IntelBase
API Reference

IntelBase API

A single REST endpoint turns an email address into a full intelligence profile — registered accounts, profile data, data breaches and infostealer logs. All requests are made against the base URL below and authenticated with your API key.

Base URL

Base URL
https://api.intelbase.is

Your API key lives in your dashboard. A paid plan with API access is required — the API is not available on the free plan.

Authentication

Authenticate every request by sending your API key in the x-api-key header. Keep your key secret — treat it like a password. If it leaks, regenerate it from the dashboard.

Header
x-api-key: YOUR_API_KEY

Requests without a valid key return 401 Unauthorized. Requests from a free plan, or a plan without API access, also return 401.

IP whitelisting & debugging

For security, API requests must originate from an IP address you've whitelisted (configurable in your dashboard, or per-team). If the IP a request comes from isn't on the list, the API returns 401 Unauthorized with "Your IP is not whitelisted."

Trouble authorizing your IP?

The IP you think you're calling from is often not the IP the server actually sees — proxies, NAT, load balancers and IPv6 vs IPv4 all get in the way. To debug, call GET /account/ip from the exact same machine/network that makes your API calls and make sure the IP it returns is the one you've whitelisted.

cURL
curl https://api.intelbase.is/account/ip
Response
{ "ip": "203.0.113.24" }

Whatever value comes back here is what needs to be in your whitelist. If it doesn't match, add that exact IP (or fix your egress so it resolves to a whitelisted one).

POST /lookup/email

Email lookup

Runs a full lookup against a single email address. Send a JSON body with the parameters below. Requires the x-api-key header and Content-Type: application/json.

Body parameters

Field Type Default Description
email req string The target email address to investigate.
timeout_ms integer 10000 Max time to wait for the lookup, in milliseconds (100–120000). Values under 5000 automatically skip slower modules (dropbox, google, gravatar).
include_data_breaches boolean true Include data breaches and stealer-log results. Breach visibility also depends on your plan.
exclude_modules string[] [] Module names to skip. Mutually exclusive with include_modules.
include_modules string[] [] Restrict the lookup to only these module names. Mutually exclusive with exclude_modules.

Example request

cURL
curl -X POST https://api.intelbase.is/lookup/email \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "timeout_ms": 10000,
    "include_data_breaches": true
  }'

Response schema

A successful lookup returns 200 OK with the following top-level structure.

Field Type Description
identifier.accounts object[] Accounts found for the email. Each item has a `module` (id, name, name_formatted, domain, type) and a flat `data` map of the harvested fields (username, full_name, avatar_url, …).
validator.registered module[] Services the email is confirmed registered on.
validator.unregistered module[] Services the email is not registered on.
data_breaches object `{ amount, sources, results, redacted }`. Each result includes email, password, username, full_name, ip_address, phone_number, hash, and a `source` (name, date). Results may be redacted depending on your plan.
stealer_logs object `{ count, results, has_stealer_log_type, redacted, compromised }`. Each result includes data_type (combo | stealerlog), origin, login, password.
stealer_enrichment object | null Aggregated infostealer intelligence (autofill, accounts, user_info, card_holders, scanned_files, posted_at) when available and permitted by your plan. `null` otherwise.
meta object `{ email, first_seen, last_seen, cloaked, timeline }`. The `timeline` array (source, name, date) is only present when at least two dated events exist.

Example response

200 OK
{
  "identifier": {
    "accounts": [
      {
        "module": {
          "id": "5f9a...",
          "name": "google",
          "name_formatted": "Google",
          "domain": "google.com",
          "type": 0
        },
        "data": {
          "id": "1178...",
          "username": "targetuser",
          "full_name": "Target User",
          "avatar_url": "https://.../photo.jpg"
        }
      }
    ]
  },
  "validator": {
    "registered": [
      { "id": "…", "name": "spotify", "name_formatted": "Spotify", "domain": "spotify.com", "type": 1 }
    ],
    "unregistered": [
      { "id": "…", "name": "duolingo", "name_formatted": "Duolingo", "domain": "duolingo.com", "type": 1 }
    ]
  },
  "data_breaches": {
    "amount": 3,
    "sources": 2,
    "results": [
      {
        "email": "[email protected]",
        "password": "hunter2",
        "username": "targetuser",
        "full_name": "Target User",
        "ip_address": "203.0.113.9",
        "phone_number": "",
        "hash": "",
        "source": { "name": "ExampleBreach", "date": "2021-06" }
      }
    ],
    "redacted": false
  },
  "stealer_logs": {
    "count": 1,
    "results": [
      { "data_type": "stealerlog", "origin": "https://accounts.google.com", "login": "[email protected]", "password": "hunter2" }
    ],
    "has_stealer_log_type": true,
    "redacted": false,
    "compromised": true
  },
  "stealer_enrichment": {
    "autofill": [
      {
        "tag": "email",
        "label": "Email",
        "total": 4,
        "unique": 2,
        "values": [
          { "value": "[email protected]", "count": 3 },
          { "value": "[email protected]", "count": 1 }
        ]
      }
    ],
    "accounts": [
      {
        "platform": "instagram.com",
        "value": "[email protected]",
        "kind": "username",
        "source": "credential",
        "id_link": "https://instagram.com/username"
      }
    ],
    "user_info": {
      "username": "targetuser",
      "ip_address": "203.0.113.9",
      "country": "US",
      "location": "New York, NY",
      "zip_code": "10001"
    },
    "scanned_files": 128,
    "posted_at": "2025-02-14T00:00:00Z",
    "realtime": false,
    "redacted": false
  },
  "meta": {
    "email": "[email protected]",
    "first_seen": "2016-04-12T00:00:00Z",
    "last_seen": "2023-09-01T00:00:00Z",
    "cloaked": false,
    "timeline": [
      { "source": "creation_date", "name": "Google", "date": "2016-04-12T00:00:00Z" },
      { "source": "data_breach", "name": "ExampleBreach", "date": "2021-06-01T00:00:00Z" }
    ]
  }
}

Errors

Errors are returned with the appropriate HTTP status and, where applicable, a JSON body of the form { "error": "message" }.

400

Bad Request

Malformed JSON, invalid email, or both exclude_modules and include_modules supplied.

401

Unauthorized

Missing/invalid API key, a free plan, a plan without API access, an IP that is not whitelisted, or your daily lookup limit was reached.

403

Forbidden

The email address is blacklisted and cannot be looked up.

429

Too Many Requests

You exceeded your plan's per-minute API rate limit.

500

Server Error

An unexpected error occurred while running the lookup.

GET /account/ip

Your IP (debug)

A public, unauthenticated helper that echoes back the IP address the server sees your request coming from. Use it to verify what to add to your IP whitelist (see IP whitelisting & debugging).

cURL
curl https://api.intelbase.is/account/ip
200 OK
{ "ip": "203.0.113.24" }

Rate limits & quotas

Two limits apply to API usage, both determined by your plan:

  • Per-minute rate limit. Exceeding it returns 429 Too Many Requests.

  • Daily lookup quota. Once reached, further lookups return 401 Unauthorized until the counter resets. On teams, the quota is shared across members.

Need higher limits?

Compare plans or reach out about enterprise volume.