IntelBase API
A single REST endpoint turns an email address into a full intelligence profile — registered accounts, profile data, data breaches and infostealer logs. All requests are made against the base URL below and authenticated with your API key.
Base URL
https://api.intelbase.isYour API key lives in your dashboard. A paid plan with API access is required — the API is not available on the free plan.
Authentication
Authenticate every request by sending your API key in the
x-api-key header. Keep
your key secret — treat it like a password. If it leaks, regenerate it
from the dashboard.
x-api-key: YOUR_API_KEYRequests without a valid key return 401 Unauthorized.
Requests from a free plan, or a plan without API access, also return
401.
IP whitelisting & debugging
For security, API requests must originate from an IP address you've
whitelisted (configurable in your dashboard, or per-team). If the IP a
request comes from isn't on the list, the API returns
401 Unauthorized with
"Your IP is not whitelisted."
The IP you think you're calling from is often not the IP the
server actually sees — proxies, NAT, load balancers and IPv6 vs IPv4
all get in the way. To debug, call
GET /account/ip from
the exact same machine/network that makes your API calls and make
sure the IP it returns is the one you've whitelisted.
curl https://api.intelbase.is/account/ip{ "ip": "203.0.113.24" }Whatever value comes back here is what needs to be in your whitelist. If it doesn't match, add that exact IP (or fix your egress so it resolves to a whitelisted one).
/lookup/emailEmail lookup
Runs a full lookup against a single email address. Send a JSON body
with the parameters below. Requires the
x-api-key header and
Content-Type: application/json.
Body parameters
| Field | Type | Default | Description |
|---|---|---|---|
email req | string | — | The target email address to investigate. |
timeout_ms | integer | 10000 | Max time to wait for the lookup, in milliseconds (100–120000). Values under 5000 automatically skip slower modules (dropbox, google, gravatar). |
include_data_breaches | boolean | true | Include data breaches and stealer-log results. Breach visibility also depends on your plan. |
exclude_modules | string[] | [] | Module names to skip. Mutually exclusive with include_modules. |
include_modules | string[] | [] | Restrict the lookup to only these module names. Mutually exclusive with exclude_modules. |
Example request
curl -X POST https://api.intelbase.is/lookup/email \
-H "x-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"timeout_ms": 10000,
"include_data_breaches": true
}'Response schema
A successful lookup returns 200 OK
with the following top-level structure.
| Field | Type | Description |
|---|---|---|
identifier.accounts | object[] | Accounts found for the email. Each item has a `module` (id, name, name_formatted, domain, type) and a flat `data` map of the harvested fields (username, full_name, avatar_url, …). |
validator.registered | module[] | Services the email is confirmed registered on. |
validator.unregistered | module[] | Services the email is not registered on. |
data_breaches | object | `{ amount, sources, results, redacted }`. Each result includes email, password, username, full_name, ip_address, phone_number, hash, and a `source` (name, date). Results may be redacted depending on your plan. |
stealer_logs | object | `{ count, results, has_stealer_log_type, redacted, compromised }`. Each result includes data_type (combo | stealerlog), origin, login, password. |
stealer_enrichment | object | null | Aggregated infostealer intelligence (autofill, accounts, user_info, card_holders, scanned_files, posted_at) when available and permitted by your plan. `null` otherwise. |
meta | object | `{ email, first_seen, last_seen, cloaked, timeline }`. The `timeline` array (source, name, date) is only present when at least two dated events exist. |
Example response
{
"identifier": {
"accounts": [
{
"module": {
"id": "5f9a...",
"name": "google",
"name_formatted": "Google",
"domain": "google.com",
"type": 0
},
"data": {
"id": "1178...",
"username": "targetuser",
"full_name": "Target User",
"avatar_url": "https://.../photo.jpg"
}
}
]
},
"validator": {
"registered": [
{ "id": "…", "name": "spotify", "name_formatted": "Spotify", "domain": "spotify.com", "type": 1 }
],
"unregistered": [
{ "id": "…", "name": "duolingo", "name_formatted": "Duolingo", "domain": "duolingo.com", "type": 1 }
]
},
"data_breaches": {
"amount": 3,
"sources": 2,
"results": [
{
"email": "[email protected]",
"password": "hunter2",
"username": "targetuser",
"full_name": "Target User",
"ip_address": "203.0.113.9",
"phone_number": "",
"hash": "",
"source": { "name": "ExampleBreach", "date": "2021-06" }
}
],
"redacted": false
},
"stealer_logs": {
"count": 1,
"results": [
{ "data_type": "stealerlog", "origin": "https://accounts.google.com", "login": "[email protected]", "password": "hunter2" }
],
"has_stealer_log_type": true,
"redacted": false,
"compromised": true
},
"stealer_enrichment": {
"autofill": [
{
"tag": "email",
"label": "Email",
"total": 4,
"unique": 2,
"values": [
{ "value": "[email protected]", "count": 3 },
{ "value": "[email protected]", "count": 1 }
]
}
],
"accounts": [
{
"platform": "instagram.com",
"value": "[email protected]",
"kind": "username",
"source": "credential",
"id_link": "https://instagram.com/username"
}
],
"user_info": {
"username": "targetuser",
"ip_address": "203.0.113.9",
"country": "US",
"location": "New York, NY",
"zip_code": "10001"
},
"scanned_files": 128,
"posted_at": "2025-02-14T00:00:00Z",
"realtime": false,
"redacted": false
},
"meta": {
"email": "[email protected]",
"first_seen": "2016-04-12T00:00:00Z",
"last_seen": "2023-09-01T00:00:00Z",
"cloaked": false,
"timeline": [
{ "source": "creation_date", "name": "Google", "date": "2016-04-12T00:00:00Z" },
{ "source": "data_breach", "name": "ExampleBreach", "date": "2021-06-01T00:00:00Z" }
]
}
}Errors
Errors are returned with the appropriate HTTP status and, where
applicable, a JSON body of the form
{ "error": "message" }.
400 Bad Request
Malformed JSON, invalid email, or both exclude_modules and include_modules supplied.
401 Unauthorized
Missing/invalid API key, a free plan, a plan without API access, an IP that is not whitelisted, or your daily lookup limit was reached.
403 Forbidden
The email address is blacklisted and cannot be looked up.
429 Too Many Requests
You exceeded your plan's per-minute API rate limit.
500 Server Error
An unexpected error occurred while running the lookup.
/account/ipYour IP (debug)
A public, unauthenticated helper that echoes back the IP address the server sees your request coming from. Use it to verify what to add to your IP whitelist (see IP whitelisting & debugging).
curl https://api.intelbase.is/account/ip{ "ip": "203.0.113.24" }Rate limits & quotas
Two limits apply to API usage, both determined by your plan:
Per-minute rate limit. Exceeding it returns
429 Too Many Requests.Daily lookup quota. Once reached, further lookups return
401 Unauthorizeduntil the counter resets. On teams, the quota is shared across members.
Need higher limits?
Compare plans or reach out about enterprise volume.