API Reference
Every public ThreatChain endpoint, how to call it, and what it returns. All examples are live against https://threatchain.io.
Overview
ThreatChain exposes a read-first REST API backed by 9M+ malware hashes, 345K+ CVEs with EPSS + CISA KEV enrichment, and real-time feeds from VirusTotal, MalwareBazaar, and Hybrid Analysis. All responses are JSON. All endpoints are over HTTPS.
Base URL: https://threatchain.io
Routes under /threatchain/* are the stable, versioned data API. Routes like /scan and /quick-check are the SolidGuard contract-scanner API. We document both below.
Authentication
The Free tier is usable without any authentication — just make the request. Everything else — higher rate limits, enrichment calls, sample downloads — is unlocked by sending your API key in the X-API-Key header.
# With an API key (URL quoted so the shell does not treat "?" as a glob)
curl -H "X-API-Key: tck_live_yourkey" \
  "https://threatchain.io/threatchain/lookup?hash=44d88612fea8a8f36de82e1278abb02f"
Get a key at api-pricing. API keys start with tck_live_. They carry the rate limits of whichever tier you bought (Researcher, Team, Enterprise).
Rate limits
Limits apply per-IP for anonymous traffic and per-key for authenticated traffic. When you exceed a limit you receive 429 Too Many Requests with a Retry-After header.
| Tier | Lookups / day | Enrichments / day | Burst |
|---|---|---|---|
| Free | 100 | 10 | 30 req/min |
| Researcher | 10,000 | 1,000 | 60 req/min |
| Team | 100,000 | 10,000 | 120 req/min |
| Enterprise | Unlimited | Unlimited | Custom |
Error format
All error responses use HTTP status codes and a JSON body with a detail or error field.
| Code | Meaning | Typical cause |
|---|---|---|
| 400 | Bad request | Invalid hash format, missing required field |
| 401 | Unauthorized | Missing or invalid API key on an authenticated endpoint |
| 403 | Forbidden | API key lacks the tier for this endpoint |
| 404 | Not found | Hash / CVE / contract address not in database |
| 429 | Rate limited | Back off and retry after the Retry-After seconds |
| 500 | Server error | Transient; email us if it persists |
Hash lookup
Check a file hash against 9M+ known-bad indicators. Accepts SHA-256, SHA-1, or MD5.
curl "https://threatchain.io/threatchain/lookup?hash=44d88612fea8a8f36de82e1278abb02f"
Python:
import httpx
r = httpx.get("https://threatchain.io/threatchain/lookup",
              params={"hash": "44d88612fea8a8f36de82e1278abb02f"})
print(r.json())
JavaScript:
const r = await fetch("https://threatchain.io/threatchain/lookup?hash=44d88612fea8a8f36de82e1278abb02f");
const data = await r.json();
Response (found):
{
  "hash": "44d88612fea8a8f36de82e1278abb02f",
  "found": true,
  "signature": "EICAR-Test-File",
  "malware_family": "test",
  "first_seen": "2020-05-14T09:12:33Z",
  "sources": ["malwarebazaar", "local"]
}
Response (not found): {"hash": "...", "found": false}
Batch lookup
Look up up to 500 hashes in a single request. Body is a JSON object with a hashes array.
curl -X POST "https://threatchain.io/threatchain/lookup/batch" \
-H "Content-Type: application/json" \
-d '{"hashes":["44d88612...","d41d8cd9..."]}'
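The 500-hash batch limit, the accepted hash formats and the 429 / Retry-After behaviour described above, combined in one client as an added example (not ThreatChain's own code). It uses only the Python standard library; the function names, the injectable `post` and `sleep` parameters, and the retry and wait caps are assumptions of this example, and each chunk's response body is returned as-is because the batch response shape is not documented on this page.

```python
# Added example (not ThreatChain code); names and retry caps are assumptions.
import json
import re
import time
import urllib.error
import urllib.request

URL = "https://threatchain.io/threatchain/lookup/batch"
MAX_BATCH = 500  # documented per-request limit for the batch endpoint
# Accepted formats: MD5 (32), SHA-1 (40) or SHA-256 (64) hex digits.
HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")

def normalize_hashes(values):
    """Lower-case, de-duplicate (order kept) and reject non-hex input."""
    norm = [v.strip().lower() for v in values]
    bad = [h for h in norm if not HASH_RE.fullmatch(h)]
    if bad:  # fail locally instead of sending a request the API answers with 400
        raise ValueError(f"not MD5/SHA-1/SHA-256 hex: {bad[:3]}")
    return list(dict.fromkeys(norm))

def http_post(url, body, headers):
    """Default transport (stdlib): returns (status, headers, body)."""
    req = urllib.request.Request(url, json.dumps(body).encode(), headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.headers, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, e.headers, e.read().decode(errors="replace")

def batch_lookup(hashes, api_key=None, post=http_post, sleep=time.sleep,
                 max_retries=3, max_wait=60):
    """POST hashes in chunks of <= 500; honour Retry-After on 429."""
    headers = {"Content-Type": "application/json"}
    if api_key:
        headers["X-API-Key"] = api_key  # sent as a header, never in the URL
    good, results = normalize_hashes(hashes), []
    for i in range(0, len(good), MAX_BATCH):
        chunk = {"hashes": good[i:i + MAX_BATCH]}
        for attempt in range(max_retries + 1):
            status, hdrs, body = post(URL, chunk, headers)
            if status != 429 or attempt == max_retries:
                break
            wait = str(hdrs.get("Retry-After", "1"))
            # Cap the server-supplied delay; fall back to 1 s if not an integer.
            sleep(min(int(wait) if wait.isdecimal() else 1, max_wait))
        if status != 200:
            raise RuntimeError(f"HTTP {status}: {body}")
        results.append(body)
    return results
```

Passing a stub for `post` lets the chunking and back-off logic be exercised without network access or spending daily quota.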
Enrichment (Researcher+)
Pulls live data from VirusTotal, Hybrid Analysis, and MalwareBazaar and returns consolidated detection, YARA, and network IOCs.
curl -H "X-API-Key: tck_live_yourkey" \
https://threatchain.io/threatchain/enrich/44d88612fea8a8f36de82e1278abb02f
CVE search
Search across 345K+ CVEs with CVSS, EPSS, CISA KEV, and vendor/product metadata. Free, no key required.
Query parameters
| Param | Type | Description |
|---|---|---|
| q | string | Keyword or CVE ID. A CVE ID such as CVE-2021-44228 is matched exactly; any other string is searched as full text. |
| severity | string | critical, high, medium, low |
| vendor | string | Substring match on vendor |
| product | string | Substring match on product |
| min_cvss | float | 0–10 |
| min_epss | float | 0–1; filter on exploit prediction |
| kev_only | bool | Only CISA Known-Exploited Vulnerabilities |
| year_from, year_to | int | Filter by CVE year |
| sort | string | published (default), modified, cvss, epss |
| limit, offset | int | Pagination; max 200 per page |
Example — CISA KEV only, sorted by EPSS
curl "https://threatchain.io/threatchain/cve/search?kev_only=true&sort=epss&limit=10"
Batch CVE lookup
Retrieve enriched records for up to 200 CVE IDs in one call.
curl -X POST "https://threatchain.io/threatchain/cve/batch" \
-H "Content-Type: application/json" \
-d '{"cve_ids":["CVE-2021-44228","CVE-2017-5638","CVE-2024-3400"]}'
CVE stats
Total counts, severity breakdown, KEV count, and the 5 most-recent CVEs — useful for dashboards.
Threat feed & search
Full-text search across the threat database (signatures, malware family names, file paths).
Rolling feed of newly-seen hashes — paginate with limit and offset. Returns in newest-first order.
Download the raw sample if we have it on hand. 404 if the sample isn't available. Rate-limited and bot-blocked.
Wallet exposure
Check any EVM wallet for interaction with known scam, compromised, or sanctioned addresses across Ethereum, Arbitrum, Base, and Polygon.
Chains: ethereum, arbitrum, base, polygon. Defaults to ethereum.
curl "https://threatchain.io/wallet/check?address=0x1234...&chain=ethereum"
Full product docs at /docs/wallet-check.
Rugpull score
Risk-score any ERC-20 contract from 0 (safe) to 100 (very risky). Detects honeypots, owner-power abuse, and known scam-deployer wallets.
curl "https://threatchain.io/rugpull/score?address=0xtoken...&chain=ethereum"
Full product docs at /docs/rugpull-scorer.
SDKs & wrappers
No official SDK yet — the API is small and idiomatic HTTP is plenty. If you want one, tell us which language and we'll prioritize.
For Claude Desktop / Cursor / Cline / any MCP-compatible agent, the MCP server exposes every major endpoint as a native tool — no wrapper code required.
Changelog
Breaking changes and dated additions live on this page. Watch the GitHub org for release notes.