Resolve an IPv4 or IPv6 address to its geolocation, ASN, org name, and city/country. Use when you need network or location context for a raw IP address; prefer dns_lookup or dossier_dns for hostname resolution. Queries ipinfo.io with a server-side token — the token is never exposed to callers. Returns a JSON object with fields ip, city, region, country, org, loc, and timezone. On failure, returns an error string describing what went wrong.

Resolve a single DNS record type (A, AAAA, MX, TXT, NS, CNAME, SOA, CAA, or SRV) and return the raw answers. Use for quick, targeted lookups of one record type; prefer dossier_dns for a full multi-type DNS audit in parallel, or dossier_full for a complete domain health check. Queries Cloudflare DoH (1.1.1.1/dns-query) over HTTPS, follows CNAME chains, 5 s timeout. Returns a JSON array of answer objects with name, type, and data fields. On error, returns a string describing the DNS failure.

Fetch a domain's full DNS profile — A, AAAA, NS, SOA, CAA, and TXT records — all in parallel. Use as the first step of a domain audit or when you need a comprehensive DNS snapshot in one call; prefer dns_lookup for a single record type, or dossier_full for all 10 dossier checks at once. Fires six Cloudflare DoH (1.1.1.1) queries concurrently, each with a 5 s timeout. Returns a CheckResult discriminated union: on success, {status:"ok", records:{a, aaaa, ns, soa, caa, txt}}; on failure, {status:"error", reason}.

Look up a domain's MX (mail exchanger) records and return them sorted ascending by priority. Use when verifying inbound-mail routing or as a precursor to SPF or DMARC checks; prefer dns_lookup with type=MX if you only need the raw DNS answer without the ranked view. Queries Cloudflare DoH (1.1.1.1), follows CNAME aliases, 5 s timeout. Returns a CheckResult discriminated union: on success, {status:"ok", records:[{exchange, priority},...]} sorted by priority; on failure, {status:"error", reason}.

Retrieve and parse a domain's SPF record, decomposing it into mechanisms and qualifiers. Use to verify email sender policy, debug delivery failures, or check the 10-lookup limit; pair with dossier_dmarc for full email-auth coverage, or use dns_lookup with type=TXT for the raw record only. Fetches TXT records via Cloudflare DoH (1.1.1.1), 5 s timeout, locates the v=spf1 record and parses all mechanisms. Returns a CheckResult: on success, {status:"ok", raw, mechanisms:[{type, value, qualifier},...], lookupCount}; on failure, {status:"error", reason}.

Retrieve and parse a domain's DMARC policy from its _dmarc. TXT record, returning all tags. Use to audit email authentication policy, verify the p (policy) and rua (reporting) settings, or confirm alignment mode; pair with dossier_spf and dossier_dkim for complete email-auth coverage. Queries _dmarc. via Cloudflare DoH (1.1.1.1), 5 s timeout; parses each tag=value pair. Returns a CheckResult: on success, {status:"ok", raw, tags:{p, rua, ruf, adkim, aspf,...}}; on failure, {status:"error", reason}.

Probe a domain's DKIM public keys by querying ._domainkey. for each selector. Use to verify signing configuration or discover active selectors; supply selectors when you know the ESP's selector, or omit to probe six common selectors (default, google, k1, selector1, selector2, mxvault). Issues parallel Cloudflare DoH (1.1.1.1) TXT queries per selector, 5 s timeout each. Returns a CheckResult: {status:"ok", found:[{selector, publicKey, raw},...], notFound:[...]} or {status:"error", reason}.

Fetch and inspect the TLS certificate presented by a domain on port 443, returning chain details and validity period. Use to verify certificate expiry, issuer, Subject Alternative Names, or detect mismatched or self-signed certs; not a full cipher-suite scanner. Performs a TLS handshake from the server edge, 5 s timeout; extracts the leaf certificate. Returns a CheckResult: on success, {status:"ok", subject, issuer, validFrom, validTo, daysRemaining, sans, fingerprint}; on failure, {status:"error", reason}.

Trace the full HTTP redirect chain starting from https:///, recording each hop's status code and destination URL. Use to debug redirect loops, verify HTTP→HTTPS upgrades, or audit link shorteners; stops at 10 hops to prevent infinite loops. Follows Location headers with fetch (no auto-redirect), 5 s per hop. Returns a CheckResult: on success, {status:"ok", hops:[{url, statusCode, redirectsTo},...], final}; on failure, {status:"error", reason}.

Fetch https:/// and return all HTTP response headers, with an audit highlighting missing or misconfigured security headers. Use to review CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy; for redirect tracing use dossier_redirects instead. Single GET via fetch, 5 s timeout, captures raw response headers before any redirect is followed. Returns a CheckResult: on success, {status:"ok", headers:{...}, securityAudit:[{header, present, value},...]}; on failure, {status:"error", reason}.

Send a CORS preflight OPTIONS request to https:/// and return the access-control-* response headers. Use to verify CORS policy for a specific origin-method pair, or to check whether a domain allows cross-origin requests; provide origin and method to simulate a precise preflight, or omit to use defaults (origin: https://drwho.me, method: GET). Single OPTIONS request via fetch, 5 s timeout. Returns a CheckResult: on success, {status:"ok", headers:{access-control-allow-origin,...}}; on failure, {status:"error", reason}.

Snapshot a domain's public web surface: robots.txt, sitemap.xml, and the home-page metadata (title, description, OpenGraph, Twitter cards). Use for SEO audits, content discovery, or verifying metadata before sharing; for HTTP headers use dossier_headers, for redirect behavior use dossier_redirects. Fetches /, /robots.txt, and /sitemap.xml concurrently via HTTPS, 5 s each; parses with a lightweight HTML parser. Returns a composite CheckResult: {status:"ok", meta:{title, description, og, twitter}, robots, sitemapPresent} or {status:"error", reason}.

Parse a User-Agent header string into structured browser, OS, device type, and rendering-engine components. Use to identify client capabilities from a raw UA string, e.g. when analysing server logs or request headers; does not perform any network lookups — entirely local parsing. Runs synchronously using the ua-parser-js library with no external calls. Returns a JSON object with browser.name, browser.version, os.name, os.version, device.type, device.vendor, and engine.name fields; unknown fields are empty strings.

Validate and pretty-print a JSON string at a configurable indent width (2 or 4 spaces). Use to detect parse errors in raw JSON or to normalize minified JSON for readability; for schema validation or data transformation, apply your own logic. Runs JSON.parse + JSON.stringify locally with no network calls. On success, returns the formatted JSON string. On parse failure, returns an error message describing the position and nature of the syntax error.

Encode a UTF-8 plaintext string to standard Base64 (RFC 4648 §4, +/= alphabet). Use when you need to embed binary-safe text in HTTP headers, data URIs, or JSON payloads; note this tool uses the standard alphabet — replace + with - and / with _ manually if URL-safe Base64 is required. Pure local encoding with no network calls. Returns the Base64-encoded string as plain text. Always succeeds for valid UTF-8 input.

Decode a Base64 or Base64url string back to its original UTF-8 plaintext. Use to inspect encoded payloads, credentials, or embedded data; accepts both standard (+/) and URL-safe (-_) alphabets, with or without trailing = padding. Pure local decode with no network calls; validates that the result is valid UTF-8. Returns the decoded string on success. On failure (invalid Base64 or non-UTF-8 bytes), returns an error message describing what went wrong.

Percent-encode an arbitrary string so it is safe to embed as a URL component (query value, path segment, or fragment). Use to escape characters like &, =, #, spaces, and non-ASCII before appending to a URL; uses encodeURIComponent semantics, so / is encoded — do not pass a full URL, only the component that needs escaping. Pure local transform with no network calls. Returns the percent-encoded string as plain text. Always succeeds.

Decode a percent-encoded URL component back to its original string. Use to read query parameters, path segments, or form-encoded values containing %XX sequences; accepts both +-as-space (form encoding) and %20 representations. Pure local decode via decodeURIComponent with no network calls. Returns the decoded string on success. On failure (malformed %XX sequence or invalid UTF-8), returns an error message describing the problem.

Decode a JWT (JSON Web Token) into its header, payload, and raw signature without verifying the cryptographic signature. Use to inspect token claims (sub, exp, iat, aud, etc.) or debug auth flows; do NOT use the decoded claims for access-control decisions since the signature is not validated. Splits on ".", base64url-decodes each segment, and JSON-parses header and payload — no network calls, no key lookup. Returns JSON with header, payload, and signature fields. On malformed input, returns an error message.

Generate a single UUID in either v4 (random) or v7 (time-ordered, Unix-ms prefix) format. Use v4 for general-purpose identifiers; use v7 when UUIDs must sort chronologically by creation time (e.g. database primary keys or distributed tracing). Both versions use cryptographically random bits in their non-timestamp positions. Uses Node.js crypto.randomUUID() for v4 and a spec-compliant implementation for v7; no network calls. Returns a UUID string in canonical xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx format.

Run all 10 Domain Dossier checks — dns, mx, spf, dmarc, dkim, tls, redirects, headers, cors, web-surface — in parallel and return all results in a single response. Use when you need a comprehensive domain health snapshot in one call; counts as ONE paywall call regardless of how many checks run. For a single focused check, prefer the individual dossier_* tools to minimise latency. Fires all 10 checks concurrently via Cloudflare DoH or direct HTTPS, 5 s per-check timeout. Returns a JSON object keyed by check id (dns, mx, etc.), each value a CheckResult discriminated union ({status:"ok",...} or {status:"error", reason}).