TLINK PRO — Threat Intelligence Platform

Introduction

The TLINK PRO API is a RESTful API that lets you programmatically manage assets, alert rules, run threat intelligence tools, and retrieve results. All responses are JSON.

Base URL

https://pro.threatgrid.tech/api

All API responses follow this shape:

{
  "success": true,
  "data": { ... },       // present on success
  "message": "...",      // present on errors
  "meta": { ... }        // present on list endpoints (pagination, counts)
}

Authentication

TLINK PRO uses two authentication methods: Bearer tokens for user sessions and API keys for programmatic access.

Session tokens (login flow)

Call POST /api/auth/login to get an access token and refresh token.

curl -X POST https://pro.threatgrid.tech/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "yourpassword"}'

The response includes accessToken (15-minute TTL) and refreshToken (30-day TTL). Pass the access token as a Bearer header on subsequent requests:

curl https://pro.threatgrid.tech/api/users/me \
  -H "Authorization: Bearer <accessToken>"

When the access token expires, refresh it:

curl -X POST https://pro.threatgrid.tech/api/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refreshToken": "<refreshToken>"}'

API keys

For automated workflows, create an API key in Dashboard → API Keys. Pass it via the X-API-Key header:

curl https://pro.threatgrid.tech/api/orgs/{orgId}/assets \
  -H "X-API-Key: tlpro_your_api_key_here"

Never commit API keys to source control. Rotate compromised keys immediately from the dashboard.

Rate Limits

Rate limits apply per API key or session token. Exceeded limits return 429 Too Many Requests.

Plan	Requests / minute	Tool runs / month
Free	30	100
Pro	120	5,000
Business	300	Unlimited
Enterprise	Custom	Unlimited

Retry-After and X-RateLimit-* headers are included in every response.

Assets

Assets represent entities you want to monitor — domains, IPs, emails, URLs, hashes, ASNs, or certificates.

GET

/api/orgs/{orgId}/assets

List all assets in the organization

Auth required

POST

/api/orgs/{orgId}/assets

Create a new asset

Auth required

GET

/api/orgs/{orgId}/assets/{assetId}

Get a single asset and its latest scan results

Auth required

PATCH

/api/orgs/{orgId}/assets/{assetId}

Update asset label or monitoring status

Auth required

DELETE

/api/orgs/{orgId}/assets/{assetId}

Delete an asset

Auth required

POST

/api/orgs/{orgId}/assets/{assetId}/monitor-now

Trigger an immediate check on this asset

Auth required

Create asset

curl -X POST https://pro.threatgrid.tech/api/orgs/{orgId}/assets \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "DOMAIN",
    "value": "example.com",
    "label": "Main site",
    "isMonitored": true
  }'

Request body

`type`required	string	DOMAIN, IP, EMAIL, URL, HASH, ASN, or CERTIFICATE
`value`required	string	The asset value (e.g. example.com, 1.2.3.4)
`label`	string	Optional human-readable label
`isMonitored`	boolean	Whether to enable continuous monitoring (default: false)

Alert Rules

Alert rules define conditions that trigger alerts when asset scan results match. Supports threshold, equality, contains, exists, and changed operators.

GET

/api/orgs/{orgId}/alert-rules

List all alert rules

Auth required

POST

/api/orgs/{orgId}/alert-rules

Create a new alert rule

Auth required

PATCH

/api/orgs/{orgId}/alert-rules/{ruleId}

Update rule (name, condition, enabled, etc.)

Auth required

DELETE

/api/orgs/{orgId}/alert-rules/{ruleId}

Delete a rule

Auth required

Create a rule

curl -X POST https://pro.threatgrid.tech/api/orgs/{orgId}/alert-rules \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "High abuse score",
    "condition": {
      "tool": "ip-reputation",
      "field": "abuseipdb.abuseConfidenceScore",
      "operator": "gte",
      "value": 75
    },
    "severity": "HIGH",
    "notifyEmail": true,
    "notifyWebhook": false
  }'

Supported operators

gt / lt / gte / lte

Numeric comparisons

eq / neq

Equality checks

contains

String contains

exists

Field is present and truthy

changed

Value changed since last scan

Alerts

Alerts are triggered when a rule condition is met during a scheduled or manual asset scan.

GET

/api/orgs/{orgId}/alerts

List alerts (filterable by status, severity, assetId)

Auth required

GET

/api/orgs/{orgId}/alerts/{alertId}

Get alert details including triggering scan data

Auth required

PATCH

/api/orgs/{orgId}/alerts/{alertId}

Update alert status (OPEN → RESOLVED, ACKNOWLEDGED, etc.)

Auth required

List open alerts

curl "https://pro.threatgrid.tech/api/orgs/{orgId}/alerts?status=OPEN&severity=HIGH" \
  -H "Authorization: Bearer <token>"

Alert severities

CRITICALHIGHMEDIUMLOWINFO

Tool Runner

The Tool Runner lets you run threat intelligence scans against any target. Results are saved as reports and can trigger alert rules.

POST

/api/orgs/{orgId}/tools/run

Run a tool against a target (async, returns reportId)

Auth required

GET

/api/orgs/{orgId}/tools/reports

List all saved reports

Auth required

GET

/api/orgs/{orgId}/tools/reports/{reportId}

Get a report and its full result data

Auth required

Available tools

dns

DNS lookup (A, NS, MX, CNAME, TXT)

whois

WHOIS registration data

ip-reputation

AbuseIPDB + VirusTotal IP check

email

MX, SPF, DMARC, HIBP breach check

exposure

Open ports, CVEs, risk score

ssl

SSL/TLS certificate analysis

threat-feed

OTX + GreyNoise threat feeds

Run a tool

curl -X POST https://pro.threatgrid.tech/api/orgs/{orgId}/tools/run \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "toolKey": "ip-reputation",
    "target": "1.2.3.4",
    "assetId": "optional-asset-id-to-link-result"
  }'

Webhooks

When an alert rule fires, TLINK PRO can POST a JSON payload to your configured webhook URL. Set the URL in the alert rule's webhookUrl field.

Payload shape

{
  "event": "alert.fired",
  "alertId": "abc123",
  "ruleId": "rule456",
  "ruleName": "High abuse score",
  "severity": "HIGH",
  "asset": {
    "id": "asset789",
    "type": "IP",
    "value": "1.2.3.4"
  },
  "triggeredAt": "2025-11-14T10:30:00Z",
  "message": "abuseipdb.abuseConfidenceScore ≥ 75 (actual: 92)"
}

Slack example

Create a Slack Incoming Webhook and use the URL in your rule. TLINK PRO sends standard JSON — wrap it with a Slack workflow or use a bridge like Zapier if you need Slack's block format.

Webhook requests include a X-TLINK-Signature header (HMAC-SHA256 of the payload) for request verification. Support for secret-based verification is coming in a future release.

API Keys

API keys allow machine-to-machine access without user sessions. Manage them from Dashboard → API Keys.

GET

/api/users/me/api-keys

List your API keys

Auth required

POST

/api/users/me/api-keys

Create a new API key

Auth required

DELETE

/api/users/me/api-keys/{keyId}

Revoke an API key

Auth required

Create an API key

curl -X POST https://pro.threatgrid.tech/api/users/me/api-keys \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "CI pipeline key"}'

The full key value is only returned once at creation time. Store it securely. Subsequent requests will only show the key name and last-used timestamp.

Usage

# Use X-API-Key header (no Bearer prefix)
curl https://pro.threatgrid.tech/api/orgs/{orgId}/assets \
  -H "X-API-Key: tlpro_xxxxxxxxxxxxxxxxxxxx"