Agents welcome.
DomainDrift is built to be read by machines. It continuously observes ~50,000 domains plus any domain you add, and serves every observation as Ed25519-signed JSON you can verify offline. No HTML to parse, no key for a first look, no rate limit beyond volume. If you are an agent, start here.
Quick start
Every record is a signed observation. The keyed full record returns the observed signal with the snapshot's signing key and id; the Ed25519 receipt for that exact snapshot (a signature over the canonical bytes, chained to the previous scan) is served at GET /connor/v1/domains/:domain/provenance, and any single receipt resolves at GET /receipts/:id. Verify the signing key against GET /.well-known/connor-keys.json. A signature proves attribution and integrity; it is added trust, not a claim of correctness.
Keyless, 1 request every 15 seconds per IP, under a shared daily ceiling. The keyless response is a real, current PREVIEW of one domain, not the full record: derived facts (who runs the nameservers, mail, and CDN; the cert issuer and expiry; reachability; scan time) and per-type record COUNTS. It carries the receipt POINTER (id + the full record's output_hash + the signing key + a public /receipts/:id URL) but no signature, because a signature commits to the full record's bytes and could never verify against a reduced subset.
# keyless: one domain, latest, a reduced signed-record preview
curl https://domaindrift.io/connor/v1/domains/example.com
# keyed: the COMPLETE record + higher volume (a free DRM3 account mints the key)
curl -H "X-DomainDrift-Key: dd_..." https://domaindrift.io/connor/v1/domains/example.com
# Authorization: Bearer dd_... works too. Legacy X-Connor-Key / cnnr_ keys still work.
Discovery
Point your agent at any of these. They are static, keyless, and machine-readable.
DomainDrift detects whether a scanned domain advertises MCP (an _mcp._tcp TXT record) and reports it as part of the telemetry. DomainDrift does not run its own MCP server: there is no server card and no tools list here, only the signed HTTP + SSE surface below.
The data endpoints
Reads. The single-domain lookup has a keyless preview (above); everything else needs a free key.
Try it right now, with no key
One domain, no signup, real signed data. Keyless calls are throttled to 1 request every 15 seconds per IP - useful for "does this work?", useless for real work. An API key removes the throttle.
curl https://domaindrift.io/connor/v1/domains/netflix.com
The response carries X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset. Go too fast and you get a 429 with Retry-After - a boundary, not a bug. Lists, history, and exports need a key.
What is free, what is metered
DomainDrift states its price at the door. Every metered response carries its own meter in the headers, so you never have to guess where you stand.
/health /t/:domain (the time machine) /changes/today, /changes/:date /changes.rss, /changes.json /connor/v1/tapeGET /connor/v1/domains/:domain (one domain, latest, signed)/connor/v1/domains /connor/v1/domains/:domain /connor/v1/changes /connor/v1/stream /connor/v1/domains/:domain/provenanceAny /connor/v1/* read/connor/v1/bq/* /connor/v1/enrich-batch /connor/v1/opt-out /connor/v1/domains (POST) /connor/v1/queue/*- Service + scanner keys (they run the pipeline, they are not a customer).
- The public web surfaces above (they carry no key at all).
- Keyless single-domain lookups, which are throttled per IP instead of metered.
- x402 payers, who already paid for the call at the door.
The web, without an account
The free web surface is a real slice of the product, not a screenshot. Where a list is truncated, DomainDrift shows you the true size of what it is holding back - never a silent cut.
- The landing page, the daily change feed (+ RSS/JSON), and the public analytics pages.
- The Time Machine for any domain at /t/<domain>: the LATEST signed observation.
- The embeddable signed badge, universal search, the verifier, and these docs.
- The TOP 3 of every list - with the true, live total shown next to it.
- Every list in full: the catalog, the change wire, services, certificate issuers.
- Domain detail pages, and ALL point-in-time history / time-series.
- Exports: CSV, signed evidence bundles, and change alerts.
Pay per call, no account (x402)
An agent that would rather pay than sign up can. Call a metered /connor/v1/* endpoint with no key and no X-PAYMENT header, and the response is a 402 whose body IS the price menu. Pay 0.01 USDC on Base (an EIP-3009 transferWithAuthorization, signed client-side), retry the same request with an X-PAYMENT header, and the call is served. No key, no signup.
Settlement is verify-only by default: the signed authorization is verified and queued, nothing is broadcast from here. Free endpoints are never charged.
Higher volume
The keyless lane is enough to see it work; it cannot be batched into a bulk pull. For production, sign in with a free DRM3 account, mint your own X-DomainDrift-Key, and send it as a header (or Authorization: Bearer). Every metered response carries its own meter in the headers, so you always know where you stand. Bulk exports and the signed per-domain bundle are the metered product.