API Documentation

Integrate IP enrichment and threat intelligence into your applications with our free REST API.

Generate a client in any language:

Authentication

All API requests require authentication via an API key. Include your key in the X-API-Key header.

To obtain an API key, register for a free account and visit your profile page.

Rate Limits

All accounts start on the free tier. The default limits are:

Endpoint Limit Scope
API lookups 600 requests per hour Per API key
Web lookups 30 requests per hour Per IP address
Login attempts 10 attempts per hour Per IP address

Need higher API limits? Registered users can request a limit increase from their profile page. Requests are reviewed and approved on a case-by-case basis.

Rate limit information is included in every API response via headers:

X-RateLimit-Limit: 600X-RateLimit-Remaining: 95

IP Lookup

Retrieve enrichment data, geolocation, ISP information, and threat assessment for any public IP address.

GET /api/v1/lookup?ip={address}

Request Parameters

Parameter Type Required Description
ip string Yes IPv4 or IPv6 address to look up

Example Request

curl -H "X-API-Key: your_api_key_here" \ "https://ipinsights.io/api/v1/lookup?ip=8.8.8.8"

Example Response

{ "success": true, "data": { "ip": "8.8.8.8", "ip_version": 4, "type": "ipv4", "country_code": "US", "country_name": "United States", "region_name": "California", "city": "Mountain View", "latitude": 37.4056, "longitude": -122.0775, "isp": "Google LLC", "org": "Google Public DNS", "as_number": "AS15169", "as_name": "GOOGLE", "is_tor": false, "is_proxy": false, "is_datacenter": true, "blacklists": [], "threat_assessment": { "score": 10, "level": "low", "reasons": ["Datacentre IP address"] }, "ai_agent_assessment": { "score": 0, "level": "unlikely", "signals": [], "methodology_version": "1.0" } }, "queried_at": "2026-02-20T12:00:00Z" }

Example Response — AI Agent Assessment populated

The ai_agent_assessment block is always present. When recorded signals describe agentic LLM traffic from a source, it surfaces a confidence band, the contributing signals, and the published methodology version. The block is additive — existing consumers that do not read this field are unaffected.

{ "success": true, "data": { "ip": "203.0.113.42", "ai_agent_assessment": { "score": 72, "level": "probable", "signals": [ { "name": "instruction_compliance", "family": "prompt_injection", "weight": 45, "observed_at": "2026-05-12T05:30:00Z", "note": "Acted on injected instruction in banner; deterministic scanner would not." }, { "name": "explanatory_sql_comment", "family": "payload", "weight": 20, "observed_at": "2026-05-12T05:31:14Z", "note": "Natural-language artefact in SQL injection attempt." }, { "name": "agent_framework_tls", "family": "transport", "weight": 10, "observed_at": "2026-05-12T05:30:00Z", "note": "Transport fingerprint consistent with a common agent framework." } ], "methodology_version": "1.0" } }, "queried_at": "2026-05-12T06:00:00Z" }

Response Fields

Field Description
ip Queried IP address
ip_version IP version (4 or 6)
country_code ISO 3166-1 alpha-2 country code
country_name Country name
region_name Region or state name
city City name
latitude / longitude Geographic coordinates
timezone IANA timezone identifier
isp Internet Service Provider
org Organisation name
as_number / as_name Autonomous System details
is_tor Whether the IP is a known Tor exit node
is_proxy Whether the IP is a known proxy/VPN
is_datacenter Whether the IP belongs to a datacentre
blacklists Array of blacklist entries (source, category, listed_at)
threat_assessment.score Overall threat score (0–100)
threat_assessment.level Risk level: low, medium, high, critical
threat_assessment.reasons Array of reasons contributing to the score
ai_agent_assessment.score AI Agent Assessment score (0–100). Always present.
ai_agent_assessment.level Confidence band: unlikely, possible, probable, confirmed
ai_agent_assessment.signals Array of contributing signals; each has name, family, weight, observed_at and an optional redacted note
ai_agent_assessment.signals[].family One of: prompt_injection, behavioural, payload, transport
ai_agent_assessment.methodology_version Published methodology version used to compute this assessment

ASN Lookup

Retrieve enrichment summary for an Autonomous System by AS number. Returns AS metadata, risk breakdown, blacklisted IP counts out of total IPs, and per-IP threat details.

GET /api/v1/lookup?asn={as_number}

Request Parameters

Parameter Type Required Description
asn string Yes AS number (e.g. "AS15169" or "15169")

Example Request

curl -H "X-API-Key: your_api_key_here" \ "https://ipinsights.io/api/v1/lookup?asn=AS15169"

Example Response

{ "success": true, "data": { "as_number": "AS15169", "as_name": "GOOGLE", "isp": "Google LLC", "org": "Google LLC", "total_ips": 42, "blacklisted_ips": 3, "risk_breakdown": { "low": 38, "medium": 2, "high": 1, "critical": 1 }, "risk_score": 12, "risk_level": "low", "ips": [ { "ip": "8.8.8.8", "threat_score": 10, "level": "low", "is_blacklisted": false, "country_code": "US" } ] }, "queried_at": "2026-02-20T12:00:00Z" }

CIDR Lookup

Retrieve enrichment summary for an IPv4 CIDR block. Returns all known IPs within the range with threat and blacklist data. Prefix length must be between /8 and /32.

GET /api/v1/lookup?cidr={cidr_block}

Request Parameters

Parameter Type Required Description
cidr string Yes IPv4 CIDR block (e.g. "8.8.8.0/24")

Example Request

curl -H "X-API-Key: your_api_key_here" \ "https://ipinsights.io/api/v1/lookup?cidr=8.8.8.0/24"

Example Response

{ "success": true, "data": { "cidr": "8.8.8.0/24", "range_start": "8.8.8.0", "range_end": "8.8.8.255", "total_ips_in_db": 5, "blacklisted_ips": 1, "autonomous_systems": [ { "as_number": "AS15169", "as_name": "GOOGLE" } ], "risk_breakdown": { "low": 4, "medium": 0, "high": 1, "critical": 0 }, "risk_score": 22, "risk_level": "low", "ips": [ { "ip": "8.8.8.8", "threat_score": 10, "level": "low", "is_blacklisted": false, "as_number": "AS15169", "country_code": "US" } ] }, "queried_at": "2026-02-20T12:00:00Z" }

Bulk Lookup

Submit up to 100 IPs in a single call. Each public IP in the batch consumes one request from your hourly quota. RFC 1918 (private) addresses are returned without consuming quota.

POST /api/v1/bulk-lookup

Example Request

curl -X POST -H "X-API-Key: your_api_key_here" \ -H "Content-Type: application/json" \ -d '{"ips":["8.8.8.8","1.1.1.1","9.9.9.9"]}' \ "https://ipinsights.io/api/v1/bulk-lookup"

Teaser (no API key)

Unauthenticated evaluation endpoint with a tight per-source-IP rate limit of 10 requests/hour. Returns a trimmed enrichment payload — enough to evaluate the service, not enough to replace an authenticated integration. Paste a curl command into a chat channel to demo the API without anyone needing an account.

GET /api/v1/teaser?ip={address}

Example Request

curl "https://ipinsights.io/api/v1/teaser?ip=8.8.8.8"

Threat-Intel Feeds (STIX / TAXII / MISP)

The same indicators that power the blocklist are exposed over the wire protocols used by serious TIPs. All three feeds are anonymous and regenerated every 4 hours.

Submit a Report

Contribute observed attackers back to ipinsights.io. Every adopter of one of our integration guides can opt into a small reciprocal upload script, turning their SIEM into a sensor. Submissions are weighted by the submitter's reputation, which evolves over time as reports are corroborated by other intelligence sources.

POST /api/v1/report

Request Body

Field Type Required Description
ip string Yes Public IPv4 or IPv6 address of the observed attacker
categories array | string Yes One to five category tags. May be a JSON array or a comma-separated string.
comment string No Free-text context (≤ 1,024 chars).
source string No Integration identifier — one of wazuh, graylog, splunk, sentinel, crowdsec, fail2ban, suricata, thehive, n8n, home_assistant, manual.

Allowed Categories

ssh_bruteforce, rdp_bruteforce, web_bruteforce, web_attack, sql_injection, xss, port_scan, vulnerability_scan, exploit_attempt, credential_stuffing, phishing, spam, malware, ddos, botnet, c2, tor_abuse, open_proxy_abuse, other.

Example Request

curl -X POST \ -H "X-API-Key: your_api_key_here" \ -H "Content-Type: application/json" \ -d '{ "ip": "203.0.113.42", "categories": ["ssh_bruteforce","port_scan"], "comment": "10 failed SSH logins from this IP in 60s", "source": "manual" }' \ "https://ipinsights.io/api/v1/report"

Example Response (HTTP 201)

{ "success": true, "message": "Report received. Thank you for contributing.", "report_id": 18429, "weight": 1.00, "corroborated": false, "reputation": 1.00, "categories": ["ssh_bruteforce","port_scan"], "reported_at": "2026-05-12T06:49:10Z" }

Notes on Data Quality

  • Each report consumes one unit of your hourly /api/v1/lookup quota.
  • Private / reserved IPs (RFC 1918, loopback, etc.) are rejected.
  • Submitting the same IP repeatedly within 15 minutes from the same key is rate-limited at the application layer (HTTP 400).
  • Submissions are weighted by submitter reputation (0.102.00). New reporters start at 1.00; reports corroborated by existing blacklist hits raise the score, reports invalidated by an admin lower it.
  • The unweighted contents of a single report are not sufficient on their own to add an IP to a blocklist — they feed into the aggregate threat assessment alongside our own sensor network and the 23+ threat-intel feeds we already cross-reference.

Error Codes

Code Meaning
201Report created (POST /api/v1/report)
400Invalid request (missing or malformed IP, ASN, or CIDR)
401Missing or invalid API key
422IP address is private or reserved
429Rate limit exceeded
500Internal server error