URL Safety API
Check any link programmatically
PIPEDA compliant. Canadian-hosted. 99.9% uptime. Stop phishing, malware, and redirect attacks before your users click.
Scan volume on Mobily
- 0 URLs scanned (30d)
- 39 Links protected
- 200+ Clicks safeguarded
- 17 Canadian teams
Simple, honest pricing
All tiers include PIPEDA-compliant hosting, Redis-cached responses, and 90-day scan logs. Prices in CAD.
Free
For trying the API
no credit card
- 100 scans / month
- 10 requests / minute
- < 500 ms p95
- Community support
Starter
For developers & indie SaaS
billed monthly
- 10,000 scans / month
- 60 requests / minute
- < 250 ms p95
- Email support
- Batch scan (up to 10 URLs)
Pro
For growing SaaS & email tools
billed monthly
- 100,000 scans / month
- 300 requests / minute
- < 150 ms p95
- Priority support
- Batch scan (up to 100)
Enterprise
For high-volume + SLA
custom plans available
- 1,000,000 scans / month
- 1,000 requests / minute
- < 100 ms p95
- 99.9% uptime SLA
- Batch scan (up to 1,000)
All prices in Canadian dollars. Taxes extra where applicable. Annual billing available — save ~17%.
Why link scanning matters
Short answer: the links your users click aren't yours — they're the internet's.
The problem
Any product that accepts user-submitted URLs inherits a liability. A single phishing link posted to a bio page, a support chat, or an email newsletter can damage your brand, burn your sending domain's reputation, or ship a customer's credentials to an attacker. Most teams discover this the day they find out.
The solution
The Mobily URL Safety API is a single POST endpoint that answers one question: is this URL safe? Under the hood, it combines Google Safe Browsing's threat database (the same list Chrome and Firefox use) with heuristic checks for homograph attacks, suspicious top-level domains, and open redirectors. Results are cached in Redis for an hour, so repeat lookups for the same URL return in under 5 milliseconds without re-hitting the upstream provider.
The differentiator
Unlike most safety-scanning providers, every scan log stays in Canada. Data is written to our Montreal infrastructure, URLs are hashed before storage where possible, and scan logs are auto-purged after 90 days. PIPEDA deletion and export endpoints are available on every tier — not just enterprise. That matters when your product serves healthcare, legal, or government clients in Canada, when your customers expect data residency, or when your own compliance auditor asks where link-scanning traffic terminates.
The pricing promise
Pricing is flat: the free tier handles 100 scans per month for internal tooling or evaluation, and the paid tiers scale cleanly from 10,000 to 1,000,000 monthly scans. No overage surprises, no per-endpoint billing, no feature gates on critical pieces like batch scanning or deletion APIs.
Integrate in 30 seconds
Single POST. JSON in, JSON out.
# Request
curl -X POST https://mobily.ca/api/v2/url-safety/scan \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com"}'

# Response
{
  "success": true,
  "data": {
    "url": "https://example.com",
    "is_safe": true,
    "threat_type": null,
    "confidence": 0.99,
    "scan_time_ms": 87,
    "cached": false,
    "scans_remaining": 9847,
    "plan": "starter"
  }
}
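
<?php
// PHP (cURL extension)
$ch = curl_init('https://mobily.ca/api/v2/url-safety/scan');
curl_setopt_array($ch, [
    CURLOPT_POST => true,
    CURLOPT_HTTPHEADER => [
        'X-API-Key: ' . $_ENV['MOBILY_API_KEY'],
        'Content-Type: application/json',
    ],
    CURLOPT_POSTFIELDS => json_encode(['url' => 'https://example.com']),
    CURLOPT_RETURNTRANSFER => true,
]);
// curl_exec() returns false on a transport error; treat that as "no verdict".
$body = curl_exec($ch);
$result = is_string($body) ? json_decode($body, true) : null;
// Only an explicit boolean true counts as safe.
if (($result['data']['is_safe'] ?? false) === true) echo "Safe\n";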
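
// Node.js 18+ (ES module, top-level await)
const res = await fetch('https://mobily.ca/api/v2/url-safety/scan', {
  method: 'POST',
  headers: {
    'X-API-Key': process.env.MOBILY_API_KEY,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ url: 'https://example.com' }),
});
// An error response may not carry a data object; stop before destructuring it.
if (!res.ok) throw new Error(`Scan failed: HTTP ${res.status}`);
const { data } = await res.json();
console.log(data.is_safe ? 'Safe' : 'Threat: ' + data.threat_type);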

# Python (requests)
import os

import requests

r = requests.post(
    'https://mobily.ca/api/v2/url-safety/scan',
    headers={
        'X-API-Key': os.environ['MOBILY_API_KEY'],
        'Content-Type': 'application/json',
    },
    json={'url': 'https://example.com'},
    timeout=10,
)
r.raise_for_status()  # stop on an HTTP error instead of parsing an error body
data = r.json()['data']
print('Safe' if data['is_safe'] else data['threat_type'])
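
An added example, not Mobily's own code: one way to turn the scan response shown above into a publish or block decision that fails closed when the request times out, the API returns an error status, or the body is not what was expected. The `post` transport callable, the `hold` action and the 0.9 confidence threshold are assumptions made for illustration, and the sample responses are constructed.

```python
import json
from typing import Callable, NamedTuple, Tuple

MIN_CONFIDENCE = 0.9  # assumption: local policy threshold, not a documented API value

class Verdict(NamedTuple):
    action: str  # "allow", "block" or "hold" (hold = queue for review, do not publish)
    reason: str

def interpret_scan(status: int, body: str, min_confidence: float = MIN_CONFIDENCE) -> Verdict:
    """Map one scan response to an action; only a clear 'safe' is allowed through."""
    if status != 200:
        # Error statuses (quota, rate limit) are not documented on the page.
        return Verdict("hold", f"http {status}")
    try:
        payload = json.loads(body)
    except ValueError:
        return Verdict("hold", "unparseable body")
    data = payload.get("data") if isinstance(payload, dict) else None
    if not isinstance(data, dict) or payload.get("success") is not True:
        return Verdict("hold", "no verdict in response")
    is_safe, conf = data.get("is_safe"), data.get("confidence")
    if is_safe is False:
        return Verdict("block", str(data.get("threat_type")))
    if is_safe is not True:  # missing, null, or a truthy string such as "false"
        return Verdict("hold", "is_safe is not a boolean")
    numeric = isinstance(conf, (int, float)) and not isinstance(conf, bool)
    if not numeric or not conf >= min_confidence:  # NaN also lands here
        return Verdict("hold", "low or missing confidence")
    return Verdict("allow", "clean")

def check_link(url: str, post: Callable[[dict], Tuple[int, str]]) -> Verdict:
    """post() is a hypothetical transport: sends the JSON body, returns (status, text)."""
    try:
        status, body = post({"url": url})
    except Exception as exc:  # timeout, DNS failure, TLS error
        return Verdict("hold", f"transport error: {type(exc).__name__}")
    return interpret_scan(status, body)

# Constructed responses, shaped like the sample response on the page.
SAFE = '{"success": true, "data": {"is_safe": true, "threat_type": null, "confidence": 0.99}}'
THREAT = '{"success": true, "data": {"is_safe": false, "threat_type": "phishing", "confidence": 0.97}}'

if __name__ == "__main__":
    for status, body in [(200, SAFE), (200, THREAT), (429, ""), (200, "<html>")]:
        print(status, interpret_scan(status, body))
```

In production, `post` would wrap the `requests.post` call from the Python sample and return `(r.status_code, r.text)`.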
Why Mobily URL Safety
Canadian privacy law meets enterprise-grade link scanning.
Google Safe Browsing
Checks Google's 5 billion+ threat database — the same list Chrome, Firefox, and Safari use.
PIPEDA compliant
All data stored in Montreal. 90-day scan-log retention. Right to deletion + portability built-in.
Redis cached
Repeat lookups answer in < 5 ms. 1-hour verdict cache.
Real-time logs
Every scan visible in your dashboard — 90 days of usage, threats, response times.
Batch scanning
Scan up to 1,000 URLs in a single call on Enterprise. Perfect for bulk import.
OpenAPI spec
Drop our OpenAPI 3.0 spec into Postman, Insomnia, or any codegen tool.
Built for these use cases
Any product that accepts user-submitted URLs benefits.
SaaS platforms
Pre-scan every inbound link in webhooks, form submissions, bio pages, and user profiles.
Email tools
Shield subscribers before they click — scan every outbound link in transactional and marketing emails.
Browser extensions
Low-latency link verdicts for on-click checks; Enterprise tier clears 100 ms p95.
By signing up you agree to our Terms of Service and Privacy Policy. Starter & higher tiers are covered by our Data Processing Addendum — see the sub-processor list for every vendor that can touch your data.
The Mobily™ URL Safety API is a service provided by TechSynergy Corp., an Ontario corporation.