API Documentation
FightPhishing.com provides a free public API for accessing phishing threat data. Rate limits are per-endpoint, per IP: check endpoints (/api/check-url, /api/check-email, /api/check-phone) allow 30 requests/minute; /api/v1/blacklist allows 100 requests/hour; /api/subscribe 10 per 10 minutes; /api/report-scam 10 per hour. Exceeding a limit returns HTTP 429 with a Retry-After header.
https://fightphishing.comAll endpoints return JSON unless a different format is specified. CORS is enabled on /api/v1/* endpoints.
/api/v1/blacklistReturns the active domain blacklist. Supports multiple export formats and pagination. Shared-infrastructure apexes (e.g. docs.google.com) carry a do_not_block flag: they are excluded from the hosts/txt blocklist exports but included in json/csv with do_not_block=1 so consumers can decide.
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
format | string | json | Response format: json, csv, txt, or hosts. hosts/txt exclude do_not_block entries; json/csv include them with the flag. |
limit | number | 100 | Number of results (max 1000) |
offset | number | 0 | Pagination offset |
since | string | — | ISO date filter (e.g. 2024-01-01) |
Response Headers
X-Total-Count: total active domainsX-Last-Updated: last blacklist update timestamp
Example
curl "https://fightphishing.com/api/v1/blacklist?format=json&limit=5"/api/check-urlCheck if a URL or domain is on the blacklist. Never fetches the URL — database lookup only. status is one of: found, suspicious, not_found, or shared_infrastructure (a legitimate platform scammers abuse — the page matters, not the domain; sharedInfrastructure:true and a note are also returned).
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
url | string | required | URL or domain to check |
Example
curl "https://fightphishing.com/api/check-url?url=example-phish.com"/api/searchSearch across phishing URLs, news articles, and scam reports.
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
q | string | required | Search query |
category | string | all | Filter: all, urls, news, or scams |
page | number | 1 | Page number |
limit | number | 20 | Results per page (max 50) |
Example
curl "https://fightphishing.com/api/search?q=paypal&category=urls"/api/rss/:feedRSS 2.0 feeds for each dashboard. Feed names: professional, elder, general, blacklist.
Example
curl "https://fightphishing.com/api/rss/professional"/api/subscribeRegister a webhook URL to receive high-threat notifications every 15 minutes.
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
webhook_url | string | required | Discord/Slack webhook URL (body JSON) |
feed_type | string | required | professional, elder, general, blacklist, or all (body JSON) |
Example
curl -X POST "https://fightphishing.com/api/subscribe" \
-H "Content-Type: application/json" \
-d '{"webhook_url":"https://hooks.slack.com/...","feed_type":"all"}'/api/check-emailAnalyze an email for phishing indicators. Checks sender domain against blacklist, verifies MX records, scans body for urgency/payment/PII red flags, and checks embedded URLs against threat intelligence.
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
emailFrom | string | optional | Sender email address |
claimedCompany | string | optional | Company the email claims to be from |
urls | string[] | optional | URLs found in the email (max 10) |
emailBody | string | optional | Email body text for content analysis |
Example
curl -X POST "https://fightphishing.com/api/check-email" \
-H "Content-Type: application/json" \
-d '{"emailFrom":"support@suspicious.com","claimedCompany":"PayPal","emailBody":"Verify your account immediately"}'/api/check-phoneCheck a US phone number against known scam numbers and suspicious international area codes. Returns scam type, area code risk, and external reporting links.
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
phone | string | required | US phone number (10 digits, with or without formatting) |
Example
curl "https://fightphishing.com/api/check-phone?phone=8005551234"/api/v1/check/bulkLook up many indicators in one request. Body accepts urls / domains / hashes arrays (≤500 total per request). Local-only lookups for speed — no external API calls.
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
urls | string[] | — | Body field — URLs to look up |
domains | string[] | — | Body field — bare domains |
hashes | string[] | — | Body field — sha256 / md5 / sha1 hashes (mixed allowed) |
Response Headers
Rate limited: 10 req/min/IP
Example
curl -X POST "https://fightphishing.com/api/v1/check/bulk" \
-H "Content-Type: application/json" \
-d '{"urls":["https://example.com","https://login-paypal.xyz"]}'/api/v1/export/stixReturns a STIX 2.1 bundle of indicator + intrusion-set + malware + relationship objects. Use ?campaign=<brand> and ?since=<iso> to filter; ?limit=N caps the indicator count (default 1000, max 10000).
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
campaign | string | — | Filter to indicators tied to a brand |
since | string | — | ISO 8601 timestamp — only newer indicators |
limit | number | 1000 | Cap on indicator count (1..10000) |
Response Headers
Content-Type: application/stix+json;version=2.1
Example
curl "https://fightphishing.com/api/v1/export/stix?campaign=PayPal&limit=500"/api/taxii/2.1/TAXII 2.1 discovery document. Most SOC tools (OpenCTI, MISP, Anomali, Splunk) can ingest from this root with zero custom integration.
Response Headers
Content-Type: application/taxii+json;version=2.1
Example
curl "https://fightphishing.com/api/taxii/2.1/"/api/taxii/2.1/collections/TAXII 2.1 collection listing. Three public collections: domain-blacklist, phishing-urls, campaigns.
Response Headers
Content-Type: application/taxii+json;version=2.1
Example
curl "https://fightphishing.com/api/taxii/2.1/collections/"/api/taxii/2.1/collections/:id/objects/TAXII 2.1 objects endpoint. Returns a STIX bundle for the named collection. Supports ?added_after=<iso> per spec.
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
added_after | string | — | ISO 8601 — STIX spec param |
limit | number | 1000 | Cap (1..10000) |
Response Headers
Content-Type: application/stix+json;version=2.1
Example
curl "https://fightphishing.com/api/taxii/2.1/collections/domain-blacklist/objects/?limit=200"/api/v1/watchlistRegister a brand-impersonation watch entry. The webhook notifier consults the watchlist after each 15-min pass and POSTs a focused payload to the entry's webhook_url for any matching IOC.
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
domain | string | — | Substring or Levenshtein-near match against IOC domains |
brandKeyword | string | — | Substring against IOC target_brand or domain |
webhookUrl | string | — | Optional https:// destination |
ownerId | string | — | Free-form correlation id (kept private) |
Response Headers
Rate limited: 20 req/min/IP
Example
curl -X POST "https://fightphishing.com/api/v1/watchlist" \
-H "Content-Type: application/json" \
-d '{"brandKeyword":"paypal","domain":"","webhookUrl":"https://example.com/hook"}'/api/v1/enrich/:domainEnrich a domain with DNS A-record, Team Cymru ASN (free DNS-based), crt.sh recent certificates, and same-brand peer-domain pivots from our own DB. Cached 24h.
Example
curl "https://fightphishing.com/api/v1/enrich/example.com"