Incidents
Deprecation Notice
The statusVerbose field will be deprecated on 30th April 2026. Please use the status field instead, which returns the same computed verbose status values. See Status Values for details.
The incidents endpoint returns an optionally paginated list of incidents related to the client.
Pagination
This endpoint uses cursor-based pagination to efficiently navigate through large result sets. Use the limit parameter to control page size and the cursor parameter to fetch subsequent pages.
- If the response includes a
paging.nextvalue, more results are available - Pass the
paging.nextvalue as thecursorparameter in your next request to fetch the next page - When
paging.nextisnullor absent, you have reached the end of the results
See PagingStructure for the response format.
Total Count
To know how many incidents match your query overall (not just the current page), pass includeTotal=true. The response's paging object then includes a total field with the total number of matching incidents across all pages. The total honours the same filters (clientId, incidentType, fromDate, toDate, status) and is unaffected by cursor or limit.
curl -X GET -G 'https://capi.phishfort.com/v1/incidents' \
-H 'x-api-key: YOUR_API_KEY' \
-d 'includeTotal=true' \
-d 'limit=100'
{
"message": "success",
"data": [ ... ],
"paging": {
"next": "1AbcDefGhI2jKlMnO345",
"limit": 100,
"count": 100,
"total": 1523
}
}
Note
includeTotal is not supported in combination with the deprecated statusVerbose filter — use the status filter instead. Requesting both returns a 400 error.
Endpoint
GET /v1/incidents
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
clientId |
string |
No | Filter incidents by sub-client ID. Only for clients with managed sub-clients. |
toDate |
string |
No | Filter incidents created before this date. ISO 8601 format (YYYY-MM-DDTHH:mm:ss.sssZ). |
fromDate |
string |
No | Filter incidents created after this date. ISO 8601 format (YYYY-MM-DDTHH:mm:ss.sssZ). |
status |
string |
No | Filter by incident status. See Status Values for accepted values. |
limit |
integer |
No | Maximum number of incidents to return per page. Defaults to 5000 if not specified. |
cursor |
string |
No | Cursor for pagination. Use the paging.next value from the previous response to fetch the next page. |
includeTotal |
boolean |
No | When true, the response's paging object includes a total field with the total number of incidents matching the query across all pages. Defaults to false. Not supported together with statusVerbose. |
Request Example
const params = new URLSearchParams({
clientId: "your_client_id",
fromDate: "2022-01-01T12:00",
toDate: "2022-03-08T12:00",
limit: "100",
});
const response = await fetch(
`https://capi.phishfort.com/v1/incidents?${params}`,
{
headers: {
accept: "application/json",
"x-api-key": "YOUR_API_KEY",
},
}
);
const data = await response.json();
console.log(data);
Response Example
The data field is an array of IncidentStructure's. When pagination is used, the response includes a paging object (see PagingStructure).
{
"message": "success",
"data": [
{
"id": "054zKkjCnR1I3B3U812z",
"clientId": "0Xp5voyA4y5xYNoufOVC",
"safeDomain": "exampleclient.com",
"subject": "uniformprivate.cc",
"incidentType": "domain",
"domain": "uniformprivate.cc",
"url": "https://uniformprivate.cc/chevrolet/",
"source": "PHISHFORT_DETECTED",
"timestamp": "2021-11-08T20:36:43.765Z",
"lastHistoryUpdateTimestamp": "2021-12-06T15:10:01.299Z",
"burnStartedTimestamp": "2021-12-06T10:34:43.883Z",
"takedownTimestamp": "2021-12-06T15:10:01.299Z",
"reportedBy": "analyst@phishfort.com",
"threatTaxonomy": {
"name": "Brand - Website - Impersonation",
"description": "Unauthorized representation of another person, brand, or entity. Includes fake profiles, cloned websites, or identity theft used to deceive victims."
},
"status": "takedown_success",
"incidentClass": "phishing"
}
],
"paging": {
"cursor": "054zKkjCnR1I3B3U812z",
"next": "1AbcDefGhI2jKlMnO345",
"limit": 100
}
}