Sionix API Documentation

Real-time risk scoring, threat detection, and network intelligence across 7 EVM chains. Integrate in minutes. Powered by the Prism engine.

Overview

Sionix provides a REST API for detecting automated fraud, threat networks, and high-risk wallet activity on EVM-compatible chains. Every request returns a risk score, threat classification, and recommended action. A full wallet scan typically completes in about one to three seconds (it reads live on-chain data); the pre-transaction screening endpoint is optimized for sub-second decisions in a signing path.

Base URL: https://api.sionix.tech

Sionix offers three plans: Trial (limited evaluation access), Business, and Enterprise. All production endpoints require a Business or Enterprise API key. Enterprise adds deeper intelligence fields, threat feed access, ecosystem management, and higher rate limits.

All responses follow a consistent format:

{
  "success": true,
  "data": { ... },
  "meta": {
    "requestId": "req_abc123",
    "version": "1.0.0"
  }
}

Quickstart

Get a risk score in under 60 seconds.

1. Get your API key

Start with a free 7-day trial key — no sales call required. Request one and it is emailed to you instantly:

curl -X POST https://api.sionix.tech/v1/early-access \
  -H "Content-Type: application/json" \
  -d '{"name": "Your Name", "email": "you@company.com", "company": "Your Company"}'

Your trial key arrives by email within seconds and works immediately. Trial keys are bounded to 100 scans, 10 requests/minute, and expire after 7 days. For a Business or Enterprise key with higher limits and deeper intelligence fields, email sales@sionix.tech.

Pass your key in the x-api-key header on every request (or Authorization: Bearer YOUR_API_KEY).

2. Scan a wallet

cURL
curl -X POST https://api.sionix.tech/v1/wallet/scan \
  -H "Content-Type: application/json" \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{"address": "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18", "chain": "ETH"}'
Node.js (fetch)
const response = await fetch("https://api.sionix.tech/v1/wallet/scan", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "x-api-key": "YOUR_API_KEY",
  },
  body: JSON.stringify({
    address: "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18",
    chain: "ETH",
  }),
});

const result = await response.json();
console.log(result.data);
Python (requests)
import requests

response = requests.post(
    "https://api.sionix.tech/v1/wallet/scan",
    headers={
        "Content-Type": "application/json",
        "x-api-key": "YOUR_API_KEY",
    },
    json={
        "address": "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18",
        "chain": "ETH",
    },
)

result = response.json()
print(result["data"])

3. Response (Business tier)

{
  "success": true,
  "data": {
    "address": "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18",
    "chain": "ETH",
    "riskScore": 14,
    "riskTier": "low",
    "isMalicious": false,
    "threatType": "SAFE",
    "threatCategory": "NONE",
    "recommendedAction": "allow",
    "summary": "No threat indicators detected",
    "threatIntel": {
      "sanctioned": false,
      "reportedScam": false,
      "knownEntity": false,
      "feedSources": 0
    }
  }
}

Authentication

Every request requires an API key. Pass it using either header format:

x-api-key: YOUR_API_KEY
Authorization: Bearer YOUR_API_KEY

API keys are tied to your account and plan tier. Keep them secret — keys are hashed on our side and cannot be recovered if lost.

To request an API key, email sales@sionix.tech.

Never expose your API key in client-side code, public repos, or browser requests. Use a server-side proxy.

Core Concepts

Read this once and every endpoint response will make sense.

Risk score & tiers

Every scan returns a riskScore from 0–100 and a riskTier. Higher means more dangerous. The tier is what you branch on in code.

TierScoreMeaningTypical action
low0–39No meaningful riskallow
medium40–59Elevated / associated riskwarn
high60–79Strong threat indicatorsblock or warn
critical80–100Confirmed threatblock

isMalicious is a convenience boolean (true once a wallet is a confirmed threat or compromised). recommendedAction gives you the decision directly — allow, warn, or block — so you never have to hard-code thresholds.

Threat type & category

FieldValues
threatTypeSAFE, SUSPICIOUS, HIGH_RISK, CONFIRMED_THREAT
threatCategoryNONE, WALLET_DRAINER, THEFT_INFRASTRUCTURE, LAUNDERING_ACTIVITY, PHISHING_ASSOCIATED, SANCTIONED_ENTITY, FRAUD_NETWORK, HIGH_RISK_COUNTERPARTY

These are human-readable classifications. Sionix never returns internal detection signals, weights, or logic — only the verdict and its classification.

Response fields (Business)

FieldTypeDescription
addressstringThe wallet that was scanned
chainstringChain the scan ran on
riskScoreinteger0–100 risk score
riskTierstringlow / medium / high / critical
isMaliciousbooleanConfirmed threat or compromised
threatTypestringOverall classification (see above)
threatCategorystringSpecific category (see above)
recommendedActionstringallow / warn / block
summarystringPlain-language explanation of the verdict
threatIntel.sanctionedbooleanOn a sanctions list (e.g. OFAC)
threatIntel.reportedScambooleanReported in scam/abuse feeds
threatIntel.knownEntitybooleanA known exchange/protocol/token
threatIntel.feedSourcesintegerHow many intel feeds matched

Enterprise keys receive all of the above plus deeper intelligence fields — see Response Tiers.

Integration Guide

Everything you need to go from a trial key to production. If you have a security or platform team reviewing this, this section answers their questions up front.

Which endpoint should I use?

Your goalUse
Check a wallet at connect / onboardingPOST /v1/wallet/scan
Decide allow/warn/block in a signing pathPOST /v1/transaction/screen (sub-second)
Audit an existing user basePOST /v1/wallet/batch (≤100), or Ecosystem import (Enterprise)
Keep watching wallets over timeMonitors + Webhooks
Fast yes/noGET /v1/wallet/:address/is-compromised

Where to call it

Call Sionix server-side only. Never embed your API key in a browser extension, mobile app, or frontend bundle — proxy requests through your own backend so the key never reaches a client. Store it in a secret manager or environment variable, not in source control.

Reliability & retries

Fail-open vs fail-closed

Decide up front what happens if Sionix is unreachable or times out. For high-value or irreversible actions, fail closed (block or add friction) is the safer default. For low-risk flows you may prefer to fail open. Make this an explicit configuration in your integration, not an accident of error handling.

Continuous protection

For ongoing coverage, create a monitor on the wallets you care about and register a webhook to receive risk-change and compromise events in real time. Always verify the webhook signature before acting on a payload.

Testing your integration

Two public test vectors to confirm your wiring end-to-end:

TestAddressExpected
Known-bad (OFAC-sanctioned)0x722122df12d4e14e13ac3b6895a86e84145b6967critical / block
Known-good (a normal EOA)any fresh wallet with benign historylow / allow

Go-live checklist

Scan Wallet

POST /v1/wallet/scan Business

Analyze a wallet and return a full risk assessment. Enterprise keys receive additional intelligence fields (see Response Tiers).

Request body

FieldTypeRequiredDescription
addressstringYesEthereum-format address (0x...)
chainstringNoChain to scan. Default: ETH
includeHistorybooleanNoInclude historical context. Default: false

Example request

curl -X POST https://api.sionix.tech/v1/wallet/scan \
  -H "Content-Type: application/json" \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{"address": "0x...", "chain": "ETH"}'

Example response (Business tier)

{
  "success": true,
  "data": {
    "address": "0x...",
    "chain": "ETH",
    "riskScore": 85,
    "riskTier": "critical",
    "isMalicious": true,
    "threatType": "CONFIRMED_THREAT",
    "threatCategory": "WALLET_DRAINER",
    "recommendedAction": "block",
    "summary": "Confirmed threat — wallet exhibits drainer behavior",
    "threatIntel": {
      "sanctioned": false,
      "reportedScam": true,
      "knownEntity": false,
      "feedSources": 2
    }
  }
}

threatType is one of: CONFIRMED_THREAT, HIGH_RISK, SUSPICIOUS, SAFE.

Response Tiers — Business vs Enterprise

Enterprise keys receive all Business fields plus deeper intelligence. Below is a side-by-side comparison for the same flagged wallet.

Business
{
  "address": "0x...",
  "chain": "ETH",
  "riskScore": 85,
  "riskTier": "critical",
  "isMalicious": true,
  "threatType": "CONFIRMED_THREAT",
  "threatCategory": "WALLET_DRAINER",
  "recommendedAction": "block",
  "summary": "...",
  "threatIntel": {
    "sanctioned": false,
    "reportedScam": true,
    "knownEntity": false,
    "feedSources": 2
  }
}
Enterprise
{
  // ... all Business fields, plus:
  "threatSeverity": "CRITICAL",
  "assessmentConfidence": 0.95,
  "lifecycleStage": "ACTIVE",
  "behavioralContext": ["..."],
  "classifications": ["..."],
  "riskWindow": "24h",
  "riskStability": "VOLATILE",
  "threatNetwork": true,
  "networkSeverity": "CRITICAL",
  "networkThreatType": "DRAINER",
  "networkSize": 14,
  "associatedVictimCount": 230,
  "estimatedLossEth": 412.5,
  "networkConfidence": 0.92,
  "threatPersistence": "PERSISTENT",
  "threatRecurrence": "PATTERN_DETECTED",
  "walletClassification": {
    "role": "WALLET_DRAINER",
    "confidence": 0.95,
    "recommendedAction": "block"
  },
  "riskIndicators": [
    { "category": "...",
      "severity": "...",
      "description": "..." }
  ],
  "riskContext": {
    "category": "...",
    "confidence": 0.95,
    "networkAssociation": true,
    "activeThreats": 3,
    "firstSeen": "...",
    "lastActivity": "...",
    "chainsAffected": ["ETH", "BSC"]
  },
  "recommendedMonitoringWindow": "24h",
  "threatIntel": {
    "sanctioned": false,
    "reportedScam": true,
    "knownEntity": false,
    "entityType": null,
    "entityLabel": null,
    "feedMatches": [
      { "source": "...",
        "category": "...",
        "severity": "...",
        "label": "..." }
    ],
    "feedSources": 2,
    "riskBoost": 15
  }
}

Batch Scan

POST /v1/wallet/batch Business

Scan up to 100 wallets in a single request.

Request body

FieldTypeRequiredDescription
addressesstring[]YesArray of addresses (1–100)
chainstringNoChain to scan. Default: ETH

Example request

curl -X POST https://api.sionix.tech/v1/wallet/batch \
  -H "Content-Type: application/json" \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{"addresses": ["0xabc...", "0xdef..."], "chain": "ETH"}'

Get Risk Score

GET /v1/wallet/:address/risk Business

Get the cached risk score for a previously scanned wallet.

Check Compromised

GET /v1/wallet/:address/is-compromised Business

Quick boolean check — is this wallet compromised?

Example response

{
  "success": true,
  "data": {
    "address": "0x...",
    "chain": "ETH",
    "compromised": true
  }
}

Risk History

GET /v1/wallet/:address/history Business

Historical risk data for a wallet. Business gets a summary; Enterprise gets the full timeline with compliance fields.

Pre-Transaction Screen

POST /v1/transaction/screen Business

Screen a wallet before allowing a transaction. Returns a verdict of ALLOW, WARN, or BLOCK, optimized for sub-second decisions in a signing path.

Example response

{
  "success": true,
  "data": {
    "verdict": "WARN",
    "riskScore": 54,
    "riskTier": "medium",
    "isMalicious": false,
    "counterparty": {
      "address": "0x...",
      "threatType": "HIGH_RISK",
      "isCompromised": false
    },
    "latencyMs": 180
  }
}

Monitors

Set up continuous monitoring on wallets. Sionix rescans them on a configurable interval and fires alerts via webhooks when risk changes.

POST /v1/monitors Business

Create a new wallet monitor. Business: up to 50 monitors. Enterprise: unlimited.

GET /v1/monitors Business

List all active monitors.

GET /v1/monitors/:id Business

Get details for a specific monitor.

PATCH /v1/monitors/:id Business

Update monitor settings (threshold, interval, active state).

DELETE /v1/monitors/:id Business

Delete a monitor.

Create monitor — request body

FieldTypeRequiredDescription
addressstringYesWallet address to monitor
chainstringNoDefault: ETH
labelstringNoFriendly name (max 100 chars)
alertThresholdnumberNoRisk score to trigger alert (0–100). Default: 50
scanIntervalnumberNoRescan interval in seconds (60–86400). Default: 300
webhookUrlstringNoURL to receive alerts

Webhooks

POST /v1/webhooks Business

Register a webhook endpoint for real-time alerts. Business: up to 5 webhooks. Enterprise: unlimited.

GET /v1/webhooks Business

List registered webhooks.

Supported events

EventDescription
monitor.alertRisk score crossed alert threshold
monitor.risk_changeRisk tier changed (e.g. LOW → HIGH)
monitor.compromise_detectedWallet flagged as compromised
monitor.cluster_matchWallet linked to a known threat group
scan.completeAsync scan finished

Every webhook we send is signed so you can verify authenticity and integrity. See Webhook Security for the signature headers and a verification example.

Threat Groups

GET /v1/cluster/stats Business

Aggregate statistics on tracked threat groups.

GET /v1/cluster/:id Enterprise

Get details on a specific threat group.

Threat Feed

GET /v1/threat-feed Enterprise

Live threat intelligence feed with cluster summaries, threat categories, and estimated losses.

Ecosystem Import

Import your entire wallet base for continuous risk monitoring.

POST /v1/ecosystem/import Enterprise

Import up to 10,000 wallets in a single call. Returns a job ID for tracking.

GET /v1/ecosystem/summary Enterprise

Aggregate risk summary across your entire imported wallet base.

POST /v1/ecosystem/rescan Enterprise

Trigger a full rescan of all imported wallets.

GET /v1/ecosystem/scan/:jobId Enterprise

Check status of a background scan job.

Compliance Reports

GET /v1/ecosystem/compliance Enterprise

Generate a compliance-grade risk report across your ecosystem. Includes risk trajectory, tier changes, compromise history, and audit metadata.

Security & Data Handling

Sionix is built to be evaluated by a security team. This section states exactly what data we process, how it is protected, and how to verify us — so you can complete a review without a single email. In one line: Sionix reads only public on-chain data and never touches private keys.

What we process — and what we never touch

CategoryDetail
InputsThe wallet address(es) and chain you submit, plus the public on-chain data we read to score them.
Never requestedPrivate keys, seed phrases, or signing material. The API has no path to request or receive them. No end-user PII is required to use the service.
Never returnedDetection methodology, internal signals, or scoring internals. Every response is verdict-level only (score, classification, recommended action).

Data retention

Scan results are cached for up to 90 days to power Risk History and continuous monitoring, then automatically purged. You may request earlier deletion of your data at any time by emailing security@sionix.tech.

Encryption

LayerProtection
In transitTLS 1.2+ on all endpoints (terminated at Cloudflare).
At restSensitive fields encrypted with AES-256-GCM; underlying database storage is encrypted at rest by our host.
API keysStored only as salted hashes — never in plaintext, and unrecoverable if lost.
Webhook secretsEncrypted at rest; the plaintext secret is shown once at creation and never again.

Authentication & key management

Response data minimization

Responses contain only what you need to make an allow / warn / block decision. Internal detection signals, weights, and cluster internals are never present in any response, by design — this keeps your integration stable and protects the integrity of the detection engine.

Webhook security

Every webhook Sionix sends is signed so you can verify it originated from us and was not altered in transit. Each delivery includes these headers:

HeaderValue
X-Sionix-SignatureHMAC-SHA256 of the raw request body, hex-encoded, keyed with your webhook secret
X-Sionix-EventThe event type (e.g. monitor.alert)
X-Sionix-DeliveryUnique delivery ID (for idempotency and support)

Your webhook secret (whsec_…) is returned once when you create the webhook. Verify every payload before trusting it, comparing in constant time:

const crypto = require("crypto");

// Express: capture the raw body so the signature matches byte-for-byte.
// app.use(express.json({ verify: (req, _res, buf) => { req.rawBody = buf; } }));

function verifySionixWebhook(req, secret) {
  const signature = req.headers["x-sionix-signature"];
  const expected = crypto
    .createHmac("sha256", secret)
    .update(req.rawBody)
    .digest("hex");
  return signature &&
    crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}

Reject any request whose signature does not match. Failed deliveries are retried up to 3 times with backoff; a webhook is automatically disabled after 5 consecutive failures.

Infrastructure & subprocessors

Sionix is hosted in the United States. We use the subprocessors below to deliver the service. We do not sell your data, and we do not share it with third parties for their own purposes.

SubprocessorPurpose
AlchemyBlockchain data (public on-chain reads)
CloudflareDNS, TLS termination, CDN, WAF
RailwayApplication and database hosting
ResendTransactional email (trial keys, alerts)
StripeBilling and payment processing

Privacy & compliance

Responsible disclosure

Found a vulnerability? Email security@sionix.tech. We investigate every report and will coordinate remediation and disclosure with you. Please avoid testing that degrades service for other users, and allow us a reasonable window to remediate before any public disclosure.

Error Codes

CodeMeaning
400Invalid request — check your request body against the schema
401Invalid or missing API key
403Feature not available on your plan
404Resource not found
429Rate limit exceeded — back off and retry
500Internal server error

All error responses include a structured body:

{
  "success": false,
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid request body",
    "details": [...]
  }
}

Rate Limits

PlanRequests / minScans
Trial10100 total (7-day)
Business200250,000 / month
Enterprise1,000Unlimited

When you exceed a rate limit, the API returns 429 Too Many Requests. Back off and retry after the window resets (60-second rolling window).

Supported Chains

CodeChain
ETHEthereum
POLYGONPolygon
ARBITRUMArbitrum One
BASEBase
OPTIMISMOptimism
BSCBNB Smart Chain
AVALANCHEAvalanche C-Chain

Versioning & Stability

The API is versioned under /v1. The response envelope (success, data, meta) is stable, and error shapes are consistent across every endpoint. Backwards-incompatible changes ship under a new version path, and we announce deprecations in advance with a migration window. New fields may be added within a version — write parsers that ignore unknown fields so your integration keeps working as we ship.

Changelog

VersionChanges
1.0.0Initial public release — wallet scanning, batch scanning, pre-transaction screening, continuous monitoring with webhooks, and threat intelligence across seven EVM chains.

Support

Need help integrating? Have a question about your plan?

ChannelContact
Sales & API keyssales@sionix.tech
General supportsupport@sionix.tech
Securitysecurity@sionix.tech
Privacy policysionix.tech/privacy
Terms of servicesionix.tech/terms
SLA (uptime commitment)sionix.tech/sla
API statusapi.sionix.tech/health

Official Sionix domains

Sionix will never ask for your private keys, seed phrases, or wallet credentials. The only legitimate Sionix domains are:

  • sionix.tech — Website
  • api.sionix.tech — API
  • docs.sionix.tech — Documentation

If you encounter a site impersonating Sionix, report it to security@sionix.tech.