Skip to content
ZygenTrust
Status · checking
Documentation

Domain trust API reference.

Use ZygenTrust to score business websites, review domain risk signals, and automate async checks with webhooks, watchlist monitoring, and plan-aware workflows.

Quickstart

Sign up at /app/signup, create a test API key from the dashboard, then call the analyze endpoint. The current beta base URL is https://zygentrust-api.salarylab.workers.dev and all endpoints live under /v1. Free accounts use self-serve zt_test_ keys. Paid live access is issued to approved beta customers.

request
cURL
curl "https://zygentrust-api.salarylab.workers.dev/v1/analyze?domain=example.com" \
  -H "Authorization: Bearer zt_test_..."
JavaScript (fetch)
const response = await fetch(
  "https://zygentrust-api.salarylab.workers.dev/v1/analyze?domain=example.com",
  { headers: { "Authorization": "Bearer zt_test_..." } }
);
const data = await response.json();
console.log(data.trust_score);
Python
import requests

response = requests.get(
    "https://zygentrust-api.salarylab.workers.dev/v1/analyze?domain=example.com",
    headers={"Authorization": "Bearer zt_test_..."}
)
data = response.json()
print(data["trust_score"])

Authentication

Pass your API key with the Authorization header or the x-api-key header. Self-serve keys start with zt_test_ and live on the Free plan; zt_live_ keys are issued manually for approved paid beta plans.

  • Free test keys: 50 checks per month, no card required.
  • Cached responses count against your monthly quota.
  • /v1/keys uses your dashboard session, not a ZygenTrust API key.
  • Protected environments set ALLOW_PUBLIC_ANALYZE=false; an API key is required.

GET /v1/analyze

Returns trust score, risk level, recommended action, confidence, structured signals, and explainable insights for a domain.

Param Required Description
domain yes Any business domain. URLs and www. are normalized server-side.
ttl no Growth and Pro only. Growth allows 1..72 hours. Pro allows 1..168.
refresh no Growth and Pro only. Forces a fresh analysis instead of using cache.
profile no Use-case weighting preset such as onboarding or fraud_triage.

Async workflows

For single domains, call GET /v1/analyze. For larger workloads, use async jobs so the client can poll status cleanly and download final results without holding one long request open.

Endpoint Plan Use
POST /v1/jobs Growth / Pro Create an async multi-domain analysis job.
GET /v1/jobs/:job_id Growth / Pro Poll progress and job status.
GET /v1/jobs/:job_id/results Growth / Pro Fetch final JSON or CSV results.
POST /v1/webhooks Growth / Pro Register signed event delivery for completed analyses.
/v1/watchlist/* Growth / Pro Track trust-score changes and run manual rechecks.
GET /v1/audit-log Pro Read API-key-scoped audit rows for sensitive actions.

Plan gates

The API enforces plan boundaries server-side. Public docs and dashboard copy are aligned to these current gates.

  • Free: analyze only, fixed 24h cache, 50 checks/month.
  • Starter: paid analyze, fixed 24h cache, 2,500 checks/month.
  • Growth: custom TTL 1..72h, jobs, webhooks, watchlist.
  • Pro: custom TTL 1..168h, jobs, webhooks, watchlist, audit log.
  • Paid plans are currently issued as a private paid beta with manual approval.

Response example

response
application/json
{
  "domain": "example.com",
  "normalized_domain": "example.com",
  "trust_score": 82,
  "risk_level": "low",
  "recommended_action": "approve",
  "confidence": 0.78,
  "summary": "Strong technical and business trust signals.",
  "business_posture": "strong",
  "known_threat_status": "no_known_hit",
  "threat_sources_checked": ["urlhaus", "spamhaus_dbl"],
  "identity_verification": "not_performed",
  "evidence_coverage": "high",
  "evidence_freshness": "live",
  "confidence_reasons": [
    "Website reachable",
    "Legal pages present",
    "No known threat hit from checked sources",
    "Identity verification not performed"
  ],
  "signals": { "technical": { "...": "..." } },
  "insights": [
    {
      "severity": "positive",
      "category": "technical_trust",
      "title": "Strong technical trust signals",
      "evidence": ["dns_resolves", "uses_https", "has_mx_records"],
      "impact": "Improves trust score and supports lower-friction review."
    }
  ],
  "next_steps": ["Allow lower-friction review for low-risk workflows."],
  "metadata": {
    "checked_at": "2026-05-18T10:00:00.000Z",
    "cache": { "hit": false, "ttl_seconds": 86400 },
    "version": "0.4.0"
  }
}

`no_known_hit` means no checked source returned a known threat signal. It does not mean the domain is proven safe, and ZygenTrust reports `identity_verification` separately.

Error format

error envelope
{
  "error": {
    "code": "INVALID_DOMAIN",
    "message": "The domain parameter is invalid.",
    "details": {}
  }
}

Common codes: INVALID_DOMAIN, INVALID_REQUEST, UNAUTHORIZED, INVALID_API_KEY, QUOTA_EXCEEDED, RATE_LIMITED, TURNSTILE_FAILED, ANALYSIS_FAILED, INTERNAL_ERROR.

OpenAPI

The live OpenAPI document is served as JSON. Pipe it into any compatible client generator, or open it in your browser. For the full written contract, use docs/API_DESIGN.md in the repo.