API Authentication

v1.0

Learn how to authenticate with the PhishFortress API and manage API keys

Overview

PhishFortress provides a RESTful API that allows you to programmatically interact with the platform. All API requests must be authenticated using one of the supported authentication methods.

Base URL

All API endpoints are relative to https://api.phishfortress.com/v1

Authentication Methods

PhishFortress supports two authentication methods:

API Key Authentication

API keys provide a simple way to authenticate with the PhishFortress API. Each API key is associated with a specific user account and has defined permissions.

HTTP Header

X-API-Key: your_api_key_here

cURL Example

curl -X GET "https://api.phishfortress.com/v1/campaigns" -H "X-API-Key: your_api_key_here"

Security Warning

Never share your API keys or commit them to version control. Treat API keys like passwords.

API Key Management

You can create and manage API keys through the PhishFortress web interface:

Creating an API Key

Log in to your PhishFortress account
Navigate to Settings > API Keys
Click "Create New API Key"
Enter a descriptive name for the key
Select the permissions you want to grant to this key
Optionally, set an expiration date
Click "Generate API Key"
Copy and securely store your API key (it will only be shown once)

Revoking an API Key

Log in to your PhishFortress account
Navigate to Settings > API Keys
Find the API key you want to revoke
Click the "Revoke" button
Confirm the action

Note: Once revoked, an API key cannot be restored. You will need to create a new key if needed.

API Permissions

API keys can be granted specific permissions to limit their access to certain resources:

Permission	Description	Endpoints
campaigns:read	View campaign information	`GET /campaigns` `GET /campaigns/{id}`
campaigns:write	Create and modify campaigns	`POST /campaigns` `PUT /campaigns/{id}` `DELETE /campaigns/{id}`
users:read	View user information	`GET /users` `GET /users/{id}`
users:write	Create and modify users	`POST /users` `PUT /users/{id}` `DELETE /users/{id}`
reports:read	Access report data	`GET /reports` `GET /reports/{id}`
templates:read	View phishing templates	`GET /templates` `GET /templates/{id}`
templates:write	Create and modify templates	`POST /templates` `PUT /templates/{id}` `DELETE /templates/{id}`

Rate Limits

To ensure the stability and performance of the API, PhishFortress implements rate limiting:

Default Rate Limits

Standard Plan: 60 requests per minute
Professional Plan: 120 requests per minute
Enterprise Plan: 300 requests per minute

Rate Limit Headers

The API includes rate limit information in the response headers:

X-RateLimit-Limit: Maximum number of requests allowed per minute
X-RateLimit-Remaining: Number of requests remaining in the current window
X-RateLimit-Reset: Time in seconds until the rate limit resets

Rate Limit Exceeded

When you exceed the rate limit, the API will respond with:

HTTP Status Code: 429 Too Many Requests
Response body containing an error message and retry information

{
  "error": "rate_limit_exceeded",
  "message": "Rate limit exceeded. Please try again later.",
  "retry_after": 30
}

Best Practice

Implement exponential backoff and respect the retry_after value when handling rate limit errors.

Campaigns API