Iris Enrich API Reference¶
Overview¶
The vast amount of data available in the Iris dataset for domain names makes it ideally suited to enrich proxy and DNS logs at scale across an organization. Typically this would be implemented in a SIEM solution, such as Splunk or QRadar, or a custom-built data analytics platform using open-source solutions like the ELK stack.
Key characteristics of the Iris Enrich API include:
- Enrich at least 6,000 domains per minute with multiple attributes, including:
- Domain risk scores from proximity and threat profile algorithms
- RDAP, Whois, IP, active DNS, website & SSL data
- Dedicated service levels for customized rate limiting
- Optimized for domain name enrichment – pivot parameters not available
API Endpoint¶
The API returns JSON results and supports both POST and GET requests at this endpoint:
Authentication¶
The Iris Enrich API uses the same authentication mechanisms as the Iris Investigate API (open-key or signed). However, unlike the Investigate API, the Iris Enrich API uses an independent service level to define access levels, query caps and rate limits. It does not pull from the same queries as the Iris Investigate UI and can therefore be used at much greater scale and throughput. That means the API endpoint must be explicitly configured on an enterprise account.
Parameters¶
Because the Iris Enrich API is optimized for fast responses and high volume lookups, it does not offer most of the search parameters available in the Iris Investigate API. Instead, simply provide a list of up to 100 domains in the domain parameter (comma separated). For example:
Response Format¶
The Iris Enrich API response format differs from the Investigate API in several key ways, including:
- Counts of connected domains are not included
- Most domain attribute values still appear under the “value” subkey for consistency with the Investigate API.
- An additional “missing_domains” key is included which lists any domains submitted in the domains parameter that were not found in the Iris dataset. This makes it easier to know if no data was available for one or more of the domains you requested in a batch query.
Retrieve Screenshots in Iris APIs¶
Retrieve the most recent screenshot for a given domain with Iris APIs in a two-step process:
Also consult the section on interpreting screenshot metadata, below.
1. Retrieve the Screenshot URL¶
Append queries with screenshots=1 to receive a screenshot JSON object in the response.
For example, the following Iris API queries (with header authentication) include screenshot requests.
Example Queries for Screenshot URL Retrieval¶
- Iris Detect:
https://api.domaintools.com/v1/iris-detect/domains/watched/?screenshots=1 - Iris Enrich:
https://api.domaintools.com/v1/iris-enrich/?domain=example.com&screenshots=1 - Iris Investigate:
https://api.domaintools.com/v1/iris-investigate/?domain=example.com&screenshots=1
Query Parameters for Screenshot URL Retrieval¶
| Query Parameter | Required | Type | Valid Values | Description | Example |
|---|---|---|---|---|---|
screenshots |
yes | flag (1) | 1 |
Triggers screenshot object in response. | screenshots=1 |
Response Fields for Screenshot URL Retrieval¶
| Output field | Type | Valid Values | Description | Example |
|---|---|---|---|---|
ip_address |
string | null | IP address | The IP address from which the screenshot was taken. | 212.129.31.169 |
last_attempt |
string | ISO 8601 date-time format | The date and time the screenshot was last attempted. | 2025-02-17T15:34:55Z |
last_seen |
string | ISO 8601 date-time format | The date and time the screenshot was last observed | 2025-02-17T15:34:55Z |
screenshot |
object | JSON object | Details about the screenshot. | |
src |
str | URL | Link to the screenshot. | https://screenshots.ne.domaintools.com/screenshot_image?s3v=1&rurl=http%3A%2F%2Fespn.com&ts=2024-03-28T21%3A48%3A37Z&token=dec12499e06b61d17175c683387307c9b751c71fbbbd797b8e094c2c288f2b31 |
timestamp |
string | ISO 8601 date-time format | The date and time the provided screenshot (in fullsize field) was obtained. |
2024-08-05T16:17:45Z |
Response Example for Screenshot URL Retrieval¶
"screenshot": {
"timestamp": "2025-03-07T19:53:44Z",
"src": "https://screenshots.ar.domaintools.com/screenshot_image?s3v=1&rurl=http%3A%2F%2Fdomaintools.com&ts=2025-03-07T19%3A53%3A44Z&token=2d6269e40f4bc48908b17d218e5647fc90c0034618e39ec20806910d3909785c",
"ip_address": "141.193.213.21",
"last_attempt": "2025-04-07T18:00:01Z",
"last_seen": "2025-04-07T18:00:01Z"
}
2. Retrieve and Optionally Resize the Screenshot Image via its URL¶
Use the src URL in the returned screenshot object to download the screenshot image. The URL already contains the required parameters domain, ts, rurl, and token. Optionally add resize_width and crop_height to resize the image.
Query Parameters for Screenshot Image File¶
| Query Parameter | Required | Type | Valid Values | Description | Example |
|---|---|---|---|---|---|
resize_width |
no | integer | Width in pixels | If the value is less than the width of the image, the image will be shrunk horizontally to the given resize_width, preserving the aspect ratio. | resize_width=500 |
crop_height |
no | integer | Height in pixels | If the value is less than the height of the image, the image will be cropped vertically to the given crop_height, removing pixels from the bottom of the image. | crop_height=500 |
Example Query for Screenshot Image File¶
api.domaintools.com/screenshot_image?domain=domaintools.com&ts=2025-04-30T14:32:10Z&resize_width=500&crop_height=500&rurl=https://www.domaintools.com/
Interpreting Screenshot Metadata¶
Use the last_attempt, last_seen, and timestamp to interpret the screenshot.
To confirm that the most recent screenshot was gathered during the current domain lifecycle—and isn't from an older, historic screenshot—compare the screenshot's timestamp with the domain's first_seen value in the API response. If the timestamp is later than first_seen, the screenshot was taken during the current domain lifecycle.
Initial capture¶
The screenshot was successfully captured during the first and only attempt. Since there have been no subsequent checks, all timestamp fields are identical.
Relationships: timestamp = last_seen = last_attempt
Response example:
"screenshot": {
"timestamp": "2025-05-12T14:38:19Z",
"src": "https://screenshots.ar.domaintools.com/screenshot_image?s3v=1&rurl=http%3A%2F%2Fxumi.fr&ts=2025-05-12T14%3A38%3A19Z&token=5fbd3aa604682d26d9f1f69810a87bfd75ea25e56eadb3553cefcff2ba804f28",
"ip_address": "76.76.21.21",
"last_attempt": "2025-05-12T14:38:19Z",
"last_seen": "2025-05-12T14:38:19Z"
}
Gather attempt was duplicate of initial screenshot¶
DomainTools re-checked a domain after previously taking an initial screenshot. The result was identical to the existing image and no new screenshot was generated.
Relationships: timestamp < last_seen = last_attempt
timestampremains unchanged, preserving the original capture time.last_attemptis updated to reflect the most recent screenshot check.last_seenis updated to indicate the most recent time the image was confirmed valid.- Because no new image was needed,
last_seenandlast_attemptare equal.
Response example:
"screenshot": {
"timestamp": "2025-05-12T10:10:49Z",
"src": "https://screenshots.ar.domaintools.com/screenshot_image?s3v=1&rurl=http%3A%2F%2Fdomaintools.co.in&ts=2025-05-12T10%3A10%3A49Z&token=28d255010a09d1cc8a3326e1c1406971910293f09ddac0159eb35391f705be57",
"ip_address": "104.219.250.192",
"last_attempt": "2025-05-13T17:16:34Z",
"last_seen": "2025-05-13T17:16:34Z"
}
Recapture failed after previous successful capture¶
DomainTools successfully captured a screenshot on a previous attempt. The next attempt to capture the screenshot failed — the system was unable to retrieve a new image and could not confirm whether the content had changed.
Relationships: timestamp = last_seen, and last_seen < last_attempt
timestampreflects the time the screenshot was originally captured.last_seenis equal totimestamp, because that was the last time a screenshot was successfully observedlast_attemptis more recent thanlast_seen, but the attempt failed
Response example:
"screenshot": {
"timestamp": "2023-12-19T22:17:10Z",
"src": "https://screenshots.ar.domaintools.com/screenshot_image?s3v=1&rurl=http%3A%2F%2Ffixhelpdesk.com&ts=2023-12-19T22%3A17%3A10Z&token=8cd6edb822594a0aa485e72f5cbb5414a73b657f7438b770844f46fe886c4ea9",
"ip_address": "91.195.240.19",
"last_attempt": "2025-05-13T10:25:04Z",
"last_seen": "2023-12-19T22:17:10Z"
}
Duplicate capture followed by failed attempt¶
A screenshot was captured, and subsequently re-captured as a duplicate. A subsequent attempt to refresh the (duplicate) screenshot failed.
Relationships: timestamp < last_seen, and last_seen < last_attempt
timestampreflects the original screenshot datelast_seenis later thantimestamp, indicating the image was revalidated as a duplicate on a later datelast_attemptreflects a more recent failed attempt to recapture the screenshot
Example response:
"screenshot": {
"timestamp": "2022-07-02T10:03:43Z",
"src": "https://screenshots.ar.domaintools.com/screenshot_image?s3v=1&rurl=http%3A%2F%2Fdomaintools.ca&ts=2022-07-02T10%3A03%3A43Z&token=6fa06c07ff1b7206ae8f38aadaf4e11b8cf538b7625944e2813a72ebec2c6648",
"ip_address": "158.85.87.76",
"last_attempt": "2025-05-13T10:12:04Z",
"last_seen": "2024-05-22T10:11:09Z"
}
Working with RDAP and WHOIS Registration Data¶
Domain registries and registrars are transitioning from WHOIS to the Registration Data Access Protocol (RDAP) as a method to communicate domain registration data.
In response, DomainTools is updating the Iris suite to support both WHOIS and RDAP registration data. These updates will be available in January 2025, prior to the date at which ICANN will permit gTLD registries and registrars to sunset WHOIS in their Registration Data Directory Services (RDDS).
Note that these changes apply to the subset of registration data and not other domain records provided in the responses.
New, Backward-Compatible Response Structure¶
Set parameters for parsed_whois=true and/or parsed_domain_rdap=true to return the parsed WHOIS and/or parsed RDAP record along with the default response. For example, a default query:
This query returns standard registration data as part of the response root fields. Registration data is from either RDAP or WHOIS, depending on which record is more complete. Registration data is included at the same level as other domain data. For example:
response:
limit_exceeded
has_more_results
message
result_count
total_count
results
domain
whois_url
adsense
alexa
popularity_rank
...
Include RDAP-specific and/or Whois-specific fields as their own objects, in addition to the regular response. For example, the same query but with both the full WHOIS and RDAP records specified:
https://api.domaintools.com/v1/iris-enrich/?domain=github.com&parsed_whois=true&parsed_domain_rdap=true&api_username=USERNAME&api_key=KEY
Registration data is included as before, but with additional root-level fields for parsed_whois and parsed_domain_rdap:
response:
limit_exceeded
has_more_results
message
result_count
total_count
results
domain
whois_url
adsense
alexa
popularity_rank
...
parsed_whois # PARSED WHOIS FIELD
registrant contact
...
parsed_domain_rdap # PARSED RDAP FIELD
admin_contact
...
New, Backward-Compatible Response Field: Registrar IANA ID¶
The domain registrar's IANA ID is included in the RDAP object when the parsed_domain_rdap=true parameter is used in an API request.