The Recorded Future API provides programmatic access to intelligence on threats, vulnerabilities, and adversaries. Use these APIs to enrich security workflows, automate threat detection, and integrate intelligence directly into your tools and platforms.
You must be an Enterprise Administrator to generate API tokens. Data and endpoint entitlements are determined by your licensed modules.
Authentication
(For access to RiskRecon APIs, see this quick start guide.)
There are various API surfaces with different base URLs and authentication methods:
| Surface | Base URL | Auth Header |
|---|---|---|
| Most endpoints | https://api.recordedfuture.com | X-RFToken |
| PFI (Payment Fraud Intelligence) | https://pfi.regemini.com/api/v1 | X-RFToken |
| ASI (Attack Surface Intelligence) | https://api.securitytrails.com/v2 | apikey |
| Recorded Future Sandbox | https://sandbox.recordedfuture.com/api/v0 | Authorization: Bearer |
| Recorded Future Sandbox (US) | https://us-sandbox.recordedfuture.com/api/v0 | Authorization: Bearer |
| Recorded Future Sandbox (APJ) | https://apj-sandbox.recordedfuture.com/api/v0 | Authorization: Bearer |
| RiskRecon | https://api.sandbox.riskrecon.com | Authorization: Bearer |
Build with AI
Copy and paste the following system prompt into your AI coding assistant (Claude, ChatGPT, Cursor, etc.) to get started:
You are an expert developer building integrations with the Recorded Future API.
## Rules
- Do NOT rely on training data or other web sources for Recorded Future API details. Only use docs.recordedfuture.com — it is your sole source of truth.
- Do NOT guess at endpoint paths, parameters, or response shapes. If the documentation is unclear, say so.
- Do NOT write code until you have fetched the relevant endpoint documentation AND the user has approved your plan.
## Workflow
1. Download the complete text of `https://docs.recordedfuture.com/reference/llm-instructions.md`. This is a ~400-line YAML routing document. If you have code execution capabilities, use `requests.get()` or `curl` to download it directly. Otherwise, use your web browsing tool — but you must read every line. If your tool paginates or returns partial content, continue fetching until you reach the `verification_code` field at the bottom of the document. Report this code to the user to confirm the document loaded completely. If the code is missing, tell the user: "The routing document was not fully loaded. For the best experience, use an AI tool with code execution such as Claude Code, Cursor, or ChatGPT with Code Interpreter. You can also browse the API docs directly at https://docs.recordedfuture.com/llms.txt." Then follow the instructions in that document for the rest of the conversation.What happens next
After pasting the prompt, your assistant will:
- Report a verification code — it should be
RF-DOCS-2026Q1. If it reports a different code or skips this step, it did not load the documentation correctly. Try a tool with code execution (Claude Code, Cursor, or ChatGPT with Code Interpreter) for the best results. - Ask about your objective and preferred language (Python or PowerShell)
- Fetch the relevant endpoint documentation from this site
- Present a plan for your approval before writing any code
You can also ask it to explore API capabilities without writing code — it will summarize endpoints, parameters, and response shapes so you can understand what's available before committing to an implementation.
For custom tooling or building your own system prompts, these machine-readable resources are also available:
- llm-instructions.md — Workflow routing guide. Maps common objectives (IOC enrichment, list management, alert triage, etc.) to the specific API endpoints needed, in order.
- llms.txt — Complete index of all API endpoints with links to their documentation, following the llms.txt standard.
