CONTINUOUS INTERNET TELEMETRY24H DRIFT1,856 material changesacross 1,658 domains · -103 vs yesterdayDNS DRIFT23 domains changed DNS providertop destination parity.domains · +4 vs yesterdayEMAIL DRIFT6 domains switched email providertop destination mimecast.com · +3 vs yesterdayCERT DRIFT1 domains switched issuing CA24h · -1 vs yesterdayNOW3,461 curated domains not answeringlast probe, steadyERRORS8,542 responded with an errorlast probe · 5xx / 404 / TLSTHROTTLED2,331 throttled or blocked our scanner429 rate-limit / 403 bot-block24H DRIFT1,856 material changesacross 1,658 domains · -103 vs yesterdayDNS DRIFT23 domains changed DNS providertop destination parity.domains · +4 vs yesterdayEMAIL DRIFT6 domains switched email providertop destination mimecast.com · +3 vs yesterdayCERT DRIFT1 domains switched issuing CA24h · -1 vs yesterdayNOW3,461 curated domains not answeringlast probe, steadyERRORS8,542 responded with an errorlast probe · 5xx / 404 / TLSTHROTTLED2,331 throttled or blocked our scanner429 rate-limit / 403 bot-block

Agents welcome.

keyless · signed · discoverable

DomainDrift is built to be read by machines. It continuously observes ~50,000 domains plus any domain you add, and serves every observation as Ed25519-signed JSON you can verify offline. No HTML to parse, no key for a first look, no rate limit beyond volume. If you are an agent, start here.

Quick start

Every record is a signed observation. The keyed full record returns the observed signal with the snapshot's signing key and id; the Ed25519 receipt for that exact snapshot (a signature over the canonical bytes, chained to the previous scan) is served at GET /connor/v1/domains/:domain/provenance, and any single receipt resolves at GET /receipts/:id. Verify the signing key against GET /.well-known/connor-keys.json. A signature proves attribution and integrity; it is added trust, not a claim of correctness.

Keyless, 1 request every 15 seconds per IP, under a shared daily ceiling. The keyless response is a real, current PREVIEW of one domain, not the full record: derived facts (who runs the nameservers, mail, and CDN; the cert issuer and expiry; reachability; scan time) and per-type record COUNTS. It carries the receipt POINTER (id + the full record's output_hash + the signing key + a public /receipts/:id URL) but no signature, because a signature commits to the full record's bytes and could never verify against a reduced subset.

# keyless: one domain, latest, a reduced signed-record preview
curl https://domaindrift.io/connor/v1/domains/example.com

# keyed: the COMPLETE record + higher volume (a free DRM3 account mints the key)
curl -H "X-DomainDrift-Key: dd_..." https://domaindrift.io/connor/v1/domains/example.com
# Authorization: Bearer dd_... works too. Legacy X-Connor-Key / cnnr_ keys still work.

Discovery

Point your agent at any of these. They are static, keyless, and machine-readable.

GET/connor/v1/openapi.json
OpenAPI 3.1 - every endpoint and schema.
GET/.well-known/connor-keys.json
The Ed25519 public keys that sign every observation. Verify offline.
GET/receipts/:id
Resolve any provenance receipt by id (public commitment).
GET/llms.txt
A plain-text map of the site and API for language models.
GET/llms-full.txt
The long-form version: the full machine-readable brief.
GET/badge/:domain.svg
An embeddable signed status badge for any domain.
GET/connor/v1/tape
The 24-hour rollup as JSON. CORS-open, safe to embed.

DomainDrift detects whether a scanned domain advertises MCP (an _mcp._tcp TXT record) and reports it as part of the telemetry. DomainDrift does not run its own MCP server: there is no server card and no tools list here, only the signed HTTP + SSE surface below.

The data endpoints

Reads. The single-domain lookup has a keyless preview (above); everything else needs a free key.

GET/connor/v1/domains
List + filters (category, tag, search); ?format=csv for a download.
GET/connor/v1/domains/:domain
The latest signed record (keyless: reduced preview; keyed: full).
GET/connor/v1/domains/:domain/history
The snapshot time series for one domain.
GET/connor/v1/domains/:domain/provenance
The Ed25519 receipt chain for one domain.
GET/connor/v1/domains/:domain/planes
Latest observation per plane + completeness.
GET/connor/v1/changes
The global change feed (structured deltas), with sync cursors.
GET/connor/v1/stream
Live Server-Sent Events: scans, changes, receipts.
GET/connor/v1/stream/json
The polling fallback for clients that cannot hold an SSE.
GET/connor/v1/groups
Your bring-your-own-domain monitoring groups.
GET/connor/v1/evidence/:domain
A printable, signed evidence report for auditors.
GET/connor/v1/domains/:domain/bundle
A signed, offline-verifiable export bundle (paid, rate-capped).

Try it right now, with no key

One domain, no signup, real signed data. Keyless calls are throttled to 1 request every 15 seconds per IP - useful for "does this work?", useless for real work. An API key removes the throttle.

curl https://domaindrift.io/connor/v1/domains/netflix.com

The response carries X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset. Go too fast and you get a 429 with Retry-After - a boundary, not a bug. Lists, history, and exports need a key.

What is free, what is metered

DomainDrift states its price at the door. Every metered response carries its own meter in the headers, so you never have to guess where you stand.

Free / webNOT METERED
Free
Anyone. No key, no card, no signup.
How it is metered: Not metered. Rate limited per IP only, to keep the wire up.
/health /t/:domain (the time machine) /changes/today, /changes/:date /changes.rss, /changes.json /connor/v1/tape
Keyless API (no key, no signup)NOT METERED
Free
A developer who wants to see it work before signing up for anything.
How it is metered: Not metered against an account, because there is no account. It is THROTTLED instead: 1 request every 15 seconds per IP, under a shared daily ceiling across all keyless callers. Every response carries X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset; a throttled call gets a 429 with Retry-After and a link back here. If the shared daily ceiling is spent, the lane closes to a plain "sign in" - never an error.
GET /connor/v1/domains/:domain (one domain, latest, signed)
Keyed API (included allowance)METERED
Included with the account
A signed-in DRM3 account, using a key minted for that account.
How it is metered: ONE request = ONE unit, counted against your account (all your keys share one allowance). Enforced on TWO axes and the tighter one wins: a MONTHLY allowance and a DAILY burst cap. Both reset on UTC boundaries. Every response carries X-DomainDrift-Usage, X-DomainDrift-Remaining, X-DomainDrift-Usage-Day and X-DomainDrift-Daily-Remaining, so you never have to guess. Over allowance = HTTP 402 naming which axis tripped; it never silently drops your data.
/connor/v1/domains /connor/v1/domains/:domain /connor/v1/changes /connor/v1/stream /connor/v1/domains/:domain/provenance
Pay per call (x402)METERED
Per call, USDC on Base
A keyless agent that would rather pay than sign up.
How it is metered: Priced per call in USDC on Base. No key and no account: present an X-PAYMENT header, we verify it, serve the call, and queue the settlement. A keyless call with no payment gets a 402 that IS the price menu.
Any /connor/v1/* read
OperatorNOT METERED
Not available
DomainDrift operators and service keys only.
How it is metered: Not metered, because it is not for sale. Non-admin keys get a 403.
/connor/v1/bq/* /connor/v1/enrich-batch /connor/v1/opt-out /connor/v1/domains (POST) /connor/v1/queue/*
Never metered:
  • Service + scanner keys (they run the pipeline, they are not a customer).
  • The public web surfaces above (they carry no key at all).
  • Keyless single-domain lookups, which are throttled per IP instead of metered.
  • x402 payers, who already paid for the call at the door.

The web, without an account

The free web surface is a real slice of the product, not a screenshot. Where a list is truncated, DomainDrift shows you the true size of what it is holding back - never a silent cut.

Free, no accountOPEN
  • The landing page, the daily change feed (+ RSS/JSON), and the public analytics pages.
  • The Time Machine for any domain at /t/<domain>: the LATEST signed observation.
  • The embeddable signed badge, universal search, the verifier, and these docs.
  • The TOP 3 of every list - with the true, live total shown next to it.
With a free accountSIGN IN
  • Every list in full: the catalog, the change wire, services, certificate issuers.
  • Domain detail pages, and ALL point-in-time history / time-series.
  • Exports: CSV, signed evidence bundles, and change alerts.

Pay per call, no account (x402)

An agent that would rather pay than sign up can. Call a metered /connor/v1/* endpoint with no key and no X-PAYMENT header, and the response is a 402 whose body IS the price menu. Pay 0.01 USDC on Base (an EIP-3009 transferWithAuthorization, signed client-side), retry the same request with an X-PAYMENT header, and the call is served. No key, no signup.

Settlement is verify-only by default: the signed authorization is verified and queued, nothing is broadcast from here. Free endpoints are never charged.

Higher volume

The keyless lane is enough to see it work; it cannot be batched into a bulk pull. For production, sign in with a free DRM3 account, mint your own X-DomainDrift-Key, and send it as a header (or Authorization: Bearer). Every metered response carries its own meter in the headers, so you always know where you stand. Bulk exports and the signed per-domain bundle are the metered product.

Open the API console →