Welcome
Introduction to the isMalicious API
Welcome to the isMalicious API documentation. This API provides programmatic access to our comprehensive threat intelligence database, enabling you to check domains, IPs, emails, and URLs for malicious activity.
Base URL: https://api.ismalicious.com (all paths below are relative to this host — not ismalicious.com/api/...).
Documentation: Interactive reference · OpenAPI JSON · Playground
Key Features:
•Real-time threat intelligence checks (IPs, domains, URLs, file hashes)
•Ransomware intelligence, CVE catalog search, and threat-intel utilities (ASN, reverse IP, history)
•Email: lightweight check on this host; full email risk analysis is on the web app (see Email)
•Reputation scoring from 50+ sources
•Geolocation and WHOIS data
•Vulnerability scanning
•Downloadable blocklists
Getting Started:
1.Create an account at ismalicious.com/auth/register
2.Generate API keys from your dashboard
3.Make your first API call
Need Help?
Authentication
How to authenticate API requests
Routes are split into public (no key) and protected (authentication required).
Protected routes (typical integration): Send either
•X-API-KEY: <base64(apiKey:apiSecret)>, or
•a valid dashboard session cookie (browser / same-site requests).
If neither is present, the API returns 401 with "message": "Provide an x-api-key header or a valid session cookie".
Public routes (no `X-API-KEY`): include GET /health, GET /openapi.json, GET /stats, GET /blocklist/stats, GET /blocklist/download/{filename}, GET /analytics, GET /cve/stats/epss, GET /cve/stats/timeseries, POST /contact, POST /feedback, POST /newsletter, POST /license, GET /email-sequences/unsubscribe (and related), plus POST /auth/resend-verification. Cron, webhooks, and internal routes use separate tokens — not customer API keys.
Getting your API keys
1.Log in and open Account Settings
2.Create an API key pair (apiKey + apiSecret)
Header
X-API-KEY: <base64_encoded_credentials>Base64-encode apiKey:apiSecret (single colon, no spaces).
const credentials = btoa(`${apiKey}:${apiSecret}`);import base64
credentials = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()Special: licensed source list — POST /sources also requires header X-License-Key: <your_license_key> (active row in license_keys). You still pass X-API-KEY (or session) to satisfy the gateway.
Security: Never ship secrets to browsers; use env vars; rotate keys; optional IP allowlists on custom plans.
Public endpoints
No API key required — health, OpenAPI, aggregate stats, analytics slices, and CVE statistics.
/healthHealth check
Liveness probe for load balancers and monitoring. Returns a small JSON payload when the API process is up.
Example Request
curl -sS "https://api.ismalicious.com/health"Responses
{
"status": "operational",
"timestamp": "2026-03-29T12:00:00.000Z",
"services": {
"api": "operational",
"database": "operational",
"redis": "operational"
}
}/openapi.jsonOpenAPI 3 specification
Machine-readable API description (may lag slightly behind this page; routes are defined in `apps/rust-api`).
Example Request
curl -sS "https://api.ismalicious.com/openapi.json" | head -c 400Responses
{ ... }/statsPublic threat statistics
High-level counts and trends from cached metrics (threat overview, categories, recent activity).
Example Request
curl -sS "https://api.ismalicious.com/stats"Responses
{
"totalThreats": 0,
"byType": {
"domains": 0,
"ips": 0
},
"recentActivity": {
"last24h": 0,
"last7d": 0,
"growthRate": 0
}
}/analyticsAnalytics metric slices
Reads sub-documents from the `metrics:threats` Redis JSON. Optional `metric` query selects one slice (same names as the Next.js `/api/analytics` route).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
metric | string | No | e.g. threatOverview, categoryBreakdown, topSources, threatDistribution, threatTimeline, geoThreatMap, vulnerabilityPatterns |
Example Request
curl -sS "https://api.ismalicious.com/analytics?metric=threatOverview"Responses
{"threatOverview": { ... }}/cve/stats/epssCVE EPSS distribution & summary
EPSS bucket distribution, top CVEs, and summary counts from `CveCatalog`. Query params filter results.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
limit | integer | No | Top CVEs limit (default 20, max 100) (default: 20) |
minEpss | number | No | Minimum EPSS score 0–1 (default: 0) |
kev | string | No | Set to `true` to restrict to KEV entries |
exploit | string | No | Filter by SSVC exploitation value (e.g. active) |
Example Request
curl -sS "https://api.ismalicious.com/cve/stats/epss?limit=10&minEpss=0.5"Responses
{"distribution": [], "top": [], "summary": {}}/cve/stats/timeseriesCVE activity time series
Time-bucketed counts by severity, KEV, and active exploit flags from `CveCatalog.lastModifiedAt`.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
days | integer | No | Lookback window (default 30; max depends on bucket) (default: 30) |
bucket | string | No | `day` (default), `week`, or `month` (default: day) |
Example Request
curl -sS "https://api.ismalicious.com/cve/stats/timeseries?days=14&bucket=day"Responses
[{"day": "2026-01-01", "critical": 0, "high": 0, "medium": 0, "low": 0, "kev": 0, "active_exploit": 0}]Check Endpoints
Threat intelligence check endpoints
/checkFull Threat Analysis
Comprehensive threat intelligence check. Supply **one** target via `query` **or** legacy aliases `ip`, `domain`, or `hash` (same semantics as `query`). Supports IPv4/IPv6, domain, URL, or file hash (MD5/SHA1/SHA256 hex). Response size depends on `enrichment`: `basic`, `standard` (default), or `full`. **If no target is provided**, the API still returns `200` with a minimal body (`malicious: false`, `apiVersion`, `enrichmentLevel`) — prefer validating client-side. For smaller, stable JSON use sub-endpoints (`/check/reputation`, etc.). **Verdict semantics:** `malicious` reflects high-confidence scanner-style signals (e.g. VirusTotal malicious/suspicious thresholds), while `blocklistHits` / `blocklistListed` report aggregate feed matches that may include privacy or ads lists. **OTX:** With `standard` or `full` enrichment, the response may include `otx` — normalized [AlienVault OTX](https://otx.alienvault.com/) data: community pulses (and optional `reputationScore` from indicator `general`). For **IPs**, `full` adds **LevelBlue Labs** `labsReputation` and a capped **passive DNS** summary. For **domains**, `full` adds passive DNS. For **URLs** (primary query is `http(s)://...`), OTX uses the URL indicator. For **file hashes**, `standard`/`full` may include pulse context from `file/.../general`; `full` may add a capped `fileAnalysis` excerpt. Uses the public OTX API; optional `OTX_API_KEY` improves rate limits. Omitted on `basic` or when OTX fails.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | No | Primary target: IP, domain, URL, or hash |
ip | string | No | Alias of `query` when the value is an IP |
domain | string | No | Alias of `query` for a hostname / domain |
hash | string | No | Alias of `query` for MD5/SHA1/SHA256 hex |
enrichment | string | No | Level of data enrichment: basic, standard, or full (default: standard) |
intelowl | string | No | When set to the string `true`, the pipeline may include IntelOwl-related enrichment (server-side; requires IntelOwl to be configured) (default: false) |
trackReports | boolean | No | Save this check to your reports history (default: false) |
Example Request
curl -X GET "https://api.ismalicious.com/check?query=8.8.8.8&enrichment=standard" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS"Responses
{
"malicious": false,
"blocklistHits": 0,
"blocklistListed": false,
"reputation": {
"malicious": 0,
"suspicious": 0,
"harmless": 85,
"undetected": 15
},
"riskScore": {
"score": 5,
"level": "safe",
"factors": []
},
"confidence": {
"score": 95,
"level": "high"
},
"classification": {
"primary": "safe",
"secondary": []
},
"geo": {
"country": "United States",
"countryCode": "US",
"city": "Mountain View",
"isp": "Google LLC"
},
"otx": {
"source": "alienvault_otx",
"fetchedAt": "2026-03-30T12:00:00.000Z",
"pulseCount": 2,
"moreCount": 0,
"reputationScore": 0,
"labsReputation": {
"source": "alienvault_otx_labs",
"fetchedAt": "2026-03-30T12:00:00.000Z",
"score": 2,
"countryName": "United States",
"malwareSampleCount": 0,
"urlCount": 1
},
"passiveDns": {
"source": "alienvault_otx_passive_dns",
"fetchedAt": "2026-03-30T12:00:00.000Z",
"totalRecords": 1,
"moreCount": 0,
"records": [
{
"hostname": "example.com",
"address": "203.0.113.10",
"recordType": "A",
"firstSeen": "2025-01-01",
"lastSeen": "2026-03-01"
}
]
},
"pulses": [
{
"id": "58f15111d3bb0b0b8ac54662",
"name": "Example pulse",
"description": "Community IOC context (truncated in API).",
"tags": [
"malware",
"ssh"
],
"tlp": "green",
"modified": "2026-03-25T19:07:52.831000",
"references": [
"https://example.com/ref"
],
"authorUsername": "researcher",
"subscriberCount": 120,
"pulseUrl": "https://otx.alienvault.com/pulse/58f15111d3bb0b0b8ac54662"
}
]
},
"apiVersion": "v2",
"enrichmentLevel": "full"
}/check/reputationCheck Reputation
Get reputation data from aggregated threat intelligence sources including VirusTotal integration.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | Yes | IP address or domain |
Example Request
curl -X GET "https://api.ismalicious.com/check/reputation?query=example.com" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS"Responses
{
"reputation": {
"malicious": 0,
"suspicious": 2,
"harmless": 80,
"undetected": 18
}
}/check/locationCheck Geolocation
Get geographic location data including country, city, region, ISP, and coordinates.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | Yes | IP address or domain |
Example Request
curl -X GET "https://api.ismalicious.com/check/location?query=1.1.1.1" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS"Responses
{
"geo": {
"country": "Australia",
"countryCode": "AU",
"city": "Sydney",
"region": "New South Wales",
"lat": -33.8688,
"lon": 151.2093,
"isp": "Cloudflare Inc"
}
}/check/whoisCheck WHOIS
Get WHOIS registration data including registrant, registrar, and dates.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | Yes | IP address or domain |
Example Request
curl -X GET "https://api.ismalicious.com/check/whois?query=example.com" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS"Responses
{
"whois": {
"registrar": "GoDaddy.com, LLC",
"registrant": "REDACTED FOR PRIVACY",
"createdDate": "1997-09-15T04:00:00.000Z",
"updatedDate": "2023-08-14T07:00:00.000Z",
"expiresDate": "2028-09-14T04:00:00.000Z",
"nameServers": [
"ns1.example.com",
"ns2.example.com"
]
}
}/check/certificatesCheck Certificates
Get SSL/TLS certificate information including issuer, validity, and chain.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | Yes | Domain or IP address |
Example Request
curl -X GET "https://api.ismalicious.com/check/certificates?query=google.com" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS"Responses
{
"certificates": {
"issuer": "Let's Encrypt Authority X3",
"subject": "example.com",
"validFrom": "2024-01-01T00:00:00.000Z",
"validTo": "2024-03-31T23:59:59.000Z",
"serialNumber": "03:A1:B2:C3:D4:E5:F6",
"fingerprint": "SHA256:ABC123..."
}
}/check/vulnerabilitiesCheck Vulnerabilities
Get known vulnerabilities associated with an IP address from CVE databases.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | Yes | IP address |
Example Request
curl -X GET "https://api.ismalicious.com/check/vulnerabilities?query=192.168.1.1" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS"Responses
{
"vulnerabilities": {
"total": 3,
"critical": 1,
"high": 1,
"medium": 1,
"low": 0,
"cves": [
{
"id": "CVE-2024-1234",
"severity": "CRITICAL",
"score": 9.8,
"description": "Remote code execution vulnerability"
}
]
}
}/check/intelowlIntelOwl observable analysis
Proxies an observable to IntelOwl (`/api/analyze_observable`) when `INTELOWL_URL` and `INTELOWL_API_KEY` are configured. Results are cached in Redis (~1h). Use `HEAD` to probe without body. Set `cache_only=true` to return only cached data (404 if missing).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | Yes | IP, domain, URL, or hash to analyze |
type | string | No | Observable classification: `ip`, `domain`, `url`, or `hash` — inferred from `query` when omitted |
cache_only | string | No | If `true`, skip live IntelOwl and only return cache (default: false) |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/check/intelowl?query=8.8.8.8&type=ip"Responses
{"status": "accepted", ...}/check/intelowlIntelOwl route probe (HEAD)
Same route as GET; use HEAD for connectivity checks without a response body.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | Yes | Observable to check |
Example Request
curl -sSI -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/check/intelowl?query=1.1.1.1"Responses
/check/ransomwareRansomware intelligence (summary or entity)
Without `query`, or with `type=stats`, returns aggregated ransomware stats from cache (`ransomware:stats`) or computed from recent victims. With `query`, returns a lightweight stub for entity-oriented checks (full deep-dive uses dashboard / `GET /ransomware/*` routes). Optional `include_ttps`, `include_iocs`, `limit` are parsed for forward compatibility.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | No | Entity or keyword; omit (or use type=stats) for global stats |
type | string | No | Set to `stats` to force statistics response |
include_ttps | string | No | Reserved / forward-compatible |
include_iocs | string | No | Reserved / forward-compatible |
limit | string | No | Reserved / forward-compatible |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/check/ransomware?type=stats"Responses
{
"query": "stats",
"queryType": "stats",
"stats": {
"totalVictims": 0,
"activeGroups": 0,
"attacksThisMonth": 0,
"attacksThisYear": 0
}
}/check/tenantMicrosoft 365 tenant (domain)
Returns `azureTenant` data from Redis for a **domain** (not supported for raw IPs).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | Yes | Domain or URL host to look up |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/check/tenant?query=example.com"Responses
{
"tenant": null,
"message": "Domain is not associated with a Microsoft 365 tenant"
}/check/emailEmail check (Rust API — lightweight)
On **api.ismalicious.com** this route returns a **small JSON stub** (validated email, domain parts, placeholder risk summary) for pipeline compatibility. For **full** email risk analysis (breaches, SPF/DKIM/DMARC, reputation, typosquatting, etc.), call the Next.js route on the main site with the same auth pattern your app uses for dashboard API calls: `GET https://ismalicious.com/api/check/email?email=user@example.com` (Implementation: `apps/web/app/api/check/email/route.ts`.)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
email | string | Yes | Email address to analyze |
enrichment | string | No | Echoed in response as enrichmentLevel (default: standard) |
Example Request
curl -X GET "https://api.ismalicious.com/check/email?email=user@example.com&enrichment=standard" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS"Responses
{
"email": "user@example.com",
"domain": "example.com",
"localPart": "user",
"riskScore": {
"score": 50,
"level": "medium",
"summary": "Email risk evaluation via Rust API"
},
"apiVersion": "v1",
"enrichmentLevel": "standard"
}Bulk check
Batch-check multiple domains, IPs, and URLs in one request. Plan limits apply (see **GET** `/bulk/check`).
/bulk/checkBulk limits
Returns plan label, `maxEntitiesPerRequest` for your subscription, and `allPlans` limits map. The JSON may include `endpoint` as `/api/bulk/check` (legacy string); the real URL is `https://api.ismalicious.com/bulk/check`. **POST** the same path with a JSON body to run a batch.
Example Request
curl -X GET "https://api.ismalicious.com/bulk/check" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS"Responses
{
"endpoint": "/api/bulk/check",
"method": "POST",
"description": "Check multiple entities (domains, IPs, URLs) in a single request",
"authentication": "Required - API key or session",
"limits": {
"currentPlan": "BASIC_MONTHLY",
"maxEntitiesPerRequest": 50,
"allPlans": {
"FREE": 10,
"BASIC_MONTHLY": 50,
"PRO_MONTHLY": 100
}
}
}/bulk/checkRun bulk check
Request body: `entities` (required array of strings), optional `enrichment`.
Request Body
{
"entities": [
"example.com",
"8.8.8.8",
"https://example.org/path"
],
"enrichment": "full"
}Example Request
curl -X POST "https://api.ismalicious.com/bulk/check" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
-H "Content-Type: application/json" \
-d '{"entities":["example.com","8.8.8.8"],"enrichment":"full"}'Responses
{
"success": true,
"total": 2,
"processed": 2,
"results": [
{
"entity": "example.com",
"type": "domain",
"isMalicious": false,
"confidence": 0.12,
"sources": 3,
"categories": []
},
{
"entity": "8.8.8.8",
"type": "ip",
"isMalicious": false,
"confidence": 0.05,
"sources": 1,
"categories": []
}
],
"processingTimeMs": 210
}CVE catalog
Authenticated Redis-backed CVE search and recent list (`/cve` counts against monthly quota like `/check`).
/cveSearch or list CVEs
Without `query`, reads `cve:recent` (trimmed to `limit`). With `query`, reads `cve:search:{query}` from Redis. Returns `{ "results": [...] }` (or a single value wrapped in `results`).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | No | Search string; omit for recent CVEs |
limit | integer | No | Max items (default 20, max 100) (default: 20) |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/cve?query=log4j&limit=10"Responses
{"results": []}/cve/recentRecent CVEs
Returns the `cve:recent` Redis document as a JSON array (or object), truncated to `limit`.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
limit | integer | No | Max items (default 20, max 100) (default: 20) |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/cve/recent?limit=5"Responses
[]Threat intel utilities
ASN and IP intelligence helpers (authenticated).
/threat-intel/asnASN lookup
Pass `ip` for full ASN/org data via ipwho.is, or `asn` (e.g. `AS15169` or `15169`) for a minimal ASN record.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
ip | string | No | IPv4/IPv6 address |
asn | string | No | ASN number or `AS####` string |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/threat-intel/asn?ip=8.8.8.8"Responses
{"ip": "8.8.8.8", "asn": "AS15169", ...}/threat-intel/reverse-ipReverse IP
Domains hosted on an IPv4 address via HackerTarget (one domain per line).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
ip | string | Yes | IPv4 address |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/threat-intel/reverse-ip?ip=8.8.8.8"Responses
{"ip": "8.8.8.8", "domains": ["..."], "total_domains": 0}/threat-intel/historyReputation history
Historical reputation timeline for a domain or IP (`entity`), optional `days` window.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
entity | string | Yes | Domain or IP |
days | integer | No | Lookback days (implementation-specific default) |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/threat-intel/history?entity=example.com&days=30"Responses
{}Ransomware intelligence
Ransomware.live-backed feeds and analytics (authenticated). Data is cached in Redis when possible.
/ransomware/feedRecent victims feed
`limit` (default 30, max 100). Optional `press=true` adjusts filtering (see server).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
limit | integer | No | Victims to return (default: 30) |
press | string | No | Optional flag consumed by handler |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/ransomware/feed?limit=20"Responses
{"victims": []}/ransomware/statsGlobal ransomware stats
Reads `ransomware:stats` from Redis.
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" "https://api.ismalicious.com/ransomware/stats"Responses
{}/ransomware/sector-riskSector risk
Without `sector`, returns all sectors. With `sector`, returns drill-down for that vertical. Optional `press` flag.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
sector | string | No | Industry sector name |
press | string | No | Optional modifier |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/ransomware/sector-risk?sector=Healthcare"Responses
{"sectors": []}/ransomware/sector-risk/historySector risk history
Daily sector-risk snapshots from Redis (`ransomware:sector-risk:snapshots`). `days` defaults to 30 (max 120). Optional `sector` filters to one vertical.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
days | integer | No | Lookback window in days (default: 30) |
sector | string | No | Optional sector name (lowercased server-side) |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/ransomware/sector-risk/history?sector=Technology"Responses
{}/ransomware/sector-victimsSector victims drill-down
Requires `sector`. Enriches victims, risk level, top groups.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
sector | string | Yes | Sector name |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/ransomware/sector-victims?sector=Healthcare"Responses
{"sector": "healthcare", "riskLevel": "low", ...}/ransomware/pressPress / newsfeed
`limit` (default 50, max 100). Optional `groups` — comma-separated group names to filter.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
limit | integer | No | Entries to return (default: 50) |
groups | string | No | Comma-separated ransomware group names |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/ransomware/press?limit=10"Responses
{"entries": [], "total": 0}/ransomware/group-profileGroup profile
Requires `group` — full threat-actor aggregate (TTPs, victims, etc.).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
group | string | Yes | Ransomware group name |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/ransomware/group-profile?group=lockbit"Responses
{}Sources
Threat-source statistics and licensed full export (authenticated + license key for POST).
/sources/statisticsSource statistics
Returns `source:statistics` from Redis (`success`, `data`, `timestamp`). 404 if cache empty.
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/sources/statistics"Responses
{"success": true, "data": {}, "timestamp": "2026-01-01T00:00:00Z"}/sourcesFull sources list (licensed)
Requires `X-License-Key` with an **active** key from `license_keys`, plus `X-API-KEY` or session. Returns cached `sources:all` JSON or embedded `sources.json` fallback.
Example Request
curl -sS -X POST "https://api.ismalicious.com/sources" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
-H "X-License-Key: YOUR_LICENSE_KEY"Responses
[]Search
Redis SCAN search for keys matching a substring (authenticated). Keywords are passed as a **query** parameter on `POST /search` (no JSON body).
/searchSearch Keywords
`POST /search?keywords=<term>` — scans Redis keys with pattern `*{keywords}*` (glob `*` stripped from input). Caps at 500 hits / 50 iterations. Returns raw Redis key strings in `hits`.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
keywords | string | Yes | Query parameter (e.g. 'paypal') |
Example Request
curl -X POST "https://api.ismalicious.com/search?keywords=paypal" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS"Responses
{
"keywords": "paypal",
"hits": [
"paypa1-secure.com",
"paypal-login-verify.net",
"secure-paypal-update.org"
],
"total_hits": 127
}STIX / TAXII 2.1
TAXII 2.1 discovery, API roots, and STIX bundles. **Mirrored** under `/taxii` and `/taxii2` (same handlers). Requires `X-API-KEY` or session; Pro plan for collections (see server enforcement).
/taxiiTAXII discovery (root)
Returns `default` and `api_roots` pointing to `/taxii/api-root` (same for `/taxii2`).
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
-H "Accept: application/taxii+json;version=2.1" \
"https://api.ismalicious.com/taxii"Responses
{"title":"isMalicious","api_roots":["/taxii/api-root"]}/taxii/api-rootAPI root
Lists available collections (`collections` array) for this API root.
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
-H "Accept: application/taxii+json;version=2.1" \
"https://api.ismalicious.com/taxii/api-root"Responses
{"collections": []}/taxii/api-root/collectionsList collections
Same collection list as embedded in API root (dedicated path).
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/taxii/api-root/collections"Responses
{"collections": []}/taxii/api-root/collections/{collectionId}Collection metadata
Metadata for a single collection id (e.g. `malicious-domains`).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
collectionId | string | Yes | Collection UUID or slug |
Example Request
curl -sS -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/taxii/api-root/collections/malicious-domains"Responses
{}/taxii/api-root/collections/{collectionId}/objectsCollection objects (STIX 2.1 bundle)
Returns a STIX 2.1 **bundle** (identity + indicators) from Redis-backed threat data. **Authentication:** `X-API-KEY` (Base64 `apiKey:apiSecret`) — Pro subscription required. **Query parameters:** | Parameter | Description | |-----------|-------------| | `limit` | Max bundle size hint (default 50, max 101). The response includes one identity object; indicators are capped at approximately `limit − 1`. | | `added_after` | ISO 8601 / RFC 3339. Include only indicators whose intel time (`firstSeen` / `lastSeen` in Redis) is **on or after** this instant. | | `added_before` | ISO 8601 / RFC 3339. Include only indicators whose intel time is **on or before** this instant. Use with `added_after` for a time window. | | `next` | Opaque pagination token from the previous response header `X-TAXII-Next`. Repeat the same `added_after` / `added_before` when paging. | **Performance:** Each request examines at most a **fixed number of Redis keys** (currently 20,000). If your filters match rarely (e.g. a narrow time window), a page may return **fewer** than `limit` indicators even when `X-TAXII-Has-More` is true — call again with `next` until the feed is exhausted. **Date filters:** If `added_after` or `added_before` is set, entities **without** a parseable `firstSeen` / `lastSeen` in Redis are **excluded** (they cannot be placed in a time window). Indicators without intel timestamps still appear in the bundle when **no** date query parameters are used; their STIX `created` / `valid_from` use a sentinel timestamp `1970-01-01T00:00:00.000Z`. **Response headers:** | Header | Meaning | |--------|---------| | `Content-Type` | `application/stix+json;version=2.1` | | `X-TAXII-Has-More` | `true` if more data exists — pass `X-TAXII-Next` as the `next` query parameter. | | `X-TAXII-Next` | Opaque token (URL-safe Base64 JSON) for the next page. | | `X-TAXII-Date-Added-First` / `Last` | First and last indicator `created` in this page (for convenience). | **Note:** `match[type]` / `match[id]` query params are accepted for forward compatibility but are not yet applied server-side.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
collectionId | string | Yes | e.g. malicious-domains, malicious-ips, malicious-urls, ransomware-iocs, phishing-indicators |
Example Request
curl -sS -H "X-API-KEY: $CREDENTIALS" -H "Accept: application/taxii+json;version=2.1" \
"https://api.ismalicious.com/taxii/api-root/collections/malicious-domains/objects?limit=100&added_after=2026-03-01T00:00:00.000Z&added_before=2026-03-03T23:59:59.999Z"Responses
{
"type": "bundle",
"id": "bundle--…",
"objects": [
{
"type": "identity",
"spec_version": "2.1"
},
{
"type": "indicator",
"spec_version": "2.1"
}
]
}Blocklists
Download threat intelligence blocklists
/blocklist/statsGet Blocklist Stats
Get entry counts and last updated timestamps for all available blocklists. No authentication required.
Example Request
curl -X GET "https://api.ismalicious.com/blocklist/stats"Responses
{
"blocklist-ips-critical.txt": {
"count": 15420,
"lastUpdated": "2024-12-28T07:00:00.000Z"
},
"blocklist-domains-phishing.txt": {
"count": 89234,
"lastUpdated": "2024-12-28T07:00:00.000Z"
},
"blocklist-domains-malware.txt": {
"count": 45123,
"lastUpdated": "2024-12-28T07:00:00.000Z"
}
}/blocklist/download/{filename}Download Blocklist
Download a specific blocklist file. **Plan Access:** - FREE: 10% sample (lite version) - BASIC+: Full blocklist **Available Blocklists:** - `blocklist-ips-critical.txt` - Critical severity IPs - `blocklist-ips-all.txt` - All malicious IPs - `blocklist-ips-c2.txt` - C2 server IPs - `blocklist-ips-botnet.txt` - Botnet IPs - `blocklist-domains-phishing.txt` - Phishing domains - `blocklist-domains-malware.txt` - Malware domains - `blocklist-domains-ransomware.txt` - Ransomware domains - `blocklist-domains-all.txt` - All malicious domains
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
filename | string | Yes | Blocklist filename |
Example Request
curl -X GET "https://api.ismalicious.com/blocklist/download/blocklist-domains-phishing.txt" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
-o blocklist-domains-phishing.txtResponses
malicious-domain1.com
malicious-domain2.com
malicious-domain3.com
...Submit Sources
Submit new threat intelligence sources
/submitSubmit Sources
Submit new threat intelligence sources to the community database. **Categories:** malware, phishing, spam, scam, fraud, botnet, ransomware, c2
Request Body
{
"sources": [
{
"name": "Example Threat Feed",
"type": "ip",
"url": "https://example.com/threats-ips.txt",
"category": "malware"
},
{
"name": "Phishing Domains Feed",
"type": "domain",
"url": "https://example.com/phishing-domains.txt",
"category": "phishing"
}
]
}Example Request
curl -X POST "https://api.ismalicious.com/submit" \
-H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
-H "Content-Type: application/json" \
-d '{
"sources": [{
"name": "My Threat Feed",
"type": "domain",
"url": "https://example.com/feed.txt",
"category": "phishing"
}]
}'Responses
{
"message": "Submitted successfully, thanks sharing new sources with us!"
}Streaming (SSE)
Progressive check results over Server-Sent Events
Endpoints: GET https://api.ismalicious.com/check/stream?query=<target> or GET https://api.ismalicious.com/stream?query=<target>
Auth: Same as other protected routes (X-API-KEY with Base64 apiKey:apiSecret, or session cookie).
Requirements: query is required. Streaming is for IP/domain-style targets (not file hashes).
Event format: Each SSE data line is JSON:
{ "type": "reputation", "data": { } }Phases include reputation, basic, insights, optional dns (domains), enrichment, then done. The enrichment payload may include otx (AlienVault OTX): pulses and, with full enrichment, labs reputation and passive DNS for IP/domain targets when OTX succeeds (public API; optional OTX_API_KEY for rate limits).
Example:
curl -N -H "X-API-KEY: YOUR_BASE64_CREDENTIALS" \
"https://api.ismalicious.com/check/stream?query=example.com"Dashboard & platform API
Additional routes on the same host power the web app (session cookie) and accept `X-API-KEY` where `require_any_auth` is applied.
These are implemented in apps/rust-api/src/main.rs (session + API key tier). Full request/response schemas are best read from openapi.json when present, or from source.
Reports — GET/POST /reports, GET/DELETE /reports/{id}, GET /reports/export, POST /reports/save, POST /reports/entity-export
Monitoring — GET/POST /monitoring, GET /monitoring/metrics, POST /monitoring/toggle-notify, POST /monitoring/unwatch
CVE Watch — /cve-watch/perimeters (CRUD, CPEs, sync), /cve-watch/findings, PATCH /cve-watch/findings/{id}, /cve-watch/cpe-search, /cve-watch/vendor-search, /cve-watch/global-threats, billing aliases under /cve-watch/billing
Alerts — GET /alerts, GET /alerts/metrics, PATCH /alerts/{id}
User / webhooks — GET /user/analytics, GET/POST /user/webhooks, GET/PATCH/DELETE /user/webhooks/{id}
Billing & subscription — POST /billing/checkout, POST /billing/portal, /subscription/*, Stripe POST /webhook/stripe (called by Stripe, not customers)
Onboarding — /onboarding/status, /onboarding/save-step, /onboarding/complete, /onboarding/complete-wizard
GPT / SBOM / AI — GET /gpt/check, GET /gpt/search, GET /gpt/email, GET /gpt/ransomware; GET/POST /sbom; POST /ai-analysis
MMDB — GET /mmdb/info, GET /mmdb/download
Metrics (auth) — GET /metrics/subscription, GET /metrics/threats, GET /cve/stats/top-products (PG or Redis; meta.source), GET /cve/vendors (paginated, search, sort), GET /cve/products (paginated, vendor filter, search, sort). Populate PG via sync-opencve-catalog; Redis fallback via opencve-global-top-products.
Admin / email / CVE dashboard JSON — /admin/*, /emails/*, /cve/dashboard/* (operators; Infinity / dashboards; separate credentials)
Public utilities — POST /contact, POST /feedback, POST /newsletter, POST /license, GET|POST /cache, GET /debug/headers, GET /internal/whois (internal header auth), cron routes with bearer tokens.
Rate Limits
API rate limiting information
API rate limits vary by subscription plan. Each plan combines a burst limit (short rolling window) and a monthly quota on reputation checks.
Rate Limit Headers:
Each response includes headers indicating your current usage:
•X-RateLimit-Limit - Maximum requests allowed
•X-RateLimit-Remaining - Requests remaining
•X-RateLimit-Reset - Unix timestamp when limit resets
When Rate Limited:
If you exceed your rate limit, you'll receive a 429 Too Many Requests response. Wait until the reset time or upgrade your plan.
Best Practices:
•Cache responses when possible
•Use batch endpoints for bulk operations
•Implement exponential backoff for retries
•Monitor your usage via the dashboard
Error Codes
API error response formats
All API errors return a consistent JSON format:
{
"error": "Error Type",
"message": "Detailed error message"
}HTTP Status Codes:
Common Errors:
400 Bad Request
{
"error": "Bad Request",
"message": "Missing required parameter: query"
}401 Unauthorized
{
"error": "Unauthorized",
"message": "Invalid API key"
}429 Rate Limited
{
"error": "Rate Limited",
"message": "You have exceeded your rate limit. Please try again later."
}Ready to Get Started?
Get your free API key and start protecting your infrastructure today.