Detect, Remediate, and Investigate Identity Threats
with SpyCloud APIs

Layer SpyCloud into your preferred security tools & workflows – SpyCloud’s high-volume, flexible APIs deliver recaptured malware, phishing, combolist, and breach data directly into the tools and systems your security teams already use.

Get started today powering custom workflows that accelerate cybercrime investigations and prevent identity-based attacks across your workforce and customer base.



{
  "cursor": "",
  "hits": 4,
  "results": [
    {
      "username": "jamiemendez",
      "domain": "example.com",
      "password": "$826y4$31226$dYbW2Qf1eM3zbNek4N0G",
      "severity": 5,
      "spycloud_publish_date": "2025-05-01T00:00:00Z",
      "sighting": 1,
      "email_domain": "example.com",
      "source_id": 4452,
      "password_type": "bcrypt",
      "email": "test@example.com"
    },
    {
      "domain": "example.com",
      "password": "123456",
      "severity": 20,
      "spycloud_publish_date": "2025-05-01T00:00:00Z",
      "password_plaintext": "123456",
      "full_name": "Jim McGee",
      "email_domain": "example.com",
      "source_id": 12,
      "password_type": "plaintext",
      "email": "test@example.com",
      "sighting": 1
    }
  ]
}

Built for developers, backed by cybersecurity experts

Designed for speed and reliability, SpyCloud APIs deliver the data you need to protect what matters most. Centralize critical identity exposure insights and make informed decisions.
Identity data where & when you need it

Query SpyCloud APIs to integrate the world’s largest collection of recaptured malware, phishing, combolist, and breach data into your current workflows and processes.

High-volume APIs built for enterprise scale
SpyCloud’s high-volume, REST-based APIs allow you to scale identity threat protection at your pace – connecting across your preferred tech stack, including EDRs, SIEMs, SOARs, and IdPs.
Reliable, available, and always supported
Experience 99.9% uptime, SLA-backed availability, and a dedicated technical support team so you can focus on protecting the identities that matter most – your employees and customers.

The SpyCloud API was super easy to integrate. It took a day and a half for our engineers, and then it was just up and running. We’ve had the integration in place for a year now and had zero issues, zero downtime. On the technology side, it’s an enterprise-grade API for us.

Integrate SpyCloud APIs with top cybersecurity and technology solutions in your stack

Our APIs integrate directly into your stack – from Okta and CrowdStrike to Splunk and Sentinel.

IDENTITY PROVIDERS

Automate remediation for identity exposures within 5 minutes from discovery

ENDPOINT SECURITY

Detect and respond to malware infections that bypass EDR solutions

SIEM

Prioritize alerts with enhanced data correlation to act on employee identity exposures

SOAR

Run ready-to-use incident response playbooks or enrich decisions with exposed identity data

OSINT

Combine SpyCloud data with valuable third-party data to increase accuracy and speed of cybercrime investigations

Identity threat protection APIs for any use case

Protect what your team is responsible for – workforce, suppliers, contractors, and consumers – from identity-based attacks


Enterprise Protection APIs

SpyCloud delivers actionable malware, phishing, combolist, and breach data, integrating into your existing security workflows or systems to reduce enterprise risk – so you can act on known points of compromise and prevent targeted identity attacks.

Workforce Threat Protection

Reset exposed employee identities early in the attack lifecycle, shutting down criminal entry points

Endpoint Threat Protection
Extend malware detection to devices outside corporate control to gain visibility into all exposed applications and entry points that could lead to follow-on attacks

Consumer Protection APIs

Integrate SpyCloud’s easy-to-use APIs into your current applications and services to detect exposed users, PII, and other forms of identity data, and to combat authentication bypass and account takeover fraud that lead to revenue loss, decreased customer trust, and poor brand reputation.

Consumer Threat Protection
Strengthen account security and reduce account takeover fraud across the customer lifecycle
Session Identity Protection

Stop session hijacking by remediating stolen cookies that often bypass MFA


Cybercrime Investigations APIs

SpyCloud accelerates investigations with automated analysis of connected identity assets – uncovering hidden threats to accelerate remediation.
Cybercrime Investigations
Supercharge investigations and remove roadblocks with identity analytics that unmask threat actors

Easy API implementation from day one

Looking to get started with SpyCloud APIs or need support for building your custom workflow? Every SpyCloud license includes access to:

API key generation in your SpyCloud Portal

Detailed API documentation and developer guides

Hands-on support from your dedicated Technical Account Manager

SPYCLOUD CONNECT

Strapped for resources? Let SpyCloud do the heavy lifting to get our data where and when you need it.

We’ll build custom automation workflows for your teams with SpyCloud Connect, our hosted automation service that creates, maintains, and supports custom workflows with almost any technology vendor.
SpyCloud Connect reference architecture

Start automating identity remediation with SpyCloud APIs today

Identity Threat Data API FAQs

SpyCloud APIs return recaptured identity data across four primary source types: third-party breach credentials, including breach source details and plaintext passwords; infostealer malware logs, including credential counts, cookie counts, PII, device fingerprints, and application access data; phishing capture data, including credentials and session artifacts from successful phishing attacks; and combolists, including repackaged credential sets aggregated from multiple breach and malware sources. The primary API endpoints support queries by email address, username, phone number, IP address, and domain.

SpyCloud continuously ingests and processes more than 25 billion pieces of stolen identity data every month, with new data typically published to the API within days of appearing in criminal markets. Breach data and phishing captures are processed and available within days of recapture. Infostealer malware logs are processed within hours to days. This means API consumers receive exposure data in the same general timeframe that criminal operators are acquiring and testing it, often before it has been weaponized in a targeted attack.

SpyCloud APIs offer 99.9% uptime with SLA-backed availability. Every SpyCloud license includes API key generation in the SpyCloud portal, detailed API documentation and developer guides, and hands-on support from a dedicated Technical Account Manager. One customer, a global fintech company, described the integration as taking a day and a half for their engineers, with zero issues and zero downtime over a year of use in production.

SpyCloud offers separate API endpoints optimized for each use case. Enterprise Protection APIs deliver breach, malware, phishing, and combolist data mapped to employee and contractor identities, designed for integration into IAM, SIEM, and SOAR tools for workforce credential monitoring and automated remediation. Consumer Protection APIs include the User Exposure API for real-time login risk checking, the Password Exposure API for k-anonymity password validation at account creation and login, and the Consumer IDLink API for holistic identity correlation used in synthetic identity detection and high-risk account screening.

The SpyCloud API gives engineering teams direct programmatic access to SpyCloud’s recaptured darknet identity data, enabling them to build and maintain custom integrations and workflows. SpyCloud Connect is a managed service where SpyCloud’s engineers design, build, and maintain custom workflows on the customer’s behalf, without requiring any engineering resources from the customer. Teams with engineering capacity and custom workflow requirements typically use the API directly. Teams without engineering bandwidth, or with integration requirements that go beyond what the standard API enables, use SpyCloud Connect.
