Domain Reputation

Shared blacklist and whitelist of dApp domains

A community-maintained reputation layer for Starknet dApp domains. Wallets check this before letting a user connect to an unfamiliar site.

Anyone can check a domain. Anyone can report a bad one. Wallets, dApp browsers, and explorers all read from the same shared signal.

List domains

GET /api/dapps/domains/

| Filter | Notes |
| --- | --- |
| domain | Match a specific domain |
| status | whitelisted, blacklisted, etc. |
| category | Phishing, scam, malware, ... |
| risk_level | low, medium, high |
| active | true to only show currently active flags |

```bash
curl 'https://api.tokenkithq.io/api/dapps/domains/?status=blacklisted&active=true' \
  -H 'api-key: YOUR_API_KEY'
```

GET /api/dapps/domains/{id}/ - one domain

```bash
curl 'https://api.tokenkithq.io/api/dapps/domains/42/' \
  -H 'api-key: YOUR_API_KEY'
```

GET /api/dapps/domains/blacklist/ - blacklist only

```bash
curl 'https://api.tokenkithq.io/api/dapps/domains/blacklist/?search=phish' \
  -H 'api-key: YOUR_API_KEY'
```

GET /api/dapps/domains/whitelist/ - whitelist only

```bash
curl 'https://api.tokenkithq.io/api/dapps/domains/whitelist/' \
  -H 'api-key: YOUR_API_KEY'
```

Check a single domain

GET /api/dapps/domain-check/

The endpoint your wallet should hit before opening a dApp.

| Parameter | Required | Notes |
| --- | --- | --- |
| domain | yes | The host you want to check |

```bash
curl 'https://api.tokenkithq.io/api/dapps/domain-check/?domain=example.com' \
  -H 'api-key: YOUR_API_KEY'
```

The response tells you whether the domain is whitelisted, blacklisted, or unknown, plus any risk metadata.
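
A wallet-side use of this endpoint, as an added example that is not TokenKit's own code: it reduces the dApp URL to the host that is actually contacted, queries domain-check, and maps the result to an action. The response field name `status` and all function names are assumptions; the page does not give the response schema.

```javascript
// Added example: wallet-side pre-connect check (not TokenKit's own code).
// ASSUMPTION: the JSON response has a `status` field using the values the
// page names (whitelisted / blacklisted / unknown); the page gives no schema.
const API_BASE = 'https://api.tokenkithq.io/api/dapps/domain-check/';

// Reduce whatever the dApp presented (URL or bare host) to the host that
// will actually be contacted: drops scheme, userinfo, port, path, trailing dot.
function normalizeHost(input) {
  const text = String(input).trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `https://${text}`;
  try {
    const host = new URL(withScheme).hostname.replace(/\.$/, '');
    return host || null;
  } catch {
    return null; // unparseable input is never looked up or trusted
  }
}

// Map a lookup result to a wallet action. Only an explicit "whitelisted"
// yields "allow"; anything unrecognised, missing or failed yields "warn".
function decide(result) {
  const status = result && typeof result.status === 'string' ? result.status.toLowerCase() : '';
  if (status === 'blacklisted') return { action: 'block', overridable: true };
  if (status === 'whitelisted') return { action: 'allow' };
  return { action: 'warn' };
}

// Query the endpoint. `fetchImpl` is injectable so the logic can be tested offline.
async function checkDomain(input, apiKey, fetchImpl = fetch) {
  const host = normalizeHost(input);
  if (!host) return { host: null, ...decide(null) };
  const url = `${API_BASE}?${new URLSearchParams({ domain: host })}`;
  try {
    const res = await fetchImpl(url, { headers: { 'api-key': apiKey } });
    if (!res.ok) return { host, ...decide(null) }; // 4xx/5xx: treat as unknown
    return { host, ...decide(await res.json()) };
  } catch {
    return { host, ...decide(null) }; // network failure must not become "allow"
  }
}
```

Normalising first matters because a link such as `https://jediswap.xyz@phishy-example.com/` displays a trusted name but connects to `phishy-example.com`, which is the host that must be checked.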

Reports

Anyone with an API key can submit a report. We review and act on them.

GET /api/dapps/domain-reports/ - list reports

```bash
curl 'https://api.tokenkithq.io/api/dapps/domain-reports/' \
  -H 'api-key: YOUR_API_KEY'
```

POST /api/dapps/domain-reports/ - submit a report

```bash
curl -X POST 'https://api.tokenkithq.io/api/dapps/domain-reports/' \
  -H 'api-key: YOUR_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
    "domain": "phishy-example.com",
    "category": "phishing",
    "reason": "Clone of jediswap.xyz prompting for seed phrase",
    "evidence": "https://twitter.com/.../status/..."
  }'
```

GET /api/dapps/domain-reports/{id}/ - one report

```bash
curl 'https://api.tokenkithq.io/api/dapps/domain-reports/123/' \
  -H 'api-key: YOUR_API_KEY'
```

Info
A blacklist entry is a strong signal, not a guarantee. Wallets typically block the connection by default and let users override with a warning.
