Malicious URL Scanner API Documentation

URL Scanner API for Malicious URLs

IPQualityScore's Malicious URL Scanner API scans links in real-time to detect suspicious URLs. Accurately identify phishing links, malware URLs and viruses, parked domains, and suspicious URLs with real-time risk scores.

Scan URLs for malware to detect poor reputation domains, suspicious links, and phishing URLs with a real-time API that can be integrated directly into your site, SOAR, or other third party software. Accurately check URLs for malware without false-positives or missed hit rates. Take URL intelligence a step further with parking domain detection and support to identify domains used for email spam. Easily enhance your SIEM/SOAR platform intelligence with our URL Threat Scanning API.

Malicious URL Scanner Use Cases
  • Phishing URL Detection — Detect malicious URLs used for phishing campaigns and misleading advertising.
  • Malicious URL Scanning — Identify URLs used for malware and viruses with live threat intelligence feeds that detect zero-day phishing links and suspicious behavior.
  • Parked Domain Detection — Detect parked domains and easily classify parked domains via API such as ParkingCrew, Sedo, Bodis, Skenzo, ParkLogic, Rook Media, Voodoo, and recognition for all types of parked domains.
  • Filter Email Spammer Domains — Sift through suspicious emails with detection for domains confirmed as sending email SPAM. Further validate SPAM with real-time email threat scoring.
  • Abusive Domains - Block emails from disposable email services and throwaway accounts. Pair with IP reputation checks for deeper insight.

Malicious URL Checker API

Detect malicious sites with live URL scanning via on-demand API requests. Simply call our API from your SOAR, backend, or other third party service to retrieve accurate risk scores. Detect scam sites, phishing, malware, and low reputation domains used for fraudulent behavior. Parked domain detection is also supported. The API only requires a valid URL and will perform over 20 data points in return to summarize the risk level associated with the URL or domain.

Phishing Detection API

Stop phishing with real-time protection against malicious URLs. Detect zero-day phishing links and newly setup domains, even before other services have had a chance to analyze the URL. Machine learning phishing detection ensures any threat will be accurately classified. Use the "phishing" boolean data point and "risk_score" to identify confirmed phishing links.

Parked Domain Detection API

Quickly check parked domains and placeholder websites, common patterns for malicious websites and links. Lookup parked domains in real-time to verify if the domain name is currently pointed to a popular parked domain service such as Sedo, ParkingCrew, and many others. Machine learning models also detect private parking domain networks and custom landing pages.

Private Key
Please login or create a free account to access your API Key.

NOTE: Do not share this key with anyone. It's like a password and can be used to make queries using our API.

Request URLs

The URLs below can be used to fetch the result using cURL or another utility in most languages. Please see the usage example at the bottom of the page. Simply replace "URL_HERE" with the URL to scan.


JSON Example Requests
API Lookup with URL Encoded Link
The API can accept a domain or full URL link - please URL encode the link.

JSON Success Response Example

NOTE: For a description of each field listed above please consult the response documentation below.

XML Success Response Example

NOTE: For a description of each field listed above please consult the response documentation below.

JSON Error Response Examples

Example errors that you may encounter when accessing our API due to an exhausted credit balance or an invalid URL.

Additional Request Parameters

Custom tracking variables (such as "userID", "transactionID") established in your account settings can be passed with each API request. This allows our reporting tools to filter by specific users, products, campaigns, transactions, etc. so that you can easily match up records with your own system to identify fraudulent activity.

Field Description Possible Values
strictness How strict should we scan this URL? Stricter checks may provide a higher false-positive rate. We recommend defaulting to level "0", the lowest strictness setting, and increasing to "1" or "2" depending on your levels of abuse. integer, 0 - 2
fast When enabled, the API will provide quicker response times using lighter checks and analysis. This setting defaults to false. boolean, string (true or false)

Additional Request Options

Due to the nature of platform requirements or frameworks it may be necessary to request IPQS API endpoints without passing the API key in the URL. As an alternative, IPQS allows the API key to be passed via GET, POST, or Headers. These requests use the following endpoints:

Method Value Example
Header IPQS-KEY (Additional parameters passed as either GET or POST) IPQS-KEY: YOUR_API_KEY_HERE

Response Field Definitions
Quick Notes
  • Risk Scores >= 75 - suspicious - usually due to patterns associated with malicious links.
  • Suspicious URLs marked with Suspicious = "true" will indicate domains with a high chance for being involved in abusive behavior.
  • Risk Scores >= 85 - high risk - strong confidence the URL is malicious.
  • Risk Scores = 100 AND Phishing = "true" OR Malware = "true" - indicates confirmed malware or phishing activity in the past 24-48 hours.
Further Details on URL Scanning API Results

The Malicious URL Scanner API returns many data points so your business logic can make the best decisions for your audience. Analyzing the overall Risk Score is usually the best way to determine the overall confidence level. When this value is 100, there is 100% confirmed activity of phishing or malware. Suspicious URLs can be identified with the "suspicious" data point, or by analyzing Risk Scores <= 80. Any URLs above this threshold with scores > 80 are suspicious and likely to be a low reputation URL or domain.

Risk Scores >=85 have been classified by our deep machine learning as suspected of phishing, malware activity, or similar type of abuse. Risk Scores = 100 will provide confirmation the URL is accurately classified as a malicious link.

We recommend blocking or flagging a URL as malicious using a combination of the "risk_score", "phishing", "malware", "suspicious", "parking", and "spamming" variables.

Field Description Possible Values
unsafe Is this domain suspected of being unsafe due to phishing, malware, spamming, or abusive behavior? View the confidence level by analyzing the "risk_score". boolean
domain Domain name of the final destination URL of the scanned link, after following all redirects. boolean
ip_address The IP address corresponding to the server of the domain name. string
server The server banner of the domain's IP address. For example: "nginx/1.16.0". Value will be "N/A" if unavailable. string
content_type MIME type of URL's content. For example "text/html; charset=UTF-8". Value will be "N/A" if unavailable. string
risk_score The IPQS risk score which estimates the confidence level for malicious URL detection. Risk Scores 85+ are high risk, while Risk Scores = 100 are confirmed as accurate. integer, 0 - 100
status_code HTTP Status Code of the URL's response. This value should be "200" for a valid website. Value is "0" if URL is unreachable. integer
page_size Total number of bytes to download the URL's content. Value is "0" if URL is unreachable. integer
domain_rank Estimated popularity rank of website globally. Value is "0" if the domain is unranked or has low traffic. integer
dns_valid The domain of the URL has valid DNS records. boolean
suspicious Is this URL suspected of being malicious or used for phishing or abuse? Use in conjunction with the "risk_score" as a confidence level. boolean
phishing Is this URL associated with malicious phishing behavior? boolean
malware Is this URL associated with malware or viruses? boolean
parking Is the domain of this URL currently parked with a for sale notice? boolean
spamming Is the domain of this URL associated with email SPAM or abusive email addresses? boolean
adult Is this URL or domain hosting dating or adult content? boolean
Field Description Possible Values
human A human description of when this domain was registered. (Ex: 3 months ago) string or null
timestamp The unix time since epoch when this domain was first registered. (Ex: 1568061634) integer
iso The time this domain was registered in ISO8601 format (Ex: 2019-09-09T16:40:34-04:00) string
message A generic status message, either success or some form of an error notice. string
success Was the request successful? boolean
errors Array of errors which occurred while attempting to process this request. array of strings
API Example Code