Public API
A free, read-only JSON endpoint to scan any Ethereum address for risky token & NFT approvals. No key, no auth, CORS-enabled — embed it anywhere.
Endpoint
GET https://wewatchyourwallet.com/api/scan/{address}
Example:
curl https://wewatchyourwallet.com/api/scan/0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045
Response
{
  "address": "0x…",
  "chainId": 1,
  "scannedAt": "2026-06-28T07:00:00Z",
  "score": 80,
  "severity": "URGENT",
  "approvalsReviewed": 42,
  "stale": false,
  "failed": false,
  "risks": [
    {
      "token": "USDC",
      "tokenAddress": "0xA0b8…48Ce",
      "spender": "MALICIOUS",
      "spenderAddress": "0x1111…1111",
      "severity": "URGENT",
      "unlimited": true,
      "limit": null,
      "explanation": "A spender flagged as malicious holds an unlimited approval on your USDC…",
      "revokeUrl": "https://revoke.cash/address/0x…?chainId=1"
    }
  ],
  "disclaimer": "Informational only — not financial, investment, or legal advice. Read-only and non-custodial."
}
Severity
Each risk and the overall result is one of INFO · WATCH · WARN · URGENT.
Limits & honesty
- Rate-limited per IP per day (shared with the website scan). Over the limit returns 429.
- If upstream risk data is unavailable, the API returns 503 — never a fake "clean" result.
- Partial upstream data sets "stale": true (the picture may be incomplete).
- CORS is open (Access-Control-Allow-Origin: *); the endpoint is sessionless and sets no cookies.
- Read-only & non-custodial: we only read public on-chain data, and revoking is done by you in your own wallet.
- Informational only — not financial, investment, or legal advice.
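
A client embedding this endpoint should keep the same distinction the API makes between "no risk found" and "could not tell". The sketch below is an added example, not code from this site: it maps the status codes and the "stale" / "failed" flags described above to a verdict that never reports a wallet as clean on missing or partial data. The function names, verdict labels and the WARN threshold are hypothetical; it also assumes the severities are listed in ascending order and that "failed": true means the scan did not complete.

```javascript
// Added example: fail-closed interpretation of /api/scan responses.
// Assumption: severities ascend in the order the page lists them.
const SEVERITY_ORDER = ["INFO", "WATCH", "WARN", "URGENT"];

// Unknown labels rank above URGENT so they are never silently ignored.
function rank(severity) {
  const i = SEVERITY_ORDER.indexOf(severity);
  return i < 0 ? SEVERITY_ORDER.length : i;
}

// Pure function: HTTP status + parsed JSON body (or null) -> verdict object.
function interpretScan(status, body) {
  if (status === 429) return { verdict: "RETRY_LATER", reason: "per-IP daily limit reached", risks: [] };
  if (status === 503) return { verdict: "UNKNOWN", reason: "upstream risk data unavailable", risks: [] };
  if (status !== 200 || !body || !Array.isArray(body.risks)) {
    return { verdict: "UNKNOWN", reason: `unexpected response (HTTP ${status})`, risks: [] };
  }
  // Assumption: "failed": true means the scan itself did not complete.
  if (body.failed) return { verdict: "UNKNOWN", reason: "scan reported failed", risks: [] };

  // Most severe first, so a UI can show the riskiest approval at the top.
  const risks = [...body.risks].sort((a, b) => rank(b.severity) - rank(a.severity));
  const actionable = risks.filter((r) => rank(r.severity) >= rank("WARN"));
  if (actionable.length > 0) {
    return { verdict: "ACTION_NEEDED", reason: `${actionable.length} approval(s) at WARN or above`, risks };
  }
  // Partial data cannot prove the absence of risk, so do not report "clean".
  if (body.stale) return { verdict: "INCOMPLETE", reason: "partial upstream data", risks };
  return { verdict: "NO_HIGH_RISK_FOUND", reason: `${body.approvalsReviewed} approvals reviewed`, risks };
}

// Network wrapper; validates the address shape before building the URL.
async function scanAddress(address) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(address)) throw new Error("expected 0x + 40 hex characters");
  const res = await fetch(`https://wewatchyourwallet.com/api/scan/${address}`);
  const body = await res.json().catch(() => null); // error bodies may not be JSON
  return interpretScan(res.status, body);
}
```
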