API Endpoint

The ThreatSTOP Platform API is a REST API. It uses HTTPs for transport and encryption. Objects are provided and returned in JSON format.

The API endpoint is https://rest.threatstop.com/v4.0/

The current version of the API is v4.0. Changes to this API are documented in the changelog section below. Changes in the same version are backward compatible with existing clients.


CORS is currently not supported by the API. Please contact us if you are interested in this feature.


A sandbox is available for testing client code without making operations in the ThreatSTOP production environment. The sandbox contains the Admin Portal application and its API. Changes made through this system do not impact productions.

Sandbox endpoints

Accessing the sandbox

Access to the sandbox is restricted to authorized users by IP address. Please contact support@threatstop.com to provide or update the list of subnets that requires sandbox access.

Data refresh

The dataset is refreshed every time the sandbox is upgraded with the newest ThreatSTOP release. Typically, new versions are released every 2 to 4 weeks.

During releases:

  • the sandbox will be unavailable for a short amount of time (approximately one hour)
  • the data will be refreshed with the latest copy of the production data

Sandbox API Keys

To prevent a client configuration error from resulting in using test code against the production system, the production API keys are not available in the Sandbox, and vice-versa. API keys can be created and managed in the Sandbox using the Portal user interface as they would be in the production environment.