POST /api/agent/ip
IP Lookup
curl --request POST \
  --url https://encrata.com/api/agent/ip \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "ip": "<string>"
}
'
{
  "ip_address": "<string>",
  "reverse_dns": "<string>",
  "security": {
    "is_vpn": true,
    "is_proxy": true,
    "is_tor": true,
    "is_hosting": true,
    "is_relay": true,
    "is_mobile": true,
    "is_abuse": true,
    "is_static": true,
    "connection_type": "<string>",
    "provider_name": "<string>",
    "provider_type": "<string>"
  },
  "asn": {
    "asn": 123,
    "name": "<string>",
    "domain": "<string>",
    "type": "<string>"
  },
  "company": {
    "name": "<string>",
    "domain": "<string>",
    "type": "<string>"
  },
  "location": {
    "city": "<string>",
    "region": "<string>",
    "country": "<string>",
    "country_code": "<string>",
    "postal_code": "<string>",
    "continent": "<string>",
    "longitude": 123,
    "latitude": 123
  },
  "timezone": {
    "name": "<string>",
    "abbreviation": "<string>",
    "utc_offset": 123
  },
  "threat": {
    "abuse_score": 123,
    "total_reports": 123,
    "last_reported_at": "<string>",
    "usage_type": "<string>",
    "is_tor": true,
    "is_whitelisted": true,
    "distinct_users": 123,
    "is_scanner": true,
    "is_known_service": true,
    "classification": "<string>",
    "scanner_name": "<string>",
    "last_seen": "<string>"
  },
  "malware": {
    "malicious_count": 123,
    "suspicious_count": 123,
    "harmless_count": 123,
    "undetected_count": 123,
    "reputation": 123,
    "network": "<string>"
  },
  "network": {
    "cidr": "<string>",
    "range_start": "<string>",
    "range_end": "<string>",
    "name": "<string>",
    "rir": "<string>",
    "registrant_org": "<string>",
    "abuse_email": "<string>",
    "abuse_phone": "<string>",
    "allocated_at": "<string>",
    "country": "<string>"
  },
  "ports": {
    "ports": [
      123
    ],
    "services": [
      {}
    ],
    "software": [
      "<string>"
    ],
    "vulns": [
      "<string>"
    ],
    "tags": [
      "<string>"
    ],
    "hostnames": [
      "<string>"
    ]
  },
  "blocklist": {
    "listed": true,
    "lists": [
      "<string>"
    ],
    "checked": 123
  },
  "cloud": {
    "is_cloud": true,
    "provider": "<string>"
  },
  "bgp": {
    "prefix": "<string>",
    "announced": true,
    "upstreams": [
      "<string>"
    ],
    "peers": [
      "<string>"
    ]
  },
  "passive_dns": {
    "records": [
      {}
    ],
    "total_count": 123
  },
  "reputation_history": {
    "snapshots": [
      {}
    ],
    "trend": "<string>"
  },
  "routing_history": {
    "entries": [
      {}
    ],
    "origin_changes": 123,
    "possible_hijack": true
  },
  "tls": {
    "probed": true,
    "has_tls": true,
    "jarm": "<string>",
    "ja3s": "<string>",
    "tls_version": "<string>",
    "cipher_suite": "<string>",
    "certificate": {}
  },
  "c2": {
    "is_c2": true,
    "malware": "<string>",
    "botnet": "<string>",
    "first_seen": "<string>",
    "last_seen": "<string>",
    "confidence": "<string>",
    "source": "<string>"
  },
  "honeypot": {
    "is_honeypot": true,
    "confidence": "<string>",
    "reason": "<string>"
  },
  "certificates": {
    "total": 123,
    "domains": [
      "<string>"
    ],
    "recent": [
      {}
    ]
  },
  "peering": {
    "asn": 123,
    "org_name": "<string>",
    "network_name": "<string>",
    "info_type": "<string>",
    "traffic": "<string>",
    "website": "<string>",
    "ixps": [
      "<string>"
    ],
    "ix_count": 123
  },
  "fraud": {
    "scores": [
      {}
    ]
  },
  "threat_feeds": {
    "feeds": [
      {}
    ]
  }
}

Authentication

Requires an API key in the Authorization header.
Authorization: Bearer YOUR_API_KEY

Request

ip (string, required): The IP address to look up (IPv4 or IPv6).

Example request

curl -X POST "https://encrata.com/api/agent/ip" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"ip": "8.8.8.8"}'

Response

ip_address (string): The IP address that was looked up.
reverse_dns (string): The PTR (reverse DNS) record for the IP, if one exists.
security (object): Security/threat detection flags.
asn (object): Autonomous System Number details.
company (object): Company or organization that owns the IP range.
location (object): Geolocation data.
timezone (object): Timezone information.
threat (object): Threat intelligence data.
malware (object): Malware analysis results.
network (object): Network allocation / WHOIS data from RDAP (free, no API key).
ports (object): Open ports and exposed services from Shodan InternetDB and Censys (Censys requires a key).
blocklist (object): Spam/abuse blocklist (DNSBL) membership.
cloud (object): Detected cloud hosting provider.
bgp (object): BGP routing data from RIPEstat (free, no API key).
passive_dns (object): History of domains that have resolved to this IP.
reputation_history (object): The IP’s reputation tracked over time: a timeline rather than a single snapshot. Grows on each lookup.
routing_history (object): Allocation and BGP-announcement history: who has originated the IP over time, with hijack detection.
tls (object): Active TLS/certificate fingerprint from a live probe of port 443. Use the JARM hash and certificate SHA-256 to pivot to related infrastructure.
c2 (object): Command-and-control / botnet detection.
honeypot (object): Honeypot / decoy detection.
certificates (object): Certificate transparency records that reference the IP, from crt.sh (free, no API key).
peering (object): Operator and Internet Exchange (IXP) context from PeeringDB (free, no API key).
fraud (object): Proxy/fraud “second opinions”: independent verdicts from multiple providers (proxycheck.io is keyless; IPQualityScore, Spur, Scamalytics, and IPHub require keys).
threat_feeds (object): Extra threat-intelligence feeds (require keys): AlienVault OTX and Pulsedive.

Example response

200 OK
{
  "ip_address": "8.8.8.8",
  "reverse_dns": "dns.google",
  "security": {
    "is_vpn": false,
    "is_proxy": false,
    "is_tor": false,
    "is_hosting": true,
    "is_relay": false,
    "is_mobile": false,
    "is_abuse": false,
    "is_static": true,
    "connection_type": "hosting"
  },
  "asn": {
    "asn": 15169,
    "name": "GOOGLE",
    "domain": "google.com",
    "type": "hosting"
  },
  "company": {
    "name": "Google LLC",
    "domain": "google.com",
    "type": "hosting"
  },
  "location": {
    "city": "Mountain View",
    "region": "California",
    "country": "United States",
    "country_code": "US",
    "postal_code": "94043",
    "continent": "North America",
    "longitude": -122.0775,
    "latitude": 37.4056
  },
  "timezone": {
    "name": "America/Los_Angeles",
    "abbreviation": "PDT",
    "utc_offset": -7
  },
  "threat": {
    "abuse_score": 0,
    "total_reports": 87,
    "last_reported_at": "2026-05-10T14:22:00+00:00",
    "usage_type": "Data Center/Web Hosting/Transit",
    "is_tor": false,
    "is_whitelisted": true,
    "distinct_users": 42,
    "is_scanner": false,
    "is_known_service": true,
    "classification": "benign",
    "scanner_name": "Google DNS",
    "last_seen": "2026-05-11"
  },
  "malware": {
    "malicious_count": 0,
    "suspicious_count": 0,
    "harmless_count": 74,
    "undetected_count": 12,
    "reputation": 30,
    "network": "8.8.8.0/24"
  },
  "network": {
    "cidr": "8.8.8.0/24",
    "range_start": "8.8.8.0",
    "range_end": "8.8.8.255",
    "name": "GOGL",
    "rir": "ARIN",
    "registrant_org": "Google LLC",
    "abuse_email": "network-abuse@google.com",
    "allocated_at": "2014-03-14",
    "country": "US"
  },
  "ports": {
    "ports": [53, 443],
    "software": ["cpe:/a:google:dns"],
    "vulns": [],
    "tags": ["cdn"],
    "hostnames": ["dns.google"]
  },
  "blocklist": {
    "listed": false,
    "lists": [],
    "checked": 5
  },
  "cloud": {
    "is_cloud": true,
    "provider": "Google Cloud"
  },
  "bgp": {
    "prefix": "8.8.8.0/24",
    "announced": true,
    "upstreams": ["15169"],
    "peers": ["1299", "3356"]
  },
  "passive_dns": {
    "records": [
      { "domain": "dns.google", "record_type": "A", "first_seen": "2018-04-02", "last_seen": "2026-06-24", "source": "pdns" }
    ],
    "total_count": 1
  },
  "reputation_history": {
    "snapshots": [
      { "date": "2026-06-20", "abuse_score": 0, "malicious_count": 0, "listed": false, "is_c2": false, "classification": "benign", "threat_level": "clean" }
    ],
    "trend": "stable"
  },
  "routing_history": {
    "entries": [
      { "asn": 15169, "holder": "GOOGLE", "prefix": "8.8.8.0/24", "start_time": "2014-03-14", "end_time": "" }
    ],
    "origin_changes": 0,
    "possible_hijack": false
  },
  "tls": {
    "probed": true,
    "has_tls": true,
    "jarm": "27d40d40d29d40d1dc42d43d00041d4689ee210389f4f6b4b5b1b93f92252d",
    "tls_version": "TLS 1.3",
    "cipher_suite": "TLS_AES_256_GCM_SHA384",
    "certificate": {
      "subject_cn": "dns.google",
      "issuer_cn": "WR2",
      "sans": ["dns.google", "*.dns.google.com"],
      "not_after": "2026-08-18",
      "sha256": "a1b2c3...",
      "self_signed": false,
      "expired": false
    }
  },
  "c2": { "is_c2": false },
  "honeypot": { "is_honeypot": false },
  "certificates": {
    "total": 3,
    "domains": ["dns.google", "*.dns.google.com"],
    "recent": [
      { "common_name": "dns.google", "issuer": "WR2", "not_before": "2026-05-20", "not_after": "2026-08-18" }
    ]
  },
  "peering": {
    "asn": 15169,
    "org_name": "Google LLC",
    "network_name": "Google",
    "info_type": "Content",
    "traffic": "100+ Tbps",
    "website": "https://about.google",
    "ixps": ["DE-CIX Frankfurt", "AMS-IX", "LINX LON1"],
    "ix_count": 3
  },
  "fraud": {
    "scores": [
      { "source": "proxycheck.io", "score": 0, "risk": "low", "is_proxy": false, "is_vpn": false, "is_tor": false, "type": "Business" }
    ]
  },
  "threat_feeds": {
    "feeds": [
      { "source": "alienvault_otx", "malicious": false, "risk": "none", "pulses": 0 }
    ]
  }
}

Notes

  • This endpoint is free — no credits are deducted.
  • Supports both IPv4 and IPv6 addresses.
  • Results are cached — repeat lookups within the cache window are instant.
  • If a provider is unavailable, the response still includes data from the remaining providers.
  • Several sources are free / no API key (Shodan InternetDB, crt.sh, PeeringDB, GreyNoise community, proxycheck.io free tier). Others are enriched only when their API key is configured server-side (Censys, IPQualityScore, Spur, Scamalytics, IPHub, AlienVault OTX, Pulsedive) — fields like fraud, threat_feeds, certificates, and peering are omitted when no provider returns data.
  • Rate limited to 60 requests per minute.
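
Because sections can be omitted or a provider can be unavailable, a consumer should tell "no data" apart from "nothing bad found". The following triage sketch is an added example, not Encrata's code; the verdict names, the `abuse_threshold` value, the `CORE` set and the sample response are assumptions constructed for illustration.

```python
import json

# Constructed sample in the documented shape. "fraud" and "threat_feeds" are
# absent, as the Notes say happens when no provider returns data.
SAMPLE = json.loads("""
{
  "ip_address": "203.0.113.7",
  "security": {"is_vpn": false, "is_proxy": true, "is_tor": false},
  "threat": {"abuse_score": 85, "total_reports": 12, "is_whitelisted": false},
  "malware": {"malicious_count": 3, "suspicious_count": 1},
  "blocklist": {"listed": true, "lists": ["example-dnsbl"], "checked": 5},
  "routing_history": {"origin_changes": 0, "possible_hijack": false},
  "c2": {"is_c2": false}
}
""")

# Sections the triage reads; missing ones are reported as coverage gaps.
SECTIONS = ("security", "threat", "malware", "blocklist", "c2",
            "routing_history", "fraud", "threat_feeds")
CORE = {"threat", "malware", "blocklist"}  # assumed minimum for a "clean" call

def triage(resp, abuse_threshold=50):
    """Return (verdict, signals, gaps); abuse_threshold is an assumed cut-off."""
    def sect(name):  # a missing or malformed section becomes an empty dict
        value = resp.get(name)
        return value if isinstance(value, dict) else {}
    gaps = [s for s in SECTIONS if not isinstance(resp.get(s), dict)]
    reasons = []
    if sect("c2").get("is_c2"):
        reasons.append("c2")
    if sect("routing_history").get("possible_hijack"):
        reasons.append("possible_hijack")
    if sect("blocklist").get("listed"):
        reasons.append("blocklisted")
    if (sect("malware").get("malicious_count") or 0) > 0:
        reasons.append("malware_detections")
    thr = sect("threat")
    if (thr.get("abuse_score") or 0) >= abuse_threshold and not thr.get("is_whitelisted"):
        reasons.append("abuse_score")
    if any(f.get("malicious") for f in sect("threat_feeds").get("feeds") or []):
        reasons.append("threat_feed")
    # "Second opinions": name each fraud provider that flags the address.
    reasons += ["fraud:" + str(s.get("source")) for s in sect("fraud").get("scores") or []
                if s.get("is_proxy") or s.get("is_vpn") or s.get("is_tor")]
    anonymised = [f for f in ("is_tor", "is_vpn", "is_proxy") if sect("security").get(f)]
    if "c2" in reasons or len(reasons) >= 2:
        verdict = "block"
    elif reasons or anonymised:
        verdict = "review"
    else:  # no signal counts as clean only if the core sections were present
        verdict = "unknown" if CORE & set(gaps) else "clean"
    return verdict, reasons + anonymised, gaps
```

Log the returned `gaps` alongside the verdict so that a later analyst can see which providers contributed to the decision.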