Privacy Scan API

`/privacy-scan/v1/scan` (3 credits)

Full privacy report for a URL: third-party trackers + cookies + consent/CMP + tracking pixels + fingerprinting + 0-100 privacy score + GDPR risk + ranked fixes. One call.

| Parameter | Required | Allowed / range | Description |
|---|---|---|---|
| url | required | — | The page to scan. Full URL (https://example.com/page) or a bare domain (example.com → https:// assumed). Only http/https; private/internal/metadata targets are SSRF-blocked. Alias: domain/site/website. |
| follow_redirects = true | optional | — | Follow redirects (http→https, apex→www) before scanning the final page (default true). Each hop is independently SSRF-validated. |
| render = always | optional | always · false · auto | How to capture the tracker graph. DEFAULT 'always': a full headless browser renders the page and captures live third-party requests — ad-tech, tag-manager-injected trackers, Consent Mode signals — plus the complete cookie jar. This is the most thorough scan (a missed tracker injected by JavaScript would be a false 'clean'). Set render=false (alias: never) for a fast, lightweight static-only scan suited to bulk runs. 'auto' starts static and escalates to a full render only when the page appears JavaScript-heavy. |

`/privacy-scan/v1/trackers` (2 credits)

Third-party + first-party tracker list: per-host entity/owner, category (advertising/analytics/social/session_replay/…), first-vs-third-party, load surface.

| Parameter | Required | Allowed / range | Description |
|---|---|---|---|
| url | required | — | The page to scan. Full URL (https://example.com/page) or a bare domain (example.com → https:// assumed). Only http/https; private/internal/metadata targets are SSRF-blocked. Alias: domain/site/website. |
| follow_redirects = true | optional | — | Follow redirects (http→https, apex→www) before scanning the final page (default true). Each hop is independently SSRF-validated. |
| render = always | optional | always · false · auto | How to capture the tracker graph. DEFAULT 'always': a full headless browser renders the page and captures live third-party requests — ad-tech, tag-manager-injected trackers, Consent Mode signals — plus the complete cookie jar. This is the most thorough scan (a missed tracker injected by JavaScript would be a false 'clean'). Set render=false (alias: never) for a fast, lightweight static-only scan suited to bulk runs. 'auto' starts static and escalates to a full render only when the page appears JavaScript-heavy. |

`/privacy-scan/v1/consent` (2 credits)

Consent-management platform (CMP) detection: OneTrust/Cookiebot/Usercentrics/Quantcast/TrustArc/Didomi/Sourcepoint/Iubenda/… + IAB-TCF v2 + Google Consent Mode.

| Parameter | Required | Allowed / range | Description |
|---|---|---|---|
| url | required | — | The page to scan. Full URL (https://example.com/page) or a bare domain (example.com → https:// assumed). Only http/https; private/internal/metadata targets are SSRF-blocked. Alias: domain/site/website. |
| follow_redirects = true | optional | — | Follow redirects (http→https, apex→www) before scanning the final page (default true). Each hop is independently SSRF-validated. |
| render = always | optional | always · false · auto | How to capture the tracker graph. DEFAULT 'always': a full headless browser renders the page and captures live third-party requests — ad-tech, tag-manager-injected trackers, Consent Mode signals — plus the complete cookie jar. This is the most thorough scan (a missed tracker injected by JavaScript would be a false 'clean'). Set render=false (alias: never) for a fast, lightweight static-only scan suited to bulk runs. 'auto' starts static and escalates to a full render only when the page appears JavaScript-heavy. |

`/privacy-scan/v1/fingerprinting` (2 credits)

Browser-fingerprinting detection: canvas, WebGL, audio, font and device code patterns plus known fingerprinting libraries (FingerprintJS, ThreatMetrix, and similar SDKs).

| Parameter | Required | Allowed / range | Description |
|---|---|---|---|
| url | required | — | The page to scan. Full URL (https://example.com/page) or a bare domain (example.com → https:// assumed). Only http/https; private/internal/metadata targets are SSRF-blocked. Alias: domain/site/website. |
| follow_redirects = true | optional | — | Follow redirects (http→https, apex→www) before scanning the final page (default true). Each hop is independently SSRF-validated. |
| render = always | optional | always · false · auto | How to capture the tracker graph. DEFAULT 'always': a full headless browser renders the page and captures live third-party requests — ad-tech, tag-manager-injected trackers, Consent Mode signals — plus the complete cookie jar. This is the most thorough scan (a missed tracker injected by JavaScript would be a false 'clean'). Set render=false (alias: never) for a fast, lightweight static-only scan suited to bulk runs. 'auto' starts static and escalates to a full render only when the page appears JavaScript-heavy. |

`/privacy-scan/v1/score` (3 credits)

Composite privacy score (0-100, higher=more private) + grade + GDPR risk verdict (minimal/low/medium/high/critical) + ranked recommendations + transparent penalties.

| Parameter | Required | Allowed / range | Description |
|---|---|---|---|
| url | required | — | The page to scan. Full URL (https://example.com/page) or a bare domain (example.com → https:// assumed). Only http/https; private/internal/metadata targets are SSRF-blocked. Alias: domain/site/website. |
| follow_redirects = true | optional | — | Follow redirects (http→https, apex→www) before scanning the final page (default true). Each hop is independently SSRF-validated. |
| render = always | optional | always · false · auto | How to capture the tracker graph. DEFAULT 'always': a full headless browser renders the page and captures live third-party requests — ad-tech, tag-manager-injected trackers, Consent Mode signals — plus the complete cookie jar. This is the most thorough scan (a missed tracker injected by JavaScript would be a false 'clean'). Set render=false (alias: never) for a fast, lightweight static-only scan suited to bulk runs. 'auto' starts static and escalates to a full render only when the page appears JavaScript-heavy. |

`/privacy-scan/v1/batch` (5 credits)

Scan up to 20 URLs concurrently in one call (each independently SSRF-guarded). Compact per-URL privacy_score + grade + gdpr_risk + tracker/cookie counts. NOTE: batch is the fast bulk path — it runs static (no per-URL render, to stay within latency for 20 URLs); per-URL likely_js_app flags JS shells. For the full runtime graph, call `scan` per URL (render defaults on).

| Parameter | Required | Allowed / range | Description |
|---|---|---|---|
| urls | required | — | List of pages to scan in one call (max 20); each is independently SSRF-guarded and fetched concurrently. |

Example request:

```bash
curl -X POST https://api.reefapi.com/privacy-scan/v1/scan \
  -H "x-api-key: $REEF_KEY" \
  -H "content-type: application/json" \
  -d '{"url":"https://www.cnn.com"}'
```

Response:

```json
{
  "ok": true,
  "data": { /* the result */ },
  "meta": {
    "latency_ms": 240,
    "record_count": 12,
    "completeness_pct": 100
  },
  "error": null
}
```
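
The `url` rules above (bare domain gets `https://`, only http/https, private/internal/metadata targets refused) and the 20-URL batch limit can be applied client-side before any request is sent, so a scan list never relies on the server to reject an internal address. This is an added example, not code from the API or its vendor: the function names, the internal-suffix list and the `{"urls": [...]}` body shape (inferred from the `urls` parameter) are assumptions, and the API's own SSRF validation stays authoritative because a DNS name can only be checked at fetch time.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_BATCH = 20  # documented per-call limit for /privacy-scan/v1/batch
# Assumption: suffixes treated as internal here; the API's own list is not published.
INTERNAL_SUFFIXES = (".localhost", ".internal", ".local")


def normalize_target(raw):
    """Return a canonical http(s) URL for the `url` parameter, or raise ValueError."""
    raw = raw.strip()
    if "://" not in raw:
        raw = "https://" + raw  # bare domain: https:// assumed, as documented
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    parts.port  # property access raises ValueError on a malformed port
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # DNS name: what it resolves to can only be checked at fetch time
    if ip is not None and not ip.is_global:
        raise ValueError(f"non-public address {host}")
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        raise ValueError(f"internal hostname {host}")
    return parts.geturl()


def build_batches(raw_urls):
    """Return (payloads, rejected): request bodies of <= MAX_BATCH URLs, and refusals."""
    accepted, rejected = [], {}
    for raw in raw_urls:
        try:
            url = normalize_target(raw)
        except ValueError as exc:
            rejected[raw] = str(exc)
            continue
        if url not in accepted:  # drop duplicates so one page is scanned once
            accepted.append(url)
    payloads = [{"urls": accepted[i:i + MAX_BATCH]}
                for i in range(0, len(accepted), MAX_BATCH)]
    return payloads, rejected


if __name__ == "__main__":
    # Constructed sample input, not taken from the page.
    sample = ["example.com", "http://169.254.169.254/latest/meta-data/", "ftp://example.org"]
    print(build_batches(sample))
```

Each payload is sized for one `batch` call; log the `rejected` map rather than silently dropping entries, since a refused target in a scan list is worth a look.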