docs / domain-risk

Domain Risk API

base /domain-risk/v16 endpoints

post/domain-risk/v1/assess1 credit

Comprehensive fraud and security risk report for one domain: a 0-100 risk score, human-readable reasons, and a risk level (low / medium / elevated / high). Combines domain age, expiry status, parked/for-sale detection, TLS certificate presence, hostname structure, brand impersonation signals, and email/DNSSEC legitimacy into a single verdict. The primary action for phishing detection and brand protection.

Parameter		Allowed / range	Description
domain	required	—	A full domain to evaluate (e.g. example.com, secure-login.io). A bare host, full URL, leading www., or an IDN (münchen.de) are accepted and normalized to its registrable form.
check_parked = true	optional	—	If true (default), also fetch the domain's root page to detect a parked or for-sale landing page. A failed page probe never fails the overall risk assessment — only the parking signal is omitted.
include_pii = false	optional	—	If true, return the full RDAP registrant contact. Default false → personal data dropped (GDPR), organization kept.

Try in playground →

post/domain-risk/v1/age1 credit

Domain age + expiry-risk band + renewal status (lifecycle synthesis from RDAP dates — NOT a raw whois dump; use domain-intel.whois for that).

Parameter		Allowed / range	Description
domain	required	—	A full domain to evaluate (e.g. example.com, secure-login.io). A bare host, full URL, leading www., or an IDN (münchen.de) are accepted and normalized to its registrable form.

Try in playground →

post/domain-risk/v1/parked1 credit

Detect whether a domain is parked or listed for sale. Checks parking nameserver signals and the domain's root page for for-sale phrases and marketplace redirect hosts (Sedo, Afternic, GoDaddy, etc.). Returns a confidence-scored verdict: parked, for_sale, or actively in use. Returns 'unknown' when the page cannot be read.

Parameter		Allowed / range	Description
domain	required	—	A full domain to evaluate (e.g. example.com, secure-login.io). A bare host, full URL, leading www., or an IDN (münchen.de) are accepted and normalized to its registrable form.

Try in playground →

post/domain-risk/v1/typosquat1 credit

Generate a brand's lookalike domains across 16 permutation families (meets/exceeds dnstwist; incl IDN homoglyph/homograph) then report which are ACTUALLY REGISTERED + their risk — the brand-protection product.

Parameter		Allowed / range	Description
domain	required	—	A full domain to evaluate (e.g. example.com, secure-login.io). A bare host, full URL, leading www., or an IDN (münchen.de) are accepted and normalized to its registrable form.
families	optional	omission · repetition · transposition · replacement · insertion · vowel_swap · homoglyph · bitsquatting · hyphenation · addition · subdomain · tld_swap · combosquat · plural · homophones · various	Which typosquat permutation families to generate (comma-separated or array). Defaults to ALL 16 (meets/exceeds dnstwist): omission, repetition, transposition, replacement, insertion, vowel_swap, homoglyph, bitsquatting, hyphenation, addition, subdomain, tld_swap, combosquat, plural, homophones, various. Unknown names are ignored.
keywords	optional	—	Additional keywords to include in the combosquat permutation family (e.g. your product name or campaign terms like 'checkout', 'wallet'). Combined with the built-in phishing keyword set (login, secure, verify…).
check_registered = true	optional	—	If true (default), RDAP/DoH-check which generated lookalikes are actually registered (capped at 120 checks). False → return candidates only.

Try in playground →

post/domain-risk/v1/reputation1 credit

Registrar / nameserver / age / mail-hygiene (SPF·DMARC·DNSSEC) trust signals → a 0-100 reputation_score + trust_level. Reputation is a positive-trust lens (vs assess's risk lens).

Parameter		Allowed / range	Description
domain	required	—	A full domain to evaluate (e.g. example.com, secure-login.io). A bare host, full URL, leading www., or an IDN (münchen.de) are accepted and normalized to its registrable form.

Try in playground →

post/domain-risk/v1/batch1 credit

Risk-assess up to 50 domains in one call (RDAP + DNS + email hygiene scoring, no per-domain parked-page probe). Returns a risk verdict per domain plus a combined high-risk list — ideal for bulk fraud screening.

Parameter		Allowed / range	Description
domains	required	—	A list of full domains to risk-assess at once (comma-separated string or array). Capped at 50; invalid entries reported under 'invalid'.

Try in playground →

Example request · assess

curl -X POST https://api.reefapi.com/domain-risk/v1/assess \
  -H "x-api-key: $REEF_KEY" \
  -H "content-type: application/json" \
  -d '{"domain":"google.com","check_parked":false}'

Response shape

{
  "ok": true,
  "data": { /* the result */ },
  "meta": {
    "latency_ms": 240,
    "record_count": 12,
    "completeness_pct": 100
  },
  "error": null
}