From af5172b855ee836d418777a37639cb937437897b Mon Sep 17 00:00:00 2001
From: Francis Labelle <francis.labelle@flare.systems>
Date: Thu, 2 Apr 2026 09:18:19 -0400
Subject: [PATCH] document `include` param in firework & astp cred search with
 examples

---
 docs/api-reference/spec/firework-v4-openapi.json       | 10 +++++++++-
 docs/changelog/overview.mdx                            |  4 ++++
 .../credentials/astp-and-global-search-common.mdx      |  8 ++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/docs/api-reference/spec/firework-v4-openapi.json b/docs/api-reference/spec/firework-v4-openapi.json
index 2848572..e2ef309 100644
--- a/docs/api-reference/spec/firework-v4-openapi.json
+++ b/docs/api-reference/spec/firework-v4-openapi.json
@@ -15299,6 +15299,13 @@
                             }
                         ],
                         "title": "Event Uid"
+                    },
+                    "auth_domains": {
+                        "items": {
+                            "type": "string"
+                        },
+                        "type": "array",
+                        "title": "Auth Domains"
                     }
                 },
                 "type": "object",
@@ -21029,7 +21036,8 @@
             "IncludeOptions": {
                 "type": "string",
                 "enum": [
-                    "known_password_id"
+                    "known_password_id",
+                    "auth_domains"
                 ],
                 "title": "IncludeOptions"
             },
diff --git a/docs/changelog/overview.mdx b/docs/changelog/overview.mdx
index 3021773..d62ff10 100644
--- a/docs/changelog/overview.mdx
+++ b/docs/changelog/overview.mdx
@@ -13,6 +13,10 @@ Release notes for the Flare Platform can be found on the [product documentation
 </Note>
 
 <Update label="2026-03" description="API - March 2026">
+  Added new value for the `include` parameter in the [Global Search Credentials Endpoint <Icon icon="code" size={16} />](/api-reference/v4/endpoints/credentials-global-search).
+
+  Added documentation for the `include` parameter in the [ASTP Search Credentials Endpoint <Icon icon="code" size={16} />](/api-reference/astp/endpoints/post-credentials-search).
+
   Replaced the `leak` event type for individual `leaked_credential` events. See [Leaked Credentials <Icon icon="book" size={16} />](/event-types/leaked-credential)
 </Update>
 
diff --git a/docs/snippets/credentials/astp-and-global-search-common.mdx b/docs/snippets/credentials/astp-and-global-search-common.mdx
index 7c36326..adb44e8 100644
--- a/docs/snippets/credentials/astp-and-global-search-common.mdx
+++ b/docs/snippets/credentials/astp-and-global-search-common.mdx
@@ -4,6 +4,7 @@
 {
     "items": [
         {
+            "auth_domains": ["login.live.com"],
             "domain": "scatterholt.com",
             "hash": "B@dPassw0rd",
             "hash_type": null,
@@ -23,6 +24,7 @@
             "source_id": "combolists"
         },
         {
+            "auth_domains": ["www.facebook.com", "discord.com"],
             "domain": "scatterholt.com",
             "hash": "1qaz2wsx",
             "hash_type": "unknown",
@@ -63,6 +65,12 @@ This endpoint supports the
   The `next` value from the last response.
 </ParamField>
 
+<ParamField body="include" type="string[]">
+  Additional fields to return. Available options:
+    - `known_password_id`: ID of the credential's password.
+    - `auth_domains`: for each credential, return up to 10 domains where this credential was used.
+</ParamField>
+
 <ParamField body="order" type="string" default="desc">
   The order in which the results will be returned. (`asc` or `desc`)
 </ParamField>