Phishivox
← All Documentation

API Reference

Complete reference for the Phishivox REST API. All endpoints use JSON and require authentication unless noted otherwise.

Authentication

All API requests require a Bearer token in the Authorization header. Obtain a token by authenticating via POST /api/v1/auth/login.

Login

POST
/api/v1/auth/login

Authenticate with email and password. Returns a JWT access token.

curl -X POST https://api.phishivox.com/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "user@company.com", "password": "your-password"}'

# Response:
{
  "access_token": "eyJhbGciOi...",
  "token_type": "bearer"
}

Using the token

Include the token in all subsequent requests:

curl https://api.phishivox.com/api/v1/scan/history \
  -H "Authorization: Bearer eyJhbGciOi..."

Enterprise API keys

Enterprise customers can generate long-lived API keys for service account access from Gateway Settings. API keys use the same Bearer token format.

Scan Endpoints

Scan email from JSON payload

POST
/api/v1/scan

Analyze an email by providing sender, subject, body, and optional headers.

curl -X POST https://api.phishivox.com/api/v1/scan \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "from_address": "sender@example.com",
    "from_display_name": "Example Sender",
    "subject": "Verify your account",
    "body_text": "Click here to verify...",
    "headers": {
      "Authentication-Results": "spf=pass; dkim=pass; dmarc=pass"
    },
    "use_ai": true
  }'

Upload .eml file

POST
/api/v1/scan/upload

Upload and scan a .eml file. Headers and body are parsed server-side.

curl -X POST https://api.phishivox.com/api/v1/scan/upload \
  -H "Authorization: Bearer TOKEN" \
  -F "file=@suspicious-email.eml" \
  -F "use_ai=true"

Scan from connected mailbox

POST
/api/v1/scan/mailbox

Scan an email from your connected Gmail or M365 account by message ID.

Get scan result

GET
/api/v1/scan/{scan_id}

Retrieve the full scan result including all layer scores and findings.

Rescan

POST
/api/v1/scan/{scan_id}/rescan

Re-run detection on a previously scanned email. Pass {use_ai: true/false} in the body to choose between AI and non-AI scan.

Batch mailbox scan

POST
/api/v1/scan/mailbox/batch

Scan up to 100 emails from a connected mailbox in one request. Emails are fetched in parallel.

Bulk scan (Enterprise)

POST
/api/v1/scan/bulk

Scan up to 50 pre-parsed emails in one request. Enterprise tier only. Returns array of results.

Scan history

GET
/api/v1/scan/history

Paginated scan history with verdict filter. Respects tier retention (7d free, 90d pro, 365d enterprise). Params: limit, offset, verdict.

Scan stats

GET
/api/v1/scan/stats

Monthly scan statistics broken down by verdict.

Quota

GET
/api/v1/scan/quota

Current scan and AI quota usage for the authenticated user.

Response format

All scan endpoints return the same result structure:

{
  "id": "uuid",
  "verdict": "safe | spam | suspicious | phishing",
  "score": 0.0 - 1.0,
  "confidence": 0.0 - 1.0,
  "sender_trust": 0.0 - 1.0,
  "reasons": ["Finding 1", "Finding 2"],
  "layer_scores": {
    "rules": 0.0,
    "url": 0.0,
    "headers": 0.0,
    "attachments": 0.0,
    "ml": 0.0,
    "ai": 0.0
  },
  "ai_brands": [],
  "ai_findings": [],
  "ai_recommendations": []
}

Mailbox Endpoints

Connect, browse, and manage email provider integrations.

Gmail

GET
/api/v1/mailbox/gmail/connect

Start Gmail OAuth flow. Returns the authorization URL.

GET
/api/v1/mailbox/gmail/folders

List Gmail labels/folders with message counts.

GET
/api/v1/mailbox/gmail/emails

List emails in a folder. Supports pagination (page_token) and search (q parameter).

POST
/api/v1/mailbox/gmail/disconnect

Revoke Gmail access and remove stored tokens.

Microsoft 365

GET
/api/v1/mailbox/m365/connect

Start M365 OAuth flow. Returns the authorization URL.

GET
/api/v1/mailbox/m365/folders

List M365 mail folders with message counts.

GET
/api/v1/mailbox/m365/emails

List emails in a folder. Supports pagination (top/skip) and search (search parameter).

POST
/api/v1/mailbox/m365/disconnect

Remove M365 access tokens.

Status

GET
/api/v1/mailbox/status

Connection status for all providers.

Gateway Endpoints

Enterprise gateway management. Requires org admin role.

Connections

GET
/api/v1/gateway/connections

List active gateway connections for the organization.

POST
/api/v1/gateway/connections/m365

Start M365 admin consent OAuth flow for gateway integration.

DELETE
/api/v1/gateway/connections/{id}

Disconnect a gateway connection.

PATCH
/api/v1/gateway/connections/{id}/settings

Update gateway settings (quarantine threshold, URL rewriting scope, etc.).

Events

GET
/api/v1/gateway/events

Paginated list of all emails processed by the gateway.

GET
/api/v1/gateway/events/{id}

Detailed view of a single email event including scan results.

Quarantine

GET
/api/v1/gateway/quarantine

List quarantined emails with filters (date, recipient, verdict).

POST
/api/v1/gateway/quarantine/{id}/release

Release a quarantined email back to the recipient's inbox.

POST
/api/v1/gateway/quarantine/{id}/delete

Permanently delete a quarantined email.

Click audit

GET
/api/v1/gateway/clicks

URL click audit log for the organization.

GET
/api/v1/gateway/clicks/{id}

Detailed click event including justification text.

Dashboard

GET
/api/v1/gateway/dashboard

Organization-wide email security metrics and trends.

URL Proxy (Public)

GET
/shield/r/{token}

URL proxy endpoint. Redirects safe URLs, shows warning for suspicious, blocks malicious. No authentication required.

POST
/shield/r/{token}/proceed

Submit justification and proceed to the destination URL.

Simulation Endpoints

Enterprise only

Simulation endpoints require Enterprise tier and org_admin role.

Templates

GET
/api/v1/simulation/templates

List all simulation templates (built-in + custom for your org).

POST
/api/v1/simulation/templates

Create a custom phishing simulation template.

DELETE
/api/v1/simulation/templates/{id}

Delete a custom template (built-in templates cannot be deleted).

Campaigns

POST
/api/v1/simulation/campaigns

Create a new simulation campaign with template and recipient list.

GET
/api/v1/simulation/campaigns

List all simulation campaigns for your organization.

GET
/api/v1/simulation/campaigns/{id}

Campaign detail with real-time stats (sent, opened, clicked).

POST
/api/v1/simulation/campaigns/{id}/test

Send a test simulation email to one address before launching.

POST
/api/v1/simulation/campaigns/{id}/launch

Launch campaign -- sends simulation emails to all recipients.

POST
/api/v1/simulation/campaigns/{id}/cancel

Cancel a running or scheduled campaign.

GET
/api/v1/simulation/campaigns/{id}/recipients

List all recipients with send/open/click status and timestamps.

GET
/api/v1/simulation/campaigns/{id}/export

CSV export of recipients who clicked, for training assignment.

Click Tracking (Public)

GET
/sim/t/{token}

Track link click and redirect to educational landing page. No authentication.

GET
/sim/t/{token}/pixel.png

1x1 transparent pixel for open tracking. No authentication.

API Keys

Enterprise only

API keys are available for Enterprise tier users only. Max 10 active keys per user.

API keys allow programmatic access without JWT tokens. Pass the key in the X-API-Key header instead of Authorization: Bearer.

POST
/api/v1/api-keys

Generate a new API key. The raw key is returned only once.

GET
/api/v1/api-keys

List all API keys (shows prefix, name, last used, scopes -- not the full key).

DELETE
/api/v1/api-keys/{id}

Revoke an API key.

PATCH
/api/v1/api-keys/{id}

Update API key name or scopes.

Webhooks

Inbound (from email providers)

POST
/webhooks/m365/notifications

Microsoft Graph change notification receiver. Validated by client state token.

Graph notifications are validated by verifying the clientState token included in the subscription. Invalid notifications are rejected with HTTP 403.

Outbound (SIEM/SOAR integration)

Enterprise customers can configure outbound webhooks to push security events to Splunk, Microsoft Sentinel, or any SOAR platform.

Event types

  • email.scanned — Fired for every email processed by the gateway
  • email.quarantined — Fired when an email is moved to quarantine
  • email.released — Fired when an admin releases a quarantined email
  • url.clicked — Fired for every URL click through the proxy
  • url.blocked — Fired when a malicious URL is blocked
  • url.warned — Fired when a warning page is shown

Payload format

{
  "event": "email.quarantined",
  "timestamp": "2026-04-10T14:30:00Z",
  "org_id": "uuid",
  "data": {
    "email_event_id": "uuid",
    "recipient": "user@company.com",
    "sender": "phisher@fake-domain.xyz",
    "subject": "Verify your account immediately",
    "verdict": "phishing",
    "score": 0.87,
    "action": "quarantined"
  }
}

Rate Limits & Quotas

TierScans/MonthAI Scans/MonthAPI Rate Limit
Community10560 req/min
Professional2,00020060 req/min
Enterprise10,000+10,000+300 req/min

Rate limits are per-IP. Exceeding the rate limit returns HTTP 429 with aRetry-After header. Scan quotas reset on the 1st of every month.

Error Codes

CodeMeaningCommon Cause
400Bad RequestMissing required fields, invalid JSON
401UnauthorizedMissing or expired token
403ForbiddenScan quota exceeded, email not verified, account suspended
404Not FoundInvalid scan ID, resource doesn't exist
429Rate LimitedToo many requests. Check Retry-After header
502Bad GatewayEmail provider API error (Gmail/M365)