Recorded Future delivers threat intelligence via two TAXII services, making risk-scored indicators available in STIX format for automated consumption by SIEMs, TIPs, and SOAR platforms.

TAXII 1.x

Endpoint: https://api.recordedfuture.com/taxii
Data format: STIX 1.1.1 (XML)
Auth: Basic Auth or X-RFToken header
Collections: 280 granular collections — one per risk rule, per IOC type
Write support: No (read-only)

TAXII 2.1

Endpoint: https://api.recordedfuture.com/taxii2
Data format: STIX 2.1 (JSON)
Auth: HTTP Basic (empty username, API token as password)
Collections: 5 per API root — one per IOC type (IP, domain, URL, hash, vulnerability)
Write support: No (read-only)
Interactive docs: api.recordedfuture.com/taxii2/docs

Which version should I use?

Use TAXII 2.1 if your platform supports it. It returns structured JSON, supports pagination, and offers purpose-built API roots for different use cases (default, large, OpenCTI, test).

Use TAXII 1.x if your integration requires STIX 1.1.1 XML, or if you need per-risk-rule collections (e.g., pulling only IPs matching a single risk rule like "Actively Communicating Validated C&C Server" rather than the full aggregated risk list).

Authentication

Both services require a valid Recorded Future API token. Access is limited to clients with an Integration subscription.

TAXII 1.x accepts either:

HTTP Basic Auth with any username and your API token as the password
Your API token in the X-RFToken request header

TAXII 2.1 uses HTTP Basic Auth as defined by the TAXII 2.1 standard:

Username: empty string
Password: your API token

IOC types available

Both services provide risk-scored indicators for:

IOC Type	Description
IP addresses	IPv4 addresses with risk scores and triggered risk rules
Domains	Internet domain names flagged by Recorded Future risk rules
URLs	Specific URLs associated with malicious activity
Hashes	File hashes (MD5, SHA-1, SHA-256) linked to malware or exploits
Vulnerabilities	CVEs with risk scores based on exploitation activity and threat intelligence

Note: The indicator sets returned by TAXII may not be identical to risk lists downloaded from Fusion or the Connect API. The TAXII 2.1 server performs a live search upon each request, while downloadable risk list files are periodically updated snapshots.