Skip to main content
shadom.co

shadom.co Domain API

A REST API for domain lookups and monitoring: WHOIS/RDAP lookup, a monitored domains list, and alerts, all authenticated with a single API key.

Authentication

Every endpoint accepts an API key. Generate one from the API Key page in your dashboard, then send it as a bearer token:

Authorization: Bearer sk_your_key_here

API key auth does not require CSRF tokens. Browser sessions can also call the API with a cookie, but mutating requests (POST, DELETE) then require an X-CSRF-Token header. API key management (generating or revoking a key) is cookie-auth only, so you cannot rotate a key using itself.

Endpoints

GET/api/domains/lookup?domain=example.com

WHOIS/RDAP lookup for any domain. Does not require monitoring.

Rate limit: 20 requests/minute per user

GET/api/domains

List all domains you are monitoring.

Rate limit: none

POST/api/domains

Add a domain to monitoring.

Rate limit: 10 additions/hour per user

GET/api/domains/:id

Detailed info for a monitored domain: latest snapshot and event history.

Rate limit: none

POST/api/domains/:id

Trigger a manual WHOIS/RDAP check for a monitored domain.

Rate limit: 30 checks/hour per user

DELETE/api/domains/:id

Remove a domain from monitoring (deletes its snapshots, events, and alerts).

Rate limit: none

GET/api/alerts

List alerts for your account. Filter by type or unread status.

Rate limit: none

POST/api/alerts/mark-all-read

Mark all alerts as read.

Rate limit: none

Example: cURL

# WHOIS/RDAP lookup
curl -H "Authorization: Bearer sk_your_key_here" \
  "https://shadom.co/api/domains/lookup?domain=example.com"

# List monitored domains
curl -H "Authorization: Bearer sk_your_key_here" \
  https://shadom.co/api/domains

# Add a domain to monitoring
curl -X POST -H "Authorization: Bearer sk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"domain":"example.com"}' \
  https://shadom.co/api/domains

Errors

Errors follow a consistent shape: { "error": "..." }. A 429 response includes a Retry-After header telling you how long to wait before the rate limit resets.

More ways to integrate

Building an AI agent instead of a script? The shadom.co MCP server exposes the same domain data as tools for Claude and other MCP clients. For the full endpoint reference with request/response examples, see the in-app API documentation.

Read the full API docs

Frequently asked questions

Is there a free API?

Yes. The shadom.co API is available on the free plan, the same plan that covers up to 100 monitored domains. There is no separate paid API tier and no credit card required to generate a key.

How do I get an API key?

Log in to your dashboard, open the API Key page, and generate one. The raw key is shown once, so store it securely. You can regenerate or revoke it at any time from the same page.

What are the rate limits?

The domain lookup endpoint (GET /api/domains/lookup) allows 20 requests per minute per user. Adding domains to monitoring is limited to 10 additions per hour, and manual re-checks of a monitored domain to 30 checks per hour. Responses that exceed a limit return 429 with a Retry-After header.

Does the API support WHOIS and RDAP lookups?

Yes. GET /api/domains/lookup queries live RDAP with WHOIS fallback for any domain, registered or not, and does not require the domain to be monitored first.