
Spam Score

Heuristic spam scoring for form submissions and user-generated content.

POST /v1/auth/spam-score (1 credit)
cURL

```bash
curl -X POST "https://auth.toolkitapi.io/v1/auth/spam-score" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "John Doe",
    "email": "[email protected]",
    "body": "Hi, I am interested in your services. Please contact me.",
    "honeypot": "",
    "elapsed_seconds": 45.2
  }'
```
Python

```python
import httpx

resp = httpx.post(
    "https://auth.toolkitapi.io/v1/auth/spam-score",
    # Same bearer token as in the curl example
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    json={
        "name": "John Doe",
        "email": "[email protected]",
        "body": "Hi, I am interested in your services. Please contact me.",
        "honeypot": "",
        "elapsed_seconds": 45.2,
    },
)
print(resp.json())
```
JavaScript

```javascript
const resp = await fetch("https://auth.toolkitapi.io/v1/auth/spam-score", {
  method: "POST",
  headers: {
    // Same bearer token as in the curl example
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    "name": "John Doe",
    "email": "[email protected]",
    "body": "Hi, I am interested in your services. Please contact me.",
    "honeypot": "",
    "elapsed_seconds": 45.2
  }),
});
const data = await resp.json();
console.log(data);
```
Response 200 OK

```json
{
  "score": 0.018,
  "verdict": "ham",
  "signals": [],
  "total_weight": 0.0
}
```

How to Use

1. Include the form field values in the request: `body` (required), plus optional fields like `name`, `email`, `subject`, `honeypot`, `ip_address`, and `elapsed_seconds`.
2. Add a hidden `honeypot` field to your form (bots fill it, humans don't) and pass its value.
3. Track the time between page load and form submission, and pass it as `elapsed_seconds`.
4. Send a POST request and use the `score` and `verdict` to decide whether to accept, flag, or reject the submission.
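
The following is an added example, not ToolkitAPI's own code: a server-side handler for steps 2 to 4 that derives `elapsed_seconds` from an HMAC-signed render timestamp, so the value cannot be set by the submitter, and then maps the verdict to an action. The field names `website` (honeypot) and `ts_token`, the `SECRET` and `MAX_FORM_AGE` values, the choice to reject on an invalid token, and the injected `score_fn` (a callable that performs the POST shown at the top of this page and returns the parsed JSON) are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: server-side key, never sent to the browser
MAX_FORM_AGE = 3600                  # assumption: tokens older than one hour are refused

def issue_token(now=None):
    """Value for a hidden form field at render time: '<unix_ts>.<hmac>'."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"

def elapsed_from_token(token, now=None):
    """Seconds since render, or None if the token is forged, malformed or stale."""
    ts, _, mac = token.partition(".")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    elapsed = (now if now is not None else time.time()) - int(ts)
    return elapsed if 0 <= elapsed <= MAX_FORM_AGE else None

def build_payload(form, now=None):
    """Map submitted fields to the request body; None means the timing token failed."""
    elapsed = elapsed_from_token(form.get("ts_token", ""), now)
    if elapsed is None:
        return None
    return {
        "name": form.get("name", ""),
        "email": form.get("email", ""),
        "body": form["body"],
        "honeypot": form.get("website", ""),  # hypothetical CSS-hidden field name
        "elapsed_seconds": elapsed,           # computed server-side, not client-reported
    }

ACTIONS = {"ham": "accept", "suspicious": "flag", "spam": "reject"}

def handle_submission(form, score_fn, now=None):
    """Return 'accept', 'flag' or 'reject' for one form submission."""
    payload = build_payload(form, now)
    if payload is None:
        return "reject"  # assumption: an invalid timing token is treated as automation
    try:
        result = score_fn(payload)
    except Exception:
        return "flag"    # scoring unavailable: hold for review instead of auto-accepting
    return ACTIONS.get(result.get("verdict"), "flag")
```
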

About This Tool

The Spam Score endpoint analyzes form submissions using heuristic rules to determine spam probability. It returns a score between 0.0 (definitely legitimate) and 1.0 (definitely spam), along with a human-readable verdict and the individual signals that contributed to the score.

The heuristic engine checks for honeypot fields, submission timing (bots submit forms almost instantly), known spam trigger phrases, excessive URLs, email mismatches, ALL CAPS abuse, excessive punctuation, suspicious short content, URLs in name fields, and high non-ASCII content ratios.

This provides a lightweight spam filtering layer that doesn't require external services, CAPTCHA, or machine learning models — making it ideal for contact forms, comment sections, and other user-generated content.

Frequently Asked Questions

What are the verdict thresholds?
Score below 0.3 = `ham` (legitimate), 0.3–0.7 = `suspicious` (review manually), above 0.7 = `spam` (safe to reject or quarantine).

How does the honeypot detection work?
Add a hidden input field to your form (hidden via CSS, not `type="hidden"`). Legitimate users won't see or fill it, but automated bots typically fill all fields. A non-empty honeypot value is the strongest spam signal (weight: 5.0).

What elapsed_seconds value indicates a bot?
Submissions under 3 seconds are flagged as suspiciously fast. Most humans take at least 10–30 seconds to fill out a contact form. Track this client-side with JavaScript.

Can I use this as my only spam protection?
It works well as a primary filter for low-to-medium traffic sites. For high-traffic or targeted attack scenarios, combine it with rate limiting, CAPTCHA, and IP reputation services for defense in depth.

What spam phrases are detected?
The engine checks for common spam triggers including "buy now", "click here", "free money", "limited time", "casino", "cryptocurrency", "wire transfer", and about 20 other known patterns.
