crt.sh + certspotter + hackertarget + rapiddns + VirusTotal queried in parallel, plus an always-on DNS bruteforce as the structural floor and background enrichment aggregating 25+ passive sources for comprehensive coverage. Returns real subdomain data even when individual upstreams are rate-limited. Deduplicated, sorted, free tier.
Type any domain to see the live Subdomain list response from the API. Free, no signup — rate-limited to 5 lookups/day per browser.
// Click "Run lookup" to see the live API response for this endpoint
CT log aggregators rate-limit and time out constantly. Single-source subdomain tools fail silently when upstream is broken. This API queries 5 sources in parallel with always-on DNS bruteforce as the structural floor, so you always get usable results.
sources_used field shows which sources contributed and any rate-limit / timeout warnings./domain/{d}/subdomains, or grab subdomains + DNS + WHOIS + SSL + email security in a single /lookup/{d} call. Same API key, same pricing.Below: a real response for cloudflare.com. The sources_used array tells you what each source contributed (or why it failed) so you can audit data quality.
{
"domain": "cloudflare.com",
"count": 204,
"returned": 204,
"sources_used": [
"crt.sh ok +156", // CT logs — the richest source
"certspotter ok +49",
"hackertarget rate-limited", // still full coverage without it
"rapiddns ok +57",
"virustotal ok +40",
"dns-brute ok +38 (wordlist 773)" // always runs — the structural floor
],
"warnings": [], // coverage-aware: only populated if count <20
"subdomains": [
"api.cloudflare.com",
"blog.cloudflare.com",
"developers.cloudflare.com",
"workers.cloudflare.com",
// ... 200 more, deduplicated and sorted
]
}
Authenticate with your RapidAPI key, then call GET /domain/{domain}/subdomains. Returns within 5-15 seconds typically (multiple upstreams need time to complete).
curl "https://domain-intelligence-api.p.rapidapi.com/domain/cloudflare.com/subdomains" \ -H "X-RapidAPI-Host: domain-intelligence-api.p.rapidapi.com" \ -H "X-RapidAPI-Key: YOUR_RAPIDAPI_KEY"
import requests
domain = "cloudflare.com"
url = f"https://domain-intelligence-api.p.rapidapi.com/domain/{domain}/subdomains"
headers = {
"X-RapidAPI-Host": "domain-intelligence-api.p.rapidapi.com",
"X-RapidAPI-Key": "YOUR_RAPIDAPI_KEY",
}
r = requests.get(url, headers=headers, timeout=30)
data = r.json()
print(f"Found {data['count']} subdomains")
for sub in data["subdomains"][:10]:
print(f" - {sub}")// Node 18+ has built-in fetch - no import needed
const domain = "cloudflare.com";
const res = await fetch(
`https://domain-intelligence-api.p.rapidapi.com/domain/${domain}/subdomains`,
{ headers: {
"X-RapidAPI-Host": "domain-intelligence-api.p.rapidapi.com",
"X-RapidAPI-Key": "YOUR_RAPIDAPI_KEY",
}}
);
const data = await res.json();
console.log(`Found ${data.count} subdomains`);
console.log(data.subdomains.slice(0, 10));<?php
$domain = "cloudflare.com";
$ch = curl_init("https://domain-intelligence-api.p.rapidapi.com/domain/$domain/subdomains");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
"X-RapidAPI-Host: domain-intelligence-api.p.rapidapi.com",
"X-RapidAPI-Key: YOUR_RAPIDAPI_KEY",
]);
$data = json_decode(curl_exec($ch), true);
curl_close($ch);
echo "Found " . $data["count"] . " subdomains";Security teams, bug bounty hunters, IT operations, and infrastructure auditors are the primary users.
One subscription covers WHOIS, DNS, SSL, subdomains, email security, and the bundled /lookup. Billed monthly via RapidAPI. Cancel anytime.
Quick answers to common developer questions about the subdomain enumeration API.
sources_used array showing which sources contributed and which failed.app/subdomains.py in the open-source repo (MIT-licensed on GitHub).Free tier · No credit card · All endpoints included
Get your API key →