Introduction
Last updated
Last updated
Gophish was built from the ground-up with a JSON API that makes it easy for developers and sysadmins to automate simulated phishing campaigns.
These docs describe how to use the Gophish API. We hope you enjoy these docs, and please don't hesitate to file an issue if you see anything missing.
Is Python your language of choice? If so, we have a fully-supported Python API client that makes working with the Gophish API a piece of cake!
There are many reasons to use the Gophish API. The most common use case is to gather report information for a given campaign, so that you can build custom reports in software you're most familiar with, such as Excel or Numbers.
However, automating the creation of campaigns and campaign attributes such as templates, landing pages, and more provides the ability to create a fully automated phishing simulation program. This would allow campaigns to be run throughout the year automatically. This also allows the Gophish administrator to be included in the campaigns, since they wouldn't know exactly which day it would start!
All API requests require the use of a generated API key. You can find your API key, or generate a new one, by navigating to the /settings endpoint, or clicking the “Settings” sidebar item.
To authenticate an API request, you should provide your API key in the Authorization
header.
Alternatively, you may append the api_key=[API_KEY]
as a GET parameter to authorize yourself to the API. But note that this is likely to leave traces in things like your history, if accessing the API through a browser.
Many API endpoints return the JSON representation of the resources created or edited. However, if an invalid request is submitted, or some other error occurs, Gophish returns a JSON response in the following format:
The message
attribute contains a message commonly used to indicate errors or, in the case of deleting a resource, success that the resource was properly deleted.
The success
attribute describes if the transaction was successful or not.
The data
attribute contains any other metadata associated with the response. This will be an escaped string containing JSON data.
Gophish returns the following status codes in its API:
Parameter
Type
Description
api_key
string
Required. Your Gophish API key
Status Code
Description
200
OK
201
CREATED
400
BAD REQUEST
404
NOT FOUND
500
INTERNAL SERVER ERROR