If you are currently developing a web application and would like to integrate Akismet’s world-class spam protection, you’ve come to the right place. If you are not an application developer and need an API key to activate an existing Akismet plugin or integration, please register here instead.
You can either start from scratch or get up and running quickly with an existing class or library created by other developers.
People have implemented Akismet for many other systems and platforms; here are the ones we know about:
If you choose to write your own integration, there are a few things that you’ll want to keep in mind:
Development API keys
If you’d like access to a development API key, please join our developer program. Even if you are using an available library but want to test our service before committing to a subscription, we can get you up and running.
Structuring your API calls
All calls to Akismet are POST requests much like a web form would send. The request variables should be constructed like a query string: key=value and multiple variables separated by ampersands. Don’t forget to URL encode the values.
There are three different types of calls to Akismet:
Testing your API calls
Akismet works by examining all the available information combined. It is not enough to provide just the content of a message; you need to provide as many independent pieces of information as you can in each call. So before you can test Akismet’s accuracy, you need to make sure you’re sending complete and correct information.
To simulate a positive (spam) result, make a comment-check API call with the comment_author set to viagra-test-123 or comment_author_email set to akismet-guaranteed-spam@example.com. Populate all other required fields with typical values. The Akismet API will always return a true response to a valid request with one of those values. If you receive anything else, something is wrong in your client, data, or communications.
To simulate a negative (not spam) result, make a comment-check API call with the user_role set to administrator and all other required fields populated with typical values. The Akismet API will always return a false response. Any other response indicates a data or communication problem.
Also, make sure your client will handle an unexpected response. Don’t assume that the comment-check API will always return either true or false. An invalid request may result in an error response; additional information will usually be available in HTTP headers. And of course, a connectivity problem may result in no response at all. It’s important not to misinterpret an invalid response as meaning spam or ham.
For automated testing, include the parameter is_test=1 in your tests. That will tell Akismet not to change its behaviour based on those API calls – they will have no training effect. That means your tests will be somewhat repeatable, in the sense that one test won’t influence subsequent calls.
Setting your user agent
If possible, your user agent string should always use the following format:
The Akismet WordPress plugin’s user agent string would look like:
Key verification authenticates your key before calling the comment-check, submit-spam, or submit-ham methods for the first time. This is the first call that you should make to Akismet and is especially useful if you will have multiple users with their own Akismet subscriptions using your application.
Note that you do not need to call this method before every call to comment-check, submit-spam, or submit-ham; you should only make this request to confirm that an API key is valid before storing it locally.
This method is called via a POST request to the following URL:
// Call to verify key function
akismet_verify_key('123YourAPIKey', 'http://www.yourgroovydomain.com/');
// Authenticates your Akismet API key
function akismet_verify_key( $key, $blog ) {
$blog = urlencode($blog);
$request = 'key='. $key .'&blog='. $blog;
$host = $http_host = 'rest.akismet.com';
$path = '/1.1/verify-key';
$port = 443;
$akismet_ua = "WordPress/4.4.1 | Akismet/3.1.7";
$content_length = strlen( $request );
$http_request = "POST $path HTTP/1.0\r\n";
$http_request .= "Host: $host\r\n";
$http_request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$http_request .= "Content-Length: {$content_length}\r\n";
$http_request .= "User-Agent: {$akismet_ua}\r\n";
$http_request .= "\r\n";
$http_request .= $request;
$response = '';
if( false != ( $fs = @fsockopen( 'ssl://' . $http_host, $port, $errno, $errstr, 10 ) ) ) {
fwrite( $fs, $http_request );
while ( !feof( $fs ) )
$response .= fgets( $fs, 1160 ); // One TCP-IP packet
fclose( $fs );
$response = explode( "\r\n\r\n", $response, 2 );
}
if ( 'valid' == $response[1] )
return true;
else
return false;
}
The call returns valid if the key is valid.
Array
(
[0] => HTTP/1.1 200 OK
Server: nginx
Date: Mon, 24 Feb 2014 16:31:55 GMT
Content-Type: text/plain; charset=utf-8
Connection: close
Content-length: 5
[1] => valid
)
If the verify-key call returns “invalid”, it usually includes an extra HTTP header with some debug information about what exactly was invalid about the call.
Array
(
[0] => HTTP/1.1 200 OK
Server: nginx
Date: Mon, 24 Feb 2014 16:34:54 GMT
Content-Type: text/plain; charset=utf-8
Connection: close
X-akismet-debug-help: We were unable to parse your blog URI
Content-length: 7
[1] => invalid
)
If you ever get stuck or need help troubleshooting something, please don’t hesitate to contact us.
This call is for submitting comments that weren’t marked as spam but should have been.
It is very important that the values you submit with this call match those of your comment-check calls as closely as possible. In order to learn from its mistakes, Akismet needs to match your missed spam and false positive reports to the original comment-check API calls made when the content was first posted. While it is normal for less information to be available for submit-spam and submit-ham calls (most comment systems and forums will not store all metadata), you should ensure that the values that you do send match those of the original content.
This method is called with the following URL:
This call takes the same arguments as the comment check call.
A string that describes the type of content being sent. Examples:
comment: A blog comment.forum-post: A top-level forum post.reply: A reply to a top-level forum post.blog-post: A blog post.contact-form: A contact form or feedback form submission.signup: A new user account.message: A message sent between just a few users.
Other server environmental variables
In PHP, there is an array of environmental variables called $_SERVER that contains information about the Web server itself as well as a key/value for every HTTP header sent with the request. This data is highly useful to Akismet. How the submitted content interacts with the server can be very telling, so please include as much of it as possible.
$data = array(
'blog' => 'http://yourgroovydomain.com',
'user_ip' => '127.0.0.1',
'user_agent' => 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6',
'referrer' => 'http://www.google.com',
'permalink' => 'http://yourgroovydomain.com/blog/post=1',
'comment_type' => 'comment',
'comment_author' => 'admin',
'comment_author_email' => 'test@example.com',
'comment_author_url' => 'http://spam.example.net',
'comment_content' => 'It means a lot that you would take the time to review our software.Thanks again.'
);
akismet_submit_spam( '123YourAPIKey', $data );
function akismet_submit_spam( $api_key, $data ) {
$request = 'api_key=' . urlencode( $api_key ) .
'&blog=' . urlencode($data['blog']) .
'&user_ip=' . urlencode($data['user_ip']) .
'&user_agent=' . urlencode($data['user_agent']) .
'&referrer=' . urlencode($data['referrer']) .
'&permalink=' . urlencode($data['permalink']) .
'&comment_type=' . urlencode($data['comment_type']) .
'&comment_author=' . urlencode($data['comment_author']) .
'&comment_author_email=' . urlencode($data['comment_author_email']) .
'&comment_author_url=' . urlencode($data['comment_author_url']) .
'&comment_content=' . urlencode($data['comment_content']);
$host = $http_host = 'rest.akismet.com';
$path = '/1.1/submit-spam';
$port = 443;
$akismet_ua = "WordPress/4.4.1 | Akismet/3.1.7";
$content_length = strlen( $request );
$http_request = "POST $path HTTP/1.0\r\n";
$http_request .= "Host: $host\r\n";
$http_request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$http_request .= "Content-Length: {$content_length}\r\n";
$http_request .= "User-Agent: {$akismet_ua}\r\n";
$http_request .= "\r\n";
$http_request .= $request;
$response = '';
if ( false != ( $fs = @fsockopen( 'ssl://' . $http_host, $port, $errno, $errstr, 10 ) ) ) {
fwrite( $fs, $http_request );
while ( !feof( $fs ) )
$response .= fgets( $fs, 1160 ); // One TCP-IP packet
fclose( $fs );
$response = explode( "\r\n\r\n", $response, 2 );
}
if ( 'Thanks for making the web a better place.' == $response[1] ) {
return true;
} else {
return false;
}
}
This call returns a single response:
Array
(
[0] => HTTP/1.1 200 OK
Server: nginx
Date: Mon, 24 Feb 2014 20:41:15 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Content-length: 41
[1] => Thanks for making the web a better place.
)
If you ever get stuck or need help troubleshooting something, please don’t hesitate to contact us.
This call is intended for the submission of false positives - items that were incorrectly classified as spam by Akismet. It takes identical arguments as comment check and submit spam.
Remember that, as explained in our submit-spam documentation, you should ensure that any values you’re passing here match up with the original and corresponding comment-check call.
This method is called with the following URL:
This call takes the same arguments as the comment check call.
A string that describes the type of content being sent. Examples:
comment: A blog comment.forum-post: A top-level forum post.reply: A reply to a top-level forum post.blog-post: A blog post.contact-form: A contact form or feedback form submission.signup: A new user account.message: A message sent between just a few users.
Other server environmental variables
In PHP, there is an array of environmental variables called $_SERVER that contains information about the Web server itself as well as a key/value for every HTTP header sent with the request. This data is highly useful to Akismet. How the submitted content interacts with the server can be very telling, so please include as much of it as possible.
$data = array(
'blog' => 'http://yourgroovydomain.com',
'user_ip' => '127.0.0.1',
'user_agent' => 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6',
'referrer' => 'http://www.google.com',
'permalink' => 'http://yourgroovydomain.com/blog/post=1',
'comment_type' => 'comment',
'comment_author' => 'admin',
'comment_author_email' => 'test@example.com',
'comment_author_url' => 'http://spam.example.net',
'comment_content' => 'It means a lot that you would take the time to review our software.Thanks again.'
);
akismet_submit_ham( '123YourAPIKey', $data );
function akismet_submit_ham( $api_key, $data ) {
$request = 'api_key=' . urlencode( $api_key ) .
'&blog=' . urlencode($data['blog']) .
'&user_ip=' . urlencode($data['user_ip']) .
'&user_agent=' . urlencode($data['user_agent']) .
'&referrer=' . urlencode($data['referrer']) .
'&permalink=' . urlencode($data['permalink']) .
'&comment_type=' . urlencode($data['comment_type']) .
'&comment_author=' . urlencode($data['comment_author']) .
'&comment_author_email=' . urlencode($data['comment_author_email']) .
'&comment_author_url=' . urlencode($data['comment_author_url']) .
'&comment_content=' . urlencode($data['comment_content']);
$host = $http_host = 'rest.akismet.com';
$path = '/1.1/submit-ham';
$port = 443;
$akismet_ua = "WordPress/4.4.1 | Akismet/3.1.7";
$content_length = strlen( $request );
$http_request = "POST $path HTTP/1.0\r\n";
$http_request .= "Host: $host\r\n";
$http_request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$http_request .= "Content-Length: {$content_length}\r\n";
$http_request .= "User-Agent: {$akismet_ua}\r\n";
$http_request .= "\r\n";
$http_request .= $request;
$response = '';
if ( false != ( $fs = @fsockopen( 'ssl://' . $http_host, $port, $errno, $errstr, 10 ) ) ) {
fwrite( $fs, $http_request );
while ( !feof( $fs ) )
$response .= fgets( $fs, 1160 ); // One TCP-IP packet
fclose( $fs );
$response = explode( "\r\n\r\n", $response, 2 );
}
if ( 'Thanks for making the web a better place.' == $response[1] ) {
return true;
} else {
return false;
}
}
This call returns a single response:
Array
(
[0] => HTTP/1.1 200 OK
Server: nginx
Date: Mon, 24 Feb 2014 20:41:15 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Content-length: 41
[1] => Thanks for making the web a better place.
)
If you ever get stuck or need help troubleshooting something, please don’t hesitate to contact us.
An endpoint to keep track of the sites that are using your Akismet API key.
All paramaters can be passed via the GET or POST methods.
2022-09). Defaults to the current month. json (default): Return results as JavaScript Object Notation values.csv: Return results as comma separated values.total (default): Total number of API calls (spam + ham).spam: Order by the number of spam caught.ham: Order by the number of non-spam let through.missed_spam: Order by the number of reported missed spam.false_positives: Order by the number of reported false positives.
$data = file_get_contents( 'https://rest.akismet.com/1.2/key-sites?api_key=123YourAPIKey&month=2022-09&format=csv' );
var_dump( $data );
{
"2022-09":[
{
"site":"site6735.domain.tld",
"api_calls":"2072",
"spam":"2069",
"ham":"3",
"missed_spam":"0",
"false_positives":"4",
"is_revoked":false
},{
"site":"site4748.domain.tld",
"api_calls":"1633",
"spam":"3",
"ham":"1630",
"missed_spam":"0",
"false_positives":"0",
"is_revoked":true
}
]
}
Active sites for 123YourAPIKey during 2022-09.
Site,Total API Calls,Spam,Ham,Missed Spam,False Positives,Is Revoked
site6735.domain.tld,14446,33,13,0,9,false
site3026.domain.tld,8677,101,6,0,0,false
site3737.domain.tld,4230,65,5,2,0,true
site5653.domain.tld,2921,30,1,2,6,false
true for spam in the queried month. false for spam in the queried month. If you ever get stuck or need help troubleshooting something, please don’t hesitate to contact us.
An endpoint to keep track of your Akismet API usage for the current month.
All paramaters can be passed via the GET or POST methods.
$data = file_get_contents( 'https://rest.akismet.com/1.2/usage-limit?api_key=123YourAPIKey' );
var_dump( $data );
{
"limit":350000,
"usage":7463,
"percentage":"2.13",
"throttled":false
}
350000: The limit, when applicable.none: If your plan is unlimited.If you ever get stuck or need help troubleshooting something, please don’t hesitate to contact us.
An API response may include an error code in the X-akismet-alert-code header. It is always accompanied by a X-akismet-alert-msg header containing a message describing the error that can be shown to the end user, but the list below includes all of the currently active error codes for reference.
10001: Your site is using an expired Yahoo! Small Business API key.10003: You must upgrade your Personal subscription to continue using Akismet.10005: Your Akismet API key may be in use by someone else.10006: Your subscription has been suspended due to improper use.10007: Your Akismet API key is being used on more sites than is allowed.10008: Your Akismet API key is being used on more sites than is allowed.10009: Your subscription has been suspended due to overuse.10010: Your subscription has been suspended due to inappropriate use.10011: Your subscription needs to be upgraded due to high usage.10402: Your API key was suspended for non-payment.10403: The owner of your API key has revoked your site's access to the key.10404: Your site was not found in the list of sites allowed to use the API key you used.30001: Your Personal subscription needs to be upgraded based on your usage.If you’re having trouble getting started, get in touch
Comment check
This is the call you will make the most. It takes a number of arguments and characteristics about the submitted content and then returns a thumbs up or thumbs down. Performance can drop dramatically if you choose to exclude data points. The more data you send Akismet about each comment, the greater the accuracy. We recommend erring on the side of including too much data.
This method is called with the following URL:
All parameters should be sent via the POST method.
Parameters
Your Akismet API key. You can find this on your account dashboard at https://akismet.com/account/
The front page or home URL of the instance making the request. For a blog or wiki this would be the front page. Note: Must be a full URI, including http://.
IP address of the comment submitter.
User agent string of the web browser submitting the comment - typically the HTTP_USER_AGENT cgi variable. Not to be confused with the user agent of your Akismet library.
The content of the HTTP_REFERER header should be sent here.
The full permanent URL of the entry the comment was submitted to.
A string that describes the type of content being sent. Examples:
You may send a value not listed above if none of them accurately describe your content. This is further explained here.comment: A blog comment.forum-post: A top-level forum post.reply: A reply to a top-level forum post.blog-post: A blog post.contact-form: A contact form or feedback form submission.signup: A new user account.message: A message sent between just a few users.Name submitted with the comment.
Email address submitted with the comment.
URL submitted with comment. Only send a URL that was manually entered by the user, not an automatically generated URL like the user’s profile URL on your site.
The content that was submitted.
The UTC timestamp of the creation of the comment, in ISO 8601 format. May be omitted for comment-check requests if the comment is sent to the API at the time it is created.
The UTC timestamp of the publication time for the post, page or thread on which the comment was posted.
Indicates the language(s) in use on the blog or site, in ISO 639-1 format, comma-separated. A site with articles in English and French might use “en, fr_ca”.
The character encoding for the form values included in comment_* parameters, such as “UTF-8” or “ISO-8859-1”.
The user role of the user who submitted the comment. This is an optional parameter. If you set it to “administrator”, Akismet will always return false.
This is an optional parameter. You can use it when submitting test queries to Akismet.
If you are sending content to Akismet to be rechecked, such as a post that has been edited or old pending comments that you’d like to recheck, include the parameter recheck_reason with a string describing why the content is being rechecked. For example, recheck_reason=edit.
If you use a honeypot field in your implementation, include the name of the field in your request as well as the value of that field. For example, if you have a honeypot field that looks like <input type="text" name="hidden_honeypot_field" style="display: none;" />, then you should include two extra parameters in your request: honeypot_field_name=hidden_honeypot_field and hidden_honeypot_field=[the value of the input].
Other server environmental variables
In PHP, there is an array of environmental variables called $_SERVER that contains information about the Web server itself as well as a key/value for every HTTP header sent with the request. This data is highly useful to Akismet. How the submitted content interacts with the server can be very telling, so please include as much of it as possible.
PHP Example
$data = array( 'blog' => 'http://yourgroovydomain.com', 'user_ip' => '127.0.0.1', 'user_agent' => 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6', 'referrer' => 'http://www.google.com', 'permalink' => 'http://yourgroovydomain.com/blog/post=1', 'comment_type' => 'comment', 'comment_author' => 'admin', 'comment_author_email' => 'test@example.com', 'comment_author_url' => 'http://www.example.com', 'comment_content' => 'It means a lot that you would take the time to review our software.Thanks again.' ); akismet_submit_spam( '123YourAPIKey', $data ); function akismet_submit_spam( $api_key, $data ) { $request = 'api_key=' . urlencode( $api_key ) . '&blog=' . urlencode($data['blog']) . '&user_ip=' . urlencode($data['user_ip']) . '&user_agent=' . urlencode($data['user_agent']) . '&referrer=' . urlencode($data['referrer']) . '&permalink=' . urlencode($data['permalink']) . '&comment_type=' . urlencode($data['comment_type']) . '&comment_author=' . urlencode($data['comment_author']) . '&comment_author_email=' . urlencode($data['comment_author_email']) . '&comment_author_url=' . urlencode($data['comment_author_url']) . '&comment_content=' . urlencode($data['comment_content']); $host = $http_host = 'rest.akismet.com'; $path = '/1.1/submit-spam'; $port = 443; $akismet_ua = "WordPress/4.4.1 | Akismet/3.1.7"; $content_length = strlen( $request ); $http_request = "POST $path HTTP/1.0\r\n"; $http_request .= "Host: $host\r\n"; $http_request .= "Content-Type: application/x-www-form-urlencoded\r\n"; $http_request .= "Content-Length: {$content_length}\r\n"; $http_request .= "User-Agent: {$akismet_ua}\r\n"; $http_request .= "\r\n"; $http_request .= $request; $response = ''; if ( false != ( $fs = @fsockopen( 'ssl://' . $http_host, $port, $errno, $errstr, 10 ) ) ) { fwrite( $fs, $http_request ); while ( !feof( $fs ) ) $response .= fgets( $fs, 1160 ); // One TCP-IP packet fclose( $fs ); $response = explode( "\r\n\r\n", $response, 2 ); } if ( 'Thanks for making the web a better place.' == $response[1] ) { return true; } else { return false; } }This call returns either “true” (if this is spam) or “false” if it’s not.
Spam response example
The call returns “true” if the comment is spam. If you are having trouble triggering a spam response, you can send “viagra-test-123” as the author or “akismet-guaranteed-spam@example.com” as the author email. Either value will always trigger a “true” response.
Array ( [0] => HTTP/1.1 200 OK Server: nginx Date: Mon, 24 Feb 2014 20:17:08 GMT Content-Type: text/plain; charset=utf-8 Connection: close Content-length: 4 [1] => true )A spam response may also include the X-akismet-pro-tip header, like so:
Array ( [0] => HTTP/1.1 200 OK Server: nginx Date: Mon, 24 Feb 2014 20:17:08 GMT Content-Type: text/plain; charset=utf-8 Connection: close X-akismet-pro-tip: discard Content-length: 4 [1] => true )If the X-akismet-pro-tip header is set to discard, then Akismet has determined that the comment is blatant spam, and you can safely discard it without saving it in any spam queue. Read more about this feature in this Akismet blog post.
Ham response example
The call returns “false” if the comment is ham. If you are having trouble triggering a ham response, you can set “user_role” to “administrator” and set the “is_test” parameter to “true”, and it will always trigger a “false” response.
Array ( [0] => HTTP/1.1 200 OK Server: nginx Date: Mon, 24 Feb 2014 20:17:08 GMT Content-Type: text/plain; charset=utf-8 Connection: close Content-length: 4 [1] => false )Error response example
If the call returns neither true nor false, the X-akismet-debug-help header will provide context for any error that has occurred. Note that the X-akismet-debug-help header will not always be sent if a response does not return false or true.
Array ( [0] => HTTP/1.1 200 OK Server: nginx Date: Mon, 24 Feb 2014 16:34:54 GMT Content-Type: text/plain; charset=utf-8 Connection: close X-akismet-debug-help: We were unable to parse your blog URI Content-length: 7 [1] => invalid )Testing your data
It is important to test Akismet with a significant amount of real, live data in order to draw any conclusions on accuracy. Akismet works by comparing content to genuine spam activity happening right now (and this is based on more than just the content itself), so artificially generating spam comments is not a viable approach.
We’re here to help
If you ever get stuck or need help troubleshooting something, please don’t hesitate to contact us.