For Agents
Submit newly observed malware URLs and download URLhaus's recent malicious-URL database via two abuse.ch endpoints authenticated by an Auth-Key.
Get started with abuse.ch URLhaus API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"submit a malicious URL to URLhaus"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with the abuse.ch URLhaus API.
Submit a malware-distribution URL to URLhaus with threat tags and reporter metadata
Download the recent URLhaus CSV dump for offline IOC matching
Feed URLhaus URLs into a SIEM or DNS sinkhole for blocking
Tag submissions with malware family (emotet, qakbot, dridex) for categorisation
Use for: I want to submit a malicious URL to URLhaus, Download the recent URLhaus database as CSV, Report a phishing payload host to abuse.ch, Pull URLhaus IOCs into our SIEM
Not supported: Does not handle malware sample retrieval, payload analysis, or sandbox detonation — use for malicious-URL submission and feed download only.
Jentic publishes the only available OpenAPI specification for abuse.ch URLhaus API, keeping it validated and agent-ready. URLhaus is abuse.ch's project for sharing malicious URLs used for malware distribution. The API exposes two operations: a POST endpoint for submitting newly observed malware URLs with tags and threat metadata, and a recent-CSV export endpoint for downloading the database. Authentication is via an Auth-Key tied to a free abuse.ch account, and the dataset is widely used as a threat-intel feed by SOCs, mail filters, and DNS sinkholing services.
Build a daily threat-feed pipeline by polling the recent-CSV export
Patterns agents use the abuse.ch URLhaus API for, with concrete tasks.
★ Automated malware-URL submission
When a SOC team identifies a fresh malware-distribution URL during incident response, an automation submits it to URLhaus via POST /api/ with tags and a threat label. This contributes to the community feed and gets the URL into downstream blocklists faster than a manual web-form submission.
POST /api/ with url=<malicious-url>, threat=malware_download, tags=emotet to share the new IOC with URLhaus
Daily IOC import for SIEM
A scheduled job pulls the recent-CSV export at /api/v2/files/exports/{authKey}/recent.csv and imports the rows into a SIEM as URL IOCs. Because URLhaus refreshes the recent feed continuously, hourly polling gives near-real-time coverage of newly seen malware URLs.
GET /api/v2/files/exports/{authKey}/recent.csv every hour, diff against the last import, and push new URLs to the SIEM as URL IOCs
DNS-level blocking
Pull the URLhaus recent CSV, extract hostnames, and load them into an internal DNS sinkhole or PiHole-style filter. Provides community-driven coverage of malware command-and-control domains alongside vendor feeds.
GET /api/v2/files/exports/{authKey}/recent.csv, extract host column, and append to the DNS sinkhole zone file
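The import and DNS-blocking patterns above, as an added example (not Jentic's or abuse.ch's code): parse the export, diff it against ids already imported, and derive sinkhole hostnames from the URL column. The column order, the sample rows and all function names are assumptions made for illustration.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Assumed column order; confirm against the header comment in the real export.
FIELDS = ["id", "dateadded", "url", "url_status", "last_online",
          "threat", "tags", "urlhaus_link", "reporter"]

# Constructed sample rows, not real URLhaus data.
SAMPLE = '''\
# Constructed sample in the assumed recent.csv layout
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1003","2024-01-02 10:00:00","http://203.0.113.7/bin.sh","online","2024-01-02 10:00:00","malware_download","elf","https://urlhaus.example/url/1003/","r1"
"1002","2024-01-02 09:00:00","http://Files.Bad.example:8080/a.exe","online","2024-01-02 09:00:00","malware_download","emotet","https://urlhaus.example/url/1002/","r2"
"1001","2024-01-01 08:00:00","https://cdn.evil.test/x.doc","offline","2024-01-01 09:00:00","malware_download","None","https://urlhaus.example/url/1001/","r1"
'''

def parse_export(text):
    """Return data rows as dicts, skipping '#' comment lines and malformed rows."""
    lines = [l for l in io.StringIO(text) if l.strip() and not l.startswith("#")]
    return [dict(zip(FIELDS, r)) for r in csv.reader(lines) if len(r) == len(FIELDS)]

def new_rows(rows, seen_ids):
    """Diff against the previous import: keep rows whose id was not seen before."""
    return [r for r in rows if r["id"] not in seen_ids]

def sinkhole_hosts(rows):
    """Return (hostnames, ip_literals). Hostnames go to the DNS sinkhole;
    IP-literal hosts never trigger a DNS lookup and need a firewall rule."""
    names, ips = set(), set()
    for r in rows:
        host = urlsplit(r["url"]).hostname  # lower-cased, port and userinfo dropped
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            names.add(host.rstrip("."))
    return sorted(names), sorted(ips)

if __name__ == "__main__":
    # The Auth-Key sits in the export URL path, so keep that URL out of job logs.
    fresh = new_rows(parse_export(SAMPLE), seen_ids={"1001"})
    print(sinkhole_hosts(fresh))
```

Persist the set of imported ids between runs so each poll pushes only rows the SIEM has not yet seen.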
AI agent IOC submission via Jentic
An agent that has just confirmed a URL hosts a malware payload uses Jentic to submit the URL to URLhaus, with tags drawn from its triage notes. The Auth-Key is held by Jentic, so the agent never sees the raw credential.
POST /api/ with url, threat=malware_download, and tags from the agent's triage findings
2 endpoints — jentic publishes the only available openapi specification for abuse.
METHOD | PATH | DESCRIPTION
POST | /api/ | Submit a malware-distribution URL with tags and threat metadata
GET | /api/v2/files/exports/{authKey}/recent.csv | Download the recent malware-URL database dump
Three things that make agents converge on Jentic-routed access.
Credential isolation
The abuse.ch Auth-Key is stored encrypted in the Jentic vault and injected at execution time — as a header for POST /api/ and as a path segment for the CSV export. Agents receive scoped access tokens — raw keys never enter the agent's context.
Intent-based discovery
Agents search Jentic by intent (e.g. 'submit malicious url', 'download urlhaus feed') and Jentic returns the matching URLhaus operation with its input schema, so the agent calls POST /api/ or the recent-CSV endpoint without reading docs.
Time to first call
Direct integration: 3-4 hours for auth, CSV parsing, and submission validation. Through Jentic: under 30 minutes — search, load, execute.
Alternatives and complements available in the Jentic catalogue.
MalwareBazaar
abuse.ch repository for malware sample lookup, retrieval, and submission
Use URLhaus to identify the URL distributing malware, then pivot into MalwareBazaar to fetch the actual sample dropped by that URL.
AbuseIPDB
Community database of IPs reported for abuse and malicious activity
Use AbuseIPDB to score the IP a URLhaus URL resolves to and combine the two signals before blocking.
Shodan
Search engine for internet-exposed services and infrastructure
Use Shodan to inspect the host serving a URLhaus URL — services running, certificates, and historical exposure.
Specific to using the abuse.ch URLhaus API through Jentic.
Why is there no official OpenAPI spec for abuse.ch URLhaus API?
abuse.ch documents URLhaus in HTML at urlhaus.abuse.ch/api/ but does not publish a structured OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call abuse.ch URLhaus API via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the abuse.ch URLhaus API use?
An Auth-Key tied to a free abuse.ch account. POST /api/ accepts the key as a header, and the recent-CSV export carries the Auth-Key as a path segment. Through Jentic the Auth-Key is held encrypted in the vault and injected at execution.
Can I download the URLhaus database?
Yes. GET /api/v2/files/exports/{authKey}/recent.csv returns a CSV of recently submitted malware URLs. URLhaus also offers full-database exports via the website; for production blocklists, poll the recent feed hourly to stay current.
What are the rate limits for the abuse.ch URLhaus API?
abuse.ch applies fair-use limits per Auth-Key, typically a few hundred submissions and a few thousand reads per day. Heavy users should batch submissions and cache recent-CSV pulls; refer to your abuse.ch dashboard for current quotas.
How do I submit a malicious URL through Jentic?
Search Jentic for 'submit malicious url to urlhaus', load POST /api/ on urlhaus.abuse.ch, then execute with url, threat, and tags. Install with pip install jentic and use await client.search, load, execute.
Is the URLhaus API free?
Yes. Free abuse.ch accounts can submit URLs and download the recent feed for non-commercial use. Heavy automated consumers should attribute abuse.ch and respect the fair-use policy.