API Documentation
HYPERION OSINT PLATFORM — REST API v1
Overview
The Hyperion API provides programmatic access to a continuously updated index of internet hosts, open ports, service banners, TLS certificates, web intelligence, and identity data. All endpoints are read-only.
Base URL: https://api.hyperionosint.com
All responses are JSON. All requests must use HTTPS. The API only accepts GET requests.
Authentication
The Hyperion website is fully public — no key needed to search or browse.

If you want programmatic access in your own application, you need an API key. Sign in with GitHub at hyperionosint.com/account — a key is generated automatically and shown in your dashboard.
Request Header (external / programmatic use)
X-Hyperion-Key: hk_your_key_here
Example — curl
curl https://api.hyperionosint.com/api/stats \ -H "X-Hyperion-Key: hk_your_key_here"
Example — JavaScript
const res = await fetch('https://api.hyperionosint.com/api/search?q=port:22', { headers: { 'X-Hyperion-Key': 'hk_your_key_here' } }); const data = await res.json();
Keep your API key private. Regenerate it any time from your account dashboard.
Rate Limits
Two rolling window rate limits are enforced. Exceeding either returns a 429 response with no body. The window resets automatically — wait and retry.
LimitWindowScopeResponse on exceed
60 requests60 secondsPer API keyHTTP 429
120 requests60 secondsPer IP addressHTTP 429
GET /api/stats
GET
/api/stats
Returns platform-wide counters updated continuously by the scanner.
Response
{ "ips": 4820000000, "ports": 1240000000, "people": 2841000, "vehicles": 980000, "updated_at": "2025-03-13T12:00:00Z" }
GET /api/worldview
GET
/api/worldview
Returns pre-aggregated geo-bucketed data for map visualisation layers.
ParameterTypeDefaultDescription
typesstringipheat,identity,
breach,scannode,
camera,tor		Comma-separated layer types. Valid: ipheat identity breach scannode camera tor cable isp
Response
{ "buckets": [ { "type": "ipheat", "lat": 51.5, "lon": -0.1, "value": 4200, "label": "London" } ] }
GET /api/worldview/heatmap
GET
/api/worldview/heatmap
Computes a live IP density heatmap from the hosts collection. Heavy query on large datasets — cache results where possible.
ParameterTypeDefaultDescription
resolutionfloat2.0Grid cell size in degrees (0.5–10.0). 2.0 ≈ 200km cells.
Response
{ "buckets": [ { "lat": 50.0, "lon": -0.0, "value": 8420 } ], "resolution": 5.0 }
GET /api/worldview/live
GET
/api/worldview/live
Returns recently enriched hosts with geo coordinates. Poll every few seconds to flash live scan activity on the map. Use the since parameter to fetch only new enrichments since your last poll.
ParameterTypeDefaultDescription
limitinteger200Number of hosts to return (1–500).
sincestringISO 8601 datetime. Only return hosts enriched after this timestamp.
Response
{ "hosts": [ { "lat": 51.5, "lon": -0.1, "enriched_at": "2025-03-13T12:00:01.000Z" } ] }
GET /api/worldview/stats
GET
/api/worldview/stats
Returns aggregated counts per worldview layer type.
Response
{ "ipheat": 4820000, "identity": 284100, "breach": 19200, "camera": 8840, "tor": 3210 }
Query Prefixes
Prefix your query with a field name followed by a colon to search a specific field. The API auto-detects bare IPs, emails, domains, CVEs, and ASNs without a prefix.
port:port:22 / port:80,443
cve:cve:CVE-2021-44228
asn:asn:AS15169
org:org:Amazon
isp:isp:Cloudflare
tag:tag:redis-noauth
country:country:US / country:Germany
city:city:Berlin
cms:cms:WordPress
tech:tech:Nginx
title:title:Dashboard
hostname:hostname:example.com
keyword:keyword:admin
tls:tls:TLSv1.1
ssh:ssh:OpenSSH / ssh:Dropbear
version:version:7.4
hash:hash:<favicon_hash>
body:body:<md5_fingerprint>
phone:phone:+1234567890
username:username:johndoe
name:name:John Smith / name:
Auto-detected without prefix: IP addresses, email addresses, domain names, CVE IDs, and ASNs.
name: with no value returns a browse index of all identities. name:John Smith returns a full profile with linked IPs, accounts, and breach records.
Filters
Filters are applied as additional constraints on top of the main query and can be combined freely.
Examples
# WordPress in the US with vulns, port 443 open GET /api/search?q=cms:WordPress&country=US&has_vulns=true&port=443 # Redis in Google's ASN, sorted by most ports GET /api/search?q=port:6379&org=Google&sort=port_count # Hosts with port 8443 AND SSH open GET /api/search?q=port:8443&has_ssh=true
Sorting
ValueDescription
last_seenMost recently scanned first (default)
first_seenOldest indexed hosts first
countryAlphabetical by country name
orgAlphabetical by organisation
ipNumerical by IP address
port_countHosts with most open ports first
Combine with order=asc or order=desc (default: desc).
Host Result
IP lookups return cards covering network intelligence, open ports, service banners, web intelligence, TLS details, vulnerabilities, and tags.
Key fields
{ "ip": "1.2.3.4", "hostname": "mail.example.com", "asn": "AS15169", "org": "Google LLC", "country_name": "United States", "ports": [22, 80, 443], "vulns": ["CVE-2021-44228"], "tags": ["self-signed-cert"], "http": { "title": "Example Corp", "cms": "WordPress 6.2" }, "ssl": { "subject": "example.com", "tls_version": "TLSv1.3", "valid": true }, "last_seen": "2025-03-10T14:22:00Z" }
Identity Result
Email, phone, username, and name lookups cross-reference the identity collection against the host index. Results include breach records, linked accounts, associated IPs, and sites exposing the identifier.
Key fields
{ "name": "John Doe", "emails": ["john@example.com"], "usernames": ["jdoe92"], "ips": ["1.2.3.4"], "breaches": [{ "source": "LinkedIn", "year": 2021 }], "accounts": [{ "platform": "github", "handle": "jdoe92" }] }
Errors
StatusMeaning
400Bad request — invalid query format or parameter value
403Forbidden — missing or invalid API key
429Rate limit exceeded — wait and retry
500Internal server error
403 and 429 responses return no body. 400 responses include a detail field.