Overview
The external developer API is intentionally separate from the paid-user account API. It gives approved developers API-key protected access to domain authenticity verdicts and security score advisory statements.
External developer keys do not work on the paid-user /api/v1 account API and do not return tracked-domain history, signed-in reports, scan ownership IDs or paid evidence packs.
Authentication
Create a "Developer API - authenticity and score advisory" key from the MyDomainRisk account area, then send it as a Bearer token.
Authorization: Bearer mdr_live_<id>_<secret>

Use developer keys only from server-side code. Do not put them in browser JavaScript, mobile apps, public repositories or client-side logs.
Security score advisory
GET https://api.mydomainrisk.com/api/developer/v1/peek/security?domain=example.com
Authorization: Bearer mdr_live_<id>_<secret>

The response returns the developer security score advisory: score, grade, score summary, findings, cache metadata and runtime fields.
Authenticity verdict
GET https://api.mydomainrisk.com/api/developer/v1/peek/authenticity?domain=example.com
Authorization: Bearer mdr_live_<id>_<secret>

You can include optional brand context when the expected organisation name is known:
GET https://api.mydomainrisk.com/api/developer/v1/peek/authenticity?domain=example.com&expected_brand=Example%20Ltd
Authorization: Bearer mdr_live_<id>_<secret>

The response returns the developer authenticity verdict: verdict, findings, factual context, cache metadata and runtime fields.
Fields
| Field | Description |
|---|---|
| security score | The same score and grade shown by the developer security score advisory. |
| authenticity verdict | The same verdict bucket shown by the developer authenticity verdict. |
| findings | Current public Peek findings only, not signed-in report evidence. |
| factual | Public factual context returned by the authenticity Peek when available. |
| cache fields | Cache metadata, runtime and cache-hit fields used to explain freshness. |
Limits and errors
Developer API requests are governed by API-key rate limits and the same platform abuse/spend guards that protect the free Peek tier.
| Status | Meaning |
|---|---|
| 400/422 | Invalid request body, query string or malformed domain. |
| 401 | Missing, malformed, unknown or revoked API key. |
| 403 | Wrong key type, or account not eligible for API access. |
| 429 | Rate limit or platform guard reached. |
| 503 | Temporary queue, cache or quota-store issue. Retry later. |
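A server-side caller for the two endpoints and the status table above, as an added example (not MyDomainRisk's own code). The environment variable name `MDR_DEVELOPER_KEY`, the `mdr_live_` prefix check and the backoff schedule, including retrying on 429, are assumptions; the page itself only says to retry later on 503.

```python
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://api.mydomainrisk.com/api/developer/v1/peek"  # from the docs above
RETRYABLE = {429, 503}  # rate limit / temporary issue; everything else needs a fix


def build_request(kind, domain, api_key, expected_brand=None):
    """Build the GET request for kind 'security' or 'authenticity'."""
    if kind not in ("security", "authenticity"):
        raise ValueError("kind must be 'security' or 'authenticity'")
    if not api_key.startswith("mdr_live_"):  # assumed sanity check on the key format
        raise ValueError("expected a key of the form mdr_live_<id>_<secret>")
    params = {"domain": domain}
    if expected_brand is not None:
        params["expected_brand"] = expected_brand
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return urllib.request.Request(
        f"{BASE}/{kind}?{query}",
        headers={"Authorization": f"Bearer {api_key}"},
    )


def action_for(status):
    """Map a status code from the table above to 'ok', 'retry' or 'fail'."""
    if 200 <= status < 300:
        return "ok"
    return "retry" if status in RETRYABLE else "fail"


def peek(kind, domain, expected_brand=None, attempts=4,
         opener=urllib.request.urlopen, sleep=time.sleep):
    """Call the API; the key is read from the environment, never from source."""
    req = build_request(kind, domain, os.environ["MDR_DEVELOPER_KEY"], expected_brand)
    for attempt in range(attempts):
        try:
            with opener(req, timeout=10) as resp:
                return json.loads(resp.read())
        except urllib.error.HTTPError as err:
            if action_for(err.code) != "retry" or attempt == attempts - 1:
                # Report the status only; the Authorization header is never logged.
                raise RuntimeError(f"peek {kind} failed: HTTP {err.code}") from None
            sleep(2 ** attempt)  # assumed backoff: 1s, 2s, 4s
```

The parsed JSON is returned as-is because the page lists the response fields by description only, not by key name.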
Acceptable use
The API is for legitimate business, security, fraud-prevention, customer-protection and compliance workflows. MyDomainRisk performs non-intrusive external analysis only.
Allowed
- Onboarding and signup checks.
- Customer, partner and domain review.
- Internal fraud, risk and security workflows.
Not allowed
- Exploitation, attack simulation or credential testing.
- Bypassing quotas, cooldowns or access controls.
- Using paid-user account keys as external developer keys.
Privacy and data handling
The developer API receives the domain and request metadata needed to provide the service, authenticate the caller, enforce limits and protect the platform. MyDomainRisk does not sell API submission data.
Developer API results may be cached and counted in aggregate telemetry according to the same public Peek operating model and the MyDomainRisk privacy policy. For privacy questions, contact support@mydomainrisk.com.
Changelog
2026-06-25
Public developer docs updated for the separate external developer API: restricted developer keys, authenticity verdicts, and security score advisory statements.