Web Risk API

Name: Web Risk API API
Brand: Web Risk API
Availability: InStock

✓ Official Vendor SpecSecurityThreat Detectionoauth28 EndpointsREST

For Agents

Check URLs against Google's threat lists for phishing, malware, and unwanted software, and submit suspicious URLs for review. Designed for moderation, link-shortening, and email security pipelines.

Quickstart

Get started with Web Risk API in minutes using your preferred integration method.

# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}

# Then ask your agent:
"check a url for phishing or malware"

# → Jentic returns the GET /events tool with parameter schema, agent executes.

Capabilities

What an agent can do with Web Risk API API.

Check a URL for phishing, malware, or unwanted-software classifications using uris:search

Compute privacy-preserving hash prefix diffs against threat lists with threatLists:computeDiff

Verify candidate hash prefixes locally and confirm full hashes via hashes:search

Submit a suspicious URL to Google for review through the submissions endpoint

GET STARTED

Start building with Web Risk API API

Explore with Jentic

View OpenAPI Document

Use for: Check whether a URL is on Google's phishing list, Look up a domain in the malware threat list, Submit a phishing URL for review by Google, Retrieve full hashes that match a hash prefix from the local cache

Not supported: Does not handle vulnerability scanning of your own apps, bot detection, content moderation of text or images, or DNS filtering — use for URL threat lookups against Google's hosted threat lists only.

The Google Web Risk API lets client applications check URLs against Google's continuously updated lists of unsafe web resources, including phishing pages, malware sites, and unwanted software. It exposes both a hash-based lookup that preserves user privacy and a direct URI search for low-volume use, alongside an evaluate endpoint that returns risk scores for borderline URLs. Web Risk is a paid commercial successor to the public Safe Browsing API and is intended for products that need higher quotas, an SLA, and the ability to submit URLs for review.

Use Cases

Patterns agents use Web Risk API API for, with concrete tasks.

★ Link safety check before redirect

URL shorteners, email gateways, and chat platforms call uris:search before resolving a user-supplied link to block known phishing and malware destinations. The endpoint accepts a URL and a list of threat types and returns matched threats. Because Web Risk is paid and quota-managed, it suits high-traffic products that have outgrown the free Safe Browsing API.

Call GET /v1/uris:search with the URL https://example.com/login and threatTypes=MALWARE,SOCIAL_ENGINEERING and report whether any threat is returned.

Privacy-preserving local threat database

Browsers and security clients sync a local copy of Google's threat lists by calling threatLists:computeDiff and only requesting full hashes from hashes:search when a candidate prefix matches. This pattern keeps actual user URLs on the client and sends only truncated hashes upstream. Web Risk's diff format is identical in shape to Safe Browsing v4 so existing client logic ports cleanly.

Call GET /v1/threatLists:computeDiff with threatType=MALWARE and a stored versionToken, then update the local hash prefix database with the returned additions and removals.

Submitting newly discovered phishing URLs

Security teams that detect phishing pages targeting their brand submit those URLs to Google through POST /v1/{+parent}/submissions so that the entry can be added to threat lists and protect the wider Chrome and Android ecosystem. Submissions are processed as long-running operations; the operations endpoints track status. This is a useful integration for fraud and trust-and-safety workflows.

POST a submission with uri=https://fake-bank.example.com to /v1/projects/{project}/submissions and poll the returned operation until done is true.

Agent-driven URL screening through Jentic

Moderation and customer-support agents call Web Risk through Jentic to vet links before sending them to users or following them autonomously. The agent queries Jentic for check a url for phishing, loads the uris:search schema, and executes with the URL pulled from the conversation. Credential isolation in Jentic means OAuth tokens for the underlying Google project never enter the model's context.

Through Jentic, call GET /v1/uris:search with a URL extracted from a user message and threatTypes=MALWARE,SOCIAL_ENGINEERING,UNWANTED_SOFTWARE, then refuse to forward the link if any threat is returned.

Key Endpoints

8 endpoints — the google web risk api lets client applications check urls against google's continuously updated lists of unsafe web resources, including phishing pages, malware sites, and unwanted software.

METHOD

PATH

DESCRIPTION

GET

/v1/uris:search

Check a URL against threat lists

GET

/v1/hashes:search

Resolve hash prefixes to full hashes

GET

/v1/threatLists:computeDiff

Compute a diff of a threat list

POST

/v1/{+parent}/submissions

Submit a URL for review

GET

/v1/{+name}/operations

List long-running operations

POST

/v1/{+name}:cancel

Cancel a long-running operation

GET

/v1/uris:search

Check a URL against threat lists

GET

/v1/hashes:search

Resolve hash prefixes to full hashes

GET

/v1/threatLists:computeDiff

Compute a diff of a threat list

POST

/v1/{+parent}/submissions

Submit a URL for review

GET

/v1/{+name}/operations

List long-running operations

Why though Jentic?

Three things that make agents converge on Jentic-routed access.

Credential isolation

OAuth 2.0 client credentials for the Google Cloud project hosting Web Risk are stored encrypted in the Jentic vault. Agents receive scoped, short-lived access tokens; the underlying refresh token never enters the model context.

Intent-based discovery

Agents search Jentic with intents like check a url for phishing or report a malware url and Jentic returns the uris:search or submissions operation with its full input schema, ready to execute.

Time to first call

Direct integration with Web Risk: 1-2 days for OAuth setup, hash-list sync logic, and operation polling. Through Jentic: under 30 minutes for a uris:search lookup.

Related APIs

Alternatives and complements available in the Jentic catalogue.

Alternative

Safe Browsing API

Free, lower-quota sibling that exposes the same threat lists without an SLA

Choose Safe Browsing for hobby projects or low-traffic moderation. Choose Web Risk when you need higher QPS, an SLA, or the ability to submit URLs.

Complementary

reCAPTCHA Enterprise API

Detect abusive traffic and bots before a URL is even followed

Pair reCAPTCHA Enterprise at the entry point with Web Risk on outbound link checks for a layered trust-and-safety pipeline.

Complementary

Web Security Scanner API

Scans your own App Engine and Compute apps for vulnerabilities

Use Web Security Scanner to harden first-party apps and Web Risk to vet third-party URLs your users encounter.

FAQs

Specific to using Web Risk API API through Jentic.

What authentication does the Web Risk API use?

Web Risk uses OAuth 2.0 (the Oauth2 and Oauth2c security schemes in the spec) scoped to https://www.googleapis.com/auth/cloud-platform. Through Jentic the OAuth credentials are stored in the encrypted vault and exchanged for short-lived access tokens at execution time.

How is Web Risk different from the free Safe Browsing API?

Web Risk is the paid commercial product with higher quotas, an SLA, and support for URL submissions through POST /v1/{+parent}/submissions. Safe Browsing v4 is free but rate limited and does not include the submission endpoint. The hash diff and lookup logic is otherwise compatible.

What are the rate limits for the Web Risk API?

Web Risk quotas are configured per Google Cloud project in the Cloud Console under APIs and Services and depend on your billing plan. Google publishes the contractual QPS in the Web Risk pricing documentation; for hash-based lookups the local cache built from threatLists:computeDiff handles the bulk of traffic so live calls stay well under quota.

How do I check a URL for phishing through Jentic?

Search Jentic for check a url for phishing, load the schema for GET /v1/uris:search, and execute it with the uri parameter and threatTypes including SOCIAL_ENGINEERING and MALWARE. Jentic returns the matched threats array; an empty response means the URL is not currently on a list.

Can I submit phishing URLs that target my brand?

Yes. POST /v1/{+parent}/submissions accepts a URI and creates a long-running operation. Track it through the operations endpoints (GET /v1/{+name}/operations or POST /v1/{+name}:cancel) until the operation completes. Approved submissions are added to Google's threat lists and propagate to Chrome and Android.