API Configuration
Overview
| Service | Requirement | What it enables |
|---|---|---|
| VirusTotal | Required | IP, URL and file reputation |
| GitHub | Recommended | Repository analysis (rate limit 5000 req/hr) |
| GitLab | Recommended | GitLab repository analysis |
| AbuseIPDB | Optional | IP abuse score |
| Shodan | Optional | Open ports and services |
| URLHaus | Optional | URLs used to distribute malware |
| MalwareBazaar | Optional | Threat identification by hash |
| Ollama | Optional | Automated summaries with local AI |
How to obtain the keys
VirusTotal (required)
- Create an account at virustotal.com
- Go to your profile and copy the API Key
- Free plan: 500 requests/day
GitHub
- Go to github.com/settings/tokens
- Generate a token with public read permission
- Increases the rate limit from 60 to 5000 req/hr
GitLab
- Go to Settings > Access Tokens on GitLab
- Create a token with the `read_api` scope
AbuseIPDB
- Register at abuseipdb.com
- Go to API > Create Key
- Free plan: 1000 checks/day
Shodan
- Create an account at shodan.io
- The API Key is on the dashboard
- Free plan available
URLHaus
- Register at urlhaus.abuse.ch
- The API is free and has no rate limit
MalwareBazaar
- Free API at bazaar.abuse.ch
- No authentication required for hash lookups
Configuring the keys
- Click Settings in the top right corner
- Navigate to the API Keys tab
- Paste each key in the corresponding field
- Keys are saved automatically
Secure storage
Keys are stored in the operating system's keyring:
| System | Backend |
|---|---|
| Windows | Credential Locker |
| macOS | Keychain |
| Linux | Secret Service (GNOME Keyring, KWallet) |
Keys are never saved in text files or environment variables.
Cache
ThreatDeflect uses an SQLite cache to avoid repeated API queries. The cache is stored in the .threatdeflect_cache/ subfolder in the executable's directory.
This preserves your request quota and speeds up recurring analyses.
To clear the cache in the GUI, use the Clear button in the IOCs tab.
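
How a cache like this preserves quota, as an added example (not ThreatDeflect's own code): the table layout, the 24-hour expiry and the names `LookupCache` and `fake_virustotal` are assumptions, since this page does not document the cache schema.

```python
import json
import sqlite3
import time

# Assumed schema: one row per (service, indicator) pair.
SCHEMA = """CREATE TABLE IF NOT EXISTS cache (
    service TEXT NOT NULL,
    indicator TEXT NOT NULL,
    fetched_at REAL NOT NULL,
    response TEXT NOT NULL,
    PRIMARY KEY (service, indicator)
)"""


class LookupCache:
    def __init__(self, path=":memory:", ttl_seconds=86400):  # assumed 24-hour expiry
        self.db = sqlite3.connect(path)
        self.db.execute(SCHEMA)
        self.ttl = ttl_seconds
        self.upstream_calls = 0  # lookups that actually consumed API quota

    def lookup(self, service, indicator, fetch, now=None):
        """Return (response, from_cache); fetch(indicator) runs only on a miss or stale row."""
        now = time.time() if now is None else now
        key = indicator.strip()  # stray whitespace must not create a second row
        row = self.db.execute(
            "SELECT fetched_at, response FROM cache WHERE service = ? AND indicator = ?",
            (service, key),
        ).fetchone()
        if row and now - row[0] < self.ttl:
            return json.loads(row[1]), True
        response = fetch(key)
        self.upstream_calls += 1
        # Only the response body is written; the API key never reaches the cache file.
        self.db.execute(
            "INSERT OR REPLACE INTO cache VALUES (?, ?, ?, ?)",
            (service, key, now, json.dumps(response)),
        )
        self.db.commit()
        return response, False


def fake_virustotal(indicator):
    """Constructed stand-in for a real API call, so the example runs offline."""
    return {"indicator": indicator, "malicious": 0}
```

Repeated lookups of the same indicator inside the expiry window leave `upstream_calls` unchanged, which is what protects limits such as VirusTotal's 500 requests/day; a stale row triggers a fresh request so old verdicts are not served indefinitely.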