Base URL
Route every request through the single v2 entrypoint and choose a module with the path parameter.
Stolen
API v2 now tracks the current dashboard search modules, exposes their real option sets, and documents the publishable surface in one place. Combined Search remains a dashboard workflow built on top of these endpoints rather than a standalone public v2 path.
Overview
Every module below accepts both GET and POST. Use a bearer token with JSON, or send the key in the X-API-Key header.
Route every request through the single v2 entrypoint and choose a module with the path parameter.
Preferred: Authorization: Bearer <api_key>. Also supported: X-API-Key.
Use POST with JSON for stable integrations. Endpoint-specific parameters also accept their legacy generic aliases where documented.
Dashboard-only utilities like Combined Search are orchestration layers over the endpoints below. API-only modules such as Shodan are still documented here alongside the live dashboard-backed surface.
Dashboard + API modulesEndpoint Index
Each tile links to a full parameter reference and a ready-to-run cURL example.
osintcat
OsintCat breach and database-search endpoint.
osintcat-footprint
OsintCat email and username footprint checks.
snusbase
Auto-detected breach lookup through Snusbase.
eyeall
Eye-All auto-detected search.
reconly
Reconly search with the full mode selector from the dashboard.
intelx
IntelX SystemID lookup with provider selection.
intelbase
IntelBase family endpoint with the dashboard modes plus extended IntelBase functions.
inf0sec
Inf0sec with the full dashboard module list, including Discord.
stealerlogs
Cypher Dynamics / stealer logs lookup with dashboard and extended categories.
leakosint
LeakOSINT lookup with provider-side auto-detection.
akula
Akula enrichment lookup.
seeknow
SeekNow lookup with auto-detect or explicit type selection.
leaksight
LeakSight with dashboard types plus extended upstream modes.
osintdog
OsintDog lookup with provider-side email/username/IP detection.
breachbase
BreachBase credential lookup via osintdog.com/api/breachbase. Supports email and username searches.
intelvault
IntelVault breach and stealer-log search via osintdog.com/api/intelvault.
hackcheck
HackCheck lookup with explicit or inferred category.
breachdirectory
BreachDirectory lookup with explicit or inferred type.
leakcheck
LeakCheck Pro API v2 breach search by email, username, phone, or keyword.
seon
SEON email enrichment with risk scoring, domain intelligence, account aggregates, and breach history.
xosint
xOsint search.
hudsonrock
Hudson Rock infostealer exposure lookup.
antipublic
AntiPublic email-only credential leak search.
breachvip
BreachVIP search with explicit field selection, forced wildcard matching, and case-insensitive lookup.
Reference
OsintCat breach and database-search endpoint.
Parameters
queryRequiredSearch term passed to OsintCat.
osintcat_modeOptionalOsintCat function to run.
Available values
Notes
Matches the dashboard OsintCat mode selector.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=osintcat" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"osintcat_mode": "breach"
}'
OsintCat email and username footprint checks.
Parameters
queryRequiredEmail address or username to footprint.
footprint_typeOptionalFootprint endpoint to run.
Available values
Notes
Runs email-footprint for email mode and user-footprint for username mode.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=osintcat-footprint" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"footprint_type": "email"
}'
Auto-detected breach lookup through Snusbase.
Parameters
queryRequiredEmail, username, domain, password, or IP.
Notes
Queries Snusbase /data/search once using all supported search types: email, username, lastip, password, hash, name, and _domain.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=snusbase" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]"
}'
OsintBat lookup with the full upstream function list.
Parameters
queryRequiredSearch term for the selected OsintBat function.
osintbat_moduleOptionalSelects the OsintBat function.
Available values
Notes
Available via API only; not surfaced in the dashboard module picker.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=osintbat" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"osintbat_module": "email-breach"
}'
Eye-All auto-detected search.
Parameters
queryRequiredEmail, username, domain, IP, or free-form term.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=eyeall" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]"
}'
NoSINT search with explicit or inferred lookup type.
Parameters
queryRequiredValue to search in NoSINT.
nosint_typeOptionalOverrides auto-detection for NoSINT.
Available values
Notes
Non-IP NoSINT responses may be normalized from an upstream event stream.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=nosint" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"nosint_type": "email"
}'
Reconly search with the full mode selector from the dashboard.
Parameters
queryRequiredLookup value for the chosen Reconly mode.
reconly_modeOptionalReconly function to run.
Available values
Notes
If you omit the mode, API v2 uses the same auto-detection rules as the dashboard.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=reconly" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "octocat",
"reconly_mode": "github"
}'
IntelX SystemID lookup with provider selection.
Parameters
queryRequiredIntelX SystemID UUID.
intelx_providerOptionalIntelX upstream provider.
Available values
Notes
The endpoint is only returned for API keys with IntelX access enabled.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=intelx" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "06c4a463-3de7-4cc7-9ed8-cb63497919b2",
"intelx_provider": "provider1"
}'
IntelBase family endpoint with the dashboard modes plus extended IntelBase functions.
Parameters
queryRequiredLookup value for the selected IntelBase function.
intelbase_moduleOptionalSelects the IntelBase family function to execute.
Dashboard Search
Identity & Social
Bridges & Enrichment
BMW
Unified
Structured
Notes
NPD requests require key=value filters in the query string or JSON string, for example first_name=John&last_name=Doe&state=CA.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=intelbase" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"intelbase_module": "search_email"
}'
Inf0sec with the full dashboard module list, including Discord.
Parameters
queryRequiredLookup value for the selected Inf0sec module.
inf0sec_moduleOptionalSelects the Inf0sec module.
Available values
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=inf0sec" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"inf0sec_module": "leaks"
}'
Cypher Dynamics / stealer logs lookup with dashboard and extended categories.
Parameters
queryRequiredLookup value for the selected Cypher Dynamics category.
cypherdynamics_categoryOptionalSelects the Cypher Dynamics category.
Dashboard Categories
Extended Categories
Notes
You can call this path as either stealerlogs or cypher.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=stealerlogs" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"cypherdynamics_category": "email"
}'
LeakOSINT lookup with provider-side auto-detection.
Parameters
queryRequiredEmail, username, phone, domain, or IP.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=leakosint" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]"
}'
Akula enrichment lookup.
Parameters
queryRequiredLookup term passed to Akula.
Notes
The current upstream request is sent in email lookup mode.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=akula" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]"
}'
SeekNow lookup with auto-detect or explicit type selection.
Parameters
queryRequiredEmail, username, phone, IP, domain, name, hash, or URL.
seeknow_typeOptionalForces the SeekNow query type instead of auto-detection.
Available values
Notes
Leave seeknow_type unset for auto-detect; supply one of email, username, phone, ip, domain, name, hash, url to force a type.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=seeknow" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"seeknow_type": "email"
}'
LeakSight with dashboard types plus extended upstream modes.
Parameters
queryRequiredLookup value for the selected LeakSight type.
leaksight_typeOptionalSelects the LeakSight search type.
Dashboard Types
Extended Types
Notes
If you omit the type, API v2 infers it from the query value.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=leaksight" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"leaksight_type": "username"
}'
OsintDog lookup with provider-side email/username/IP detection.
Parameters
queryRequiredEmail, username, or IP.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=osintdog" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]"
}'
BreachBase credential lookup via osintdog.com/api/breachbase. Supports email and username searches.
Parameters
queryRequiredEmail or username to search.
breachbase_typeOptionalOverrides BreachBase search type auto-detection.
Available values
Notes
If you omit the type, API v2 infers email from the query value (falls back to username).
Returns breach credentials including email, username, password, and origin (source dataset).
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=breachbase" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"breachbase_type": "email"
}'
IntelVault breach and stealer-log search via osintdog.com/api/intelvault.
Parameters
queryRequiredSearch term for breaches or stealer logs.
intelbase_moduleOptionalIntelVault mode. Use stealer-logs or breaches_<field> (e.g. breaches_email).
Available values
intelvault_fieldOptionalBreach field when intelbase_module is breaches (without suffix).
Available values
Notes
Upstream is OsintDog IntelVault (POST https://osintdog.com/api/intelvault).
Breaches mode sends { type: "breaches", field: [{field: query}], useWildcard: true }.
Stealer-logs mode sends { type: "stealer-logs", query: "..." } and requires 4+ characters.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=intelvault" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"intelbase_module": "breaches_email"
}'
HackCheck lookup with explicit or inferred category.
Parameters
queryRequiredEmail, username, or password.
hackcheck_categoryOptionalOverrides HackCheck category auto-detection.
Available values
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=hackcheck" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"hackcheck_category": "email"
}'
BreachDirectory lookup with explicit or inferred type.
Parameters
queryRequiredEmail, username, or IP.
breachdirectory_typeOptionalOverrides BreachDirectory type auto-detection.
Available values
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=breachdirectory" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"breachdirectory_type": "email"
}'
LeakCheck Pro API v2 breach search by email, username, phone, or keyword.
Parameters
queryRequiredEmail address, username, phone number, or keyword (3+ characters).
leakcheck_typeOptionalOverrides LeakCheck search type auto-detection.
Available values
leakcheck_limitOptionalMaximum rows to return (1-1000).
leakcheck_offsetOptionalResult offset for pagination (0-2500).
Notes
Upstream is LeakCheck Pro API v2 (https://leakcheck.io/api/v2/query/{query}).
Plan-limited to email, username, phone, and keyword searches.
Type is auto-inferred from the query when leakcheck_type is omitted.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=leakcheck" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"leakcheck_type": "email"
}'
SEON email enrichment with risk scoring, domain intelligence, account aggregates, and breach history.
Parameters
queryRequiredEmail address to enrich.
Notes
Email-only enrichment. Upstream is SEON Email API v3.
Returns risk score, deliverability, domain WHOIS, social/account aggregates, and breach history.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=seon" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]"
}'
Infodra lookup with inferred category.
Parameters
queryRequiredEmail, username, or domain.
Notes
API v2 infers domain or login mode from the query.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=infodra" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "example.com"
}'
xOsint search.
Parameters
queryRequiredEmail, username, phone, or domain.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=xosint" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]"
}'
Hudson Rock infostealer exposure lookup.
Parameters
queryRequiredEmail address to search.
Notes
Current upstream flow is email-only.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=hudsonrock" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]"
}'
AntiPublic email-only credential leak search.
Parameters
queryRequiredEmail address to search in AntiPublic.
Notes
AntiPublic only supports email lookups. Results are returned as email:password pairs.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=antipublic" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]"
}'
BreachVIP search with explicit field selection, forced wildcard matching, and case-insensitive lookup.
Parameters
queryRequiredSearch term for the selected BreachVIP field set.
breachvip_fieldsOptionalSingle field, comma-separated list, or JSON array of BreachVIP fields. Supports dashboard-style single-field requests and API-style multi-field requests.
Available values
Notes
This endpoint matches the dashboard picker and combined search.
The Stolen integration always sends wildcard=true and case_sensitive=false to BreachVIP.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=breachvip" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "[email protected]",
"breachvip_fields": [
"email"
]
}'
Shodan host lookup.
Parameters
queryRequiredIP address to submit to Shodan.
Notes
Published in API v2 even though it is not part of the current dashboard module picker.
Example
curl -X POST "https://www.stolen.tax/api/v2/index.php?path=shodan" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"query": "8.8.8.8"
}'