Iris API

Quick start with Python

Our Python SDK provides native support for this API. Install it with: pip install domaintools_api --upgrade

The Iris API suite provides programmatic access to DomainTools' comprehensive threat intelligence platform. The Iris APIs are organized into three distinct products, each designed for specific security workflows:

  • Iris Investigate API: Deep domain analysis and infrastructure mapping
  • Iris Enrich API: High-volume domain enrichment for SIEM and SOAR platforms
  • Iris Detect API: Automated lookalike domain discovery and monitoring

Iris Investigate API

The Iris Investigate API enables deep domain analysis and infrastructure mapping at human scale. Search and pivot across dozens of domain attributes to uncover connected infrastructure and map adversary operations.

Key capabilities:

  • Comprehensive domain profiles with dozens of attributes
  • Pivot searches by identity, IP, name server, mail server, SSL/TLS certificate, and more
  • Guided pivot counts to identify meaningful connections
  • Domain tagging and search hash integration with the Iris Investigate UI
  • Monitor newly active domains matching specific criteria

Ideal for: Threat hunters, incident responders, and security analysts conducting manual investigations or building custom threat intelligence workflows that require deep domain context and relationship mapping.

Iris Investigate API Guide

Iris Enrich API

The Iris Enrich API provides high-volume domain enrichment optimized for batch processing and fast response times. Enrich up to 100 domains per request with actionable threat intelligence and domain metadata.

Key capabilities:

  • Batch enrichment of up to 100 domains per request
  • Domain risk scores, RDAP, WHOIS, IP, DNS, website, and SSL/TLS certificate data
  • Optimized for SIEM and SOAR platform integration
  • Independent rate limits designed for high-volume workflows
  • Fast response times for real-time enrichment

Ideal for: Security teams integrating domain intelligence into SIEM solutions like Splunk or QRadar, SOAR platforms, or custom data analytics pipelines that process large volumes of domain data.

Iris Enrich API Guide

Iris Detect API

The Iris Detect API enables automated workflows for discovering and triaging lookalike domains that impersonate your brands, partners, or infrastructure.

Key capabilities:

  • Retrieve newly discovered domains matching your monitors
  • Query watched domains and track infrastructure changes
  • Programmatically add domains to watchlists or mark them as ignored
  • Escalate domains for blocking or submission to Google Web Risk
  • Filter and search across all monitors or specific monitors

Ideal for: Brand protection teams, security operations centers, and threat intelligence analysts who need to automate detection and response to domain impersonation attacks.

Iris Detect API Guide

Quick Start

All Iris APIs follow a RESTful URL structure and share common authentication mechanisms. Each product offers free, unauthenticated access to the sample URLs listed in its guide.

Authentication

The Iris APIs support multiple authentication methods:

  • Header authentication (recommended)
  • Open-key authentication
  • Signed authentication (HMAC)

View authentication details

Get Access

Iris APIs are available as part of DomainTools Enterprise accounts. Contact us to discuss pricing and access levels for your organization.

Additional resources