Documentation menu

Docs

Domain Monitoring

Read leaked-credential and dark-web findings for monitored domains, and work domain alerts (acknowledge / resolve).

Read leaked-credential and dark-web findings for monitored domains, and work domain alerts (acknowledge / resolve). All reads require whmcs_customer_id and return only that customer's domains.

List monitored domains

GET/api/v1/domains
Auth: Bearer API keyRate limit: 60 requests / minute per API key

List a customer's monitored domains with their latest leak counts, plus how many domain slots the customer has used. When the customer has no domain-monitoring subscription, the response instead describes the product (subscribed: false).

Query parameters

NameTypeRequiredNotes
whmcs_customer_idintegerRequiredThe customer whose domains to list.
Example request
curl -X GET 'https://portal.example.com/api/v1/domains?whmcs_customer_id=1042' \
  -H 'Authorization: Bearer $AEGIS_API_KEY'
Response: 200
{
  "success": true,
  "data": {
    "subscribed": true,
    "domains": [
      {
        "id": "5e4d3c2b-1a0f-4e9d-8c7b-6a5f4e3d2c1b",
        "domain": "example.com",
        "status": "active",
        "scan_status": "completed",
        "last_scan_at": "2026-07-11T22:00:00+00:00",
        "employees_compromised": 2,
        "customers_compromised": 14,
        "third_parties_compromised": 5,
        "dark_web_mentions_count": 3,
        "portal_detail_path": "/domains/5e4d3c2b-1a0f-4e9d-8c7b-6a5f4e3d2c1b"
      }
    ],
    "slots_used": 1,
    "slots_total": 5,
    "portal_add_path": "/domains"
  },
  "meta": {
    "version": "v1",
    "timestamp": "2026-07-12T09:30:00+00:00"
  }
}

Errors

CodeStatusMeaning
TENANT_NOT_FOUND401The API key did not resolve to an account.

Domain summary

GET/api/v1/domains/{id}/summary
Auth: Bearer API keyRate limit: 60 requests / minute per API key

One domain's monitoring status in a single call: scan state, compromised-credential counts per category, dark-web mention count, password-strength summary and slot usage.

  • password_strength is null until enough leak data exists to summarize.

Query parameters

NameTypeRequiredNotes
whmcs_customer_idintegerRequiredThe customer who owns the domain.
Example request
curl -X GET 'https://portal.example.com/api/v1/domains/4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a/summary?whmcs_customer_id=1042' \
  -H 'Authorization: Bearer $AEGIS_API_KEY'
Response: 200
{
  "success": true,
  "data": {
    "id": "5e4d3c2b-1a0f-4e9d-8c7b-6a5f4e3d2c1b",
    "domain": "example.com",
    "status": "active",
    "scan_status": "completed",
    "last_scan_at": "2026-07-11T22:00:00+00:00",
    "dark_web_last_scan_at": "2026-07-11T22:05:00+00:00",
    "employees_compromised": 2,
    "customers_compromised": 14,
    "third_parties_compromised": 5,
    "dark_web_mentions_count": 3,
    "password_strength": null,
    "slots_used": 1,
    "slots_total": 5,
    "portal_detail_path": "/domains/5e4d3c2b-1a0f-4e9d-8c7b-6a5f4e3d2c1b",
    "created_at": "2026-06-15T10:00:00+00:00"
  },
  "meta": {
    "version": "v1",
    "timestamp": "2026-07-12T09:30:00+00:00"
  }
}

Errors

CodeStatusMeaning
TENANT_NOT_FOUND401The API key did not resolve to an account.
DOMAIN_NOT_FOUND404No monitored domain with that ID belongs to the customer.

List domain alerts

GET/api/v1/domains/{id}/alerts
Auth: Bearer API keyRate limit: 60 requests / minute per API key

Page through a domain's leak alerts. Filter by status, type (credential leak vs dark-web mention), category or severity.

Query parameters

NameTypeRequiredNotes
whmcs_customer_idintegerRequiredThe customer who owns the domain.
statusstringOptionalFilter by alert status.one of: open, acknowledged, resolved
typestringOptionalFilter by finding type.one of: credential_leak, dark_web_mention
categorystringOptionalFilter by who was compromised.one of: employees, customers, third_parties
severitystringOptionalFilter by severity.one of: critical, high, medium
per_pageintegerOptionalPage size (max 50).min:1 · max:50
pageintegerOptionalPage number.min:1
Example request
curl -X GET 'https://portal.example.com/api/v1/domains/4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a/alerts?whmcs_customer_id=1042&status=open&type=credential_leak&category=employees&severity=critical&per_page=25&page=1' \
  -H 'Authorization: Bearer $AEGIS_API_KEY'
Response: 200
{
  "success": true,
  "data": {
    "alerts": [
      {
        "id": "6f5e4d3c-2b1a-4f0e-9d8c-7b6a5f4e3d2c",
        "monitored_domain_id": "5e4d3c2b-1a0f-4e9d-8c7b-6a5f4e3d2c1b",
        "domain": "example.com",
        "type": "credential_leak",
        "category": "employees",
        "severity": "critical",
        "new_count": 2,
        "previous_count": 0,
        "status": "open",
        "details": null,
        "created_at": "2026-07-11T22:10:00+00:00",
        "acknowledged_at": null,
        "resolved_at": null
      }
    ],
    "total": 1,
    "current_page": 1,
    "last_page": 1,
    "has_more": false
  },
  "meta": {
    "version": "v1",
    "timestamp": "2026-07-12T09:30:00+00:00"
  }
}

Errors

CodeStatusMeaning
TENANT_NOT_FOUND401The API key did not resolve to an account.
DOMAIN_NOT_FOUND404No monitored domain with that ID belongs to the customer.

Get a domain alert

GET/api/v1/domains/{id}/alerts/{alertId}
Auth: Bearer API keyRate limit: 60 requests / minute per API key

Fetch one domain alert with a plain-language explanation of what the finding means.

Query parameters

NameTypeRequiredNotes
whmcs_customer_idintegerRequiredThe customer who owns the domain.
Example request
curl -X GET 'https://portal.example.com/api/v1/domains/4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a/alerts/6f5e4d3c-2b1a-4f0e-9d8c-7b6a5f4e3d2c?whmcs_customer_id=1042' \
  -H 'Authorization: Bearer $AEGIS_API_KEY'
Response: 200
{
  "success": true,
  "data": {
    "alert": {
      "id": "6f5e4d3c-2b1a-4f0e-9d8c-7b6a5f4e3d2c",
      "monitored_domain_id": "5e4d3c2b-1a0f-4e9d-8c7b-6a5f4e3d2c1b",
      "domain": "example.com",
      "type": "credential_leak",
      "category": "employees",
      "severity": "critical",
      "new_count": 2,
      "previous_count": 0,
      "status": "open",
      "details": null,
      "explanation": "Two staff accounts on example.com appeared in a new credential dump…",
      "created_at": "2026-07-11T22:10:00+00:00",
      "acknowledged_at": null,
      "resolved_at": null
    }
  },
  "meta": {
    "version": "v1",
    "timestamp": "2026-07-12T09:30:00+00:00"
  }
}

Errors

CodeStatusMeaning
TENANT_NOT_FOUND401The API key did not resolve to an account.
DOMAIN_NOT_FOUND404No monitored domain with that ID belongs to the customer.
ALERT_NOT_FOUND404No alert with that ID on this domain.

List dark-web mentions

GET/api/v1/domains/{id}/dark-web-mentions
Auth: Bearer API keyRate limit: 60 requests / minute per API key

Page through dark-web posts and listings that mention the domain. Filter to only new (unseen) mentions with is_new.

Query parameters

NameTypeRequiredNotes
whmcs_customer_idintegerRequiredThe customer who owns the domain.
is_newbooleanOptionalOnly mentions not seen before.
per_pageintegerOptionalPage size (max 50).min:1 · max:50
pageintegerOptionalPage number.min:1
Example request
curl -X GET 'https://portal.example.com/api/v1/domains/4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a/dark-web-mentions?whmcs_customer_id=1042&is_new=true&per_page=25&page=1' \
  -H 'Authorization: Bearer $AEGIS_API_KEY'
Response: 200
{
  "success": true,
  "data": {
    "mentions": [
      {
        "id": "7a6b5c4d-3e2f-4a1b-8c9d-0e1f2a3b4c5e",
        "title": "Combo list mentioning example.com",
        "content_preview": "…credentials for example.com users…",
        "source_name": "forum",
        "author": "unknown",
        "published_at": "2026-07-10T00:00:00+00:00",
        "is_new": true,
        "created_at": "2026-07-11T22:05:00+00:00"
      }
    ],
    "total": 1,
    "current_page": 1,
    "last_page": 1,
    "has_more": false
  },
  "meta": {
    "version": "v1",
    "timestamp": "2026-07-12T09:30:00+00:00"
  }
}

Errors

CodeStatusMeaning
TENANT_NOT_FOUND401The API key did not resolve to an account.
DOMAIN_NOT_FOUND404No monitored domain with that ID belongs to the customer.

List credential leaks

GET/api/v1/domains/{id}/credential-leaks
Auth: Bearer API keyRate limit: 60 requests / minute per API key

Page through the individual leaked-credential records behind a domain's counts, optionally filtered by category. Backed by the upstream breach dataset. Record fields vary by source dump.

  • enabled: false means the upstream credential dataset is not configured for this platform.
  • If the upstream dataset is temporarily unreachable, the endpoint returns HTTP 503 with success: true, empty items and an error message in data.

Query parameters

NameTypeRequiredNotes
whmcs_customer_idintegerRequiredThe customer who owns the domain.
categorystringOptionalFilter by who was compromised.one of: employees, customers, third_parties
pageintegerOptionalPage number (50 records per page).min:1
Example request
curl -X GET 'https://portal.example.com/api/v1/domains/4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a/credential-leaks?whmcs_customer_id=1042&category=employees&page=1' \
  -H 'Authorization: Bearer $AEGIS_API_KEY'
Response: 200
{
  "success": true,
  "data": {
    "enabled": true,
    "items": [],
    "total": 0,
    "page": 1,
    "page_size": 50
  },
  "meta": {
    "version": "v1",
    "timestamp": "2026-07-12T09:30:00+00:00"
  }
}

Errors

CodeStatusMeaning
TENANT_NOT_FOUND401The API key did not resolve to an account.
DOMAIN_NOT_FOUND404No monitored domain with that ID belongs to the customer.

Domain scan history

GET/api/v1/domains/{id}/scan-history
Auth: Bearer API keyRate limit: 60 requests / minute per API key

The domain's last 25 leak scans, newest first, with compromised-credential counts per category at each scan.

Query parameters

NameTypeRequiredNotes
whmcs_customer_idintegerRequiredThe customer who owns the domain.
Example request
curl -X GET 'https://portal.example.com/api/v1/domains/4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a/scan-history?whmcs_customer_id=1042' \
  -H 'Authorization: Bearer $AEGIS_API_KEY'
Response: 200
{
  "success": true,
  "data": {
    "scans": [
      {
        "id": "8b7a6c5d-4e3f-4a2b-9c8d-7e6f5a4b3c2e",
        "status": "completed",
        "employees_compromised": 2,
        "customers_compromised": 14,
        "third_parties_compromised": 5,
        "created_at": "2026-07-11T22:00:00+00:00"
      }
    ]
  },
  "meta": {
    "version": "v1",
    "timestamp": "2026-07-12T09:30:00+00:00"
  }
}

Errors

CodeStatusMeaning
TENANT_NOT_FOUND401The API key did not resolve to an account.
DOMAIN_NOT_FOUND404No monitored domain with that ID belongs to the customer.

Acknowledge a domain alert

POST/api/v1/domains/{id}/alerts/{alertId}/acknowledge
Auth: Bearer API keyRate limit: 60 requests / minute per API key

Mark a domain alert as seen. Acknowledging is required before the alert can be resolved.

Body parameters

NameTypeRequiredNotes
whmcs_customer_idintegerRequiredThe customer acknowledging the alert.
Example request
curl -X POST 'https://portal.example.com/api/v1/domains/4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a/alerts/6f5e4d3c-2b1a-4f0e-9d8c-7b6a5f4e3d2c/acknowledge' \
  -H 'Authorization: Bearer $AEGIS_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
  "whmcs_customer_id": 1042
}'
Response: 200
{
  "success": true,
  "data": {
    "message": "Alert acknowledged.",
    "alert": {
      "id": "6f5e4d3c-2b1a-4f0e-9d8c-7b6a5f4e3d2c",
      "status": "acknowledged",
      "acknowledged_at": "2026-07-12T09:30:00+00:00"
    }
  },
  "meta": {
    "version": "v1",
    "timestamp": "2026-07-12T09:30:00+00:00"
  }
}

Errors

CodeStatusMeaning
TENANT_NOT_FOUND401The API key did not resolve to an account.
DOMAIN_NOT_FOUND404No monitored domain with that ID belongs to the customer.
ALERT_NOT_FOUND404No alert with that ID on this domain.
ALERT_ALREADY_RESOLVED422The alert is already resolved.
USER_NOT_FOUND500The customer has no portal account yet. Provision one first.

Resolve a domain alert

POST/api/v1/domains/{id}/alerts/{alertId}/resolve
Auth: Bearer API keyRate limit: 60 requests / minute per API key

Mark an acknowledged domain alert as resolved, typically after forcing password resets for the affected accounts.

Body parameters

NameTypeRequiredNotes
whmcs_customer_idintegerRequiredThe customer resolving the alert.
Example request
curl -X POST 'https://portal.example.com/api/v1/domains/4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a/alerts/6f5e4d3c-2b1a-4f0e-9d8c-7b6a5f4e3d2c/resolve' \
  -H 'Authorization: Bearer $AEGIS_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
  "whmcs_customer_id": 1042
}'
Response: 200
{
  "success": true,
  "data": {
    "message": "Alert resolved.",
    "alert": {
      "id": "6f5e4d3c-2b1a-4f0e-9d8c-7b6a5f4e3d2c",
      "status": "resolved",
      "resolved_at": "2026-07-12T09:30:00+00:00"
    }
  },
  "meta": {
    "version": "v1",
    "timestamp": "2026-07-12T09:30:00+00:00"
  }
}

Errors

CodeStatusMeaning
TENANT_NOT_FOUND401The API key did not resolve to an account.
DOMAIN_NOT_FOUND404No monitored domain with that ID belongs to the customer.
ALERT_NOT_FOUND404No alert with that ID on this domain.
ALERT_NOT_ACKNOWLEDGED422The alert must be acknowledged before it can be resolved.
USER_NOT_FOUND500The customer has no portal account yet. Provision one first.

Compiled from the AegisWhite platform (build 6bffe04, module v1.7.3, 2026-07-14).