> ## Documentation Index
> Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# GET /api/taxii2/api/collections — list TAXII collections

> List all available TAXII 2.1 collections on the SOC Defenders server, including all IOCs, IP-only, hash-only, and CVE collections. Requires Pro.

The collections endpoint returns all TAXII 2.1 collections available on the SOC Defenders server. Each collection groups STIX objects by indicator type — you can poll all IOCs at once, or target a specific collection such as IP addresses, file hashes, or CVEs depending on what your integration needs.

## Endpoint

**Method:** `GET https://www.socdefenders.ai/api/taxii2/api/collections/`

**Authentication:** Required — pass your API key in the `Authorization` header as a Bearer token.

**Tier:** Pro.

## Example request

```bash theme={null}
curl -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://www.socdefenders.ai/api/taxii2/api/collections/"
```

## Example response

```json theme={null}
{
  "collections": [
    {
      "id": "all-iocs",
      "title": "All IOCs",
      "description": "All indicators of compromise across all types",
      "can_read": true,
      "can_write": false,
      "media_types": ["application/stix+json;version=2.1"]
    },
    {
      "id": "ip-addresses",
      "title": "IP Addresses",
      "description": "IPv4 and IPv6 indicators only",
      "can_read": true,
      "can_write": false,
      "media_types": ["application/stix+json;version=2.1"]
    },
    {
      "id": "file-hashes",
      "title": "File Hashes",
      "description": "MD5, SHA1, and SHA256 file hash indicators",
      "can_read": true,
      "can_write": false,
      "media_types": ["application/stix+json;version=2.1"]
    },
    {
      "id": "cves",
      "title": "CVEs",
      "description": "CVE vulnerability indicators",
      "can_read": true,
      "can_write": false,
      "media_types": ["application/stix+json;version=2.1"]
    }
  ]
}
```

The collection IDs shown above are illustrative. Use the `id` values returned by your live response when constructing object requests.

## Response fields

<ResponseField name="collections" type="object[]">
  Array of collection objects available on the server.

  <Expandable title="properties">
    <ResponseField name="collections[].id" type="string">
      Unique collection identifier. Pass this as the `{id}` path parameter when fetching objects from `GET /api/taxii2/api/collections/{id}/objects/`.
    </ResponseField>

    <ResponseField name="collections[].title" type="string">
      Human-readable name of the collection.
    </ResponseField>

    <ResponseField name="collections[].description" type="string">
      Description of what indicator types or data this collection contains.
    </ResponseField>

    <ResponseField name="collections[].can_read" type="boolean">
      `true` if your API key has read access to this collection.
    </ResponseField>

    <ResponseField name="collections[].can_write" type="boolean">
      `true` if your API key has write access to this collection. SOC Defenders collections are read-only; this field will always be `false`.
    </ResponseField>

    <ResponseField name="collections[].media_types" type="string[]">
      Array of MIME types supported by this collection. SOC Defenders serves STIX 2.1 objects: `application/stix+json;version=2.1`.
    </ResponseField>
  </Expandable>
</ResponseField>

## Next steps

Use a collection `id` to fetch its STIX objects at [GET /api/taxii2/api/collections/{id}/objects/](/api-reference/taxii/objects).
