Search Credentials

Credentials Global Search

curl --request POST \
  --url https://api.flare.io/firework/v4/credentials/global/_search \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "query": {
    "type": "<string>",
    "fqdn": "<string>"
  },
  "filters": {
    "imported_at": {
      "gte": "2023-11-07T05:31:56Z",
      "lte": "2023-11-07T05:31:56Z"
    }
  },
  "from": "<string>",
  "size": 10,
  "include": [
    "known_password_id"
  ],
  "order": "desc"
}
'

{
    "items": [
        {
            "domain": "scatterholt.com",
            "hash": "B@dPassw0rd",
            "hash_type": null,
            "id": 33880703907,
            "identity_name": "ryan.howard@scatterholt.com",
            "imported_at": "2024-07-22T19:25:52.893439+00:00",
            "known_password_id": null,
            "source": {
                "breached_at": null,
                "description_en": "Collection of multiple combo lists (emails and passwords) exchanged on illicit networks.",
                "description_fr": "Collection de multiples listes \"combos\" (adresses courriel et mots de passe) \u00e9chang\u00e9es sur des r\u00e9seaux illicites.",
                "id": "combolists",
                "is_alert_enabled": true,
                "leaked_at": null,
                "name": "Combolists"
            },
            "source_id": "combolists"
        },
        {
            "domain": "scatterholt.com",
            "hash": "1qaz2wsx",
            "hash_type": "unknown",
            "id": 33880703906,
            "identity_name": "ryan.howard@scatterholt.com",
            "imported_at": "2024-07-22T19:25:52.893439+00:00",
            "known_password_id": null,
            "source": {
                "breached_at": null,
                "description_en": "Collection of multiple combo lists (emails and passwords) exchanged on illicit networks.",
                "description_fr": "Collection de multiples listes \"combos\" (adresses courriel et mots de passe) \u00e9chang\u00e9es sur des r\u00e9seaux illicites.",
                "id": "combolists",
                "is_alert_enabled": true,
                "leaked_at": null,
                "name": "Combolists"
            },
            "source_id": "combolists"
        }
    ],
    "next": "WyJjb20uc2NhdHRlcmhvbHQiLCAxNjczNjg4ODg4NV0"
}

POST

firework

credentials

global

_search

Credentials Global Search

curl --request POST \
  --url https://api.flare.io/firework/v4/credentials/global/_search \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "query": {
    "type": "<string>",
    "fqdn": "<string>"
  },
  "filters": {
    "imported_at": {
      "gte": "2023-11-07T05:31:56Z",
      "lte": "2023-11-07T05:31:56Z"
    }
  },
  "from": "<string>",
  "size": 10,
  "include": [
    "known_password_id"
  ],
  "order": "desc"
}
'

{
    "items": [
        {
            "domain": "scatterholt.com",
            "hash": "B@dPassw0rd",
            "hash_type": null,
            "id": 33880703907,
            "identity_name": "ryan.howard@scatterholt.com",
            "imported_at": "2024-07-22T19:25:52.893439+00:00",
            "known_password_id": null,
            "source": {
                "breached_at": null,
                "description_en": "Collection of multiple combo lists (emails and passwords) exchanged on illicit networks.",
                "description_fr": "Collection de multiples listes \"combos\" (adresses courriel et mots de passe) \u00e9chang\u00e9es sur des r\u00e9seaux illicites.",
                "id": "combolists",
                "is_alert_enabled": true,
                "leaked_at": null,
                "name": "Combolists"
            },
            "source_id": "combolists"
        },
        {
            "domain": "scatterholt.com",
            "hash": "1qaz2wsx",
            "hash_type": "unknown",
            "id": 33880703906,
            "identity_name": "ryan.howard@scatterholt.com",
            "imported_at": "2024-07-22T19:25:52.893439+00:00",
            "known_password_id": null,
            "source": {
                "breached_at": null,
                "description_en": "Collection of multiple combo lists (emails and passwords) exchanged on illicit networks.",
                "description_fr": "Collection de multiples listes \"combos\" (adresses courriel et mots de passe) \u00e9chang\u00e9es sur des r\u00e9seaux illicites.",
                "id": "combolists",
                "is_alert_enabled": true,
                "leaked_at": null,
                "name": "Combolists"
            },
            "source_id": "combolists"
        }
    ],
    "next": "WyJjb20uc2NhdHRlcmhvbHQiLCAxNjczNjg4ODg4NV0"
}

This endpoint is subject to quotas and is subject to the Search ratelimiting tier. See Rate Limits and Quotas .

Flare supports searching in credentials via two endpoints:

The Global Credentials Search endpoint : This endpoint counts towards your global search quota.
The ASTP Credentials Search Endpoint : This endpoint does not count towards your search quota but requires ASTP to be enabled on your account. For more information about ASTP, contact your Customer Success Manager.

Returns a list of credentials matching the query provided.

{
    "items": [
        {
            "domain": "scatterholt.com",
            "hash": "B@dPassw0rd",
            "hash_type": null,
            "id": 33880703907,
            "identity_name": "ryan.howard@scatterholt.com",
            "imported_at": "2024-07-22T19:25:52.893439+00:00",
            "known_password_id": null,
            "source": {
                "breached_at": null,
                "description_en": "Collection of multiple combo lists (emails and passwords) exchanged on illicit networks.",
                "description_fr": "Collection de multiples listes \"combos\" (adresses courriel et mots de passe) \u00e9chang\u00e9es sur des r\u00e9seaux illicites.",
                "id": "combolists",
                "is_alert_enabled": true,
                "leaked_at": null,
                "name": "Combolists"
            },
            "source_id": "combolists"
        },
        {
            "domain": "scatterholt.com",
            "hash": "1qaz2wsx",
            "hash_type": "unknown",
            "id": 33880703906,
            "identity_name": "ryan.howard@scatterholt.com",
            "imported_at": "2024-07-22T19:25:52.893439+00:00",
            "known_password_id": null,
            "source": {
                "breached_at": null,
                "description_en": "Collection of multiple combo lists (emails and passwords) exchanged on illicit networks.",
                "description_fr": "Collection de multiples listes \"combos\" (adresses courriel et mots de passe) \u00e9chang\u00e9es sur des r\u00e9seaux illicites.",
                "id": "combolists",
                "is_alert_enabled": true,
                "leaked_at": null,
                "name": "Combolists"
            },
            "source_id": "combolists"
        }
    ],
    "next": "WyJjb20uc2NhdHRlcmhvbHQiLCAxNjczNjg4ODg4NV0"
}

Paging

This endpoint supports the Flare standard paging pattern .

Body Parameters

size

number

Maximum size of the JSON object that will be returned (maximum 10 000)

from

string

The next value from the last response.

order

string

default:"desc"

The order in which the results will be returned. (asc or desc)

query

object

One of the supported queries.

Domain Query
Auth Domain Query
Password Query
Email Query
Keyword Query

This query will match all credentials that contain the specified domain in the email address.

{
  "type": "domain",
  "fqdn": "<string>"
}

This query will match the domain of the service that this credential might have been used to log in to.

{
  "type": "auth_domain",
  "fqdn": "<string>"
}

This query will match all credentials that contain the specified password.

{
  "type": "secret",
  "secret": "<string>"
}

This query will match all credentials for the exact email address.

{
  "type": "email",
  "email": "<string>"
}

This query will match with the credential’s username, which is the portion of the identity_name that preceeds @.

{
  "type": "keyword",
  "keyword": "<string>"
}

filters

object

Hide child attributes

imported_at

object

This filter only works for Auth Domain Queries. It will be ignored if used with other query types.

Show child attributes

gte

string

Matches values greater than or equal to the specified timestamp.Format: ISO-8601

lte

string

Matches values lesser than or equal to the specified timestamp.Format: ISO-8601

Authorizations

Authorization

string

header

required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body

application/json

query

DomainQuery · object

required

DomainQuery
EmailQuery
KeywordQuery
SecretQuery
AuthDomainQuery

Show child attributes

filters

CredentialsQueryFilters · object

Show child attributes

from

string | null

size

integer

default:10

Required range: 1 <= x <= 10000

include

enum<string>[]

Available options:

known_password_id

order

enum<string>

default:desc

Available options:

asc,

desc

Response

Successful Response

items

Credential · object[]

required

Show child attributes

string | null

required

Search Events

Search Credentials

⌘I

Authentication API

Events API

Global Search API

Account and Session Takeover Prevention (ASTP) API

Management API

Threat-Flow API

Deprecated APIs

Search Credentials

Paging

Body Parameters

Authorizations

Body

Response

Authentication API

Events API

Global Search API

Account and Session Takeover Prevention (ASTP) API

Management API

Threat-Flow API

Deprecated APIs

​Paging

​Body Parameters

Authorizations

Body

Response

Paging

Body Parameters