Subdomain Finder API - Discover Active, Inactive & Historical Subdomains
Every domain accumulates subdomains nobody is tracking - a staging box from a project that shipped two years ago, a vendor endpoint spun up and forgotten, a dev host that still resolves. Each one is an entry point, and the ones you've lost track of are the ones that get taken over. The Subdomain Finder API surfaces them all: query a domain and it returns every subdomain on record - active, inactive, and historical - with the dates each was first and last seen. Results are paginated, filterable by state and date range, and delivered as JSON or XML. It's built for security engineers mapping an attack surface, penetration testers who need a full subdomain lookup during reconnaissance, and infrastructure teams tracking asset sprawl. Start with 10,000 free credits, no credit card required.
Features
Complete subdomain inventory with lifecycle dates
Every request returns a subdomains array where each entry carries the hostname plus first_seen and last_seen dates, so you get both the asset and its timeline in one response. The top-level total_records field reports the full count for the domain before pagination, and total_pages tells you how many 100-record pages exist. Unlike a find-subdomains API that hands back a flat, context-free list, this returns a complete, timestamped inventory of a domain's exposed hostnames - the asset and the history behind it.
Active and inactive state tracking
When a subdomain stops resolving, the API records an inactive_from date on that entry; active subdomains omit the field. This lets you separate live infrastructure from decommissioned or dangling assets without a second lookup.
Use it to surface forgotten endpoints that still resolve in historical data but no longer serve traffic - the kind of stale asset that leads to subdomain takeover.
Status filtering
The status parameter accepts active or inactive, returning only subdomains in that state. Combine it with pagination to walk large result sets one slice at a time.
Use it to pull a clean list of currently live subdomains for a monitoring dashboard, or to isolate every inactive host for a cleanup and retirement pass.
Date-range filtering
The before and after parameters bound results to subdomains recorded within a specific window, matched against the discovery timeline. Pass both to target an exact range, or one to set a single boundary.
Use it to diff a domain's subdomain footprint over time - for example, retrieving only assets first observed after a given date to catch newly exposed infrastructure since your last scan.
Pagination for large footprints
Results are paginated at 100 subdomains per page, controlled by the page parameter, with current_page, total_pages, and total_records in every response so you always know your position in the set. Large domains can carry tens of thousands of subdomains; pagination keeps each response fast and predictable.
Use it to stream a full subdomain set into your own store without timeouts or truncated payloads.
JSON and XML output
The format parameter returns results as JSON (default) or XML, so the response drops directly into whatever your pipeline already parses. Every field - subdomain, first_seen, last_seen, inactive_from - is present in both formats.
Use it to feed subdomain data straight into SIEM ingestion, an asset-inventory database, or a security dashboard without a transformation layer.
Built for These Use Cases
Attack surface mapping
Pull the full list of a domain's subdomains - active and long-dormant - to inventory every hostname an attacker could probe. The lifecycle dates let you prioritise recently exposed assets and flag forgotten ones that still resolve, the classic entry points for takeover.Continuous exposure monitoring
Wire the endpoint in as a subdomain monitoring API: re-query a domain on a schedule and compare each run against the last, using the date filters to isolate subdomains that appeared since your previous check. New, unannounced subdomains often signal shadow IT, a misconfigured deploy, or an unauthorised asset.Penetration testing reconnaissance
During the information-gathering phase of an engagement, use it as a subdomain enumeration API to retrieve a target's complete footprint in one pass, instead of stitching together manual lookups. Pair it with the Reverse DNS Lookup API to resolve which hosts sit on which IP ranges.Domain intelligence and cleanup
Audit an organisation's or a competitor's subdomain sprawl to find legacy endpoints, retired services, and dangling records. Feed the results alongside a Domain WHOIS Lookup to tie infrastructure back to ownership and registration history.API Endpoint
$ pip install requestsimport requests
url = "https://api.apifreaks.com/v1.0/subdomains/lookup?domain=google.com"
payload = {}
headers = {
'X-apiKey': 'API-KEY'
}
response = requests.request("GET", url, headers=headers, data=payload)
print(response.text)
How-To-Guides
Find all subdomains of a domain
Start here: give the API a domain and it returns the first page of its subdomain inventory. Read total_records to see the full footprint at a glance and total_pagesto know how many calls it takes to pull everything. This one call is enough to answer "what's actually exposed under this domain?" before you decide where to dig.
# Response { "domain": "google.com", "status": true, "query_time": "2026-06-17T11:33:37.892722269", "current_page": 1, "total_pages": 3, "total_records": 299, "subdomains": [ { "subdomain": "c.drive.google.com", "first_seen": "2025-12-09", "last_seen": "2026-02-26" } ] }curl -X GET "https://api.apifreaks.com/v1.0/subdomains/lookup?domain=google.com&apiKey=API-KEY"
Filter to active or inactive subdomains
A dangling subdomain - one that still appears in records but no longer resolves - is prime takeover territory. Set status=inactive to pull exactly those hosts, each stamped with the inactive_from date marking when it went dark, so you can build a takedown or cleanup list. Flip to status=activewhen you only want what's live today.
# Response { "domain": "google.com", "status": true, "current_page": 1, "total_pages": 1, "total_records": 2, "subdomains": [ { "subdomain": "rr4---sn-p5qs7nsr.c.drive.google.com", "first_seen": "2025-02-16", "last_seen": "2025-09-26", "inactive_from": "2025-09-26" } ] }curl -X GET "https://api.apifreaks.com/v1.0/subdomains/lookup?domain=google.com&status=inactive&apiKey=API-KEY"
Narrow results by date range
To catch what's new rather than re-reading the whole footprint, bound the query with after and before (YYYY-MM-DD). Setting after to the date of your last scan returns only subdomains recorded since - the shadow IT and unannounced deploys worth reviewing. Combine it with status=active to focus on new, live assets only.
curl -X GET "https://api.apifreaks.com/v1.0/subdomains/lookup?domain=google.com&after=2026-01-01&before=2026-06-01&status=active&apiKey=API-KEY"
Page through a large footprint
A big domain can carry tens of thousands of subdomains, delivered 100 per page. Take total_pages from your first response, then loop the page parameter from 1 to that number to pull the complete set into your own store - no timeouts, no truncated payloads. Track current_page in each response so an interrupted run can resume where it stopped.
curl -X GET "https://api.apifreaks.com/v1.0/subdomains/lookup?domain=google.com&page=2&apiKey=API-KEY"
Frequently Asked Questions
Pricing
To use the Subdomain Lookup API, you will need API credits. We only charge for successful queries, defined by a 2xx status code. If your request results in a 4xx or 5xx status code, no credits will be charged, and any deducted credits will be returned.
For each successful request, 35 credits are charged.
Utilize the Credits Usage API to efficiently monitor your recent consumption of both one-off and subscription credits. This API provides a streamlined way to track and manage your credit usage, ensuring you stay informed about your remaining balance and can optimize your resource allocation effectively.