The URL Pivot Encyclopedia
A reference catalog of 145 OSINT URL patterns across 17 categories — the "URL trick" patterns that turn a single known identifier (handle, email, phone, ID) into identity-revealing data on a third-party service. Filter by category, search by service or what the URL reveals, and click any row to see the pattern.
Each entry is status-flagged: working public URL, JSON API endpoint, RSS feed for passive monitoring, login required, partial (works with caveats), or dead. The list is verified during the 2026 site rebuild and reflects the post-Twitter-API era where services like Instagram and X have closed off most public access while federated networks (Bluesky, Mastodon) and crypto identity (ENS, Farcaster, Lens) have opened theirs.
For an interactive multi-platform username scanner that runs many of these patterns simultaneously, see the Username Search page. For email-specific pivots see Email Profiler. For active tools that consume these APIs and render results see the dedicated pages — Bluesky Lookup, Mastodon Lookup, Crypto Address Profiler, and others.
Frequently asked questions
What is this list?
A status-flagged catalog of OSINT URL patterns that pivot from a known identifier (handle, email, phone, ID) to identity-revealing data on third-party services. Inspired by the WhatsMyName project and the OSINT Framework reference, but focused on the "URL trick" — public endpoints that reveal more than they look like they should.
How do I use these patterns?
Replace the placeholder in {curly braces} with the value you have. {handle} is a username, {phone} is a phone number (typically without the + sign), {md5(email)} means the MD5 hash of the email, etc. Then visit the URL or fetch it programmatically.
What do the status flags mean?
The status legend above the table is the canonical reference. W = working public URL (just visit). API = returns JSON, often CORS-friendly enough for browser-side fetch. RSS = a feed you can subscribe to in any RSS reader for passive monitoring. LR = login required. PARTIAL = works with caveats (rate limits, header requirements, geographic restrictions). DEAD = no longer functional, kept for historical reference.
Why is RSS so valuable for OSINT?
RSS subscriptions are silent — the target gets no notification. You can monitor a Bluesky/Mastodon/Substack/Reddit/GitHub user from any reader and they have no idea. This is the legitimate, low-cost way to track public activity on services that don't expose a "follow" notification. The RSS rows in this table are pre-built endpoints; just paste them into any feed reader.
How current is this list?
Verified during the 2026 site rebuild against working endpoints. Some services tighten access frequently — Instagram and X/Twitter in particular have moved most data behind login walls since 2023. The PARTIAL flag highlights those moving targets.
Can I use these in automated tools?
For your own internal use: yes, mostly. Each service has its own ToS — check carefully if you plan to query at scale. The API-flagged endpoints generally permit responsible automated use within their published rate limits; the W-flagged HTML pages are typically accessed via headless browser or the service's own scraper-tolerance.