JSON in. JSON out.
Call Scampilot like Google Safe Browsing. One REST route for classics, an MCP server for your Claude agent, a browser extension for your users. Structured answers - no free-text roulette.
# Token aus Dashboard holen
export SCAMPILOT_TOKEN="sk_live_…"
# Nachricht analysieren
curl https://scampilot.de/api/v1/scan \
-H "Authorization: Bearer $SCAMPILOT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"content": "Ihr Konto wird in 24 Std…",
"locale": "de"
}'
# Strukturierte Antwort
{
"verdict": "danger",
"confidence": 94,
"summary_plain": "Phishing-Versuch …",
"actions": [...],
"signals": [...],
"model_used": "gpt-5-mini"
}Pick the one that fits.
Whether backend service, AI agent, browser user, or chat bot - one pipeline, four adapters.
REST API
RecommendedBearer token, per-user-bucket rate limit, JSON body, auto-generated OpenAPI 3.1 spec.
MCP server
For AI agentsModel Context Protocol - your Claude, Cursor, or Continue.dev sees Scampilot as a tool. HTTP or stdio transport.
Browser extension
SoonChrome & Firefox, MV3. Right-click on selected text or a link → check in the popup. Answer without leaving the page. Coming soon - we're working on it.
Telegram bot
Webhook-basedBuilding your own bot? Go via the REST API. Or link your users to @scampilot_bot with a /link code.
Predictable shape. Stable contracts.
We version via URL, not headers. The verdict enum is fixed at three values. Signal keys are stable slugs.
Request
POST /api/v1/scan HTTP/1.1
Authorization: Bearer sk_live_…
Content-Type: application/json
X-Request-ID: 9f2c1b3a-…
{
"kind": "email",
"content": "From: support@spk-verify.io…",
"locale": "de",
"hints": {
"source_app": "my-extension"
}
}Response
HTTP/1.1 200 OK
X-Request-ID: 9f2c1b3a-…
X-RateLimit-Remaining: 117
{
"id": "rpt_8f2a1c…",
"verdict": "danger",
"confidence": 94,
"summary_plain": "Phishing-Versuch …",
"actions": [
{ "icon": "❌", "text": "Klicke auf keinen Link." }
],
"signals": [
{
"key": "credential_request",
"severity": "high",
"evidence": "„bestätigen Sie umgehend Ihr Passwort"
}
],
"model_used": "gpt-5-mini",
"input_tokens": 1842,
"output_tokens": 412
}Your Claude gets a co-pilot.
Model Context Protocol - the open standard for AI tools. Wire Scampilot into your Claude, Cursor, or Continue.dev workflow, and the agent decides on its own when to check a link.
Claude Desktop Config
{
"mcpServers": {
"scampilot": {
"transport": "http",
"url": "https://scampilot.de/mcp/scampilot",
"headers": {
"Authorization": "Bearer sk_live_…"
}
}
}
}Local as stdio
# In deiner App / im Editor: php artisan mcp:start scampilot # → stdin/stdout MCP-Channel
Predictable. Never surprising.
| Authentication | Bearer token with per-token abilities (scan:create, reports:read). |
| Rate limit | 2880 requests per day per user bucket. Multiple tokens share the bucket. |
| Payload | Max 64 KB per request. PDF / DOCX attachments via multipart, OCR before analysis. |
| Webhooks | Async for long analyses. Secret is a path suffix - rotatable. |
Spec live - always current.
The spec is generated from PHP annotations. No drift between docs and code. Clients can be generated in any language.
Promises that live in the docs - not just on this marketing page.
X-Request-ID
Every request gets one. If you send one, we echo it. Logs, telemetry events, response headers - all correlated.
Structured errors
No stack traces in the body. {type, title, status, detail} per Problem Details (RFC 7807).
Heuristic fallback
If the AI provider is down, the heuristic answers. model_used = "heuristic-fallback". The client notices.
Token accounting
Per report: input_tokens, output_tokens, model_used. Costs per request precisely attributable.
24h URL cache
Google Safe Browsing and PhishTank are aggressively cached. You don't pay for identical URL checks.
Evidence fields
Every signal points to the exact spot in the input. You can show the end user the why.