Skip to main content
GET
/
v1
/
indicators
/
{id}
Get Indicator
curl --request GET \
  --url https://api.example.com/v1/indicators/{id} \
  --header 'Authorization: <api-key>'
import requests

url = "https://api.example.com/v1/indicators/{id}"

headers = {"Authorization": "<api-key>"}

response = requests.get(url, headers=headers)

print(response.text)
const options = {method: 'GET', headers: {Authorization: '<api-key>'}};

fetch('https://api.example.com/v1/indicators/{id}', options)
.then(res => res.json())
.then(res => console.log(res))
.catch(err => console.error(err));
<?php

$curl = curl_init();

curl_setopt_array($curl, [
CURLOPT_URL => "https://api.example.com/v1/indicators/{id}",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "GET",
CURLOPT_HTTPHEADER => [
"Authorization: <api-key>"
],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
package main

import (
"fmt"
"net/http"
"io"
)

func main() {

url := "https://api.example.com/v1/indicators/{id}"

req, _ := http.NewRequest("GET", url, nil)

req.Header.Add("Authorization", "<api-key>")

res, _ := http.DefaultClient.Do(req)

defer res.Body.Close()
body, _ := io.ReadAll(res.Body)

fmt.Println(string(body))

}
HttpResponse<String> response = Unirest.get("https://api.example.com/v1/indicators/{id}")
.header("Authorization", "<api-key>")
.asString();
require 'uri'
require 'net/http'

url = URI("https://api.example.com/v1/indicators/{id}")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Get.new(url)
request["Authorization"] = '<api-key>'

response = http.request(request)
puts response.read_body
{
  "indicator": {
    "id": "<string>",
    "type": "INDICATOR_TYPE_UNSPECIFIED",
    "value": "<string>",
    "categories": [
      "THREAT_CATEGORY_UNSPECIFIED"
    ],
    "severity": "SEVERITY_UNSPECIFIED",
    "confidenceScore": 123,
    "tlp": "TLP_MARKING_UNSPECIFIED",
    "state": "INDICATOR_STATE_UNSPECIFIED",
    "firstSeen": "2023-11-07T05:31:56Z",
    "lastSeen": "2023-11-07T05:31:56Z",
    "validUntil": "2023-11-07T05:31:56Z",
    "sources": [
      {
        "id": "<string>",
        "name": "<string>",
        "reliability": 123,
        "reportedAt": "2023-11-07T05:31:56Z"
      }
    ],
    "sightings": [
      {
        "sourceId": "<string>",
        "observedAt": "2023-11-07T05:31:56Z",
        "count": "<string>"
      }
    ],
    "enrichment": {
      "geo": {
        "countryCode": "<string>",
        "city": "<string>",
        "latitude": 123,
        "longitude": 123
      },
      "asn": {
        "number": 123,
        "organization": "<string>"
      },
      "reverseDns": "<string>",
      "malwareFamilies": [
        "<string>"
      ],
      "attackTechniques": [
        "<string>"
      ],
      "aiSummary": "<string>",
      "riskScore": 123,
      "enrichedAt": "2023-11-07T05:31:56Z"
    },
    "tags": [
      "<string>"
    ],
    "labels": [
      {
        "key": "<string>",
        "value": "<string>"
      }
    ],
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "protocol": "PROTOCOL_UNSPECIFIED",
    "sensorType": "SENSOR_TYPE_UNSPECIFIED"
  }
}
{
"code": 123,
"message": "<string>",
"details": [
{
"@type": "<string>"
}
]
}
Fetch one indicator by its deterministic ID (derived from sensor event fingerprint).

Indicator states

Only indicators in ENRICHED or VERIFIED state are returned via the public API. Raw pipeline events are not exposed.

Example

curl -s https://api.reyhford.com/v1/indicators/{id} \
  -H "Authorization: Bearer $REYHFORD_API_KEY"

Response fields

Includes protocol, source IP, destination port, MITRE technique/tactic, confidence score, sensor metadata, and optional IP reputation JSON.

Authentication

Requires WorkOS JWT or API key with indicators:read scope.

Authorizations

Authorization
string
header
required

WorkOS JWT or machine API key: Bearer

Path Parameters

id
string
required

Response

A successful response.

indicator
object

A threat indicator (IOC) — the core entity of the platform.