older cached entries may report ct.
verify optional boolean token Check DNS only for the names already selected for the response. Verification does not discover more names. Accepted values: true, false, 1, 0, yes, and no. Default: false.
include_wildcards optional boolean token Return wildcard certificate evidence in a separate wildcards array. Wildcards are not mixed into concrete hostname results. Accepted values: true, false, 1, 0, yes, and no. Default: false.
limit optional integer Maximum concrete hostname entries to return. Enter an integer from 1 through 2000. Default: 500.

Use Cases

  • Attack surface mapping and security audits
  • Review possible forgotten or shadow IT hostnames
  • Pre-acquisition technical due diligence
  • Competitive analysis of infrastructure
  • Bug bounty reconnaissance

Response Fields

FieldDescription
subdomains[].nameReturned hostname. The apex can appear when a source includes it.
subdomains[].sourceProvider that supplied the evidence. Possible values are crtsh, hackertarget, threatminer, wayback, certspotter, and legacy cached ct.
subdomains[].first_seenFor crt.sh and CertSpotter evidence, the earliest valid certificate not-before value found for the hostname. Passive fallback entries return null because those sources do not provide comparable certificate timing.
subdomains[].verifiedTrue only when verify is enabled and DNS resolution succeeds for the returned hostname. Otherwise false.
subdomains[].dns_recordsA and CNAME records from optional verification of the returned hostname, or null. This field does not add names to the result.
summary.total_foundTotal concrete hostname entries found before the response limit, including the apex when a source includes it.
summary.verified_countNumber of returned hostnames that resolved during optional DNS verification.

HTTP Status Codes

HTTP Status CodesDescription
200 OKRequest successful
202 AcceptedCache-only subdomain miss accepted for background refresh. No credits are charged; retry after the Retry-After delay.
400 Bad RequestInvalid parameters
402 Payment RequiredNot enough credits to run this request.
503 Service UnavailableUpstream service unavailable or temporarily rate limited.
504 Gateway TimeoutUpstream lookup timed out.

Example Request

curl -H "X-API-Key: your-api-key" "https://domscan.net/v1/subdomains?domain=example.com&sources=ct&include_wildcards=yes&limit=100"

curl -H "X-API-Key: your-api-key" "https://domscan.net/v1/subdomains?domain=example.com&sources=ct&verify=yes&limit=50"

curl -H "X-API-Key: your-api-key" "https://domscan.net/v1/subdomains?domain=example.com&prefer_cache=1"
import requests

domscan = requests.Session()
domscan.headers.update({"X-API-Key": "your-api-key"})

response = domscan.get(
    "https://domscan.net/v1/subdomains",
    params={
        "domain": "example.com",
        "sources": "ct",
        "verify": "yes",
        "include_wildcards": "yes",
        "limit": 100
    }
)
data = response.json()

print(f"Returned {data['summary']['returned']} hostname entries")
print(f"Verified: {data['summary']['verified_count']}")

live_subs = [s for s in data['subdomains'] if s['verified']]
for sub in live_subs[:10]:
    print(f"  {sub['name']}")
const domscanFetch = (url, options = {}) =>
  fetch(url, {
    ...options,
    headers: { ...options.headers, "X-API-Key": "your-api-key" },
  });

const response = await domscanFetch(
  'https://domscan.net/v1/subdomains?' + new URLSearchParams({
    domain: 'example.com',
    sources: 'ct',
    verify: 'yes',
    include_wildcards: 'yes',
    limit: '100'
  })
);
const data = await response.json();

console.log(`Returned ${data.summary.returned} hostname entries`);
console.log(`Verified: ${data.summary.verified_count}`);

data.subdomains
  .filter(s => s.verified)
  .forEach(s => console.log(`  ${s.name}`));

Example Response

{
  "domain": "example.com",
  "subdomains": [
    {
      "name": "api.example.com",
      "source": "crtsh",
      "first_seen": "2025-01-15T00:00:00Z",
      "verified": true,
      "dns_records": {
        "A": ["192.0.2.10"],
        "CNAME": null
      }
    }
  ],
  "wildcards": [
    {
      "pattern": "*.example.com",
      "source": "crtsh",
      "first_seen": "2024-11-20T00:00:00Z"
    }
  ],
  "summary": {
    "total_found": 1,
    "returned": 1,
    "verified_count": 1,
    "unverified_count": 0,
    "sources_used": ["crtsh"],
    "apex_included": false,
    "wildcard_suppressed_count": 1,
    "wildcard_returned_count": 1
  },
  "intelligence_summary": {
    "data_sources": ["crtsh"],
    "source_count": 1,
    "cache_status": "live",
    "returned_count": 1,
    "total_found": 1,
    "truncated": false,
    "limit": 100,
    "verification_requested": true,
    "include_wildcards": true,
    "verified_count": 1,
    "verified_ratio": 1,
    "live_dns_record_count": 1,
    "apex_included": false,
    "wildcard_suppressed_count": 1,
    "wildcard_returned_count": 1,
    "first_seen_oldest": "2025-01-15T00:00:00Z",
    "first_seen_newest": "2025-01-15T00:00:00Z",
    "warning_count": 0
  },
  "meta": {
    "query_time_ms": 184,
    "cached": false
  }
}

202 Accepted

{
  "status": "pending",
  "code": "CACHE_MISS_REFRESH_QUEUED",
  "message": "Try again in a moment",
  "domain": "example.com",
  "retry_after": 30,
  "credits_charged": 0,
  "billing_status": "not_charged",
  "request_id": "m8abc12-x9y8"
}
POST /v1/subdomains/bulk

Body Parameters

Parameter Type required
domains string[] required
verify boolean optional
include_wildcards boolean optional
limit integer optional

Response Fields

Field Type
results[] unknown[]
meta object
meta.total integer
meta.succeeded integer
meta.failed integer
meta.max_items integer
meta.credits_per_item integer
meta.duration_ms integer

Example Request

curl -X POST "https://domscan.net/v1/subdomains/bulk" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $DOMSCAN_API_KEY" \
  -d '{
  "domains": [
    "example.com",
    "cloudflare.com"
  ],
  "verify": false,
  "limit": 500
}'

Example Response

{
  "results": [
    null
  ],
  "meta": {
    "total": 1,
    "succeeded": 1,
    "failed": 1,
    "max_items": 10,
    "credits_per_item": 1,
    "duration_ms": 1
  }
}