The Zoxrim API gives you programmatic access to the same threat intelligence engine that powers the desktop and mobile apps. Use it to integrate URL scanning, email analysis, and threat lookups into your own tools, workflows, and applications.
API access is available on Pro and Enterprise plans.
Obtaining Your API Key
- Sign in to your Zoxrim account and open Settings
- Navigate to Settings > API & Integrations
- Click Generate API Key
- Copy the key immediately — it is shown only once. If you lose it, generate a new one from the same screen
Treat your API key like a password. Do not commit it to source control or include it in client-side code. Use environment variables or a secrets manager.
Authentication
All API requests must include the X-API-Key header:
X-API-Key: your_api_key_here
The base URL for all endpoints is:
https://api.zoxrim.com/api/v1
All requests and responses use JSON. Set the Content-Type: application/json header on POST requests.
Endpoints
GET /extension/check
A lightweight, low-latency threat check optimized for browser extensions and real-time integrations. Returns a verdict without triggering a full deep scan.
Request
curl -X GET \
"https://api.zoxrim.com/api/v1/extension/check?url=https://example.com" \
-H "X-API-Key: your_api_key_here"
Query Parameters
| Parameter | Type | Required | Description |
|-----------|--------|----------|-------------------------------------|
| url | string | Yes | The URL to check (URL-encoded) |
Response
{
"url": "https://example.com",
"score": 4,
"verdict": "safe",
"cached": true,
"checked_at": "2026-05-23T14:32:00Z"
}
verdict is one of safe, suspicious, or dangerous. cached indicates whether the result came from Zoxrim's real-time cache (results are cached for up to 10 minutes).
POST /scanner/analyze
Triggers a full threat scan across all 15+ intelligence sources. Returns comprehensive findings including per-source verdicts, domain infrastructure data, and an AI-generated explanation.
Request
curl -X POST \
"https://api.zoxrim.com/api/v1/scanner/analyze" \
-H "X-API-Key: your_api_key_here" \
-H "Content-Type: application/json" \
-d '{"url": "https://suspicious-site.example.com"}'
Request Body
{
"url": "https://suspicious-site.example.com"
}
Response
{
"scan_id": "scn_01jwx9k3m2pqr4st",
"url": "https://suspicious-site.example.com",
"score": 78,
"verdict": "dangerous",
"sources": {
"google_safe_browsing": "flagged",
"urlhaus": "flagged",
"phishtank": "clean",
"virustotal": { "flagged": 12, "total": 90 },
"abuseipdb": { "confidence": 87 },
"alienvault_otx": "flagged",
"shodan": "clean"
},
"domain": {
"registered": "2026-05-01",
"registrar": "NameCheap",
"age_days": 22,
"ssl_issuer": "Let's Encrypt",
"ssl_valid": true
},
"ai_explanation": "This URL was flagged by Google Safe Browsing and URLHaus as an active phishing page. The domain is 22 days old, which is consistent with short-lived phishing infrastructure. AbuseIPDB reports the hosting IP with an 87% abuse confidence score. Do not visit this URL.",
"scanned_at": "2026-05-23T14:33:45Z"
}
Full scans typically complete in 2–4 seconds.
POST /email/analyze
Analyzes an email for phishing, impersonation, suspicious links, and social engineering. Accepts sender, subject, and body content.
Request
curl -X POST \
"https://api.zoxrim.com/api/v1/email/analyze" \
-H "X-API-Key: your_api_key_here" \
-H "Content-Type: application/json" \
-d '{
"from": "[email protected]",
"subject": "Your account has been limited — verify immediately",
"body": "Dear customer, we have detected unusual activity. Click here to verify: http://paypal-verify-now.ru/account"
}'
Request Body
{
"from": "[email protected]",
"subject": "Your account has been limited — verify immediately",
"body": "Dear customer, we have detected unusual activity..."
}
All three fields are required. The body field accepts plain text (HTML is stripped server-side).
Response
{
"verdict": "phishing",
"score": 94,
"indicators": [
"Domain lookalike: paypa1-secure.net impersonates paypal.com",
"Urgency language detected in subject line",
"Link in body resolves to flagged phishing domain",
"Sender domain fails SPF check"
],
"links_found": [
{
"url": "http://paypal-verify-now.ru/account",
"score": 91,
"verdict": "dangerous"
}
],
"ai_explanation": "This email displays multiple high-confidence phishing indicators. The sender domain uses a lookalike of paypal.com (numeral 1 substituted for lowercase L). The embedded link resolves to a .ru domain that is listed in PhishTank as an active credential harvesting page. Do not click any links in this email.",
"analyzed_at": "2026-05-23T14:34:10Z"
}
Rate Limits
API requests are rate-limited per API key on a rolling 24-hour window:
| Plan | Limit | |------------|----------------| | Free | Not available | | Starter | 50 requests / day | | Pro | 1,000 requests / day | | Enterprise | Custom |
When you exceed the limit, the API returns a 429 Too Many Requests response with a Retry-After header indicating when your quota resets.
Error Codes
| Status | Meaning |
|--------|----------------------------------------------|
| 400 | Bad request — missing or malformed parameters |
| 401 | Unauthorized — invalid or missing API key |
| 403 | Forbidden — your plan does not include API access |
| 422 | Unprocessable — URL or content could not be parsed |
| 429 | Rate limit exceeded |
| 500 | Internal server error — contact support if persistent |
All error responses include a JSON body with a message field explaining the error.