Is-this-real? as an API & MCP.
JSON in, JSON out - shaped like the Safe Browsing you already call. Plus an MCP server so your AI agent can answer the same question. Stable contracts, no lawyer for the contract.
# Token aus Dashboard holen
export SCAMPILOT_TOKEN="sk_live_…"
# Nachricht analysieren
curl https://scampilot.de/api/v1/scan \
-H "Authorization: Bearer $SCAMPILOT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"content": "Ihr Konto wird in 24 Std…",
"locale": "de"
}'
# Strukturierte Antwort
{
"verdict": "danger",
"confidence": 94,
"summary_plain": "Phishing-Versuch …",
"actions": [...],
"signals": [...],
"model_used": "gpt-5-mini"
}Pick the one that fits.
Whether backend service, AI agent, browser user, or chat bot - one pipeline, four adapters.
REST API
RecommendedBearer token, per-user-bucket rate limit, JSON body, auto-generated OpenAPI 3.1 spec.
MCP server
For AI agentsModel Context Protocol - your Claude, Cursor, or Continue.dev sees Scampilot as a tool. HTTP transport.
Browser extension
Chrome MV3Right-click on selected text, a link, or an image → check in the side panel. Answer without leaving the page, including QR-code detection on the page.
Telegram bot
Webhook-basedBuilding your own bot? Go via the REST API. Or link your users to @scampilot_bot with a /link code.
One endpoint, one verdict.
Bearer token with abilities, OpenAPI 3.1, per-user bucket rate limit. We version via URL, not headers. The verdict enum is fixed at three values.
Request
POST /api/v1/scan HTTP/1.1
Authorization: Bearer sk_live_…
Content-Type: application/json
X-Request-ID: 9f2c1b3a-…
{
"kind": "email",
"content": "From: support@spk-verify.io…",
"locale": "de",
"hints": {
"source_app": "my-extension"
}
}Response
HTTP/1.1 200 OK
X-Request-ID: 9f2c1b3a-…
X-RateLimit-Remaining: 117
{
"id": "rpt_8f2a1c…",
"verdict": "danger",
"confidence": 94,
"summary_plain": "Phishing-Versuch …",
"actions": [
{ "icon": "❌", "text": "Klicke auf keinen Link." }
],
"signals": [
{
"key": "credential_request",
"severity": "high",
"evidence": "„bestätigen Sie umgehend Ihr Passwort"
}
],
"model_used": "gpt-5-mini",
"input_tokens": 1842,
"output_tokens": 412
}Phishing protection for your AI agent.
One of the first consumer-protection MCP servers. Tools for Claude, Cursor & co. - over HTTP. The agent decides on its own when to check a link.
Claude Desktop config
{
"mcpServers": {
"scampilot": {
"transport": "http",
"url": "https://scampilot.de/mcp/scampilot",
"headers": {
"Authorization": "Bearer sk_live_…"
}
}
}
}Predictable. Never surprising.
| Authentication | Bearer token with per-token abilities (scan:create, reports:read). |
| Rate limit | 10 requests per day per user bucket. Multiple tokens share the bucket. |
| Payload | Max 64 KB per request. PDF / DOCX attachments via multipart, OCR before analysis. |
| Webhooks | Async for long analyses. Secret is a path suffix - rotatable. |
Spec live - always current.
The spec is generated from PHP annotations. No drift between docs and code. Clients can be generated in any language.
Built to be relied on.
Promises that live in the docs - not just on this marketing page.
OpenAPI 3.1
Live spec at /docs/api, generated from PHP annotations. No drift between docs and code - generate your own client in any language.
Stable versions
Versioned via the URL, not headers. The verdict enum is fixed at three values, signal keys are stable slugs. Deprecations are announced.
DPA without drama
EU hosting (Frankfurt & Falkenstein), a named subprocessor list, no model training on your content, no data resale.
X-Request-ID
Every request gets one. If you send one, we echo it. Logs, telemetry events, response headers - all correlated.
Structured errors
No stack traces in the body. {type, title, status, detail} per Problem Details (RFC 7807).
Heuristic fallback
If the AI provider is down, the heuristic answers. model_used = "heuristic-fallback". The client notices.
Token accounting
Per report: input_tokens, output_tokens, model_used. Costs per request precisely attributable.
24h URL cache
Google Safe Browsing and PhishTank are aggressively cached. You don't pay for identical URL checks.
Evidence fields
Every signal points to the exact spot in the input. You can show the end user the why.
Pay only for what you check.
Personal use stays free. For production volume we bill per checked message - no seat licences, no minimums.
Beta anchor price. REST + MCP, the same engine as the app. Volume tiers on request.
Request access
Frequently asked questions
How do I call the Scampilot API?
JSON in, JSON out, authenticated with bearer tokens. There is an OpenAPI 3.1 spec; the API shares the daily quota with the web interface.
Is there an MCP server for AI agents?
Yes. The Model Context Protocol server offers tools such as scan_text, scan_url, scan_email, scan_qr and scan_links for agents like Claude - over HTTP or stdio.
What rate limits apply?
Anonymous calls are capped at 3 checks per day, registered at 10; for higher volumes there is the business tier.
