IP Lookup
Lookups
IP Lookup
Look up intelligence about an IP address — geolocation, VPN/proxy/Tor detection (with named provider), ASN, company, timezone, abuse reports, malware analysis, scanner classification, open ports & CVEs (Shodan InternetDB + Censys), crt.sh certificate transparency, PeeringDB operator/IXP context, proxy/fraud second opinions, extra threat-intel feeds, passive DNS history, reputation over time, routing/allocation history, TLS/JARM fingerprints, honeypot and C2 detection.
POST
IP Lookup
Authentication
Requires an API key in theAuthorization header.
Request
The IP address to look up (IPv4 or IPv6).
Example request
Response
The IP address that was looked up.
The PTR (reverse DNS) record for the IP, if one exists.
Security/threat detection flags.
Autonomous System Number details.
Company or organization that owns the IP range.
Geolocation data.
Timezone information.
Threat intelligence data.
Malware analysis results.
Network allocation / WHOIS data from RDAP (free, no API key).
Open ports and exposed services from Shodan InternetDB and Censys (Censys requires a key).
Spam/abuse blocklist (DNSBL) membership.
Detected cloud hosting provider.
BGP routing data from RIPEstat (free, no API key).
History of domains that have resolved to this IP.
The IP’s reputation tracked over time — a timeline rather than a single snapshot. Grows on each lookup.
Allocation and BGP-announcement history — who has originated the IP over time, with hijack detection.
Active TLS/certificate fingerprint from a live probe of port 443. Use the JARM hash and certificate SHA-256 to pivot to related infrastructure.
Command-and-control / botnet detection.
Honeypot / decoy detection.
Certificate transparency records that reference the IP, from crt.sh (free, no API key).
Operator and Internet Exchange (IXP) context from PeeringDB (free, no API key).
Proxy/fraud “second opinions” — independent verdicts from multiple providers (proxycheck.io is keyless; IPQualityScore, Spur, Scamalytics, and IPHub require keys).
Extra threat-intelligence feeds (require keys): AlienVault OTX and Pulsedive.
Example response
200 OK
Notes
- This endpoint is free — no credits are deducted.
- Supports both IPv4 and IPv6 addresses.
- Results are cached — repeat lookups within the cache window are instant.
- If a provider is unavailable, the response still includes data from the remaining providers.
- Several sources are free / no API key (Shodan InternetDB, crt.sh, PeeringDB, GreyNoise community, proxycheck.io free tier). Others are enriched only when their API key is configured server-side (Censys, IPQualityScore, Spur, Scamalytics, IPHub, AlienVault OTX, Pulsedive) — fields like
fraud,threat_feeds,certificates, andpeeringare omitted when no provider returns data. - Rate limited to 60 requests per minute.