docs / passive-osint
Passive OSINT & Recon API
Passive OSINT & Recon API
base /passive-osint/v14 endpoints
post
/passive-osint/v1/subdomains2 creditsPassive subdomain discovery across crt.sh + certspotter + OTX + hackertarget + Wayback, deduped, with a per-source matrix and an honest coverage note
| Parameter | Allowed / range | Description | |
|---|---|---|---|
| domain | required | — | The registrable domain to enrich (a bare host like example.com; a full URL or leading www. is accepted and normalized). NOT a person. |
| sources | optional | crtsh · certspotter · otx · hackertarget · wayback | Which passive sources to query (comma-separated string or array). Defaults to all five. Unknown names are ignored. |
post
/passive-osint/v1/domain3 creditsOne-call unified passive report: subdomains + DNS summary + SSL summary + archive first/last-seen + threat blocklist flags, each section degrading independently
| Parameter | Allowed / range | Description | |
|---|---|---|---|
| domain | required | — | The registrable domain to enrich (a bare host like example.com; a full URL or leading www. is accepted and normalized). NOT a person. |
| sources | optional | crtsh · certspotter · otx · hackertarget · wayback | Which passive sources to query (comma-separated string or array). Defaults to all five. Unknown names are ignored. |
| include_pii = false | optional | — | If true, reveal the RDAP abuse mailbox / contact email. Default false → contact emails are masked (R17 privacy hygiene). |
post
/passive-osint/v1/ip1 creditPassive IP enrichment: rDNS (PTR) + ASN/org/country (Team-Cymru + RDAP) + threat blocklist flags + shared-host neighbours (reverse-IP + OTX IPv4 passive-DNS)
| Parameter | Allowed / range | Description | |
|---|---|---|---|
| ip | required | — | A single IPv4 address to enrich (rDNS + ASN/org/country + threat + shared-host neighbours). |
| include_pii = false | optional | — | If true, reveal the RDAP abuse mailbox / contact email. Default false → contact emails are masked (R17 privacy hygiene). |
post
/passive-osint/v1/batch3 creditsCompact passive report (subdomain count+list, DNS, threat, archive-first-seen) across up to 10 domains in one call
| Parameter | Allowed / range | Description | |
|---|---|---|---|
| domains | required | — | Up to 10 domains. A JSON array or a comma/space/newline-separated string. Each gets a compact passive report. |
Example request · subdomains
curl -X POST https://api.reefapi.com/passive-osint/v1/subdomains \
-H "x-api-key: $REEF_KEY" \
-H "content-type: application/json" \
-d '{"domain":"hackerone.com"}'Response shape
{
"ok": true,
"data": { /* the result */ },
"meta": {
"latency_ms": 240,
"record_count": 12,
"completeness_pct": 100
},
"error": null
}