Introduction
The TLINK PRO API is a RESTful API that lets you programmatically manage assets, alert rules, run threat intelligence tools, and retrieve results. All responses are JSON.
Base URL
https://pro.threatgrid.tech/apiAll API responses follow this shape:
{
"success": true,
"data": { ... }, // present on success
"message": "...", // present on errors
"meta": { ... } // present on list endpoints (pagination, counts)
}Authentication
TLINK PRO uses two authentication methods: Bearer tokens for user sessions and API keys for programmatic access.
Session tokens (login flow)
Call POST /api/auth/login to get an access token and refresh token.
curl -X POST https://pro.threatgrid.tech/api/auth/login \
-H "Content-Type: application/json" \
-d '{"email": "you@example.com", "password": "yourpassword"}'The response includes accessToken (15-minute TTL) and refreshToken (30-day TTL). Pass the access token as a Bearer header on subsequent requests:
curl https://pro.threatgrid.tech/api/users/me \
-H "Authorization: Bearer <accessToken>"When the access token expires, refresh it:
curl -X POST https://pro.threatgrid.tech/api/auth/refresh \
-H "Content-Type: application/json" \
-d '{"refreshToken": "<refreshToken>"}'API keys
For automated workflows, create an API key in Dashboard → API Keys. Pass it via the X-API-Key header:
curl https://pro.threatgrid.tech/api/orgs/{orgId}/assets \
-H "X-API-Key: tlpro_your_api_key_here"Never commit API keys to source control. Rotate compromised keys immediately from the dashboard.
Rate Limits
Rate limits apply per API key or session token. Exceeded limits return 429 Too Many Requests.
| Plan | Requests / minute | Tool runs / month |
|---|---|---|
| Free | 30 | 100 |
| Pro | 120 | 5,000 |
| Business | 300 | Unlimited |
| Enterprise | Custom | Unlimited |
Retry-After and X-RateLimit-* headers are included in every response.
Assets
Assets represent entities you want to monitor — domains, IPs, emails, URLs, hashes, ASNs, or certificates.
/api/orgs/{orgId}/assetsList all assets in the organization
/api/orgs/{orgId}/assetsCreate a new asset
/api/orgs/{orgId}/assets/{assetId}Get a single asset and its latest scan results
/api/orgs/{orgId}/assets/{assetId}Update asset label or monitoring status
/api/orgs/{orgId}/assets/{assetId}Delete an asset
/api/orgs/{orgId}/assets/{assetId}/monitor-nowTrigger an immediate check on this asset
Create asset
curl -X POST https://pro.threatgrid.tech/api/orgs/{orgId}/assets \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"type": "DOMAIN",
"value": "example.com",
"label": "Main site",
"isMonitored": true
}'Request body
typerequired | string | DOMAIN, IP, EMAIL, URL, HASH, ASN, or CERTIFICATE |
valuerequired | string | The asset value (e.g. example.com, 1.2.3.4) |
label | string | Optional human-readable label |
isMonitored | boolean | Whether to enable continuous monitoring (default: false) |
Alert Rules
Alert rules define conditions that trigger alerts when asset scan results match. Supports threshold, equality, contains, exists, and changed operators.
/api/orgs/{orgId}/alert-rulesList all alert rules
/api/orgs/{orgId}/alert-rulesCreate a new alert rule
/api/orgs/{orgId}/alert-rules/{ruleId}Update rule (name, condition, enabled, etc.)
/api/orgs/{orgId}/alert-rules/{ruleId}Delete a rule
Create a rule
curl -X POST https://pro.threatgrid.tech/api/orgs/{orgId}/alert-rules \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"name": "High abuse score",
"condition": {
"tool": "ip-reputation",
"field": "abuseipdb.abuseConfidenceScore",
"operator": "gte",
"value": 75
},
"severity": "HIGH",
"notifyEmail": true,
"notifyWebhook": false
}'Supported operators
gt / lt / gte / lteNumeric comparisons
eq / neqEquality checks
containsString contains
existsField is present and truthy
changedValue changed since last scan
Alerts
Alerts are triggered when a rule condition is met during a scheduled or manual asset scan.
/api/orgs/{orgId}/alertsList alerts (filterable by status, severity, assetId)
/api/orgs/{orgId}/alerts/{alertId}Get alert details including triggering scan data
/api/orgs/{orgId}/alerts/{alertId}Update alert status (OPEN → RESOLVED, ACKNOWLEDGED, etc.)
List open alerts
curl "https://pro.threatgrid.tech/api/orgs/{orgId}/alerts?status=OPEN&severity=HIGH" \
-H "Authorization: Bearer <token>"Alert severities
Tool Runner
The Tool Runner lets you run threat intelligence scans against any target. Results are saved as reports and can trigger alert rules.
/api/orgs/{orgId}/tools/runRun a tool against a target (async, returns reportId)
/api/orgs/{orgId}/tools/reportsList all saved reports
/api/orgs/{orgId}/tools/reports/{reportId}Get a report and its full result data
Available tools
dnsDNS lookup (A, NS, MX, CNAME, TXT)
whoisWHOIS registration data
ip-reputationAbuseIPDB + VirusTotal IP check
emailMX, SPF, DMARC, HIBP breach check
exposureOpen ports, CVEs, risk score
sslSSL/TLS certificate analysis
threat-feedOTX + GreyNoise threat feeds
Run a tool
curl -X POST https://pro.threatgrid.tech/api/orgs/{orgId}/tools/run \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"toolKey": "ip-reputation",
"target": "1.2.3.4",
"assetId": "optional-asset-id-to-link-result"
}'Webhooks
When an alert rule fires, TLINK PRO can POST a JSON payload to your configured webhook URL. Set the URL in the alert rule's webhookUrl field.
Payload shape
{
"event": "alert.fired",
"alertId": "abc123",
"ruleId": "rule456",
"ruleName": "High abuse score",
"severity": "HIGH",
"asset": {
"id": "asset789",
"type": "IP",
"value": "1.2.3.4"
},
"triggeredAt": "2025-11-14T10:30:00Z",
"message": "abuseipdb.abuseConfidenceScore ≥ 75 (actual: 92)"
}Slack example
Create a Slack Incoming Webhook and use the URL in your rule. TLINK PRO sends standard JSON — wrap it with a Slack workflow or use a bridge like Zapier if you need Slack's block format.
Webhook requests include a X-TLINK-Signature header (HMAC-SHA256 of the payload) for request verification. Support for secret-based verification is coming in a future release.
API Keys
API keys allow machine-to-machine access without user sessions. Manage them from Dashboard → API Keys.
/api/users/me/api-keysList your API keys
/api/users/me/api-keysCreate a new API key
/api/users/me/api-keys/{keyId}Revoke an API key
Create an API key
curl -X POST https://pro.threatgrid.tech/api/users/me/api-keys \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"name": "CI pipeline key"}'The full key value is only returned once at creation time. Store it securely. Subsequent requests will only show the key name and last-used timestamp.
Usage
# Use X-API-Key header (no Bearer prefix)
curl https://pro.threatgrid.tech/api/orgs/{orgId}/assets \
-H "X-API-Key: tlpro_xxxxxxxxxxxxxxxxxxxx"Org Webhooks
Org Webhooks let you register persistent outbound endpoints that receive alert events from the whole organization. Unlike per-rule webhook URLs, org webhooks have a full CRUD API, delivery history, and a test-fire button.
/api/orgs/{orgId}/webhooksList all configured webhook endpoints
/api/orgs/{orgId}/webhooksCreate a new endpoint (Admin/Owner)
/api/orgs/{orgId}/webhooks/{id}Update URL, name, or enabled state (Admin/Owner)
/api/orgs/{orgId}/webhooks/{id}Delete an endpoint (Admin/Owner)
/api/orgs/{orgId}/webhooks/{id}/testSend a test payload to the endpoint (Admin/Owner)
/api/orgs/{orgId}/webhooks/{id}/deliveriesView recent delivery log and HTTP response codes
Create a webhook
curl -X POST https://pro.threatgrid.tech/api/orgs/{orgId}/webhooks \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"name": "Slack #security-alerts",
"url": "https://hooks.slack.com/services/T.../B.../...",
"enabled": true
}'Each delivery includes an X-TLINK-Signature HMAC-SHA256 header for payload verification. See the Alert Webhooks section for the payload shape.
Threat Feed
The Threat Feed aggregates platform-wide threat intelligence: CISA Known Exploited Vulnerabilities (KEV) and custom security bulletins published by Admiresty. All authenticated users can read; creating or managing bulletins requires a platform admin account.
/api/threatsList threat bulletins — filterable by severity, tag, and search
/api/threats/cisaCISA KEV feed (cached, refreshed daily)
/api/threatsPublish a bulletin (platform admin only)
/api/threats/{id}Update a bulletin (platform admin only)
/api/threats/{id}Delete a bulletin (platform admin only)
List threats
curl "https://pro.threatgrid.tech/api/threats?severity=CRITICAL&limit=25" \
-H "Authorization: Bearer <token>"Query parameters
severity | string | CRITICAL, HIGH, MEDIUM, LOW, or INFO |
search | string | Full-text search across title and body |
tag | string | Filter by tag |
limit | number | Results per page (default 25, max 100) |
offset | number | Pagination offset |
Incidents
Incidents represent declared under-attack states. When an incident is active, a warning banner is shown across every team member's dashboard and an alert email is sent to all org admins. Only one incident can be active per organization at a time.
/api/orgs/{orgId}/incidents/activeGet the currently active incident, or null
/api/orgs/{orgId}/incidentsList all past and present incidents (newest first)
/api/orgs/{orgId}/incidents/declareDeclare an active incident (Admin/Owner)
/api/orgs/{orgId}/incidents/resolveResolve the active incident (Admin/Owner)
Declare an incident
curl -X POST https://pro.threatgrid.tech/api/orgs/{orgId}/incidents/declare \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"title": "DDoS against api.example.com",
"severity": "HIGH",
"description": "Volumetric attack began at 14:30 UTC. Mitigation in progress."
}'Resolve
curl -X DELETE https://pro.threatgrid.tech/api/orgs/{orgId}/incidents/resolve \
-H "Authorization: Bearer <token>"Vulnerabilities
Track vulnerabilities discovered across your monitored assets. Vulns can be created from scan results automatically or added manually. Each follows a status lifecycle: OPEN → IN_PROGRESS → RESOLVED.
/api/orgs/{orgId}/vulnsList vulnerabilities (filterable by status, severity, assetId)
/api/orgs/{orgId}/vulnsCreate or import a vulnerability
/api/orgs/{orgId}/vulns/{id}Update status, severity, assignee, or notes
/api/orgs/{orgId}/vulns/{id}Delete a vulnerability record
Create a vulnerability
curl -X POST https://pro.threatgrid.tech/api/orgs/{orgId}/vulns \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"assetId": "asset-id",
"title": "TLS 1.0 still accepted",
"severity": "HIGH",
"cve": "CVE-2021-3449",
"description": "Server negotiates TLS 1.0 with legacy clients"
}'Status lifecycle
Breach Scanning
Breach scanning checks whether email addresses associated with your monitored assets have appeared in known data breaches. Results are cached per address and refreshed on demand.
/api/orgs/{orgId}/breach-scanList cached breach-scan results for the organization
/api/orgs/{orgId}/breach-scanTrigger a breach scan for one or more email addresses
Trigger a scan
curl -X POST https://pro.threatgrid.tech/api/orgs/{orgId}/breach-scan \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"emails": ["user@example.com", "admin@example.com"]
}'Breach scanning requires a Pro plan or above. Free accounts receive a 403 Forbidden response.
Correlation
The correlation endpoint aggregates threat signals across your organization — open alerts, active vulnerabilities, breach hits, and CVE matches — and returns a unified risk view with an AI-generated summary. This powers the correlation panel in the dashboard.
/api/orgs/{orgId}/correlateGet correlated threat intelligence and risk summary for the org
Example
curl "https://pro.threatgrid.tech/api/orgs/{orgId}/correlate" \
-H "Authorization: Bearer <token>"{
"success": true,
"data": {
"riskScore": 74,
"summary": "3 critical CVEs detected across 2 assets. 1 monitored email address found in recent breach.",
"findings": [
{ "type": "cve", "assetId": "...", "cveId": "CVE-2024-1234", "severity": "CRITICAL" },
{ "type": "breach", "assetId": "...", "email": "admin@...", "breachCount": 2 }
]
}
}Digest
The digest is a scheduled security summary delivered by email. It aggregates alerts, scan findings, and threat intel from the past interval. You can configure delivery schedule, retrieve past digests, and trigger on-demand sends.
/api/orgs/{orgId}/digestList past digests (paginated, newest first)
/api/orgs/{orgId}/digest/{digestId}Get a specific digest with full content
/api/orgs/{orgId}/digest/sendSend a digest immediately (Admin/Owner)
/api/orgs/{orgId}/digest/configGet current schedule and recipient configuration
/api/orgs/{orgId}/digest/configUpdate schedule or recipients (Admin/Owner)
/api/orgs/{orgId}/digest/intelAdd an intelligence note to the next digest (Admin/Owner)
Update digest config
curl -X PATCH https://pro.threatgrid.tech/api/orgs/{orgId}/digest/config \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"schedule": "weekly",
"dayOfWeek": "Monday",
"hour": 8,
"recipients": ["security@example.com", "ciso@example.com"]
}'Platform Status
Returns the current health of TLINK PRO platform components. This endpoint is unauthenticated and safe to poll from external uptime monitors. The public /status page reads from this endpoint.
/api/platform-statusGet current component health — no auth required
Example response
{
"success": true,
"data": {
"status": "degraded",
"components": [
{ "name": "API", "status": "operational" },
{ "name": "Monitoring", "status": "operational" },
{ "name": "Alerts", "status": "degraded", "message": "Elevated latency" },
{ "name": "Database", "status": "operational" }
],
"updatedAt": "2026-06-13T14:00:00Z"
}
}Top-level status is operational only when all components are operational. Any degraded or outage component sets the top-level to the worst status present.