First-party only
This documentation covers endpoints owned and operated by swatted.wtf. Third-party services are not listed here. For Bulk API and partner endpoints, visit /partner.
Getting Started

The Core API powers the swatted.wtf web experience. It is designed for account management, community features, and access to internal data sets. All responses are JSON unless noted.
Base URL
https://swatted.wtf

What you need

  • Active swatted.wtf account and API key
  • Session token from /api/login_token for authenticated calls
  • CSRF token for state-changing requests

Authentication

Authentication uses a session token. Exchange your API key for a session token via /api/login_token, then include the token on every request.

Session token header format

HTTP
Authorization: Bearer <sessionToken>
X-User-ID: <userID>
If you are using browser cookies, the session token and user ID cookies are set automatically and the X-User-ID header is optional.

CSRF protection

State-changing endpoints require a matching CSRF token. The token is returned by /api/register and /api/login_token, and is also set as a cookie.
HTTP
X-CSRF-Token: <csrfToken>
Username and password login is disabled
Use /api/login_token with your API key. The /api/login endpoint always returns an error.

Rate Limits

Rate limits are enforced per account. Some endpoints have stricter limits. Lookup endpoints also consume usage credits that reset every 12 hours.
Default limits

  • 50 requests per hour
  • 200 requests per day
  • 25 lookups per 12 hours

API Endpoints

Auth and Sessions

POST /api/register
Create a new account. A system-generated username and API key are returned.
Parameter Required Description
cf_turnstile_token Required Cloudflare Turnstile token (required when Turnstile is enabled).
POST /api/login_token
Exchange an API key for a session token and CSRF token.
Parameter Required Description
api_key Required Your swatted.wtf API key.
cf_turnstile_token Optional Required when Turnstile is enabled.
POST /api/logout
Revoke the current session. Requires CSRF protection.
Parameter Required Description
userID Optional Uses cookie or header if omitted.
sessionToken Optional Uses cookie or header if omitted.
GET /api/sessions
List all active sessions for the current account.
DELETE /api/sessions
Revoke a specific session token. Requires CSRF protection.
Parameter Required Description
session_token Required The session token to revoke.
POST /api/reset_api_key
Rotate your API key. Requires CSRF protection.

Account and Security

GET /api/me
Export account data for the current user.
POST /api/accept_disclaimer
Accept the platform disclaimer. Requires CSRF protection.
GET /api/disclaimer_status
Check whether the current user has accepted the disclaimer.
POST /api/request_removal
Submit an account deletion request. Requires CSRF protection.
Parameter Required Description
reason Optional Short reason for deletion (max 500 chars).
POST /api/verify_2fa
Confirm a two-factor setup with a TOTP code.
Parameter Required Description
userID Required User ID for the session.
sessionToken Required Active session token.
code Required TOTP code from your authenticator.
POST /api/disable_2fa
Disable two-factor authentication for the account.
Parameter Required Description
userID Required User ID for the session.
sessionToken Required Active session token.

Profile and Social

POST /api/check_auth
Validate a session and optionally check follow status for a target user.
Parameter Required Description
userID Optional Uses cookie or header if omitted.
sessionToken Optional Uses cookie or header if omitted.
targetUserID Optional User ID to compare follow status against.
POST /api/follow
Follow or unfollow a user. Requires CSRF protection.
Parameter Required Description
targetUserID Required User ID to follow or unfollow.
POST /api/check_follow_status
Return whether the current user follows the target user.
Parameter Required Description
targetUserID Required User ID to check.
POST /api/upload_avatar
Upload a profile avatar. Requires CSRF protection and multipart form data.
Parameter Required Description
avatar Required Image file (JPG, PNG, GIF).
userID Optional Defaults to cookie or header.
sessionToken Optional Defaults to cookie or header.
POST /api/upload_banner
Upload a profile banner. Requires CSRF protection and multipart form data.
Parameter Required Description
banner Required Image file (JPG, PNG, GIF).
userID Optional Defaults to cookie or header.
sessionToken Optional Defaults to cookie or header.

Internal Data Sets

GET /api/restorecord_lookup
Search the RestoreCord data set by user ID, username, or IP address.
Parameter Required Description
userId Optional Discord user ID.
username Optional Discord username.
ip Optional IP address.
At least one parameter is required.
GET /api/doxbin_lookup
Search the Doxbin data set by ID, username, or email.
Parameter Required Description
id Optional Doxbin record ID.
username Optional Username search.
email Optional Email search.
At least one parameter is required.
GET /api/brazzers_lookup
Search the Brazzers data set by email or password.
Parameter Required Description
email Optional Email address.
password Optional Password search.
At least one parameter is required.
GET /api/coinmarket_lookup
Search the CoinMarketCap data set by email or password.
Parameter Required Description
email Optional Email address.
password Optional Password search.
At least one parameter is required.

Utilities and Public

POST /api/exif_extract
Extract EXIF metadata from an uploaded image. Requires CSRF protection.
Parameter Required Description
file Required Image file uploaded as multipart form data.
GET /api/database_freshness
Return the last modified timestamp and size of internal databases.
GET /api/announcements
Fetch current site announcements.
GET /api/docs
Read the dynamic API metadata file.

Integrations

POST /api/connect_telegram
Link a Telegram account using a one-time token from the bot.
Parameter Required Description
token Required Connection token generated by the Telegram bot.

Error Handling

Errors are returned as JSON with an error field and an HTTP status code.
Code Meaning Description
200 OK Request successful
201 Created Resource created successfully
400 Bad Request Missing or invalid parameters
401 Unauthorized Invalid session token or missing credentials
403 Forbidden CSRF failure or permission denied
404 Not Found Resource does not exist
423 Locked Account suspended
429 Too Many Requests Rate limit exceeded
500 Internal Server Error Unexpected server error

Code Examples

Login and rotate API key (cURL)

Bash
# Login and store cookies
curl -c cookies.txt -X POST https://swatted.wtf/api/login_token \
  -H "Content-Type: application/json" \
  -d '{"api_key":"YOUR_API_KEY"}'

# Use cookies and CSRF for a state change
curl -b cookies.txt -X POST https://swatted.wtf/api/reset_api_key \
  -H "X-CSRF-Token: YOUR_CSRF_TOKEN"

Authenticated request (Node.js)

JavaScript
import fetch from "node-fetch";

const sessionToken = "SESSION_TOKEN";
const userId = "USER_ID";

const res = await fetch("https://swatted.wtf/api/me", {
  method: "GET",
  headers: {
    "Authorization": `Bearer ${sessionToken}`,
    "X-User-ID": userId
  }
});

const data = await res.json();
console.log(data);

Lookup example (Python)

Python
import requests

session_token = "SESSION_TOKEN"
user_id = "USER_ID"

response = requests.get(
    "https://swatted.wtf/api/restorecord_lookup",
    params={"userId": "1234567890"},
    headers={
        "Authorization": f"Bearer {session_token}",
        "X-User-ID": user_id
    }
)

print(response.json())