    © 2026 PhishFortress. All rights reserved.

    Privacy PolicyTerms of ServiceCookie PolicyData Processing Agreement

    API Authentication

    Learn how to authenticate with the PhishFortress API using API keys and OAuth 2.0.

    Authentication Overview

    PhishFortress API supports two authentication methods: API Keys for server-to-server communication and OAuth 2.0 for user-facing applications. All API requests must be authenticated to ensure security and proper access control.

    Security Best Practices
    Always use HTTPS when making API requests. Never expose API keys in client-side code or public repositories.

    API Key Authentication

    API keys are the recommended method for server-to-server integrations and automated scripts.

    Generating an API Key

    1. Log in to your PhishFortress dashboard
    2. Navigate to Settings → API Keys
    3. Click "Generate New API Key"
    4. Provide a descriptive name for the key
    5. Select the appropriate permissions/scopes
    6. Copy and securely store the generated key

    Important
    API keys are only displayed once during generation. Store them securely as they cannot be retrieved later.

    OAuth 2.0 Authentication

    OAuth 2.0 is recommended for user-facing applications that need to access PhishFortress on behalf of users.

    OAuth 2.0 Flow
    Authorization Code Grant flow for web applications
    1. Authorization Request: Redirect user to PhishFortress authorization server
    2. User Consent: User logs in and grants permissions to your application
    3. Authorization Code: PhishFortress redirects back with authorization code
    4. Token Exchange: Exchange authorization code for access token
    5. API Access: Use access token to make authenticated API requests

    OAuth Endpoints

    Authorization: https://auth.phishfortress.com/oauth/authorize
    Token: https://auth.phishfortress.com/oauth/token

    Application Registration

    Register your application to get OAuth credentials:
    1. Go to Settings → OAuth Applications in your PhishFortress dashboard
    2. Click "Create New Application"
    3. Provide application name and description
    4. Set redirect URIs for your application
    5. Select required scopes/permissions
    6. Save and note the Client ID and Client Secret

    Redirect URIs
    Redirect URIs must use HTTPS in production. For development, localhost URLs are permitted.

    Code Examples

    Here are examples of how to authenticate with the PhishFortress API in different programming languages.

    JavaScript/Node.js

    const axios = require('axios');
    
    // Replace with your key; load it from an environment variable or secret
    // store rather than committing it to source control.
    const apiKey = 'your_api_key_here';
    const baseURL = 'https://api.phishfortress.com/v1';
    
    const client = axios.create({
      baseURL,
      headers: {
        'Authorization': `Bearer ${apiKey}`,
        'Content-Type': 'application/json'
      }
    });
    
    // Example: Get all campaigns
    async function getCampaigns() {
      try {
        const response = await client.get('/campaigns');
        console.log(response.data);
        return response.data;
      } catch (error) {
        // error.response is undefined for network errors, so guard before reading it
        const details = error.response ? error.response.data : error.message;
        console.error('Error:', details);
        throw error;
      }
    }

    Error Handling

    The PhishFortress API uses standard HTTP status codes to indicate the success or failure of requests.

    Status Code   Description             Common Causes
    200           OK                      Request successful
    401           Unauthorized            Invalid or missing API key
    403           Forbidden               Insufficient permissions
    404           Not Found               Resource doesn't exist
    429           Too Many Requests       Rate limit exceeded
    500           Internal Server Error   Server-side issue

    Error Response Format
    {
      "error": {
        "code": "INVALID_API_KEY",
        "message": "The provided API key is invalid or has expired",
        "details": {
          "timestamp": "2024-01-15T10:30:00Z",
          "request_id": "req_abc123"
        }
      }
    }

    Testing Your Authentication

    Use this simple endpoint to verify that your authentication is working correctly.

    Authentication Test Endpoint

    Test Request

    GET https://api.phishfortress.com/v1/auth/verify

    Expected Response

    {
      "authenticated": true,
      "user": {
        "id": "user_123",
        "email": "admin@company.com",
        "organization": "Acme Corp"
      },
      "permissions": ["campaigns:read", "campaigns:write", "users:read"]
    }
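    An added example (not PhishFortress's own code) that turns the status table and error format above into a retry decision, and checks the /auth/verify payload for the permissions a job needs before it starts work. It assumes a client whose get(path) resolves to { status, data } for every status code (an axios instance does this when created with validateStatus: () => true); the permission names and sample bodies are taken from this page.

```javascript
const NON_RETRYABLE = { 401: 'Invalid or missing API key', 403: 'Insufficient permissions', 404: 'Resource does not exist' };

// Classify one response per the status table. Transient failures (429, 5xx)
// are retryable; auth and permission failures are not, since retrying cannot fix them.
function classifyResponse(status, body) {
  const err = body && body.error ? body.error : {};
  const requestId = err.details && err.details.request_id; // quote this in support tickets
  if (status >= 200 && status < 300) return { ok: true, retry: false, requestId };
  if (status === 429) return { ok: false, retry: true, reason: 'Rate limit exceeded', code: err.code, requestId };
  if (status >= 500) return { ok: false, retry: true, reason: 'Server-side issue', code: err.code, requestId };
  return { ok: false, retry: false, reason: NON_RETRYABLE[status] || `HTTP ${status}`, code: err.code, requestId };
}

// Exponential backoff, applied only to responses the table marks as transient.
async function withRetry(fn, { attempts = 3, baseMs = 500 } = {}) {
  for (let i = 0; ; i++) {
    const res = await fn();
    const c = classifyResponse(res.status, res.data);
    if (c.ok || !c.retry || i === attempts - 1) return { ...res, classification: c };
    await new Promise(r => setTimeout(r, baseMs * 2 ** i));
  }
}

// Compare the verify payload against the permissions a task needs, so a
// missing scope fails early instead of at the first 403 mid-run.
function checkVerifyPayload(payload, requiredPermissions) {
  if (!payload || payload.authenticated !== true) {
    return { ok: false, missing: requiredPermissions };
  }
  const have = new Set(payload.permissions || []);
  const missing = requiredPermissions.filter(p => !have.has(p));
  return { ok: missing.length === 0, missing, email: payload.user && payload.user.email };
}

async function verifyAuthentication(client, requiredPermissions) {
  const res = await withRetry(() => client.get('/auth/verify'));
  const c = res.classification;
  if (!c.ok) throw new Error(`${c.reason} (${c.code || 'no code'}, request ${c.requestId || 'n/a'})`);
  return checkVerifyPayload(res.data, requiredPermissions);
}
```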