API Reference

Access phishunt's phishing intelligence programmatically. Free, open, no authentication required.

Introduction

The detection pipeline identifies active suspicious phishing sites in real time by monitoring multiple threat intelligence sources and Certificate Transparency logs. Data is enriched with IP geolocation, TLS certificate information, and detection verdicts.

Detection sources:

Certificate Transparency - real-time monitoring of newly issued TLS certificates
Google Safe Browsing - batch lookup against Google's threat lists
OpenPhish - community phishing feed
PhishTank - verified phishing URLs
TweetFeed - IOCs shared on social media
urlscan.io - live URL scanning verdicts

Pipeline schedule

Process	Frequency	Description
Detection pipeline	Every hour	Scans Certificate Transparency logs and checks threat intel sources for new suspicious phishing domains
Active site re-check	Every 6 hours	Re-visits active sites, captures fresh screenshots, and updates detection verdicts
New registration scan	Daily (00:30 UTC)	Scans newly registered domains for suspicious keyword patterns
Data enrichment	On detection	IP geolocation, ASN, TLS certificate, and hosting organization via ipinfo.io

Authentication

No authentication required. All endpoints are open and free to use. Just send a request - no API keys, no tokens, no sign-up.

Rate limits

API and feed endpoints are rate-limited to 10 requests per second per IP, with a burst allowance of 20. Exceeding this limit returns a 429 response.

Base URL

https://phishunt.io

Get domains

Returns active suspicious phishing domains with enrichment data including IP geolocation, TLS certificate, and detection verdicts from multiple sources.

GET /api/v1/domains

Query parameters

Parameter	Type	Description
`limit`	integer	Number of results to return. Default 100, max 1000.
`offset`	integer	Number of results to skip for pagination. Default 0, max 10000.
`format`	string	Response format: `json`, `csv`, or `txt`. Default json.
`company`	string	Filter by targeted brand (e.g. `amazon`, `paypal`). See targeted brands.
`since`	ISO 8601	Only entries after this date (e.g. `2026-03-01`).

Example request

# Get the latest 50 suspicious phishing domains
curl "https://phishunt.io/api/v1/domains?limit=50"

# Filter by targeted brand
curl "https://phishunt.io/api/v1/domains?company=amazon"

# Get entries since a date in CSV format
curl "https://phishunt.io/api/v1/domains?since=2026-03-01&format=csv"

# Paginate: get results 101-200
curl "https://phishunt.io/api/v1/domains?offset=100&limit=100"

import requests

r = requests.get("https://phishunt.io/api/v1/domains", params={
    "limit": 50,
    "company": "amazon",
})

data = r.json()
print(f"Returned {data['count']} results")

for site in data["results"]:
    print(site["url"], site["company"], site["ip"])

const url = "https://phishunt.io/api/v1/domains?limit=50&company=amazon";
const res = await fetch(url);
const { count, results } = await res.json();

console.log(`Returned ${count} results`);
results.forEach(site => {
    console.log(site.url, site.company, site.ip);
});

Example response

{
  "count": 2,
  "offset": 0,
  "limit": 100,
  "results": [
    {
      "url": "https://amazon.example-phish.com/signin",
      "domain": "amazon.example-phish.com",
      "company": "amazon",
      "date": "2026-03-27T14:30:00+00:00",
      "first_seen": "2026-03-25T09:12:00+00:00",
      "uuid": "54889cb5-146d-484f-8b94-7a0b7385bff7",
      "ip": "198.51.100.42",
      "country": "United States",
      "asn": "64496",
      "org": "Example Hosting Inc.",
      "cert": "Let's Encrypt R3",
      "malicious_google": false,
      "malicious_openphish": true,
      "malicious_phishtank": false,
      "malicious_tweetfeed": false,
      "malicious_urlscan": true
    }
  ]
}

Feeds

Download the complete active suspicious phishing feed. Updated every hour. Full dataset with no filtering - use the domains endpoint for query parameters.

JSON

CSV

TXT

OpenAPI

Feed files return all active entries as a download. The JSON feed is a flat array (no wrapper object). The TXT feed contains one URL per line. Import the OpenAPI spec into Postman or Insomnia.

Response fields

Each object in the results array (or feed entries) contains these fields.

Field	Type	Description
`url`	string	Full URL of the suspicious site
`domain`	string	Domain name including subdomains
`company`	string	Targeted brand slug (e.g. `amazon`, `paypal`)
`date`	datetime	Last check timestamp (ISO 8601)
`first_seen`	datetime	When the site was first detected (ISO 8601)
`uuid`	string	Unique identifier for this entry (UUID v4)
`ip`	string	Resolved IPv4 address
`country`	string	Hosting country name
`asn`	string	Autonomous System Number (e.g. `13335`)
`org`	string	Hosting organization
`cert`	string	TLS certificate issuer
`malicious_google`	boolean	`true` if flagged by Google Safe Browsing
`malicious_openphish`	boolean	`true` if present in OpenPhish feed
`malicious_phishtank`	boolean	`true` if present in PhishTank
`malicious_tweetfeed`	boolean	`true` if present in TweetFeed
`malicious_urlscan`	boolean	`true` if flagged by urlscan.io

Pagination

Use offset and limit to paginate through results. The response includes both values so you can compute the next page.

# Page 1
curl "https://phishunt.io/api/v1/domains?limit=100&offset=0"

# Page 2
curl "https://phishunt.io/api/v1/domains?limit=100&offset=100"

# Page 3
curl "https://phishunt.io/api/v1/domains?limit=100&offset=200"

When count is less than limit, you've reached the last page.

Status codes

Code	Description
200	Success. Response body contains the requested data.
400	Bad request. Invalid parameter value (e.g. malformed `since` date).
429	Rate limited. Back off and retry.

Notes

CORS - All API responses include Access-Control-Allow-Origin: *, so you can call the API from browser applications.

Terms - Data is provided on a best-effort basis. False positives may occur. See Terms of Service.