API Documentation

Read-only endpoints on api.phishstats.info are public, but daily quotas depend on how you authenticate. Anonymous traffic (no key) is limited to 50 requests/day per IP. Registered and paid tiers require a psk_* API key sent on every request.

1. Sign in and create an API key (free accounts get 1 key; Premium 2; Enterprise 3).
2. Copy the full key when shown. It is displayed only once.
3. Send the key as a header on every programmatic call (see example below).

curl -H 'X-API-Key: psk_YOUR_KEY' \
  'https://api.phishstats.info/api/phishing?_sort=-id&_p=0&_size=100'

Alternative: Authorization: Bearer psk_… or query ?apikey=psk_… (header preferred). Subscribing to Premium or Enterprise does not upgrade anonymous IP traffic. You must send your key. Do not use _apikey=; that prefix is xmysql filter syntax.

Limits depend on your plan. Anonymous API access is capped at 50 requests per day per IP. Registered free users get 150 API requests per day with an API key, plus per-minute burst limits. Premium and Enterprise plans offer higher daily quotas. See our Pricing page for details. All daily quotas reset at UTC midnight.

PhishStats has offered free API access since 2018. Tiered limits fund infrastructure while keeping research access free. Register for a key before upgrading if you need more than 50 requests/day.

Authenticate with X-API-Key: psk_… or Authorization: Bearer psk_…. Create keys at Settings → API keys after signing in. Prefer webhook monitoring over polling. See Monitoring alerts.

Query-string auth is supported as ?apikey=psk_… (no underscore). Do not use _apikey=. That prefix is xmysql filter syntax, not API authentication. Premium and paid tiers only apply when a valid psk_* key is sent; unauthenticated requests stay on the anonymous 50/day IP limit.

When you exceed burst or daily limits, the API returns HTTP 429 Too Many Requests. Responses include a human-readable error field and structured metadata to help clients back off or upgrade.

HTTP/1.1 429 Too Many Requests
Content-Type: application/json

{
  "error": "Anonymous daily limit reached (50/day). Register free at phishstats.info for 150 API requests/day with an API key. Quota resets at UTC midnight.",
  "limit_type": "anonymous_daily",
  "limit": 50,
  "register_url": "https://phishstats.info/settings/api-keys",
  "upgrade_url": "https://phishstats.info/pricing",
  "monitoring_url": "https://phishstats.info/settings/monitoring",
  "docs_url": "https://phishstats.info/api-docs",
  "quota_resets_at": "2026-06-19T00:00:00.000Z"
}

HTTP/1.1 429 Too Many Requests
Content-Type: application/json

{
  "message": "API rate limit exceeded (20/min). Spread requests across time, or upgrade at https://phishstats.info/pricing."
}

HTTP/1.1 429 Too Many Requests
Content-Type: application/json

{
  "error": "Daily API quota reached (150/day). Quota resets at UTC midnight. Upgrade at https://phishstats.info/pricing for higher limits, or use webhook monitoring at https://phishstats.info/settings/monitoring instead of polling.",
  "limit_type": "daily",
  "limit": 150,
  "register_url": "https://phishstats.info/settings/api-keys",
  "upgrade_url": "https://phishstats.info/pricing",
  "monitoring_url": "https://phishstats.info/settings/monitoring",
  "docs_url": "https://phishstats.info/api-docs",
  "quota_resets_at": "2026-06-19T00:00:00.000Z"
}

Client recommendation: honor Retry-After, cache results, avoid polling more often than our 90-minute data refresh cycle, and use monitoring webhooks for term-based alerts instead of repeated API queries.