Skip to content

Incidents

Deprecation Notice

The statusVerbose field will be deprecated on 30th April 2026. Please use the status field instead, which returns the same computed verbose status values. See Status Values for details.

The incidents endpoint returns an optionally paginated list of incidents related to the client.

Pagination

This endpoint uses cursor-based pagination to efficiently navigate through large result sets. Use the limit parameter to control page size and the cursor parameter to fetch subsequent pages.

  • If the response includes a paging.next value, more results are available
  • Pass the paging.next value as the cursor parameter in your next request to fetch the next page
  • When paging.next is null or absent, you have reached the end of the results

See PagingStructure for the response format.

Total Count

To know how many incidents match your query overall (not just the current page), pass includeTotal=true. The response's paging object then includes a total field with the total number of matching incidents across all pages. The total honours the same filters (clientId, incidentType, fromDate, toDate, status) and is unaffected by cursor or limit.

curl -X GET -G 'https://capi.phishfort.com/v1/incidents' \
  -H 'x-api-key: YOUR_API_KEY' \
  -d 'includeTotal=true' \
  -d 'limit=100'
{
    "message": "success",
    "data": [ ... ],
    "paging": {
        "next": "1AbcDefGhI2jKlMnO345",
        "limit": 100,
        "count": 100,
        "total": 1523
    }
}

Note

includeTotal is not supported in combination with the deprecated statusVerbose filter — use the status filter instead. Requesting both returns a 400 error.

Endpoint

GET /v1/incidents

Parameters

Parameter Type Required Description
clientId string No Filter incidents by sub-client ID. Only for clients with managed sub-clients.
toDate string No Filter incidents created before this date. ISO 8601 format (YYYY-MM-DDTHH:mm:ss.sssZ).
fromDate string No Filter incidents created after this date. ISO 8601 format (YYYY-MM-DDTHH:mm:ss.sssZ).
status string No Filter by incident status. See Status Values for accepted values.
limit integer No Maximum number of incidents to return per page. Defaults to 5000 if not specified.
cursor string No Cursor for pagination. Use the paging.next value from the previous response to fetch the next page.
includeTotal boolean No When true, the response's paging object includes a total field with the total number of incidents matching the query across all pages. Defaults to false. Not supported together with statusVerbose.

Request Example

curl -X GET -G 'https://capi.phishfort.com/v1/incidents' \
  -H 'accept: application/json' \
  -H 'x-api-key: YOUR_API_KEY' \
  -d 'clientId=your_client_id' \
  -d 'fromDate=2022-01-01T12:00' \
  -d 'toDate=2022-03-08T12:00' \
  -d 'limit=100'
import requests

response = requests.get(
    "https://capi.phishfort.com/v1/incidents",
    headers={
        "accept": "application/json",
        "x-api-key": "YOUR_API_KEY",
    },
    params={
        "clientId": "your_client_id",
        "fromDate": "2022-01-01T12:00",
        "toDate": "2022-03-08T12:00",
        "limit": 100,
    },
)
print(response.json())
const params = new URLSearchParams({
  clientId: "your_client_id",
  fromDate: "2022-01-01T12:00",
  toDate: "2022-03-08T12:00",
  limit: "100",
});

const response = await fetch(
  `https://capi.phishfort.com/v1/incidents?${params}`,
  {
    headers: {
      accept: "application/json",
      "x-api-key": "YOUR_API_KEY",
    },
  }
);
const data = await response.json();
console.log(data);

Response Example

The data field is an array of IncidentStructure's. When pagination is used, the response includes a paging object (see PagingStructure).

{
    "message": "success",
    "data": [
        {
            "id": "054zKkjCnR1I3B3U812z",
            "clientId": "0Xp5voyA4y5xYNoufOVC",
            "safeDomain": "exampleclient.com",
            "subject": "uniformprivate.cc",
            "incidentType": "domain",
            "domain": "uniformprivate.cc",
            "url": "https://uniformprivate.cc/chevrolet/",
            "source": "PHISHFORT_DETECTED",
            "timestamp": "2021-11-08T20:36:43.765Z",
            "lastHistoryUpdateTimestamp": "2021-12-06T15:10:01.299Z",
            "burnStartedTimestamp": "2021-12-06T10:34:43.883Z",
            "takedownTimestamp": "2021-12-06T15:10:01.299Z",
            "reportedBy": "analyst@phishfort.com",
            "threatTaxonomy": {
                "name": "Brand - Website - Impersonation",
                "description": "Unauthorized representation of another person, brand, or entity. Includes fake profiles, cloned websites, or identity theft used to deceive victims."
            },
            "status": "takedown_success",
            "incidentClass": "phishing"
        }
    ],
    "paging": {
        "cursor": "054zKkjCnR1I3B3U812z",
        "next": "1AbcDefGhI2jKlMnO345",
        "limit": 100
    }
}

Fetching the Next Page

To fetch the next page of results, use the paging.next value as the cursor parameter in your next request:

curl -X GET -G 'https://capi.phishfort.com/v1/incidents' \
  -H 'x-api-key: YOUR_API_KEY' \
  -d 'cursor=1AbcDefGhI2jKlMnO345' \
  -d 'limit=100'