Skip to main content

Quickstart

This guide walks through the current DarkRecon flow: submit either keywords or domain, store the returned scan_id, and retrieve the raw stored result.
Use keywords in the request body. Older docs used queries, which no longer matches the live API.

1) Set your API key

export DARKRECON_BASE_URL="https://darkrecon.1337807.xyz"
export DARKRECON_API_KEY="YOUR_API_KEY"

2) Start a keyword scan

curl -X POST "$DARKRECON_BASE_URL/scan" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $DARKRECON_API_KEY" \
  -d '{
    "keywords": ["john@example.com", "ShadowPlayer228"]
  }'
Example response: 
{
  "scan_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "status": "success",
  "total_breaches": 3
}

3) Start a domain scan

curl -X POST "$DARKRECON_BASE_URL/scan" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $DARKRECON_API_KEY" \
  -d '{
    "domain": "example.com"
  }'
Domain scans can include discovered_emails in the initial response when the service enumerates breached addresses before running the follow-on scan.

4) Retrieve full scan results

curl -X GET "$DARKRECON_BASE_URL/scan/YOUR_SCAN_ID" \
  -H "X-API-Key: $DARKRECON_API_KEY"
Example stored result: 
{
  "scan_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "keywords": ["john@example.com"],
  "domain": null,
  "total_breaches": 3,
  "status": "success",
  "created_at": "2026-03-30T10:30:00+00:00",
  "results": {
    "AlpineReplay": {
      "InfoLeak": "Description of the breach...",
      "NumOfResults": 1,
      "Data": [
        {
          "Email": "john@example.com",
          "Password(bcrypt)": "$2****************************xC",
          "FirstName": "John",
          "LastName": "Doe"
        }
      ]
    }
  }
}

5) Parse the result safely

  • total_breaches is the number of matched breach sources, not the total number of rows in all Data arrays.
  • results is keyed by breach database name.
  • Every source exposes InfoLeak, NumOfResults, and Data.
  • Records inside Data are source-specific and can have different field names across breaches.
  • Password-like values are masked in the API output.

Next steps

  • /darkrecon/api/start-scan
  • /darkrecon/api/get-scan-results
  • /darkrecon/schemas/scan-request
  • /darkrecon/schemas/scan-result
  • /darkrecon/schemas/http-validation-error