GET Parameters

Request method is HTTP GET.

URL Structure

https://api.webz.io/breachesr?token=XXXXX-XXXXX&format=json&crawled_from=XXXXXX&crawled_to=XXXXXX&email_domain=[Compromised Email Domain]

HTTP GET Parameters

Parameter | Description | Example

token

(Required) Your unique API authentication token, received when you signed up. This token verifies your access to the Webz.io API.

&token=[MY TOKEN]

format

Output format. JSON is the default and the only supported format.

&format=json

crawled_from

Returns entities crawled after this Unix timestamp (in milliseconds). Here is a Timestamp/Date converter

• If neither crawled_from nor crawled_to is provided, the default range is all time.

• If crawled_from is provided but crawled_to is not, the default is all data available from crawled_from until now.

&crawled_from=1578504734000

crawled_to

Returns entities crawled before this Unix timestamp (in milliseconds). Here is a Timestamp/Date converter

• If neither crawled_to nor crawled_from is provided, the default range is all time.

• If crawled_to is provided but crawled_from is not, the default is all data available up to crawled_to.

&crawled_to=1758382842000

breach_from

Returns entities whose official breach date (for data breaches & combo lists) or infection date (for stealer logs) is earlier than the specified Unix timestamp (in milliseconds).

Timestamp/Date converter

&breach_from=1578504734000

breach_to

Returns entities whose official breach date (for data breaches & combo lists) or infection date (for stealer logs) is later than the specified Unix timestamp (in milliseconds).

Timestamp/Date converter

&breach_to=1758382842000

*email

Search compromised data by a specific email address.

&email=[email protected]

*email_domain

Search compromised data by email domain.

(*The email_domain can be used with login_domain.)

&email_domain=mydomain.com

*login_domain

Search compromised data by login domain. Returns all leaked credentials that were used to log into the specified domain, including credentials linked to that domain through a data breach.

• If login_domain is a root domain, results include both the root domain and all of its subdomains.

• If login_domain is a subdomain, results are limited to that specific subdomain.

(*The login_domain can be used with email_domain.)

&login_domain=mydomain.com

data_type

Search compromised data by the breach sub type.

Accepted values:

• infostealer - credentials obtained from stealer log files.
• data_breach - credentials obtained from database files.

If data_type is used twice in the request URL, the values are combined with an OR relation. Without this parameter, the default is all.

&data_type=data_breach

sub_type

Search compromised data by the breach sub type.

Accepted values:

• database_dump
• data_breach_combo_list
• stealer_logs
• stealers_combo_list
• cookies

If sub_type is used twice in the request URL, the values are combined with an OR relation. Without this parameter, the default is all.

&sub_type=stealer_logs

breach_uuid

Search compromised data by the breach_uuid they are associated with.

*Relevant only for data_type=data_breach

&breach_uuid=XXXXXXXXXXX

has_password

Filter compromised data by password existence.

• If has_password = true, returns only results that include a password.
• If has_password = false, returns only results where no password is available.

&has_password=true

password_type

Filter compromised data by password type.

Accepted values:

• plaintext
• unsalted_hash
• salted_hash
• encrypted

&password_type=plaintext

is_premium

Filter infostealer data by premium channels.

&is_premium=true

sort_by

Defines the field used for sorting results.

Supported values:

• crawled → Sort by crawled_date.
• breached → Sort by breach_time.

Default is sort=crawled&order=asc

&sort_by=crawled

order_by

Defines the sorting direction.

Supported values:

• asc → Ascending order, based on the field defined in sort.
• desc → Descending order, based on the field defined in sort.

&order_by=asc

* At least one of email, email_domain, or login_domain must be provided in the request URL.
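The rules in the parameter table can be enforced client-side before a request is sent. The following is an added example, not Webz.io's own code: it builds the GET URL, checks the required selector and the accepted values, emits repeated data_type/sub_type keys for the OR relation, and redacts the token before the URL is written to a log. The function names, the REDACTED marker and the crawled_from/crawled_to ordering check are assumptions of this example; the endpoint is copied from the URL Structure line.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE_URL = "https://api.webz.io/breachesr"  # copied from the URL Structure line
ALLOWED = {  # accepted values from the parameter table
    "data_type": {"infostealer", "data_breach"},
    "sub_type": {"database_dump", "data_breach_combo_list", "stealer_logs",
                 "stealers_combo_list", "cookies"},
    "password_type": {"plaintext", "unsalted_hash", "salted_hash", "encrypted"},
}

def to_ms(dt):
    """Unix timestamp in milliseconds; naive datetimes are rejected to avoid local-time drift."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return int(dt.timestamp() * 1000)

def build_breach_url(token, *, email=None, email_domain=None, login_domain=None,
                     crawled_from=None, crawled_to=None, data_type=(), sub_type=(),
                     has_password=None, password_type=None):
    """Hypothetical helper: validate against the table and return the GET URL."""
    selectors = [(k, v) for k, v in (("email", email), ("email_domain", email_domain),
                                     ("login_domain", login_domain)) if v]
    if not selectors:
        raise ValueError("one of email, email_domain, login_domain is required")
    times = [(k, to_ms(v)) for k, v in (("crawled_from", crawled_from),
                                        ("crawled_to", crawled_to)) if v is not None]
    if len(times) == 2 and times[0][1] > times[1][1]:
        raise ValueError("crawled_from is after crawled_to")  # local sanity check
    # A repeated data_type / sub_type key is an OR relation, so emit one pair per value.
    multi = [("data_type", v) for v in data_type] + [("sub_type", v) for v in sub_type]
    if password_type is not None:
        multi.append(("password_type", password_type))
    for key, value in multi:
        if value not in ALLOWED[key]:
            raise ValueError(f"unsupported {key}: {value!r}")
    params = [("token", token), ("format", "json")] + selectors + times + multi
    if has_password is not None:
        params.append(("has_password", "true" if has_password else "false"))
    return BASE_URL + "?" + urlencode(params)

def redact_token(url):
    """Return a copy safe for logs: the token travels in the query string."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "token" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Because the token is a query parameter, it appears wherever full URLs are recorded (proxy logs, shell history, exception traces); log only the output of redact_token.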