Sionix API Documentation
Real-time risk scoring, threat detection, and network intelligence across 7 EVM chains. Integrate in minutes. Powered by the Prism engine.
Overview
Sionix provides a REST API for detecting automated fraud, threat networks, and high-risk wallet activity on EVM-compatible chains. Every request returns a risk score, threat classification, and recommended action. A full wallet scan typically completes in about one to three seconds (it reads live on-chain data); the pre-transaction screening endpoint is optimized for sub-second decisions in a signing path.
Base URL: https://api.sionix.tech
Sionix offers three plans: Trial (limited evaluation access), Business, and Enterprise. All production endpoints require a Business or Enterprise API key. Enterprise adds deeper intelligence fields, threat feed access, ecosystem management, and higher rate limits.
All responses follow a consistent format:
{
"success": true,
"data": { ... },
"meta": {
"requestId": "req_abc123",
"version": "1.0.0"
}
}
Quickstart
Get a risk score in under 60 seconds.
1. Get your API key
Start with a free 7-day trial key — no sales call required. Request one and it is emailed to you instantly:
curl -X POST https://api.sionix.tech/v1/early-access \
-H "Content-Type: application/json" \
-d '{"name": "Your Name", "email": "you@company.com", "company": "Your Company"}'
Your trial key arrives by email within seconds and works immediately. Trial keys are bounded to 100 scans, 10 requests/minute, and expire after 7 days. For a Business or Enterprise key with higher limits and deeper intelligence fields, email sales@sionix.tech.
Pass your key in the x-api-key header on every request (or Authorization: Bearer YOUR_API_KEY).
2. Scan a wallet
curl -X POST https://api.sionix.tech/v1/wallet/scan \
-H "Content-Type: application/json" \
-H "x-api-key: YOUR_API_KEY" \
-d '{"address": "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18", "chain": "ETH"}'
const response = await fetch("https://api.sionix.tech/v1/wallet/scan", {
method: "POST",
headers: {
"Content-Type": "application/json",
"x-api-key": "YOUR_API_KEY",
},
body: JSON.stringify({
address: "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18",
chain: "ETH",
}),
});
const result = await response.json();
console.log(result.data);
import requests
response = requests.post(
"https://api.sionix.tech/v1/wallet/scan",
headers={
"Content-Type": "application/json",
"x-api-key": "YOUR_API_KEY",
},
json={
"address": "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18",
"chain": "ETH",
},
)
result = response.json()
print(result["data"])
3. Response (Business tier)
{
"success": true,
"data": {
"address": "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18",
"chain": "ETH",
"riskScore": 14,
"riskTier": "low",
"isMalicious": false,
"threatType": "SAFE",
"threatCategory": "NONE",
"recommendedAction": "allow",
"summary": "No threat indicators detected",
"threatIntel": {
"sanctioned": false,
"reportedScam": false,
"knownEntity": false,
"feedSources": 0
}
}
}
Authentication
Every request requires an API key. Pass it using either header format:
x-api-key: YOUR_API_KEY
Authorization: Bearer YOUR_API_KEY
API keys are tied to your account and plan tier. Keep them secret — keys are hashed on our side and cannot be recovered if lost.
To request an API key, email sales@sionix.tech.
Never expose your API key in client-side code, public repos, or browser requests. Use a server-side proxy.
Core Concepts
Read this once and every endpoint response will make sense.
Risk score & tiers
Every scan returns a riskScore from 0–100 and a riskTier. Higher means more dangerous. The tier is what you branch on in code.
| Tier | Score | Meaning | Typical action |
|---|---|---|---|
| low | 0–39 | No meaningful risk | allow |
| medium | 40–59 | Elevated / associated risk | warn |
| high | 60–79 | Strong threat indicators | block or warn |
| critical | 80–100 | Confirmed threat | block |
isMalicious is a convenience boolean (true once a wallet is a confirmed threat or compromised). recommendedAction gives you the decision directly — allow, warn, or block — so you never have to hard-code thresholds.
Threat type & category
| Field | Values |
|---|---|
| threatType | SAFE, SUSPICIOUS, HIGH_RISK, CONFIRMED_THREAT |
| threatCategory | NONE, WALLET_DRAINER, THEFT_INFRASTRUCTURE, LAUNDERING_ACTIVITY, PHISHING_ASSOCIATED, SANCTIONED_ENTITY, FRAUD_NETWORK, HIGH_RISK_COUNTERPARTY |
These are human-readable classifications. Sionix never returns internal detection signals, weights, or logic — only the verdict and its classification.
Response fields (Business)
| Field | Type | Description |
|---|---|---|
| address | string | The wallet that was scanned |
| chain | string | Chain the scan ran on |
| riskScore | integer | 0–100 risk score |
| riskTier | string | low / medium / high / critical |
| isMalicious | boolean | Confirmed threat or compromised |
| threatType | string | Overall classification (see above) |
| threatCategory | string | Specific category (see above) |
| recommendedAction | string | allow / warn / block |
| summary | string | Plain-language explanation of the verdict |
| threatIntel.sanctioned | boolean | On a sanctions list (e.g. OFAC) |
| threatIntel.reportedScam | boolean | Reported in scam/abuse feeds |
| threatIntel.knownEntity | boolean | A known exchange/protocol/token |
| threatIntel.feedSources | integer | How many intel feeds matched |
Enterprise keys receive all of the above plus deeper intelligence fields — see Response Tiers.
Integration Guide
Everything you need to go from a trial key to production. If you have a security or platform team reviewing this, this section answers their questions up front.
Which endpoint should I use?
| Your goal | Use |
|---|---|
| Check a wallet at connect / onboarding | POST /v1/wallet/scan |
| Decide allow/warn/block in a signing path | POST /v1/transaction/screen (sub-second) |
| Audit an existing user base | POST /v1/wallet/batch (≤100), or Ecosystem import (Enterprise) |
| Keep watching wallets over time | Monitors + Webhooks |
| Fast yes/no | GET /v1/wallet/:address/is-compromised |
Where to call it
Call Sionix server-side only. Never embed your API key in a browser extension, mobile app, or frontend bundle — proxy requests through your own backend so the key never reaches a client. Store it in a secret manager or environment variable, not in source control.
Reliability & retries
- Every endpoint returns the same envelope — branch on
successand, on failure,error.code. GETendpoints are safe to retry. A scan of the same address is effectively idempotent (results are cached), so retrying after a network error is safe.- On
429, back off and retry after the 60-second rolling window resets. - Set a client timeout around 5s for scans; pre-transaction screening is sub-second.
- Log the
meta.requestIdfrom every response — it's what support needs to trace a specific call.
Fail-open vs fail-closed
Decide up front what happens if Sionix is unreachable or times out. For high-value or irreversible actions, fail closed (block or add friction) is the safer default. For low-risk flows you may prefer to fail open. Make this an explicit configuration in your integration, not an accident of error handling.
Continuous protection
For ongoing coverage, create a monitor on the wallets you care about and register a webhook to receive risk-change and compromise events in real time. Always verify the webhook signature before acting on a payload.
Testing your integration
Two public test vectors to confirm your wiring end-to-end:
| Test | Address | Expected |
|---|---|---|
| Known-bad (OFAC-sanctioned) | 0x722122df12d4e14e13ac3b6895a86e84145b6967 | critical / block |
| Known-good (a normal EOA) | any fresh wallet with benign history | low / allow |
Go-live checklist
- API key stored server-side (secret manager / env var), never client-exposed
- UX handles all three of
allow/warn/block 429handled with backoff- Webhook signatures verified
requestIdlogged for support- Fail-open vs fail-closed decided explicitly
Scan Wallet
Analyze a wallet and return a full risk assessment. Enterprise keys receive additional intelligence fields (see Response Tiers).
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| address | string | Yes | Ethereum-format address (0x...) |
| chain | string | No | Chain to scan. Default: ETH |
| includeHistory | boolean | No | Include historical context. Default: false |
Example request
curl -X POST https://api.sionix.tech/v1/wallet/scan \
-H "Content-Type: application/json" \
-H "x-api-key: YOUR_API_KEY" \
-d '{"address": "0x...", "chain": "ETH"}'
Example response (Business tier)
{
"success": true,
"data": {
"address": "0x...",
"chain": "ETH",
"riskScore": 85,
"riskTier": "critical",
"isMalicious": true,
"threatType": "CONFIRMED_THREAT",
"threatCategory": "WALLET_DRAINER",
"recommendedAction": "block",
"summary": "Confirmed threat — wallet exhibits drainer behavior",
"threatIntel": {
"sanctioned": false,
"reportedScam": true,
"knownEntity": false,
"feedSources": 2
}
}
}
threatType is one of: CONFIRMED_THREAT, HIGH_RISK, SUSPICIOUS, SAFE.
Response Tiers — Business vs Enterprise
Enterprise keys receive all Business fields plus deeper intelligence. Below is a side-by-side comparison for the same flagged wallet.
{
"address": "0x...",
"chain": "ETH",
"riskScore": 85,
"riskTier": "critical",
"isMalicious": true,
"threatType": "CONFIRMED_THREAT",
"threatCategory": "WALLET_DRAINER",
"recommendedAction": "block",
"summary": "...",
"threatIntel": {
"sanctioned": false,
"reportedScam": true,
"knownEntity": false,
"feedSources": 2
}
}
{
// ... all Business fields, plus:
"threatSeverity": "CRITICAL",
"assessmentConfidence": 0.95,
"lifecycleStage": "ACTIVE",
"behavioralContext": ["..."],
"classifications": ["..."],
"riskWindow": "24h",
"riskStability": "VOLATILE",
"threatNetwork": true,
"networkSeverity": "CRITICAL",
"networkThreatType": "DRAINER",
"networkSize": 14,
"associatedVictimCount": 230,
"estimatedLossEth": 412.5,
"networkConfidence": 0.92,
"threatPersistence": "PERSISTENT",
"threatRecurrence": "PATTERN_DETECTED",
"walletClassification": {
"role": "WALLET_DRAINER",
"confidence": 0.95,
"recommendedAction": "block"
},
"riskIndicators": [
{ "category": "...",
"severity": "...",
"description": "..." }
],
"riskContext": {
"category": "...",
"confidence": 0.95,
"networkAssociation": true,
"activeThreats": 3,
"firstSeen": "...",
"lastActivity": "...",
"chainsAffected": ["ETH", "BSC"]
},
"recommendedMonitoringWindow": "24h",
"threatIntel": {
"sanctioned": false,
"reportedScam": true,
"knownEntity": false,
"entityType": null,
"entityLabel": null,
"feedMatches": [
{ "source": "...",
"category": "...",
"severity": "...",
"label": "..." }
],
"feedSources": 2,
"riskBoost": 15
}
}
Batch Scan
Scan up to 100 wallets in a single request.
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| addresses | string[] | Yes | Array of addresses (1–100) |
| chain | string | No | Chain to scan. Default: ETH |
Example request
curl -X POST https://api.sionix.tech/v1/wallet/batch \
-H "Content-Type: application/json" \
-H "x-api-key: YOUR_API_KEY" \
-d '{"addresses": ["0xabc...", "0xdef..."], "chain": "ETH"}'
Get Risk Score
Get the cached risk score for a previously scanned wallet.
Check Compromised
Quick boolean check — is this wallet compromised?
Example response
{
"success": true,
"data": {
"address": "0x...",
"chain": "ETH",
"compromised": true
}
}
Risk History
Historical risk data for a wallet. Business gets a summary; Enterprise gets the full timeline with compliance fields.
Pre-Transaction Screen
Screen a wallet before allowing a transaction. Returns a verdict of ALLOW, WARN, or BLOCK, optimized for sub-second decisions in a signing path.
Example response
{
"success": true,
"data": {
"verdict": "WARN",
"riskScore": 54,
"riskTier": "medium",
"isMalicious": false,
"counterparty": {
"address": "0x...",
"threatType": "HIGH_RISK",
"isCompromised": false
},
"latencyMs": 180
}
}
Monitors
Set up continuous monitoring on wallets. Sionix rescans them on a configurable interval and fires alerts via webhooks when risk changes.
Create a new wallet monitor. Business: up to 50 monitors. Enterprise: unlimited.
List all active monitors.
Get details for a specific monitor.
Update monitor settings (threshold, interval, active state).
Delete a monitor.
Create monitor — request body
| Field | Type | Required | Description |
|---|---|---|---|
| address | string | Yes | Wallet address to monitor |
| chain | string | No | Default: ETH |
| label | string | No | Friendly name (max 100 chars) |
| alertThreshold | number | No | Risk score to trigger alert (0–100). Default: 50 |
| scanInterval | number | No | Rescan interval in seconds (60–86400). Default: 300 |
| webhookUrl | string | No | URL to receive alerts |
Webhooks
Register a webhook endpoint for real-time alerts. Business: up to 5 webhooks. Enterprise: unlimited.
List registered webhooks.
Supported events
| Event | Description |
|---|---|
| monitor.alert | Risk score crossed alert threshold |
| monitor.risk_change | Risk tier changed (e.g. LOW → HIGH) |
| monitor.compromise_detected | Wallet flagged as compromised |
| monitor.cluster_match | Wallet linked to a known threat group |
| scan.complete | Async scan finished |
Every webhook we send is signed so you can verify authenticity and integrity. See Webhook Security for the signature headers and a verification example.
Threat Groups
Aggregate statistics on tracked threat groups.
Get details on a specific threat group.
Threat Feed
Live threat intelligence feed with cluster summaries, threat categories, and estimated losses.
Ecosystem Import
Import your entire wallet base for continuous risk monitoring.
Import up to 10,000 wallets in a single call. Returns a job ID for tracking.
Aggregate risk summary across your entire imported wallet base.
Trigger a full rescan of all imported wallets.
Check status of a background scan job.
Compliance Reports
Generate a compliance-grade risk report across your ecosystem. Includes risk trajectory, tier changes, compromise history, and audit metadata.
Security & Data Handling
Sionix is built to be evaluated by a security team. This section states exactly what data we process, how it is protected, and how to verify us — so you can complete a review without a single email. In one line: Sionix reads only public on-chain data and never touches private keys.
What we process — and what we never touch
| Category | Detail |
|---|---|
| Inputs | The wallet address(es) and chain you submit, plus the public on-chain data we read to score them. |
| Never requested | Private keys, seed phrases, or signing material. The API has no path to request or receive them. No end-user PII is required to use the service. |
| Never returned | Detection methodology, internal signals, or scoring internals. Every response is verdict-level only (score, classification, recommended action). |
Data retention
Scan results are cached for up to 90 days to power Risk History and continuous monitoring, then automatically purged. You may request earlier deletion of your data at any time by emailing security@sionix.tech.
Encryption
| Layer | Protection |
|---|---|
| In transit | TLS 1.2+ on all endpoints (terminated at Cloudflare). |
| At rest | Sensitive fields encrypted with AES-256-GCM; underlying database storage is encrypted at rest by our host. |
| API keys | Stored only as salted hashes — never in plaintext, and unrecoverable if lost. |
| Webhook secrets | Encrypted at rest; the plaintext secret is shown once at creation and never again. |
Authentication & key management
- Keys are passed in a request header (
x-api-keyorAuthorization: Bearer) and are never accepted in query strings, so they cannot leak into server logs, proxies, or browser history. - Rotate or revoke keys at any time via
GET/POST/DELETE /v1/auth/keys. - Every key is scoped to a single plan tier; a key never grants access above its tier.
Response data minimization
Responses contain only what you need to make an allow / warn / block decision. Internal detection signals, weights, and cluster internals are never present in any response, by design — this keeps your integration stable and protects the integrity of the detection engine.
Webhook security
Every webhook Sionix sends is signed so you can verify it originated from us and was not altered in transit. Each delivery includes these headers:
| Header | Value |
|---|---|
| X-Sionix-Signature | HMAC-SHA256 of the raw request body, hex-encoded, keyed with your webhook secret |
| X-Sionix-Event | The event type (e.g. monitor.alert) |
| X-Sionix-Delivery | Unique delivery ID (for idempotency and support) |
Your webhook secret (whsec_…) is returned once when you create the webhook. Verify every payload before trusting it, comparing in constant time:
const crypto = require("crypto");
// Express: capture the raw body so the signature matches byte-for-byte.
// app.use(express.json({ verify: (req, _res, buf) => { req.rawBody = buf; } }));
function verifySionixWebhook(req, secret) {
const signature = req.headers["x-sionix-signature"];
const expected = crypto
.createHmac("sha256", secret)
.update(req.rawBody)
.digest("hex");
return signature &&
crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}
Reject any request whose signature does not match. Failed deliveries are retried up to 3 times with backoff; a webhook is automatically disabled after 5 consecutive failures.
Infrastructure & subprocessors
Sionix is hosted in the United States. We use the subprocessors below to deliver the service. We do not sell your data, and we do not share it with third parties for their own purposes.
| Subprocessor | Purpose |
|---|---|
| Alchemy | Blockchain data (public on-chain reads) |
| Cloudflare | DNS, TLS termination, CDN, WAF |
| Railway | Application and database hosting |
| Resend | Transactional email (trial keys, alerts) |
| Stripe | Billing and payment processing |
Privacy & compliance
- Hosting region: United States.
- GDPR: a Data Processing Agreement (DPA) is available on request — email security@sionix.tech.
- SOC 2: not yet certified — on our roadmap. We are glad to complete security questionnaires in the meantime.
- Sionix never asks for, stores, or transmits private keys or seed phrases.
Responsible disclosure
Found a vulnerability? Email security@sionix.tech. We investigate every report and will coordinate remediation and disclosure with you. Please avoid testing that degrades service for other users, and allow us a reasonable window to remediate before any public disclosure.
Error Codes
| Code | Meaning |
|---|---|
| 400 | Invalid request — check your request body against the schema |
| 401 | Invalid or missing API key |
| 403 | Feature not available on your plan |
| 404 | Resource not found |
| 429 | Rate limit exceeded — back off and retry |
| 500 | Internal server error |
All error responses include a structured body:
{
"success": false,
"error": {
"code": "VALIDATION_ERROR",
"message": "Invalid request body",
"details": [...]
}
}
Rate Limits
| Plan | Requests / min | Scans |
|---|---|---|
| Trial | 10 | 100 total (7-day) |
| Business | 200 | 250,000 / month |
| Enterprise | 1,000 | Unlimited |
When you exceed a rate limit, the API returns 429 Too Many Requests. Back off and retry after the window resets (60-second rolling window).
Supported Chains
| Code | Chain |
|---|---|
| ETH | Ethereum |
| POLYGON | Polygon |
| ARBITRUM | Arbitrum One |
| BASE | Base |
| OPTIMISM | Optimism |
| BSC | BNB Smart Chain |
| AVALANCHE | Avalanche C-Chain |
Versioning & Stability
The API is versioned under /v1. The response envelope (success, data, meta) is stable, and error shapes are consistent across every endpoint. Backwards-incompatible changes ship under a new version path, and we announce deprecations in advance with a migration window. New fields may be added within a version — write parsers that ignore unknown fields so your integration keeps working as we ship.
Changelog
| Version | Changes |
|---|---|
| 1.0.0 | Initial public release — wallet scanning, batch scanning, pre-transaction screening, continuous monitoring with webhooks, and threat intelligence across seven EVM chains. |
Support
Need help integrating? Have a question about your plan?
| Channel | Contact |
|---|---|
| Sales & API keys | sales@sionix.tech |
| General support | support@sionix.tech |
| Security | security@sionix.tech |
| Privacy policy | sionix.tech/privacy |
| Terms of service | sionix.tech/terms |
| SLA (uptime commitment) | sionix.tech/sla |
| API status | api.sionix.tech/health |
Official Sionix domains
Sionix will never ask for your private keys, seed phrases, or wallet credentials. The only legitimate Sionix domains are:
- sionix.tech — Website
- api.sionix.tech — API
- docs.sionix.tech — Documentation
If you encounter a site impersonating Sionix, report it to security@sionix.tech.