API Key Permissions
Each API key can be scoped to specific permissions. Assign only the permissions your integration needs — you can always edit them later from the API Keys dashboard.
Quick Start — Common Permission Sets
Choose the set that matches your use case. You can always change permissions later without regenerating the key.
Only IOC Enrichment
Enrich IPs, domains, URLs, and hashes against threat intelligence providers. No access to phishing lookups or exposure scanning.
Permissions: enrichment:read, enrichment:write
Phishing Lookups + Enrichment
Access all phishing lookup endpoints (DNS, blacklist, GeoIP, Safe Browsing, CheckPhish, URLScan, URL expand) plus IOC enrichment via scope expansion.
Permissions: phishing:read
Full Phishing Analysis
Everything in phishing lookups, plus heuristic email analysis and AI-powered verdicts. Covers the full phishing investigation workflow.
Permissions: phishing:read, phishing:analyze, phishing:ai
Exposure Scanning Only
Scan domains and IPs for exposed services, open ports, and subdomains. No access to phishing or enrichment endpoints.
Permissions: exposure:read
AI Assistant + Enrichment
Interactive DFIR AI assistant with IOC enrichment. Pipe enrichment results to the AI for analysis. Requires Starter plan or above.
Permissions: ai:chat, enrichment:read
Everything
Unrestricted access to all endpoints. Use only for trusted internal integrations where you need every capability.
Permissions: api:full
Endpoint Permission Map
Every API endpoint requires a specific permission. If your key does not have the required permission, the request returns insufficient_permissions (HTTP 403).
| Endpoint | Description | Credits | Required Permission |
|---|---|---|---|
| POST /phishing/analyze | Heuristic email analysis | 1 | phishing:analyze |
| POST /phishing/analyze/ai | AI-enhanced phishing verdict | 10 | phishing:ai |
| POST /phishing/enrich | IOC enrichment | 2 | enrichment:read |
| POST /enrichment/lookup | IOC enrichment (standalone) | 3/indicator | enrichment:read |
| POST /phishing/dns | DNS configuration analysis | 1 | phishing:read |
| POST /phishing/blacklist | IP DNSBL check | 1 | phishing:read |
| POST /phishing/geoip | IP geolocation | 1 | phishing:read |
| POST /phishing/safe-browsing | Google Safe Browsing | 2 | phishing:read |
| POST /phishing/checkphish | CheckPhish URL scan | 2 | phishing:read |
| POST /phishing/urlscan | URLScan.io analysis | 3 | phishing:read |
| POST /phishing/url-expand | URL redirect chain | 1 | phishing:read |
| POST /exposure/scan | Attack surface scan | 10 | exposure:read |
| POST /ai/chat | AI-powered DFIR assistant | Dynamic | ai:chat |
| POST /ai/triage | AI alert triage and severity classification | 10 | ai:triage |
| POST /ai/analysis | Deep incident analysis with timeline reconstruction | 15 | ai:triage |
| POST /ai/threat-profile | Threat actor profiling from observed TTPs | 20 | ai:triage |
| POST /ai/detect | Detection rule generation (YARA, Sigma, Snort, Suricata) | 15 | ai:triage |
| GET /health | Service status | 0 | None (public) |
Available Permissions
These are the permissions you can assign when creating or editing an API key.
| Permission | Name | Description | Endpoints |
|---|---|---|---|
| phishing:read | Phishing Lookups | DNS analysis, IP blacklist, GeoIP lookup, Safe Browsing, URL expand, CheckPhish, and URLScan.io. | /phishing/dns, /phishing/blacklist, /phishing/geoip, /phishing/safe-browsing, /phishing/url-expand, /phishing/checkphish, /phishing/urlscan |
| phishing:analyze | Email Analysis | Submit raw .eml emails for heuristic phishing analysis. | /phishing/analyze |
| phishing:ai | AI Verdict | AI-enhanced phishing verdicts using large language model reasoning. Requires Starter plan or above. | /phishing/analyze/ai |
| enrichment:read | IOC Enrichment (Read) | Enrich indicators of compromise (IPs, domains, URLs, hashes) against threat intelligence providers. | /phishing/enrich, /enrichment/lookup |
| enrichment:write | IOC Enrichment (Write) | Reserved for future write operations (e.g., submitting threat intelligence). Currently not required by any endpoint. | None |
| exposure:read | Exposure Scanning | Scan domains and IPs to discover exposed services, open ports, subdomains, and TLS certificates. | /exposure/scan |
| ai:chat | AI Chat | Interactive DFIR AI assistant for forensic analysis, log interpretation, and incident response guidance. Requires Starter plan or above. | /ai/chat |
| ai:triage | AI Triage & Analysis | AI-powered alert triage, deep incident analysis, threat actor profiling, and detection rule generation (YARA, Sigma, Snort, Suricata). Requires Starter plan or above. | /ai/triage, /ai/analysis, /ai/threat-profile, /ai/detect |
| api:full | Full Access | Grants access to every endpoint, including any added in the future. Use only for trusted, internal integrations. | All endpoints |
Scope Expansion
Some permissions automatically grant access to additional scopes. This means you may not need to add every permission individually.
| If you have | You also get | Note |
|---|---|---|
| phishing:read | enrichment:read | Users with phishing:read can also access the IOC enrichment endpoint. |
| lab:read | phishing:read, phishing:analyze, enrichment:read, detection:read, darkweb:read, exposure:read, file:read | Legacy scope. New keys should use granular permissions instead. |
| lab:write | phishing:ai, enrichment:write, detection:write, ai:read, file:write, file:analyze | Legacy scope. New keys should use granular permissions instead. |
| api:full | Everything | Super-permission that grants access to all current and future endpoints. |
You can edit permissions at any time. Open the API Keys page and click the pencil icon next to any active key to add or remove permissions. The key itself does not change — only its access scope is updated.
Use the principle of least privilege. Grant only the permissions your integration actually needs. Avoid using api:full unless you need access to every endpoint.
The /health endpoint is public. It does not require authentication or any permission. Use it for uptime monitoring without consuming credits.
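As an added example (not the service's own code), the Python sketch below models the Endpoint Permission Map and Scope Expansion tables locally to predict which calls a key would be denied and which granted permissions exceed what an integration's endpoints need. The function names are hypothetical, and it assumes expansion rules apply transitively, which matches the table as written.

```python
# Added example: local model of the permission tables documented on this page.
# The service's real enforcement logic is not shown here; this mirrors the tables only.
BY_PERMISSION = {
    "phishing:analyze": ["/phishing/analyze"],
    "phishing:ai": ["/phishing/analyze/ai"],
    "enrichment:read": ["/phishing/enrich", "/enrichment/lookup"],
    "phishing:read": ["/phishing/dns", "/phishing/blacklist", "/phishing/geoip",
                      "/phishing/safe-browsing", "/phishing/checkphish",
                      "/phishing/urlscan", "/phishing/url-expand"],
    "exposure:read": ["/exposure/scan"],
    "ai:chat": ["/ai/chat"],
    "ai:triage": ["/ai/triage", "/ai/analysis", "/ai/threat-profile", "/ai/detect"],
    None: ["/health"],  # public, no permission required
}
REQUIRED = {path: perm for perm, paths in BY_PERMISSION.items() for path in paths}
EXPANDS = {  # Scope Expansion table
    "phishing:read": {"enrichment:read"},
    "lab:read": set("phishing:read phishing:analyze enrichment:read detection:read "
                    "darkweb:read exposure:read file:read".split()),
    "lab:write": set("phishing:ai enrichment:write detection:write ai:read "
                     "file:write file:analyze".split()),
}

def effective(granted):
    """Granted permissions plus everything they expand to (assumed transitive)."""
    scopes, todo = set(), list(granted)
    while todo:
        scope = todo.pop()
        if scope not in scopes:
            scopes.add(scope)
            todo.extend(EXPANDS.get(scope, ()))
    return scopes

def allowed(granted, path):
    """True if a key with these permissions should not get insufficient_permissions."""
    need, scopes = REQUIRED[path], effective(granted)
    return need is None or "api:full" in scopes or need in scopes

def least_privilege(used_paths):
    """Smallest granular permission set covering the endpoints an integration calls."""
    needed = {REQUIRED[p] for p in used_paths} - {None}
    return {n for n in needed if not any(n in effective({o}) for o in needed - {n})}

def audit(granted, used_paths):
    """Return (paths that would be denied, granted permissions beyond least privilege)."""
    denied = sorted(p for p in used_paths if not allowed(granted, p))
    excess = sorted(set(granted) - least_privilege(used_paths))
    return denied, excess
```

Running `audit` over the endpoints an integration actually calls gives a quick review list before editing a key in the API Keys dashboard.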