# Domain Search

> Look up comprehensive intelligence about a domain — WHOIS registration, DNS records, SSL certificates, hosting infrastructure, threat data, urlscan.io screenshot, blocklist status, reverse-IP, popularity rank, typosquatting, IP reputation, and breach exposure.

## Authentication

Requires an API key in the `Authorization` header.

```http theme={"dark"}
Authorization: Bearer YOUR_API_KEY
```

## Request

<ParamField body="query" type="string" required>
  The domain name to search (e.g. `tesla.com`)
</ParamField>

## Response

Returns domain intelligence including WHOIS registration, DNS records, SSL certificate
details, hosting/IP info, threat indicators, and a deep **Domain Intelligence** recon
report (`intel`) plus **company enrichment** (`company`).

<ResponseField name="domain" type="string">
  The resolved domain name.
</ResponseField>

<ResponseField name="whois" type="object">
  WHOIS registration data — registrar, creation/expiry dates, and name servers.
</ResponseField>

<ResponseField name="dns" type="object">
  Apex DNS records (`a`, `aaaa`, `cname`, `mx`, `ns`, `txt`).
</ResponseField>

<ResponseField name="ssl" type="object">
  SSL/TLS certificate details — issuer, validity window, and subject alternative names.
</ResponseField>

<ResponseField name="threat_intel" type="object">
  Reputation / threat indicators for the domain.
</ResponseField>

<ResponseField name="intel" type="object">
  **Domain Intelligence** — a passive reconnaissance report built from subdomain
  enumeration, DNS resolution, and live HTTP probing. Safe to run against any domain
  (no intrusive scanning). May be `null` if recon returns no data.

  <Expandable title="Intel fields">
    <ResponseField name="subdomains" type="array">
      Discovered subdomains (passive sources: certificate transparency + public DNS aggregators).
    </ResponseField>

    <ResponseField name="subdomain_count" type="integer">
      Total number of subdomains discovered.
    </ResponseField>

    <ResponseField name="hosts" type="array">
      Live, probed hosts. Each host includes resolved `ips`, `cname`, open `ports`,
      `url`, `status_code`, page `title`, `web_server`, detected `tech` stack, `cdn`,
      and `tls` certificate details.
    </ResponseField>

    <ResponseField name="live_host_count" type="integer">
      Number of hosts that responded to HTTP probing.
    </ResponseField>

    <ResponseField name="dns" type="object">
      Aggregate apex DNS records (`a`, `aaaa`, `cname`, `mx`, `ns`, `txt`).
    </ResponseField>

    <ResponseField name="exposures" type="array">
      Potential exposures / CVE findings. Each entry has `name`, `severity`, `host`,
      and `matched`. Only populated for authorised active deep scans.
    </ResponseField>

    <ResponseField name="active_scan" type="boolean">
      Whether active port scanning was performed. Always `false` for API requests
      (passive-only mode).
    </ResponseField>

    <ResponseField name="deep_scan" type="boolean">
      Whether deep exposure scanning was performed. Always `false` for API requests.
    </ResponseField>

    <ResponseField name="tools_run" type="array">
      The recon tools that produced data for this report.
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="company" type="object">
  Company enrichment for the organisation behind the domain — name, industry,
  headquarters, social profiles, and registry data. May be `null` if no enrichment
  data is available.

  <Expandable title="Company fields">
    <ResponseField name="name" type="string">Company name.</ResponseField>
    <ResponseField name="legal_name" type="string">Registered legal name.</ResponseField>
    <ResponseField name="description" type="string">Short company description.</ResponseField>
    <ResponseField name="industry" type="string">Industry / sector.</ResponseField>
    <ResponseField name="founded" type="string">Founding or incorporation date.</ResponseField>
    <ResponseField name="headquarters" type="string">Primary headquarters location.</ResponseField>
    <ResponseField name="emails" type="array">Public contact email addresses.</ResponseField>
    <ResponseField name="phones" type="array">Public contact phone numbers.</ResponseField>
    <ResponseField name="socials" type="object">Social profile links (LinkedIn, Twitter/X, Crunchbase, GitHub, Facebook, Instagram, YouTube).</ResponseField>
    <ResponseField name="registry" type="object">Registry data — LEI, company number, jurisdiction, status, registered address, name servers, abuse contact, and officers.</ResponseField>
    <ResponseField name="confidence" type="number">Confidence score (0–1) for the merged enrichment.</ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="report" type="object">
  **OSINT Report** — a structured, 16-section intelligence report synthesized from
  every data source above plus keyless passive enrichment (HTTP security headers,
  `.well-known` files, Certificate Transparency logs, the Internet Archive / Wayback
  Machine, ASN / hosting attribution, and email-authentication posture). Designed for
  a single-domain "everything we know" view. May be `null` if no data is available.

  <Expandable title="Report fields">
    <ResponseField name="domain" type="string">The domain the report was built for.</ResponseField>
    <ResponseField name="generated_at" type="string">ISO-8601 timestamp of when the report was generated.</ResponseField>
    <ResponseField name="screenshot" type="string">URL of the most recent urlscan.io live screenshot of the apex site, when available.</ResponseField>
    <ResponseField name="popularity_rank" type="integer">Tranco global popularity rank (lower is more popular), when the domain is ranked.</ResponseField>

    <ResponseField name="summary" type="object">
      Executive summary — `company_name`, `description`, `category`, `key_findings[]`,
      `major_risks[]`, `confidence`, `security_grade` (A–F), and a `stats` object
      (`subdomains`, `live_hosts`, `open_ports`, `dns_records`, `technologies`,
      `exposures`, `emails`, `ct_names`).
    </ResponseField>

    <ResponseField name="dns_intel" type="array">Sheet 2 — DNS & domain intelligence rows (`record_type`, `value`, `provider`, `notes`).</ResponseField>
    <ResponseField name="infra" type="array">Sheet 3 — infrastructure & hosting (`asset`, `ip`, `asn`, `hosting`, `cdn`, `country`).</ResponseField>
    <ResponseField name="subdomains" type="array">Sheet 4 — discovered subdomains (`subdomain`, `ip`, `status`, `purpose`, `source`, `first_seen`, `owner_era`). `owner_era` is `previous` when a Certificate Transparency entry predates the current registration (likely a prior owner), otherwise `current`.</ResponseField>
    <ResponseField name="website" type="array">Sheet 5 — website & product pages (`page`, `url`, `page_type`, `status`, `title`).</ResponseField>
    <ResponseField name="tech_stack" type="array">Sheet 6 — technology stack (`category`, `technology`, `evidence`, `confidence`).</ResponseField>
    <ResponseField name="security" type="array">Sheet 7 — passive security posture (`area`, `finding`, `severity`, `recommendation`).</ResponseField>
    <ResponseField name="company" type="array">Sheet 8 — company & business intelligence (`category`, `entity`, `role`, `detail`).</ResponseField>
    <ResponseField name="marketing" type="array">Sheet 9 — marketing, SEO & brand (`category`, `finding`, `url`, `detail`).</ResponseField>
    <ResponseField name="documents" type="array">Sheet 10 — public documents & files (`type`, `url`, `sensitive`, `notes`).</ResponseField>
    <ResponseField name="email" type="array">Sheet 11 — email infrastructure & authentication posture: SPF, DKIM, DMARC, MTA-STS, CAA, BIMI, and TLS-RPT (`type`, `value`, `purpose`, `notes`).</ResponseField>
    <ResponseField name="risk" type="array">Sheet 12 — risk, reputation & trust (`signal`, `category`, `severity`, `recommendation`).</ResponseField>
    <ResponseField name="historical" type="array">Sheet 13 — historical intelligence from Wayback & CT (`period`, `source`, `finding`, `url`).</ResponseField>
    <ResponseField name="gaps" type="array">Sheet 14 — gaps & unknowns (`missing`, `why_matters`, `next_step`, `priority`).</ResponseField>
    <ResponseField name="next_steps" type="array">Sheet 15 — recommended next steps (`priority`, `task`, `purpose`, `method`).</ResponseField>
    <ResponseField name="sources" type="array">Sheet 16 — source list (`name`, `type`, `used_for`, `reliability`).</ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="extras" type="object">
  **Extended domain intelligence** — additional best-effort OSINT sources. Each
  sub-field is `null` when the source returns nothing. These signals are also folded
  into the `report` (risk, infrastructure, historical, and website sections).

  <Expandable title="Extras fields">
    <ResponseField name="urlscan" type="object">
      urlscan.io scan of the apex site — `scan_id`, `scanned_url`, `screenshot`,
      `report_url`, `malicious`, `score`, `verdict`, `tags`, `scanned_at`.
    </ResponseField>

    <ResponseField name="blocklist" type="object">
      abuse.ch URLhaus blocklist status — `listed`, `source`, `threat_types`,
      `url_count`, `blacklists`, `first_seen`, `reference`.
    </ResponseField>

    <ResponseField name="reverse_ip" type="object">
      Reverse-IP lookup of the primary IP — `ip`, `domains[]`, `count`, `truncated`.
    </ResponseField>

    <ResponseField name="popularity" type="object">
      Tranco popularity — `rank`, `date`, `list`.
    </ResponseField>

    <ResponseField name="typosquat" type="object">
      Registered look-alike domains — `generated`, `count`, and `registered[]`
      (`domain`, `ip`, `type`).
    </ResponseField>

    <ResponseField name="ip_reputation" type="array">
      GreyNoise + AbuseIPDB reputation per resolved IP — `ip`, `abuse_score`,
      `total_reports`, `classification`, `is_tor`, `is_scanner`, `usage_type`,
      `country`.
    </ResponseField>

    <ResponseField name="breaches" type="object">
      Have I Been Pwned breaches recorded at the domain — `domain`, `count`,
      `total_pwned`, and `breaches[]` (`name`, `title`, `breach_date`, `pwn_count`,
      `data_classes`).
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="credits" type="integer">
  Credits consumed by the request.
</ResponseField>

<ResponseExample>
  ```json theme={"dark"}
  {
    "domain": "tesla.com",
    "whois": {
      "registrar": "MarkMonitor Inc.",
      "created": "2003-07-15",
      "expires": "2027-07-15",
      "name_servers": ["a1-12.akam.net", "a10-67.akam.net"]
    },
    "dns": {
      "a": ["184.50.204.169"],
      "mx": ["tesla-com.mail.protection.outlook.com"],
      "txt": ["v=spf1 ..."]
    },
    "ssl": {
      "issuer": "DigiCert Inc",
      "valid_from": "2025-01-15",
      "valid_to": "2026-01-15",
      "subject_alt_names": ["tesla.com", "www.tesla.com"]
    },
    "threat_intel": {
      "malicious": false,
      "categories": []
    },
    "intel": {
      "domain": "tesla.com",
      "subdomains": ["www.tesla.com", "shop.tesla.com", "api.tesla.com"],
      "subdomain_count": 3,
      "hosts": [
        {
          "host": "www.tesla.com",
          "ips": ["184.50.204.169"],
          "ports": [80, 443],
          "url": "https://www.tesla.com",
          "status_code": 200,
          "title": "Tesla",
          "web_server": "nginx",
          "tech": ["Nginx", "React", "Cloudflare"],
          "cdn": "cloudflare",
          "tls": {
            "issuer": "DigiCert Inc",
            "subject": "tesla.com",
            "expires": "2026-01-15"
          }
        }
      ],
      "live_host_count": 1,
      "dns": {
        "a": ["184.50.204.169"],
        "ns": ["a1-12.akam.net"],
        "mx": ["tesla-com.mail.protection.outlook.com"]
      },
      "exposures": [],
      "active_scan": false,
      "deep_scan": false,
      "tools_run": ["subfinder", "dnsx", "httpx"]
    },
    "company": {
      "name": "Tesla, Inc.",
      "industry": "Automotive",
      "headquarters": "Austin, Texas, USA",
      "socials": {
        "linkedin": "https://www.linkedin.com/company/tesla-motors",
        "twitter": "https://twitter.com/tesla"
      },
      "registry": {
        "jurisdiction": "us_tx",
        "status": "active"
      },
      "confidence": 0.92
    },
    "credits": 1
  }
  ```
</ResponseExample>
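
The following is an added example, not Encrata's code: one way to triage a parsed response for the risk signals documented above while tolerating the blocks and sub-fields that may be `null`. The function name `triage`, the thresholds, the boolean reading of `listed` and `malicious`, and the sample values are assumptions; `valid_to` is assumed to be a plain date as in the response example.

```python
from datetime import date

def triage(resp, today, cert_warn_days=30, abuse_threshold=50):
    """Collect (signal, detail) findings from one parsed Domain Search response."""
    # `report`, `extras` and each `extras` sub-field may be null, hence `or {}`.
    extras = resp.get("extras") or {}
    report = resp.get("report") or {}
    found = []
    if (resp.get("threat_intel") or {}).get("malicious"):
        found.append(("threat_intel", "flagged malicious"))
    if (extras.get("blocklist") or {}).get("listed"):
        found.append(("blocklist", "listed on URLhaus"))
    if (extras.get("urlscan") or {}).get("malicious"):
        found.append(("urlscan", "scan marked malicious"))
    valid_to = (resp.get("ssl") or {}).get("valid_to")
    if valid_to:
        days = (date.fromisoformat(valid_to) - today).days
        if days < cert_warn_days:
            found.append(("ssl", "expired" if days < 0 else f"expires in {days} days"))
    for row in extras.get("ip_reputation") or []:
        # Thresholds are assumptions; the page does not define the score scale.
        if (row.get("abuse_score") or 0) >= abuse_threshold or row.get("is_tor"):
            found.append(("ip_reputation", row.get("ip")))
    for hit in (extras.get("typosquat") or {}).get("registered") or []:
        found.append(("typosquat", hit.get("domain")))
    for row in report.get("subdomains") or []:
        # Names seen in CT before the current registration: likely a prior owner.
        if row.get("owner_era") == "previous":
            found.append(("previous_owner", row.get("subdomain")))
    return found

# Constructed sample response (not real API output); values are illustrative.
SAMPLE = {
    "domain": "example.com", "ssl": {"valid_to": "2026-01-15"},
    "threat_intel": {"malicious": False, "categories": []},
    "intel": None, "company": None,
    "report": {"subdomains": [
        {"subdomain": "old.example.com", "owner_era": "previous"},
        {"subdomain": "www.example.com", "owner_era": "current"}]},
    "extras": {
        "urlscan": None, "breaches": None, "blocklist": {"listed": False},
        "typosquat": {"count": 1, "registered": [
            {"domain": "examp1e.com", "ip": "192.0.2.10", "type": "constructed"}]},
        "ip_reputation": [
            {"ip": "192.0.2.1", "abuse_score": 0, "is_tor": False},
            {"ip": "192.0.2.2", "abuse_score": 80, "is_tor": False}]},
}

FINDINGS = triage(SAMPLE, date(2026, 1, 1))
```

`today` is passed in explicitly so the certificate check is reproducible; pass `date.today()` in real use.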

## Domain Intelligence

The `intel` block is produced by Encrata's self-hosted recon engine, which wraps the
open-source [ProjectDiscovery](https://projectdiscovery.io) suite:

| Tool        | Purpose                                                                          |
| ----------- | -------------------------------------------------------------------------------- |
| `subfinder` | Passive subdomain enumeration (certificate transparency, public DNS aggregators) |
| `dnsx`      | DNS resolution (A/AAAA/CNAME/MX/NS/TXT) for the apex + every subdomain           |
| `httpx`     | Live HTTP probing — status, title, server, tech stack, TLS, CDN/WAF detection    |

API requests run in **passive mode only**: no port scans or intrusive probes are sent
to the target, so it is safe to query any domain. The `httpx` step does send ordinary
HTTP requests to the discovered hosts, so that probing is visible in the target's web
logs. Active port scanning (`naabu`) and exposure/CVE scanning (`nuclei`) are reserved
for authorised internal use and never run on user-supplied domains.

## Credits

1 credit per request.
