City of Hats - Exposure Intelligence Platform
πŸ“§ Intelligence API

Email Intelligence API

Credential Exposure & Identity Risk β€” Delivered in Real-Time

Built for banks, fintechs, marketplaces, telecoms & identity platforms

The Email Intelligence API helps your platform instantly determine whether an identity is at risk β€” before fraud, account takeover, or abuse occurs.

By analyzing breach exposure, reputation signals, and attacker-side telemetry, City of Hats transforms every email lookup into an actionable trust decision.

50B+ Records Monitored
<200ms API Response Time
99.9% Uptime SLA
Instead of asking:

"Has this email appeared in a breach?"

β†’
Your team finally sees:

"Is this user currently risky?"

View API Documentation Get API Key
Detection

What the API Detects

Every lookup returns risk-enriched intelligence across three key dimensions.

1

Credential Exposure Signals

  • πŸ” Appears in breach datasets
  • πŸ” Password reuse detection
  • πŸ“… Leak recency
  • πŸ“ˆ Exposure velocity
  • βœ… Source confidence
2

Identity Reputation Signals

  • 🎭 Disposable / alias / masked email
  • ⏳ Age & stability
  • ⚠️ Prior malicious activity
  • πŸ€– Bot-like registration behavior
  • 🌐 Domain trust classification
3

Threat Funnel Indicators

We classify risk based on attacker lifecycle stage:

CLEAN β†’ LEAKED β†’ REPOSTED β†’ TRADED β†’ TESTED β†’ ATTACKED

This helps teams distinguish:

πŸ”Ή Passive exposure vs πŸ”Έ Active criminal interest
Response

Risk Model Output

Each lookup returns structured intelligence so your systems can automate decisions β€” not alerts.

πŸ“Š

Identity Risk Score

0–100 scale

πŸ“

Threat Funnel Stage

Attack lifecycle position

🎯

Exposure Confidence

Signal reliability

🏷️

Risk Reason Codes

Explainable risk factors

⚑

Recommended Action

allow / step_up / block

Applications

Common Use Cases

🚫

Fraud & Trust

Stop:

  • Fake account creation
  • Refund abuse
  • ATO-based takeover
  • Bonus abuse
πŸ”

Authentication & IAM

Enable:

  • Adaptive MFA
  • Step-up verification
  • Trust-based login flows
  • Risk-aware password resets
πŸ›‘οΈ

SOC & Security Ops

Reduce noise:

  • Score identity events
  • Enrich SIEM alerts
  • Accelerate investigations
  • Prioritize response
Comparison

Why We're Different

City of Hats goes beyond simple breach lookups to deliver real-time identity risk intelligence.

πŸ”Ž

Other Tools

  • Tell you if an email appeared in a breach
  • Binary yes/no response
  • Static, historical data
  • No attacker context
  • No recommended action
VS
🧠

City of Hats

  • Tells you whether the identity is risky right now
  • Real-time risk score (0–100)
  • Attacker-side telemetry + lifecycle analysis
  • Threat funnel stage classification
  • Actionable recommendations

The difference: We don't just tell you what happened β€” we tell you what's likely to happen next.

Integration

Example Workflow

πŸ‘€
User signs up
β†’
πŸ“§
Email submitted
β†’
🧠
City of Hats
β†’
πŸ“Š
Risk Score
β†’
βš™οΈ
Policy Engine Acts

Policy Examples:

Low risk β†’ Allow
Medium risk β†’ Step-up
High risk β†’ Block / Review
Developer

API Reference

Simple REST API with JSON request/response.

POST /api/v1/intel/analyze
cURL 
curl -X POST "https://api.cityofhats.com/api/v1/intel/analyze" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "email": "user@example.com"
  }'
Response 200 OK 
{
  "email": "user@example.com",
  "risk_score": 78,
  "threat_stage": "TEST",
  "exposed": true,
  "exposure_count": 12,
  "last_seen": "2025-01-09",
  "disposable": false,
  "domain_age_days": 4521,
  "risk_reasons": [
    "recent credential exposure",
    "password reuse risk",
    "known criminal trade source"
  ],
  "recommended_action": "step_up_auth",
  "confidence": "high"
}

Response Field Reference

Field Type Description
risk_score integer 0–100 risk score (higher = more risky)
threat_stage string CLEAN | LEAKED | REPOSTED | TRADED | TESTED | ATTACKED
exposed boolean Whether email appears in breach data
exposure_count integer Number of breach sources found
last_seen string ISO 8601 date of most recent exposure
disposable boolean Whether email is from disposable provider
risk_reasons array Human-readable risk factor explanations
recommended_action string allow | step_up_auth | block | review
confidence string low | medium | high β€” signal reliability
Compatible

Integrates Anywhere

IAM
SIEM
SOAR
Fraud Platforms
Risk Engines
Onboarding Flows

πŸ” Security & Privacy

Designed for enterprise compliance environments.

  • Never sells lookup data
  • Never stores raw passwords
  • Anonymizes processing
  • Encrypts all requests (TLS 1.3)
  • Supports regional routing
  • SOC 2 Type II compliant

πŸš€ Performance

Built for high-volume, real-time decisioning.

  • ⚑ Real-time API response
  • 🌍 Globally distributed
  • πŸ“ˆ Scales to billions of lookups
  • 🟒 99.9% uptime SLA
  • ⏱️ <200ms p95 latency
  • ♾️ Unlimited lookups (Enterprise)
Resources

Documentation & Guides

πŸ“š

Email Intelligence API Docs

See request/response fields

View Documentation β†’
πŸš€

Quickstart Guide

Start calling the API in minutes

Get Started β†’
🧠

Risk Scoring Model

Learn how the score works

Learn More β†’
πŸ’»

SDKs & Libraries

Python, Node.js, Go, and more

View SDKs β†’

The Email Intelligence API is designed for platforms that need
risk β€” not breach trivia.

Because knowing a password leaked isn't enough.
You need to know what it means.

Start Using Email Intelligence API

Transform email lookups into actionable risk decisions. Free tier available β€” no credit card required.

Get API Key β€” Free View Full API Docs
REST API JSON Response 99.9% Uptime Enterprise SLA