---
title: "Domain Reputation API Docs | Whoisfreaks"
slug: "/documentation/domain-reputation-api"
description: "Real-time domain reputation API that returns risk scores, trust ratings, DGA analysis, threat intelligence, and security insights."
---

# Domain Reputation API Documentation

## Domain Reputation API

The WhoisFreaks Domain Reputation API is a real-time domain threat assessment service. Given any domain name, it returns a comprehensive risk verdict, trust score, DGA (Domain Generation Algorithm) analysis, threat intelligence matches, and actionable security signals — all in a single API call.

### Authorization

You can make authorized requests to our API by passing API key as a query parameter. To get your API key, login to our billing dashboard and get your API key! If your API key has been compromised, you can change it by clicking on reset button in billing dashboard.

#### Important References

*   For details on request limits and handling rate limiting, refer [here](https://whoisfreaks.com/documentation/api-rate-limiting)
*   For a complete overview of API credit consumption and usage, refer [here](https://whoisfreaks.com/documentation/credit-usage#security-lookup-api)

### Query Parameters

##### Required

*   apiKey
    
    Retrieve your API key from the billing dashboard.
    
*   domainName
    
    The domain name to assess (e.g., `example.com`). Must contain at least one dot, max 253 characters. Automatically lowercased.
    

### Fields Description

| Fields | Details | Example |
| --- | --- | --- |
| input | Input object containing the analyzed domain |  |
|   ↳ domain | Domain name being analyzed | example.com |
| assessed_at | Timestamp when the assessment was performed | 2026-07-08T08:12:29Z |
| version | API/response schema version | 1.0.0 |
| processing_time_ms | Time taken to process the request, in milliseconds | 742 |
| risk_category | Overall risk assessment for the domain |  |
|   ↳ verdict | Final verdict of the risk assessment | suspicious |
|   ↳ confidence | Confidence score for the verdict | 0.94 |
|   ↳ primary_threat | Main threat type identified | phishing |
|   ↳ severity | Severity level of the risk | high |
|   ↳ threat_types | List of threat types associated with the domain | ["phishing", "spam"] |
|   ↳ sources | Threat intelligence sources that flagged the domain |  |
|     ↳ source | Name of the threat intelligence source | Spamhaus |
|     ↳ indicator | Indicator matched by this source | example.com |
|     ↳ threat_type | Threat type reported by this source | phishing |
|     ↳ confidence | Confidence score from this source | 0.97 |
|     ↳ first_seen | First time this indicator was seen by the source | 2026-07-01T10:22:00Z |
|     ↳ last_seen | Last time this indicator was seen by the source | 2026-07-08T05:00:00Z |
|   ↳ pivot_matches | Related pivots (NS, email, etc.) linked to known threats |  |
|     ↳ pivot | Pivot value (e.g. nameserver or email) | ns1.exampledns.com |
|     ↳ pivot_type | Type of pivot | ns |
|     ↳ total_related_threats | Total number of threats related to this pivot | 34 |
|     ↳ confidence | Confidence score for the pivot match | 0.92 |
| dga_score | Domain Generation Algorithm (DGA) detection results |  |
|   ↳ score | DGA likelihood score | 0.81 |
|   ↳ is_dga | Indicates whether the domain is likely DGA-generated | true |
|   ↳ model | Model used to compute the DGA score | deterministic_features_v1 |
|   ↳ features | Underlying lexical/statistical features used in DGA detection |  |
|     ↳ domain_length | Length of the domain name | 17 |
|     ↳ vowel_consonant_ratio | Ratio of vowels to consonants in the domain | 0.18 |
|     ↳ ngram_perplexity | N-gram perplexity score of the domain string | 3.91 |
|     ↳ shannon_entropy | Shannon entropy of the domain string | 4.72 |
|     ↳ digit_letter_ratio | Ratio of digits to letters in the domain | 0.23 |
|     ↳ consonant_streak_max | Maximum consecutive consonant streak in the domain | 6 |
|     ↳ tld_in_known_dga_set | Indicates if the TLD belongs to a known DGA set | false |
|   ↳ interpretation | Human-readable interpretation of the DGA score | likely_dga |
| trust_signals | Trust scoring and supporting signals for the domain |  |
|   ↳ trust_score | Overall trust score | 12 |
|   ↳ trust_band | Trust score band/category | low |
|   ↳ signals | Signals contributing to the trust score |  |
|     ↳ positive | Signals that positively affect trust score |  |
|       ↳ code | Signal code identifier | valid_ssl |
|       ↳ weight | Weight assigned to the signal | 8 |
|       ↳ polarity | Polarity of the signal | positive |
|       ↳ category | Category the signal belongs to | ssl_certificate |
|       ↳ evidence | Evidence supporting the signal | TLS certificate issued by DigiCert |
|       ↳ confidence | Confidence score for the signal | 1.0 |
|     ↳ negative | Signals that negatively affect trust score |  |
|       ↳ code | Signal code identifier | dmarc_missing |
|       ↳ weight | Weight assigned to the signal | 5 |
|       ↳ polarity | Polarity of the signal | negative |
|       ↳ category | Category the signal belongs to | email_security |
|       ↳ evidence | Evidence supporting the signal | No DMARC record |
|       ↳ confidence | Confidence score for the signal | 1.0 |
|     ↳ neutral | Signals that are neutral to trust score |  |
|       ↳ code | Signal code identifier | content_unavailable |
|       ↳ weight | Weight assigned to the signal | 0 |
|       ↳ polarity | Polarity of the signal | neutral |
|       ↳ category | Category the signal belongs to | content_analysis |
|       ↳ evidence | Evidence supporting the signal | Website did not respond |
|       ↳ confidence | Confidence score for the signal | 1.0 |
|   ↳ indicators | Individual trust/risk indicators for the domain |  |
|     ↳ is_newly_registered | Indicates whether the domain was recently registered | true |
|     ↳ uses_free_extension | Indicates whether the domain uses a free TLD extension | false |
|     ↳ uses_free_ssl | Indicates whether the domain uses a free SSL certificate | true |
|     ↳ has_privacy_whois | Indicates whether WHOIS privacy protection is enabled | true |
|     ↳ ssl_age_days | Age of the SSL certificate in days | 18 |
|     ↳ has_dmarc | Indicates whether a DMARC record exists | false |
|     ↳ has_spf | Indicates whether an SPF record exists | true |
|     ↳ redirects_externally | Indicates whether the domain redirects to an external site | true |
|     ↳ javascript_obfuscated | Indicates whether obfuscated JavaScript was detected | true |
|     ↳ domain_age_days | Age of the domain in days | 24 |
|     ↳ registrar | Domain registrar name | Namecheap |
| intelligence | Threat intelligence details for the indicator of compromise (IOC) |  |
|   ↳ ioc_type | Type of the indicator of compromise | domain |
|   ↳ ioc_value | Value of the indicator of compromise | example.com |
|   ↳ related_iocs | Other IOCs related to this domain |  |
|     ↳ type | Type of the related IOC | ipv4 |
|     ↳ value | Value of the related IOC | 93.184.216.34 |
|     ↳ confidence | Confidence score for the related IOC | 0.91 |
|   ↳ feed_tags | Tags associated with this IOC from threat feeds | ["verdict:suspicious", "severity:high", "campaign:phishing"] |
|   ↳ stix_pattern | STIX pattern representation of the IOC | [domain-name:value='example.com'] |
|   ↳ recommended_action | Recommended action based on the assessment | block |
|   ↳ first_seen | First time this IOC was observed | 2026-07-01T10:22:00Z |
|   ↳ last_seen | Last time this IOC was observed | 2026-07-08T05:00:00Z |
| evidence_summary | Summary of reasons behind the risk assessment |  |
|   ↳ why_flagged | List of reasons why the domain was flagged | ["Detected in multiple phishing feeds", "Newly registered domain"] |
| errors | List of errors encountered during processing, if any | ["WHOIS lookup failed", "DNS lookup timed out"] |
