Skip to content
/Malicious

urlscan.io APIs (1.0.0)

Introduction

API endpoints for urlscan.io and urlscan Pro. Most of these API endpoints require authentication.

The fastest way to start working with our APIs is by using one of the many existing commercial or open-source integrations.

Download OpenAPI description
urlscan-openapi.json
urlscan-openapi.yaml
Overview
urlscan Support
support@urlscan.io
Languages
Servers
https://urlscan.io

Generic

API endpoints related to the platform or the user account.

Operations

Scanning

These APIs allow URLs to be scanned and the results of the scans to be retrieved.

Operations

Live Scanning

urlscan Pro - Live Scanning allows users to scan websites from different geographical locations and using different device settings.

See additional info about this proprietary feature on urlscan Pro.

Operations

Saved Searches

urlscan Pro - Saved Searches are rules that are executed inline against new incoming scans and hostnames.

Operations

Subscriptions

urlscan Pro - Subscriptions allow notifications for Saved Searches.

Operations

Hostnames

urlscan Pro - Historical information on hostnames and domains

Operations

Brands

urlscan Pro - Information about tracked brands

Operations

Files

urlscan Pro - Downloaded files

Operations

Incidents

urlscan Pro - Incidents track observables, like hostnames and domains, and automatically scan and alert on changes.

Operations

Malicious

urlscan Pro - Look up how often an observable (IP, hostname, domain, or URL) has been seen in malicious scan results, along with first and last seen timestamps.

Operations

Malicious observable lookup

Request

urlscan Pro - Look up how often an observable has been seen in malicious scan results, along with first and last seen timestamps.

The type parameter selects what kind of observable to query:

  • ip — Match scans by the IP address of the page server (e.g. 192.0.2.1).
  • hostname — Match scans by the exact page hostname (e.g. www.example.com). Use this when you are interested in a specific host.
  • domain — Match scans by the apex (registered) domain (e.g. example.com). This covers all subdomains under that domain, so a lookup for example.com will include scans for www.example.com, blog.example.com, etc. Use this for a broader view across an entire domain.
  • url — Match scans by the exact page URL. The value must be URL-encoded (e.g. https%3A%2F%2Fexample.com%2F).
Security
apikeyAuth(Required scopes:
read
write
)
Path
typestringrequired

The type of observable to look up.

Enum"ip""hostname""domain""url"
valuestringrequired

The observable value. Format depends on type:

  • ip: an IP address (e.g. 192.0.2.1)
  • hostname: a fully qualified hostname (e.g. www.example.com)
  • domain: an apex/registered domain (e.g. example.com)
  • url: a URL-encoded URL (e.g. https%3A%2F%2Fexample.com%2Fpath)
curl -i -X GET \
  'https://urlscan.io/api/v1/malicious/{type}/{value}' \
  -H 'api-key: YOUR_API_KEY_HERE'

Responses

Successful response

Bodyapplication/json
observablestring

The observable that was looked up.

typestring

The type of observable.

Enum"ip""hostname""domain""url"
countinteger

Number of times this observable has been seen in malicious scan results.

firstSeenstring or null(date-time)

Timestamp when this observable was first seen in malicious scan results.

lastSeenstring or null(date-time)

Timestamp when this observable was last seen in malicious scan results.

Response
application/json
{
  "observable": "string",
  "type": "ip",
  "count": 0,
  "firstSeen": "2019-08-24T14:15:22Z",
  "lastSeen": "2019-08-24T14:15:22Z"
}

Channels

Operations

Data Dumps

Operations