Enter a domain, URL, IP, email, or record and get a focused result without setup.
Review public hostname evidence with clear source labels
GET /v1/subdomains?domain=example.com
Use the browser tool for a fast answer, then move the same logic into scripts, monitoring, or product flows when it becomes repeatable.
Enter a domain, URL, IP, email, or record and get a focused result without setup.
Outputs highlight statuses, risks, records, and next actions instead of raw provider noise.
Use the request and response examples to turn a one-off check into an API call or recipe.
Each page is shaped around a practical operational question, not just a raw lookup.
See the current DNS, registration, security, pricing, or reputation evidence.
Compare the result with related checks so the next move is easier to trust.
Copy examples, open linked tools, or move into API documentation when you need scale.
Transparent docs, authenticated requests, and visible reliability details make it easier to evaluate DomScan before you ship.
OpenAPI, Swagger, Postman, CLI, SDK, and MCP links are one click away.
Authenticated endpoints use API keys with clear credit costs before you call them.
Start with 10,000 monthly credits and upgrade only when usage grows.
Start from the curl and HTTP samples, then map the parameters into your application code.
DomScan tries crt.sh first. If it does not return hostnames, the pipeline can try HackerTarget, ThreatMiner, the Wayback Machine, and CertSpotter. It does not brute-force names or crawl the target site. Optional DNS verification checks only names already returned by discovery.
Compare the result with a known asset list, review old hostnames, or seed an authorized security inventory. Because passive coverage has gaps, this should not be your only discovery method.
Use GET /v1/subdomains?domain=example.com&sources=ct. The ct value selects the compatibility pipeline, while each entry reports its actual evidence source. Cache-only misses return 202 and all-source failures return 503; both refund credits.
GET /v1/subdomains?domain=example.com&sources=ct
{
"domain": "example.com",
"subdomains": [
{
"name": "api.example.com",
"source": "crtsh",
"first_seen": "2025-01-15T00:00:00Z",
"verified": false,
"dns_records": null
}
],
"summary": {
"total_found": 1,
"returned": 1,
"verified_count": 0,
"unverified_count": 1,
"sources_used": ["crtsh"],
"apex_included": false,
"wildcard_suppressed_count": 0,
"wildcard_returned_count": 0
},
"intelligence_summary": {
"data_sources": ["crtsh"],
"source_count": 1,
"cache_status": "live",
"returned_count": 1,
"total_found": 1,
"truncated": false,
"limit": 500,
"verification_requested": false,
"include_wildcards": false,
"verified_count": 0,
"verified_ratio": 0,
"live_dns_record_count": 0,
"apex_included": false,
"wildcard_suppressed_count": 0,
"wildcard_returned_count": 0,
"first_seen_oldest": "2025-01-15T00:00:00Z",
"first_seen_newest": "2025-01-15T00:00:00Z",
"warning_count": 0
},
"meta": {
"query_time_ms": 184,
"cached": false
}
}
The browser experience previews DomScan's structured endpoints, so teams can validate a use case before writing code.
DomScan tries crt.sh first. If it does not return hostnames, the pipeline can try HackerTarget, ThreatMiner, the Wayback Machine, and CertSpotter. It does not brute-force names or crawl the target site. Optional DNS verification checks only names already returned by discovery.
Compare the result with a known asset list, review old hostnames, or seed an authorized security inventory. Because passive coverage has gaps, this should not be your only discovery method.
No. This is best-effort passive coverage. Internal names and public hosts missing from the source datasets will not appear, and DNS verification does not search for additional names.
Use GET /v1/subdomains?domain=example.com&sources=ct. The ct value selects the compatibility pipeline, while each entry reports its actual evidence source. Cache-only misses return 202 and all-source failures return 503; both refund credits.