Examples in

Build with explainable IP intelligence.

Turn directly observed hostile behavior into explainable allow, challenge, and block decisions. Start with ACE v2 for one IP, then add bulk evaluation, customer policy, live telemetry, and security automation as your integration grows.

ACE v1 remains supported and documented for customers with existing integrations. Those APIs continue to provide the familiar risk levels, legacy threat labels, reputation lookups, bulk workflows, and downloadable intelligence that production systems rely on today.

ACE v2 is FraudGuard's current engine and the future of the platform. It is where we are concentrating new detection logic, richer evidence, explainable recommendations, forecasting, and live capabilities such as Attack Stream. New integrations should begin with ACE v2; existing ACE v1 customers can continue operating normally and adopt ACE v2 as they modernize their enforcement workflows.

In this reference, ACE v2 IP Intelligence contains the recommended decision APIs and ACE v2-powered live telemetry. IP intelligence contains ACE v1 compatibility APIs plus specialized lookup and downloadable-data endpoints.

ACE v1 versus ACE v2

Both engines use FraudGuard threat intelligence, but they expose different decision models and are not schema-compatible.

ACE v1 ACE v2
Best for Maintaining existing integrations that use the numbered reputation, bulk, list, or legacy threat endpoints. New real-time enforcement, explainable decisions, bulk evaluation, forecasting, and live ACE telemetry.
Primary output A risk_level from 1–5 and a legacy threat label such as abuse_tracker, honeypot_tracker, or spam_tracker, with enrichment varying by endpoint version. A recommended allow, challenge, or block action supported by risk, confidence, classifications, reason codes, attributes, and infrastructure context.
Evidence model A summarized reputation result with fields such as discover_date, geography, network enrichment, and—on later endpoints—customer list membership. Time-windowed observed activity, attack families and event types, targeted services and ports, signal freshness, behavior patterns, and human-readable evidence.
Integration rule Continue using it when an existing workflow depends on its response schema or a specialized endpoint is not available in ACE v2. Use recommendation.action as the default enforcement input and retain reasons and confidence_factors for explanation and review.

Integration essentials

ACE v2 IP Intelligence

ACE v2 IP Intelligence is FraudGuard's next-generation IP reputation API. It is designed for real-time allow, challenge, and block decisions using verified FraudGuard honeypot observations, attack behavior, infrastructure enrichment, network context, geography, and account-specific customer controls.

Unlike static IP lists, ACE v2 explains why a recommendation was made. A response can show the observed attack families, attack volume over 24-hour, 7-day, and 30-day windows, targeted services, protocols and ports, current infrastructure classification, customer whitelist/blacklist/geoblock matches, confidence factors, and human-readable reasons.

Plan Availability

Plan Availability
Starter Not included
Professional Included
Business Included
Enterprise Included

HTTP Request

POST https://api.fraudguard.io/ace/v2/ip/check

Authentication

Basic Authentication is required for every request.

Headers

Header Required Description
Authorization Yes Basic Authentication using your FraudGuard API username and password.
Content-Type Yes Must be application/json.

Request Body

{
  "ip": "8.216.12.173"
}
Field Required Type Description
ip Yes string A single valid IPv4 address, IPv6 address, or resolvable hostname.

CIDR ranges are not accepted by this endpoint. Submit one normalized IP address or hostname per request.

If you submit a hostname, FraudGuard resolves it to one IP address and runs the normal ACE v2 IP lookup against that resolved IP. If DNS returns multiple IP addresses, one resolved address is used for the lookup. The response ip field contains the resolved IP address, and the response includes a hostname field containing the original submitted hostname.

curl -u "username:password" \
  -H "Content-Type: application/json" \
  -X POST "https://api.fraudguard.io/ace/v2/ip/check" \
  -d '{"ip":"8.216.12.173"}'
require 'json'
require 'net/http'

uri = URI('https://api.fraudguard.io/ace/v2/ip/check')
request = Net::HTTP::Post.new(uri)
request.basic_auth('username', 'password')
request['Content-Type'] = 'application/json'
request.body = JSON.generate({ ip: '8.216.12.173' })

response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
  http.request(request)
end

puts response.body
import requests
from requests.auth import HTTPBasicAuth

response = requests.post(
    'https://api.fraudguard.io/ace/v2/ip/check',
    json={'ip': '8.216.12.173'},
    auth=HTTPBasicAuth('username', 'password'),
    timeout=30
)

print(response.text)
const response = await fetch('https://api.fraudguard.io/ace/v2/ip/check', {
  method: 'POST',
  headers: {
    'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64'),
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ ip: '8.216.12.173' })
});

console.log(await response.json());
<?php
$ch = curl_init('https://api.fraudguard.io/ace/v2/ip/check');
curl_setopt_array($ch, [
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_POST => true,
  CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
  CURLOPT_USERPWD => 'username:password',
  CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
  CURLOPT_POSTFIELDS => json_encode(['ip' => '8.216.12.173']),
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

$body = @{
    ip = '8.216.12.173'
} | ConvertTo-Json

Invoke-WebRequest `
    -Uri 'https://api.fraudguard.io/ace/v2/ip/check' `
    -Headers $Headers `
    -Method Post `
    -ContentType 'application/json' `
    -Body $body

Example Response

{
  "ip": "8.216.12.173",
  "recommendation": {
    "action": "block",
    "evidence_summary": "This IP was observed performing 3 total attack events across 2 FraudGuard honeypots in the last 7 days, including 2 Jenkins probing events and 1 HTTP/WAF probing event, most recently on May 26, 2026 at 19:31 UTC.",
    "cache_ttl_seconds": 14400
  },
  "classification": {
    "primary": "web_scanner",
    "secondary": [
      "multi_service_scanner",
      "honeypot_attacker",
      "ai_automation",
      "hosting_provider"
    ]
  },
  "risk": {
    "level": 5,
    "label": "critical",
    "confidence": 85,
    "confidence_factors": [
      "recent_activity",
      "repeated_activity",
      "multi_honeypot_reach",
      "specific_attack_signature",
      "multiple_attack_types",
      "multiple_target_services"
    ]
  },
  "observed_activity": {
    "observed": true,
    "attack_families": [
      "web_probe"
    ],
    "activity": {
      "pattern": "burst",
      "trend": "burst",
      "attack_events_24h": 3,
      "attack_events_7d": 3,
      "attack_events_30d": 3,
      "distinct_attack_types_30d": 2,
      "distinct_target_services_30d": 2,
      "distinct_target_ports_30d": 2,
      "first_seen": "2026-05-26T15:45:54+00:00",
      "last_seen": "2026-05-26T19:31:59+00:00"
    },
    "attacks": [
      {
        "type": "jenkins_login_page_probe",
        "service": "jenkins",
        "protocol": "http",
        "destination_port": 8080,
        "attack_events_24h": 2,
        "attack_events_7d": 2,
        "attack_events_30d": 2,
        "honeypots_reached_24h": 1,
        "honeypots_reached_7d": 1,
        "honeypots_reached_30d": 1,
        "first_seen": "2026-05-26T15:45:54+00:00",
        "last_seen": "2026-05-26T15:45:57+00:00"
      },
      {
        "type": "waf_attack",
        "service": "http",
        "protocol": "http",
        "destination_port": 80,
        "attack_events_24h": 1,
        "attack_events_7d": 1,
        "attack_events_30d": 1,
        "honeypots_reached_24h": 1,
        "honeypots_reached_7d": 1,
        "honeypots_reached_30d": 1,
        "first_seen": "2026-05-26T19:31:59+00:00",
        "last_seen": "2026-05-26T19:31:59+00:00"
      }
    ],
    "last_observed_attack": {
      "event_type": "waf_attack",
      "service": "http",
      "protocol": "http",
      "destination_port": 80,
      "observed_at": "2026-05-26T19:31:59+00:00"
    }
  },
  "attributes": {
    "ai_automation_suspected": {
      "detected": true
    }
  },
  "reasons": [
    {
      "code": "abusive_activity_observed",
      "message": "Abusive activity observed by FraudGuard ACE",
      "severity": "high"
    },
    {
      "code": "scanner_activity_observed",
      "message": "Scanner or probing activity observed",
      "severity": "medium"
    },
    {
      "code": "honeypot_interaction_observed",
      "message": "Interaction observed across FraudGuard honeypot infrastructure",
      "severity": "high"
    },
    {
      "code": "waf_attack_activity_observed",
      "message": "HTTP/WAF attack activity observed",
      "severity": "high"
    },
    {
      "code": "activity_within_7_days",
      "message": "Activity observed within the last 7 days",
      "severity": "high"
    }
  ],
  "customer": {
    "ip_in_whitelist": false,
    "ip_in_blacklist": false,
    "ip_in_geoblock": false
  },
  "infrastructure": {
    "type": "hosting_provider",
    "provider": "Alibaba Cloud",
    "is_tor_exit": false,
    "is_public_proxy": false,
    "is_vpn": false,
    "is_hosting_provider": true,
    "is_residential_proxy": false,
    "is_mobile_network": false,
    "is_satellite_network": false,
    "is_shared_exit": false,
    "is_ai_agent": false,
    "first_seen": "2026-05-18T02:44:12+00:00",
    "last_seen": "2026-05-18T15:07:09+00:00",
    "updated_at": "2026-05-18T15:07:09+00:00"
  },
  "network": {
    "asn": 45102,
    "asn_org": "Alibaba US Technology Co., Ltd.",
    "isp": "Alibaba",
    "organization": "Alibaba",
    "prefix": "8.216.12.0/24",
    "connection_type": "Corporate"
  },
  "geography": {
    "country": "Japan",
    "isocode": "JP",
    "state": "Tokyo",
    "city": "Tokyo",
    "postal_code": "102-0082",
    "timezone": "Asia/Tokyo",
    "latitude": 35.6893,
    "longitude": 139.6899
  },
  "metadata": {
    "request_id": "acev2_example_single_lookup",
    "generated_at": "2026-05-27T00:47:35+00:00",
    "schema_version": "2.0.0",
    "api_version": "2.0.0",
    "engine": "ace_v2"
  }
}

Response Fields

Schema stability and dynamic values: the response schema is stable for this API version, while classification and signal values are intentionally dynamic. FraudGuard may add new detections, services, attack signatures, infrastructure categories, behavior models, confidence factors, reason codes, attributes, attack families, attack types, and infrastructure types over time. Integrations should parse known fields but tolerate new values in classification, confidence_factors, attack_families, attacks[].type, reasons[].code, attributes, and infrastructure.type.

Field Type Description
ip string The IP address evaluated by ACE v2. For direct IP requests, this is the submitted IP. For hostname requests, this is the resolved IP used for lookup.
hostname string Present only when the request ip value was a hostname. Contains the original hostname submitted in the request.
recommendation object High-level enforcement guidance for the IP.
classification object Primary and secondary labels describing the strongest observed behavior or infrastructure context.
risk object Numeric risk level, risk label, confidence score, and confidence factors.
observed_activity object FraudGuard honeypot and WAF observations for the IP.
attributes object Machine-readable signal attributes. Keys are signal names and values currently contain detected: true.
reasons array Human-readable reasons converted into stable reason codes and severities.
customer object Account-specific whitelist, blacklist, and geoblock context for the authenticated customer.
infrastructure object FraudGuard infrastructure enrichment for the IP or matching network range.
network object ASN, ISP, organization, prefix, and connection-type enrichment.
geography object Country, region, city, postal code, timezone, latitude, and longitude enrichment.
metadata object Request metadata. Present on the single-IP endpoint response.

recommendation

Field Type Description
action string Recommended action. One of allow, challenge, or block.
evidence_summary string Human-readable summary of the strongest evidence. This may mention observed event volume, targeted services, honeypot reach, WAF activity, infrastructure context, and most recent observation time.
cache_ttl_seconds integer Suggested cache duration for the verdict.

Recommended action values:

Value Meaning
allow No active ACE v2 threat behavior was observed, or only minimal-risk context was present.
challenge Medium, high, or context-driven risk where additional friction is appropriate. Commonly used for suspicious activity, high-risk scanning that does not meet the block threshold, or proxy/anonymized infrastructure where a softer control is appropriate.
block Critical risk. Used when ACE v2 observes strong malicious behavior such as credential attacks, exploitation, high-volume probing, or repeated honeypot interaction.

Cache guidance: use cache_ttl_seconds as FraudGuard's recommended cache duration for your own cache layer. ACE v2 may return different TTLs based on risk level, signal freshness, observed activity, infrastructure context, and how quickly the underlying evidence may change.

classification

Field Type Description
primary string The highest-priority classification for the IP. Clean IPs return clean.
secondary array Additional supporting classifications. This array may be empty.

Current public classification values include:

Classification Description
clean No active ACE v2 threat signals were observed.
credential_attacker Credential attack, login probing, brute-force, password, or authentication behavior.
exploit_prober Exploit, injection, command execution, shell, downloader, or state-changing probing behavior.
botnet_activity Botnet-associated activity.
spam_abuser Spam, SMTP, mail relay, or spam-campaign behavior.
signup_abuser Signup or account-creation abuse behavior.
checkout_abuser Checkout or transaction-abuse behavior.
scraper Scraping, headless browser, Selenium, or Playwright-style automation.
ai_endpoint_scanner AI, LLM, OpenAI-compatible, Ollama, model discovery, or AI gateway probing.
cloud_infrastructure_scanner Docker, Kubernetes, cloud control plane, or orchestration API scanning.
industrial_control_scanner Industrial control system probing such as Modbus.
database_scanner Database or datastore probing such as Redis, MongoDB, MySQL, PostgreSQL, MSSQL, Elasticsearch, or Memcached.
enterprise_service_scanner Enterprise service probing such as SMB, LDAP, directory services, or Windows networking.
remote_access_scanner SSH, Telnet, FTP, RDP, VNC, remote access, remote desktop, or file-transfer probing.
web_scanner HTTP, web route, WAF, Jenkins, WordPress, GraphQL, CMS, admin, or sensitive-path probing.
voip_scanner SIP, VoIP, PBX, or telephony-service probing.
edge_appliance_scanner Edge appliance or gateway probing.
network_service_scanner DNS, NTP, SNMP, resolver, or network service probing.
messaging_service_scanner MQTT, AMQP, queue broker, or messaging-service probing.
mobile_device_scanner ADB or mobile-device service probing.
open_proxy_scanner Open proxy or proxy-service probing.
game_server_scanner Game server probing.
media_server_scanner Media server probing such as Plex.
multi_service_scanner The IP targeted multiple services or ports.
honeypot_attacker The IP interacted with FraudGuard honeypot infrastructure.
suspicious_activity Risk signals exist but do not map to a more specific public behavior classification.
repeat_offender Recurring or persistent behavior over time.
ai_automation AI automation or automated AI-assisted behavior suspected.
anonymous_network Anonymous/proxy network context or behavior.
residential_proxy Residential proxy infrastructure.
tor_exit Tor exit infrastructure.
vpn_exit VPN infrastructure. This is context only and is not inherently malicious by itself.
public_proxy Public proxy infrastructure.
shared_exit Shared exit infrastructure. This is a derived ACE v2 context signal based on observed traffic and infrastructure patterns, not a standalone maliciousness verdict.
hosting_provider Hosting provider, cloud, VPS, or datacenter infrastructure. This is context only and is not inherently malicious by itself.
mobile_network Mobile network infrastructure. This is context only and is not inherently malicious by itself.
satellite_network Satellite network infrastructure. This is context only and is not inherently malicious by itself.
ai_agent AI agent infrastructure. This is context only and is not inherently malicious by itself.

risk

Field Type Description
level integer Numeric risk level from 1 to 5.
label string Human-readable risk label.
confidence integer Confidence score from 0 to 100.
confidence_factors array Machine-readable factors explaining the confidence score.

Risk levels:

Level Label Typical recommendation
1 minimal allow
2 low challenge
3 medium challenge
4 high block
5 critical block

ACE v2 no longer uses the legacy threat taxonomy from earlier FraudGuard APIs. Use classification, reasons, attributes, and observed_activity for behavioral context, and use the returned recommendation—not the numeric risk alone—as the default enforcement input.

Current public confidence factors include:

Factor Description
no_active_threat_signals No active ACE v2 threat behavior was observed for the IP during the current evaluation.
recent_activity FraudGuard observed activity recently enough to increase confidence in the current verdict.
activity_within_7_days FraudGuard observed activity from the IP within the last 7 days.
activity_within_30_days FraudGuard observed activity from the IP within the last 30 days.
high_event_volume The IP generated enough observed events to make the signal stronger than a small number of isolated probes.
repeated_activity The IP showed repeated activity instead of a single isolated observation.
multi_honeypot_reach The IP reached multiple FraudGuard honeypots, which strengthens confidence that the behavior is intentional and not incidental.
observed_activity_evidence The verdict is supported by direct FraudGuard-observed activity rather than enrichment context alone.
specific_attack_signature The observed behavior matched a specific attack, probe, protocol, or service signature.
multiple_attack_types The IP was associated with more than one attack or event type.
multiple_target_services The IP targeted more than one service, application, or protocol surface.
repeat_behavior_pattern The IP showed a recurring or persistent behavior pattern over time.
high_severity_events One or more observed events mapped to higher-severity behavior such as credential attacks, exploitation, or state-changing probes.
multi_source_corroboration Multiple FraudGuard signal sources contributed to the verdict.
multiple_correlated_signals Several independent signals aligned around the same risk decision.
infrastructure_context Infrastructure enrichment, such as proxy, hosting, Tor, VPN, or shared-exit context, contributed supporting context.
ace_signal_history Historical ACE signal data for the IP or related network context contributed to confidence.

observed_activity

Field Type Description
observed boolean true when FraudGuard observed activity for the IP in honeypot/WAF telemetry.
attack_families array High-level families of observed attack behavior.
activity object Aggregate event counts, trend, pattern, distinct target counts, and first/last seen timestamps.
attacks array Top observed attack/event types with service, protocol, destination port, event counts, honeypot reach, and first/last seen timestamps.
last_observed_attack object/null Most recent observed attack event, or null when no activity was observed.

The observed_activity.activity object contains:

Field Type Description
pattern string Aggregate activity pattern. See the supported values below.
trend string Direction of recent activity. See the supported values below.
attack_events_24h integer Events observed in the last 24 hours.
attack_events_7d integer Events observed in the last 7 days.
attack_events_30d integer Events observed in the last 30 days.
distinct_attack_types_30d integer Distinct attack or event types observed in the last 30 days.
distinct_target_services_30d integer Distinct target services observed in the last 30 days.
distinct_target_ports_30d integer Distinct destination ports observed in the last 30 days.
first_seen string/null First observed timestamp in ISO 8601 format, or null when no activity was observed.
last_seen string/null Most recent observed timestamp in ISO 8601 format, or null when no activity was observed.

Supported activity.pattern values:

Value Meaning
none No observed activity.
single_probe One observed event.
low_volume_probe Low-volume activity against one service.
low_volume_multi_service_probe Low-volume activity against multiple services.
burst Concentrated recent activity.
persistent Long-running activity over a broader window.
recurring Repeated activity that does not meet the burst or persistent definition.

Supported activity.trend values:

Value Meaning
inactive No active behavior in the current evaluation window.
cooling Activity exists but has slowed or aged.
stable Activity remains present without strong rise or cooling.
rising Recent activity is increasing compared with prior observations.
burst Tight burst of activity in a short window.

Current public attack_families include:

Family Description
credential_probe Login, authentication, brute-force, credential-stuffing, or credential submission behavior.
web_probe HTTP, WAF, web route, admin panel, CMS, sensitive-path, or application probing behavior.
database_probe Database or datastore probing such as Redis, MongoDB, MySQL, PostgreSQL, MSSQL, Elasticsearch, or Memcached.
cloud_infrastructure_probe Cloud, container, orchestration, Kubernetes, Docker, or cloud-control-plane probing behavior.
ai_endpoint_probe AI, LLM, OpenAI-compatible API, Ollama, model discovery, or AI gateway probing behavior.
spam_probe SMTP, mail relay, spam infrastructure, or spam-campaign probing behavior.
voip_probe SIP, VoIP, PBX, telephony, or registration probing behavior.
enterprise_service_probe SMB, LDAP, directory service, Windows networking, file share, or enterprise service probing behavior.
industrial_control_probe Industrial control system probing, including Modbus and related operational technology services.
mobile_device_probe Mobile device service probing, including ADB or related mobile administration surfaces.
messaging_service_probe Messaging, queue broker, MQTT, AMQP, or similar service probing behavior.
network_service_probe DNS, NTP, SNMP, resolver, or other general network service probing behavior.
proxy_probe Proxy, open proxy, forwarding, or proxy-service probing behavior.
game_server_probe Game server or game-service probing behavior.
media_server_probe Media server probing behavior, such as Plex or similar media application surfaces.
edge_appliance_probe Edge appliance, gateway, firewall, router, or perimeter device probing behavior.
generic_scan General scanning behavior that does not map cleanly to a more specific public family.

Each object in observed_activity.attacks contains:

Field Type Description
type string Public attack/event type, such as waf_attack, ssh_attack, jenkins_login_page_probe, postgresql_login_attempt, or ai_api_probe.
service string/null Targeted service, such as http, ssh, jenkins, postgresql, redis, smb, or ai_api.
protocol string/null Protocol associated with the observation, such as http, ssh, postgresql, smb, or sip/udp.
destination_port integer/null Destination port targeted by the activity.
attack_events_24h integer Events observed in the last 24 hours.
attack_events_7d integer Events observed in the last 7 days.
attack_events_30d integer Events observed in the last 30 days.
honeypots_reached_24h integer FraudGuard honeypots reached in the last 24 hours.
honeypots_reached_7d integer FraudGuard honeypots reached in the last 7 days.
honeypots_reached_30d integer FraudGuard honeypots reached in the last 30 days.
first_seen string/null First observed timestamp in ISO 8601 format.
last_seen string/null Last observed timestamp in ISO 8601 format.

When present, observed_activity.last_observed_attack contains:

Field Type Description
event_type string Public attack or event type for the most recent observation.
service string/null Targeted service, when available.
protocol string/null Protocol associated with the observation, when available.
destination_port integer/null Destination port targeted by the observation, when available.
observed_at string Observation timestamp in ISO 8601 format.

attributes

attributes is an intentionally dynamic signal map. Keys are public signal names and values currently contain detected: true.

Common example attribute groups include:

Group Example attributes
AI and automation ai_automation_suspected, llm_api_probe, openai_compatible_api_probe, model_discovery_activity, ai_gateway_reconnaissance
Credential activity credential_attack_pattern, credential_field_submitted, credential_stuffing_probe, login_bruteforce_behavior, password_field_interaction, multi_attempt_sequence
Web and admin probing http_attack_surface_mapping, web_route_scan, sensitive_file_probe, jenkins_console_recon, ci_cd_admin_probe, cms_surface_probe
Database and datastore probing database_login_probe, datastore_exposure_probe, redis_command_probe, mongodb_wire_probe, mysql_handshake_scan, postgres_startup_scan, sql_service_recon
Enterprise services smb_negotiation_scan, windows_network_probe, enterprise_file_share_probe, directory_service_probe
Messaging, VoIP, and industrial amqp_handshake_scan, messaging_service_probe, queue_broker_probe, sip_registration_probe, voip_service_probe, modbus_function_probe
Behavior and volume high_volume_honeypot_activity, repeated_probe_pattern, sustained_probe_stream, dense_scan_cluster, scan_retry_pattern, persistent_touch_pattern
Payload and protocol indicators binary_protocol_fingerprint, protocol_handshake_probe, payload_domain_indicator, payload_ip_indicator, payload_url_indicator, shell_or_downloader_artifact

reasons

Each reason contains:

Field Type Description
code string Stable machine-readable reason code.
message string Human-readable reason.
severity string One of info, low, medium, high, or critical.

Current public ACE v2 reason codes include:

Code Severity Message
honeypot_interaction_observed high Interaction observed across FraudGuard honeypot infrastructure
scanner_activity_observed medium Scanner or probing activity observed
abusive_activity_observed high Abusive activity observed by FraudGuard ACE
anonymized_network_behavior_observed medium Anonymized network behavior observed
tor_exit_infrastructure_observed medium Tor exit infrastructure signal observed
public_proxy_infrastructure_observed medium Public proxy infrastructure signal observed
residential_proxy_infrastructure_observed medium Residential proxy infrastructure signal observed
shared_exit_infrastructure_observed medium Shared exit infrastructure signal observed
botnet_activity_observed critical Botnet-associated activity observed
spam_activity_observed medium Spam-related activity observed
vpn_infrastructure_observed low VPN infrastructure signal observed
credential_attack_behavior_observed high Credential attack behavior observed
command_execution_probe_observed critical Command execution or state-changing probe observed
exploit_or_sensitive_probe_observed high Exploit, admin, or sensitive-path probing observed
ai_service_reconnaissance_observed medium AI service reconnaissance observed
waf_attack_activity_observed high HTTP/WAF attack activity observed
activity_within_7_days high Activity observed within the last 7 days
high_event_volume_observed high High-volume attack activity observed
activity_within_30_days medium Activity observed within the last 30 days
multi_source_activity_observed medium Seen across multiple FraudGuard sources
ace_risk_signals_detected medium FraudGuard ACE v2 detected active risk signals for this IP
ace_signal_observed medium FraudGuard ACE signal observed
no_active_ace_v2_signals info No active FraudGuard ACE v2 signals observed

Note: anonymized_network_behavior_observed can come from observed behavior, such as AI/API/proxy-style probing, and is not limited to current infrastructure flags. More specific current infrastructure reasons are emitted separately, such as public_proxy_infrastructure_observed or tor_exit_infrastructure_observed.

customer

The customer object is account-specific and is evaluated for the authenticated API user.

These fields are provided for customers who use FraudGuard custom whitelist, blacklist, or geoblock features. ACE v2 does not use these account-specific customer lists to change recommendation.action, risk, or classification; if your integration depends on whitelist, blacklist, or geoblock enforcement, check these values in your own application logic.

Field Type Description
ip_in_whitelist boolean true when the IP exists in the authenticated customer's whitelist.
ip_in_blacklist boolean true when the IP exists in the authenticated customer's blacklist.
ip_in_geoblock boolean true when the IP's country ISO code matches one of the authenticated customer's geoblocked countries.

infrastructure

Field Type Description
type string Primary infrastructure type. See supported values below.
provider string/null Best available provider name for the infrastructure context.
is_tor_exit boolean Indicates Tor exit infrastructure.
is_public_proxy boolean Indicates public proxy infrastructure.
is_vpn boolean Indicates VPN infrastructure.
is_hosting_provider boolean Indicates hosting, cloud, VPS, or datacenter context.
is_residential_proxy boolean Indicates residential proxy context.
is_mobile_network boolean Indicates mobile network context.
is_satellite_network boolean Indicates satellite network context.
is_shared_exit boolean Indicates shared exit infrastructure.
is_ai_agent boolean Indicates AI agent infrastructure.
first_seen string/null First time FraudGuard observed this infrastructure signal.
last_seen string/null Last time FraudGuard observed this infrastructure signal.
updated_at string/null Last enrichment update timestamp.

Current public infrastructure.type values include:

unknown, ai_agent, residential_proxy, vpn, tor_exit, public_proxy, hosting_provider, mobile_network, satellite_network, shared_exit.

network

Field Type Description
asn integer/null Autonomous System Number.
asn_org string/null ASN organization.
isp string/null Internet service provider.
organization string/null Network organization.
prefix string/null Network prefix when available.
connection_type string/null Connection type from network enrichment, such as Corporate, Cable/DSL or Mobile.

geography

Field Type Description
country string/null Country name.
isocode string/null Two-letter ISO 3166-1 alpha-2 country code.
state string/null State, province, or region.
city string/null City.
postal_code string/null Postal code.
timezone string/null IANA timezone.
latitude number/null Latitude.
longitude number/null Longitude.

metadata

Field Type Description
request_id string FraudGuard-generated request ID for tracing support and troubleshooting.
generated_at string Response generation time in ISO 8601 format.
schema_version string Response schema version.
api_version string API version.
engine string Always ace_v2.

ACE v2 Bulk IP Intelligence

ACE v2 Bulk IP Intelligence runs the same ACE v2 analysis as the single-IP endpoint for multiple IPs in one request. Use this endpoint when you need to evaluate batches efficiently while receiving the same per-IP recommendation, classification, risk, activity, customer, infrastructure, network, and geography fields.

The result object for each IP follows the ACE v2 IP Intelligence schema. This section documents only the differences for bulk requests and responses.

Plan Availability

Plan Availability
Starter Not included
Professional Not included
Business Included
Enterprise Included

HTTP Request

POST https://api.fraudguard.io/ace/v2/ip/check/bulk

Authentication

Basic Authentication is required for every request.

Headers

Header Required Description
Authorization Yes Basic Authentication using your FraudGuard API username and password.
Content-Type Yes Must be application/json.

Request Body

{
  "ips": [
    "8.8.8.8",
    "8.216.12.173",
    "app.fraudguard.io"
  ]
}
Field Required Type Description
ips Yes array Array of valid IPv4 addresses, IPv6 addresses, or resolvable hostnames.

Bulk request behavior:

curl -u "username:password" \
  -H "Content-Type: application/json" \
  -X POST "https://api.fraudguard.io/ace/v2/ip/check/bulk" \
  -d '{"ips":["8.8.8.8","8.216.12.173","app.fraudguard.io"]}'
require 'json'
require 'net/http'

uri = URI('https://api.fraudguard.io/ace/v2/ip/check/bulk')
request = Net::HTTP::Post.new(uri)
request.basic_auth('username', 'password')
request['Content-Type'] = 'application/json'
request.body = JSON.generate({
  ips: ['8.8.8.8', '8.216.12.173', 'app.fraudguard.io']
})

response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
  http.request(request)
end

puts response.body
import requests
from requests.auth import HTTPBasicAuth

response = requests.post(
    'https://api.fraudguard.io/ace/v2/ip/check/bulk',
    json={'ips': ['8.8.8.8', '8.216.12.173', 'app.fraudguard.io']},
    auth=HTTPBasicAuth('username', 'password'),
    timeout=30
)

print(response.text)
const response = await fetch('https://api.fraudguard.io/ace/v2/ip/check/bulk', {
  method: 'POST',
  headers: {
    'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64'),
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    ips: ['8.8.8.8', '8.216.12.173', 'app.fraudguard.io']
  })
});

console.log(await response.json());
<?php
$ch = curl_init('https://api.fraudguard.io/ace/v2/ip/check/bulk');
curl_setopt_array($ch, [
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_POST => true,
  CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
  CURLOPT_USERPWD => 'username:password',
  CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
  CURLOPT_POSTFIELDS => json_encode([
    'ips' => ['8.8.8.8', '8.216.12.173', 'app.fraudguard.io'],
  ]),
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

$body = @{
    ips = @('8.8.8.8', '8.216.12.173', 'app.fraudguard.io')
} | ConvertTo-Json

Invoke-WebRequest `
    -Uri 'https://api.fraudguard.io/ace/v2/ip/check/bulk' `
    -Headers $Headers `
    -Method Post `
    -ContentType 'application/json' `
    -Body $body

Example Response

The bulk example response below is shortened to one result object. A real bulk response returns one result object per accepted unique resolved IP, and each result follows the ACE v2 IP Intelligence schema.

When a hostname resolves to a unique result IP, that result includes hostname with the submitted hostname and ip with the resolved address used for the lookup. See the duplicate-resolution caveat above when inputs collapse to the same IP.

{
  "results": [
    {
      "ip": "8.8.8.8",
      "recommendation": {
        "action": "allow",
        "evidence_summary": "No active FraudGuard ACE v2 threat signals were observed for this IP.",
        "cache_ttl_seconds": 28800
      },
      "classification": {
        "primary": "clean",
        "secondary": []
      },
      "risk": {
        "level": 1,
        "label": "minimal",
        "confidence": 100,
        "confidence_factors": [
          "no_active_threat_signals"
        ]
      },
      "observed_activity": {
        "observed": false,
        "attack_families": [],
        "activity": {
          "pattern": "none",
          "trend": "inactive",
          "attack_events_24h": 0,
          "attack_events_7d": 0,
          "attack_events_30d": 0,
          "distinct_attack_types_30d": 0,
          "distinct_target_services_30d": 0,
          "distinct_target_ports_30d": 0,
          "first_seen": null,
          "last_seen": null
        },
        "attacks": [],
        "last_observed_attack": null
      },
      "attributes": {},
      "reasons": [
        {
          "code": "no_active_ace_v2_signals",
          "message": "No active FraudGuard ACE v2 signals observed",
          "severity": "info"
        }
      ],
      "customer": {
        "ip_in_whitelist": false,
        "ip_in_blacklist": false,
        "ip_in_geoblock": false
      },
      "infrastructure": {
        "type": "unknown",
        "provider": null,
        "is_tor_exit": false,
        "is_public_proxy": false,
        "is_vpn": false,
        "is_hosting_provider": false,
        "is_residential_proxy": false,
        "is_mobile_network": false,
        "is_satellite_network": false,
        "is_shared_exit": false,
        "is_ai_agent": false,
        "first_seen": null,
        "last_seen": null,
        "updated_at": null
      },
      "network": {
        "asn": 15169,
        "asn_org": "GOOGLE",
        "isp": "Google",
        "organization": "Google",
        "prefix": null,
        "connection_type": "Corporate"
      },
      "geography": {
        "country": "United States",
        "isocode": "US",
        "state": null,
        "city": null,
        "postal_code": null,
        "timezone": "America/Chicago",
        "latitude": 37.751,
        "longitude": -97.822
      }
    }
  ],
  "count": 1,
  "metadata": {
    "request_id": "acev2_example_bulk_lookup",
    "generated_at": "2026-05-27T14:35:53+00:00",
    "schema_version": "2.0.0",
    "api_version": "2.0.0",
    "engine": "ace_v2"
  }
}

Bulk Response Fields

Field Type Description
results array Array of ACE v2 per-IP result objects. Each object follows the single-IP response schema above, except result-level metadata is omitted.
count integer Number of result objects returned.
metadata object Request-level metadata for the bulk request.

Differences From Single-IP ACE v2


ACE v2 IP Forecast

ACE v2 IP Forecast is FraudGuard's predictive risk API for a single IP address. It uses the ACE v2 engine to compare the IP's current risk state with a near-term forecast based on direct IP activity, historical risk snapshots, active ACE signals, and correlated activity in nearby network space.

This endpoint is intentionally predictive. current_risk and current_action describe the IP's current ACE v2 assessment at the time of the request. forecast_risk and forecast_action describe the model's projected near-term risk and recommended treatment over the returned forecast_horizon. A higher forecast does not always mean the exact IP has already performed malicious activity; inspect signals, nearby_activity, and why to understand whether the forecast is driven by direct observations, related prefix activity, or both.

Use this API when you need forward-looking enforcement guidance, such as adding friction before abuse is directly observed from the exact IP, monitoring IPs from risky prefixes more closely, or deciding whether a currently allowed IP should be challenged on sensitive workflows.

HTTP Request

POST https://api.fraudguard.io/ace/v2/ip/forecast

Authentication

Basic Authentication is required for every request.

Headers

Header Required Description
Authorization Yes Basic Authentication using your FraudGuard API username and password.
Content-Type Yes Must be application/json.

Request Body

{
  "ip": "94.243.8.249"
}
Field Required Type Description
ip Yes string A single valid IPv4 or IPv6 address to forecast.

CIDR ranges, hostnames, and arrays of IPs are not accepted by this endpoint. Submit one normalized IP address per request.

curl -u "username:password" \
  -H "Content-Type: application/json" \
  -X POST "https://api.fraudguard.io/ace/v2/ip/forecast" \
  -d '{"ip":"94.243.8.249"}'
require 'json'
require 'net/http'

uri = URI('https://api.fraudguard.io/ace/v2/ip/forecast')
request = Net::HTTP::Post.new(uri)
request.basic_auth('username', 'password')
request['Content-Type'] = 'application/json'
request.body = JSON.generate({ ip: '94.243.8.249' })

response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
  http.request(request)
end

puts response.body
import requests
from requests.auth import HTTPBasicAuth

response = requests.post(
    'https://api.fraudguard.io/ace/v2/ip/forecast',
    json={'ip': '94.243.8.249'},
    auth=HTTPBasicAuth('username', 'password'),
    timeout=30
)

print(response.text)
const response = await fetch('https://api.fraudguard.io/ace/v2/ip/forecast', {
  method: 'POST',
  headers: {
    'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64'),
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ ip: '94.243.8.249' })
});

console.log(await response.json());
<?php
$ch = curl_init('https://api.fraudguard.io/ace/v2/ip/forecast');
curl_setopt_array($ch, [
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_POST => true,
  CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
  CURLOPT_USERPWD => 'username:password',
  CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
  CURLOPT_POSTFIELDS => json_encode(['ip' => '94.243.8.249']),
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

$body = @{
    ip = '94.243.8.249'
} | ConvertTo-Json

Invoke-WebRequest `
    -Uri 'https://api.fraudguard.io/ace/v2/ip/forecast' `
    -Headers $Headers `
    -Method Post `
    -ContentType 'application/json' `
    -Body $body

Example Response

{
  "ip": "94.243.8.249",
  "current_risk": 1,
  "forecast_risk": 4,
  "current_action": "allow",
  "forecast_action": "challenge",
  "outlook": "worsening",
  "confidence": 90,
  "trend": "rising",
  "time_window": "30d",
  "forecast_horizon": {
    "period": "near_term",
    "days": 7
  },
  "signals": {
    "events_24h": 0,
    "events_7d": 0,
    "events_30d": 0,
    "risk_24h_ago": null,
    "risk_7d_ago": null,
    "risk_30d_ago": null,
    "active_trackers": [],
    "active_attributes": [],
    "max_severity_30d": null,
    "distinct_sources_30d": 0
  },
  "nearby_activity": {
    "prefix": "94.243.8.0/24",
    "events_24h": 30,
    "events_7d": 96,
    "events_30d": 111,
    "distinct_ips_24h": 2,
    "distinct_ips_7d": 10,
    "distinct_ips_30d": 12,
    "active_trackers": [
      "scanner_tracker",
      "abuse_tracker"
    ],
    "active_attributes": [
      "remote_access_probe",
      "persistent_touch_pattern",
      "dense_scan_cluster",
      "command_execution_probe",
      "shell_or_downloader_artifact",
      "suspicious_command_indicator",
      "legacy_shell_probe",
      "scan_retry_pattern",
      "credential_attack_pattern",
      "login_bruteforce_behavior",
      "credential_field_submitted",
      "credential_stuffing_probe",
      "repeated_probe_pattern",
      "sustained_probe_stream",
      "telnet_login_surface_scan",
      "multi_attempt_sequence",
      "high_volume_honeypot_activity",
      "web_route_scan",
      "authentication_surface_scan",
      "known_exploit_path_scan",
      "admin_surface_probe",
      "scripted_request_pattern",
      "recently_active"
    ],
    "max_severity_30d": 4
  },
  "why": [
    "No direct malicious activity observed for this IP",
    "Recent malicious activity observed in the same prefix",
    "Prefix contains scanner or probing activity",
    "Prefix contains abuse activity"
  ],
  "recommendation": "Apply additional scrutiny; nearby ACE activity indicates elevated prefix risk."
}

Forecast Response Fields

Schema stability and dynamic values: the top-level response schema is stable for this API version, while tracker names, attribute names, trend values, outlook values, and why messages are intentionally dynamic. FraudGuard may add new ACE v2 signals, trackers, attributes, trend labels, outlook labels, and explanation text over time. Integrations should parse known fields but tolerate new string values in outlook, trend, active_trackers, active_attributes, and why.

Field Type Description
ip string The IP address submitted in the request.
current_risk integer Current ACE v2 risk level for the IP at request time. Lower values indicate lower current risk; higher values indicate higher current risk.
forecast_risk integer Predictive ACE v2 risk level for the IP over the returned forecast horizon.
current_action string Recommended action for the IP's current state. One of allow, challenge, or block.
forecast_action string Recommended action for the forecast horizon. One of allow, challenge, or block.
outlook string Qualitative comparison between current and forecast risk: worsening, stable, improving, or insufficient_data.
confidence integer Forecast confidence score from 0 to 100. This is model confidence in the forecast, not a literal probability that the IP will attack.
trend string Direction of recent signal movement, such as rising, stable, falling, inactive, or unknown when no usable trend exists.
time_window string Historical lookback window used to evaluate direct and nearby activity, such as 30d.
forecast_horizon object Time period covered by the predictive forecast.
signals object Direct signal summary for the exact IP.
nearby_activity object Correlated ACE v2 activity observed in nearby network space used by the forecast model.
why array Human-readable explanation strings for the current forecast.
recommendation string Human-readable guidance summarizing how to treat the forecast result.

Forecast Interpretation

current_* fields are for the IP's current ACE v2 state. forecast_* fields are for the predicted near-term state. These can differ significantly. In the example above, the IP is currently allowed with current_risk 1, but the forecast is worsening because ACE v2 observed recent scanner and abuse activity in the same prefix. The recommended predictive action is therefore challenge.

Do not derive actions from risk numbers yourself. Use current_action for current enforcement and forecast_action for predictive enforcement. The forecast action can be softer or different from what a static risk-to-action mapping might suggest because it represents forward-looking control guidance, not only a current observed-abuse verdict.

Use signals to determine whether the exact IP has direct activity. Use nearby_activity to determine whether the forecast is being influenced by related prefix behavior. A forecast driven only by nearby_activity is still useful for additional scrutiny, but it should not be presented as evidence that the exact IP already performed the nearby activity.

Risk and Action Values

Risk levels use the ACE v2 1 through 5 scale, where 1 is the lowest risk and 5 is the highest risk. The forecast endpoint returns numeric risk only, so use the returned action fields for enforcement decisions.

Action Meaning
allow No additional friction is recommended for the current or forecasted state.
challenge Add scrutiny or friction, such as human verification, step-up authentication, rate limiting, manual review, or tighter workflow controls.
block Block or deny the request when your application policy allows hard enforcement.

Outlook values describe the relationship between current and forecast risk:

Outlook Meaning
worsening Forecasted risk is higher than current risk or nearby/direct signals indicate increasing concern.
stable Forecasted risk is materially similar to current risk.
improving Forecasted risk is lower than current risk or signals are cooling.
insufficient_data ACE does not yet have enough recent direct or nearby activity for a strong forecast.

forecast_horizon

Field Type Description
period string Human-readable horizon category, such as near_term.
days integer Number of days covered by the forecast horizon.

Read forecast_horizon.days from every response instead of assuming a fixed horizon. The example response forecasts the next 7 days.

signals

signals describes activity and risk history for the exact queried IP.

Field Type Description
events_24h integer Direct ACE v2 events observed for the exact IP in the last 24 hours.
events_7d integer Direct ACE v2 events observed for the exact IP in the last 7 days.
events_30d integer Direct ACE v2 events observed for the exact IP in the last 30 days.
risk_24h_ago integer/null ACE v2 risk level for the exact IP 24 hours ago, when available.
risk_7d_ago integer/null ACE v2 risk level for the exact IP 7 days ago, when available.
risk_30d_ago integer/null ACE v2 risk level for the exact IP 30 days ago, when available.
active_trackers array Active ACE tracker identifiers observed directly for the exact IP.
active_attributes array Active ACE signal attributes observed directly for the exact IP.
max_severity_30d integer/null Maximum direct ACE severity observed for the exact IP in the last 30 days.
distinct_sources_30d integer Number of distinct direct ACE sources that contributed events for the exact IP in the last 30 days.

When signals.events_30d is 0, no direct malicious activity was observed for the exact IP during the returned time_window. The forecast can still rise when nearby network behavior indicates elevated risk.

nearby_activity

nearby_activity describes correlated ACE v2 activity in nearby network space. For IPv4, this is commonly a related prefix such as a /24; for other address families or future models, use the returned prefix value rather than assuming a fixed prefix size.

Field Type Description
prefix string Network prefix used for nearby activity analysis.
events_24h integer ACE v2 events observed in the nearby prefix in the last 24 hours.
events_7d integer ACE v2 events observed in the nearby prefix in the last 7 days.
events_30d integer ACE v2 events observed in the nearby prefix in the last 30 days.
distinct_ips_24h integer Distinct IPs in the nearby prefix with ACE v2 activity in the last 24 hours.
distinct_ips_7d integer Distinct IPs in the nearby prefix with ACE v2 activity in the last 7 days.
distinct_ips_30d integer Distinct IPs in the nearby prefix with ACE v2 activity in the last 30 days.
active_trackers array Active ACE tracker identifiers observed in the nearby prefix.
active_attributes array Active ACE signal attributes observed in the nearby prefix.
max_severity_30d integer/null Maximum ACE severity observed in the nearby prefix in the last 30 days.

Nearby activity helps ACE v2 forecast risk before the exact IP has produced direct evidence. It is especially useful for detecting emerging scanning, abuse, credential attacks, and exploit probing moving through adjacent infrastructure.

Integration Guidance

Get Specific IP Reputation v1

This legacy endpoint returns the original FraudGuard IP reputation schema for one IP address. It remains available for compatibility; use ACE v2 for new integrations, explainable decisions, and the current intelligence model.

Response Fields

curl -X GET -u "username:password" "https://api.fraudguard.io/ip/1.221.157.205"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/ip/1.221.157.205','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/ip/1.221.157.205', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/ip/1.221.157.205',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/ip/1.221.157.205';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/ip/1.221.157.205' -Headers $Headers

Example response:

{
    "isocode": "KR",
    "country": "Republic of Korea",
    "state": "Seoul",
    "city": "Seoul",
    "discover_date": "2018-12-11 07:00:45",
    "threat": "honeypot_tracker",
    "risk_level": "5"
}

HTTP Request

GET https://api.fraudguard.io/ip/<IP>

URL Parameters

Parameter Description
IP Any IPv4 or IPv6 address

Get Specific IP Reputation v2

This legacy endpoint returns the v2 FraudGuard reputation schema for one IP address. It remains available for compatibility; use ACE v2 for new integrations.

Response Fields

curl -X GET -u "username:password" "https://api.fraudguard.io/v2/ip/12.167.53.202"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/v2/ip/12.167.53.202','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/v2/ip/12.167.53.202', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/v2/ip/12.167.53.202',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/ip/12.167.53.202';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/v2/ip/12.167.53.202' -Headers $Headers

Example response:

{
    "isocode": "US",
    "country": "United States",
    "state_code": "CA",
    "state": "California",
    "city": "Pomona",
    "postal_code": "91768",
    "latitude": 34.0662,
    "longitude": -117.7763,
    "timezone": "America/Los_Angeles",
    "connection_type": "Corporate",
    "asn": 7018,
    "asn_organization": "AT&T Services, Inc.",
    "isp": "AT&T Services",
    "organization": "AT&T Services",
    "discover_date": "2018-12-13 03:03:15",
    "threat": "abuse_tracker",
    "risk_level": "4"
}

HTTP Request

GET https://api.fraudguard.io/v2/ip/<IP>

URL Parameters

Parameter Description
IP Any IPv4 or IPv6 address

Get Specific IP v2 Geographic, ISP and Organizational Lookup Only

Returns geography, ISP, and organization data for one IP without running a full reputation lookup. Use it when network context—not a security decision—is the only required output.

Response Fields

curl -X GET -u "username:password" "https://api.fraudguard.io/v2/ip/geolookup/23.235.13.99"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/v2/ip/geolookup/23.235.13.99','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/v2/ip/geolookup/23.235.13.99', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/v2/ip/geolookup/23.235.13.99',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/ip/geolookup/23.235.13.99';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/v2/ip/geolookup/23.235.13.99' -Headers $Headers

Example response:

{
    "isocode": "US",
    "country": "United States",
    "state_code": "MN",
    "state": "Minnesota",
    "city": "Winona",
    "postal_code": "55987",
    "latitude": 44.03,
    "longitude": -91.7009,
    "timezone": "America/Chicago",
    "connection_type": "Cable/DSL",
    "asn": 14828,
    "asn_organization": "Hiawatha Broadband Communications, Inc",
    "isp": "Hiawatha Broadband Communications",
    "organization": "Hiawatha Broadband Communications"
}

HTTP Request

GET https://api.fraudguard.io/v2/ip/geolookup/<IP>

URL Parameters

Parameter Description
IP Any IPv4 or IPv6 address

Get Specific Hostname Reputation v2

The Get Specific Hostname Reputation v2 API resolves the hostname to one IPv4 address and performs a standard reputation lookup for that address. It does not evaluate every A record or any AAAA record; resolve DNS in your application and submit each address separately when complete coverage matters.

This endpoint is useful for quickly evaluating the current IP reputation associated with a hostname at the time of the request.

Response Fields

curl -X GET -u "username:password" "https://api.fraudguard.io/v2/hostname/fraudguard.io"
require 'net/http'
require 'net/https'

def get_hostname(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_hostname('api.fraudguard.io','/v2/hostname/fraudguard.io','username','password')
import requests
from requests.auth import HTTPBasicAuth
hostname=requests.get('https://api.fraudguard.io/v2/hostname/fraudguard.io', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (hostname.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/v2/hostname/fraudguard.io',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/hostname/fraudguard.io';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/v2/hostname/fraudguard.io' -Headers $Headers

Example response:

{
  "isocode":"US",
  "country":"United States",
  "state_code":"MD",
  "state":"Maryland",
  "city":"Chestertown",
  "postal_code":"21620",
  "latitude":39.2125,
  "longitude":-76.0802,
  "timezone":"America/New_York",
  "connection_type":"Corporate",
  "asn":29802,
  "asn_organization":"HIVELOCITY VENTURES CORP",
  "isp":"NOC4Hosts",
  "organization":"Hivelocity Ventures Corp",
  "discover_date":"2020-06-02 03:35:23",
  "threat":"unknown",
  "risk_level":"1"
}

HTTP Request

GET https://api.fraudguard.io/v2/hostname/<hostname>

URL Parameters

Parameter Description
Hostname Any hostname

Get Specific IP Reputation v3 by Threat

Returns the legacy v3 reputation schema for one IP, grouped by threat type. Use ACE v2 for new integrations.

Response Fields

curl -X GET -u "username:password" "https://api.fraudguard.io/v3/ip-all-threats/89.248.165.0"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/v3/ip-all-threats/89.248.165.0','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/v3/ip-all-threats/89.248.165.0', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/v3/ip-all-threats/89.248.165.0',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v3/ip-all-threats/89.248.165.0';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/v3/ip-all-threats/89.248.165.0' -Headers $Headers

Example response:

{
    "isocode": "NL",
    "country": "Netherlands",
    "state_code": "NH",
    "state": "North Holland",
    "city": "Amsterdam",
    "postal_code": "1012",
    "latitude": 52.3759,
    "longitude": 4.8975,
    "timezone": "Europe/Amsterdam",
    "connection_type": "Corporate",
    "asn": 202425,
    "asn_organization": "IP Volume inc",
    "isp": "IP Volume inc",
    "organization": "IP Volume inc",
    "anonymous_tracker": {
        "listed": false,
        "discover_date": "2024-04-23 01:49:38"
    },
    "botnet_tracker": {
        "listed": true,
        "discover_date": "2024-04-22 03:00:23"
    },
    "honeypot_tracker": {
        "listed": false,
        "discover_date": "2024-04-23 01:49:38"
    },
    "abuse_tracker": {
        "listed": false,
        "discover_date": "2024-04-23 01:49:38"
    },
    "spam_tracker": {
        "listed": false,
        "discover_date": "2024-04-23 01:49:38"
    }
}

HTTP Request

GET https://api.fraudguard.io/v3/ip-all-threats/<IP>

URL Parameters

Parameter Description
IP Any IPv4 or IPv6 address

Get Specific IP Reputation v4

Returns the legacy v4 reputation schema with account-specific blacklist and whitelist context. Use ACE v2 for new integrations.

Response Fields

curl -X GET -u "username:password" "https://api.fraudguard.io/v4/ip/92.42.8.20"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/v4/ip/92.42.8.20','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/v4/ip/92.42.8.20', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/v4/ip/92.42.8.20',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v4/ip/92.42.8.20';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/v4/ip/92.42.8.20' -Headers $Headers

Example response:

{
    "isocode": "RU",
    "country": "Russia",
    "state_code": "STA",
    "state": "Stavropol Kray",
    "city": "Pyatigorsk",
    "postal_code": "357500",
    "latitude": 44.0562,
    "longitude": 43.0707,
    "timezone": "Europe/Moscow",
    "connection_type": "Cable/DSL",
    "asn": 44963,
    "asn_organization": "Stavtelecom LLC",
    "isp": "Stavtelecom LLC",
    "organization": "Stavtelecom LLC",
    "discover_date": "2024-11-12 23:37:45",
    "threat": "anonymous_tracker",
    "risk_level": "3",
    "ip_in_whitelist": "false",
    "ip_in_blacklist": "true"
}

HTTP Request

GET https://api.fraudguard.io/v4/ip/<IP>

URL Parameters

Parameter Description
IP Any IPv4 or IPv6 address

Get Specific IP Reputation v5

Returns the legacy v5 reputation schema with account-specific blacklist, whitelist, and geoblock context. Use ACE v2 for new integrations.

Response Fields

curl -X GET -u "username:password" "https://api.fraudguard.io/v5/ip/1.52.122.126"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/v5/ip/1.52.122.126','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/v5/ip/1.52.122.126', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/v5/ip/1.52.122.126',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v5/ip/1.52.122.126';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/v5/ip/1.52.122.126' -Headers $Headers

Example response:

{
    "isocode": "VN",
    "country": "Vietnam",
    "state_code": "HN",
    "state": "Hanoi",
    "city": "Hanoi",
    "postal_code": "unknown",
    "latitude": 21.0292,
    "longitude": 105.8526,
    "timezone": "Asia/Bangkok",
    "connection_type": "Cable/DSL",
    "asn": 18403,
    "asn_organization": "The Corporation for Financing & Promoting Technology",
    "isp": "FPT Telecom",
    "organization": "FPT Telecom",
    "ip_in_whitelist": "false",
    "ip_in_blacklist": "true",
    "ip_in_geoblock": "true",
    "discover_date": "2024-11-13 04:00:08",
    "threat": "honeypot_tracker",
    "risk_level": "5"
}

HTTP Request

GET https://api.fraudguard.io/v5/ip/<IP>

URL Parameters

Parameter Description
IP Any IPv4 or IPv6 address

Get Specific IP Reputation v5 by Threat

Returns the legacy v5 reputation schema grouped by threat type, with account-specific blacklist, whitelist, and geoblock context. Use ACE v2 for new integrations.

Response Fields

curl -X GET -u "username:password" "https://api.fraudguard.io/v5/ip-all-threats/1.52.122.126"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/v5/ip-all-threats/1.52.122.126','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/v5/ip-all-threats/1.52.122.126', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/v5/ip-all-threats/1.52.122.126',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v5/ip-all-threats/1.52.122.126';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/v5/ip-all-threats/1.52.122.126' -Headers $Headers

Example response:

{
    "isocode": "VN",
    "country": "Vietnam",
    "state_code": "HN",
    "state": "Hanoi",
    "city": "Hanoi",
    "postal_code": "unknown",
    "latitude": 21.0292,
    "longitude": 105.8526,
    "timezone": "Asia/Bangkok",
    "connection_type": "Cable/DSL",
    "asn": 18403,
    "asn_organization": "The Corporation for Financing & Promoting Technology",
    "isp": "FPT Telecom",
    "organization": "FPT Telecom",
    "ip_in_whitelist": "false",
    "ip_in_blacklist": "true",
    "ip_in_geoblock": "true",
    "anonymous_tracker": {
        "listed": false,
        "discover_date": "2024-11-13 04:34:49"
    },
    "botnet_tracker": {
        "listed": false,
        "discover_date": "2024-11-13 04:34:49"
    },
    "honeypot_tracker": {
        "listed": true,
        "discover_date": "2024-11-13 04:00:08"
    },
    "abuse_tracker": {
        "listed": false,
        "discover_date": "2024-11-13 04:34:49"
    },
    "spam_tracker": {
        "listed": false,
        "discover_date": "2024-11-13 04:34:49"
    }
}

HTTP Request

GET https://api.fraudguard.io/v5/ip-all-threats/<IP>

URL Parameters

Parameter Description
IP Any IPv4 or IPv6 address

Bulk IP Lookup

This legacy bulk endpoint evaluates up to 1,024 IP addresses with the original ACE response schema. Use ACE v2 Bulk IP Intelligence for new integrations.

Response Fields

Each object in the response array represents an IP address and includes the following fields:

curl -X POST -u "username:password" "https://api.fraudguard.io/api/bulk_lookup" -d '["1.20.97.181", "82.25.3.7"]'
require 'net/http'
require 'net/https'

def post_ip(server,path,username,password)
body = '["1.20.97.181", "82.25.3.7"]'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end

puts post_ip('api.fraudguard.io','/api/bulk_lookup','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '["1.20.97.181", "82.25.3.7"]'
ip=requests.post('https://api.fraudguard.io/api/bulk_lookup', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');

const querystring = require('querystring');
const https = require('https');


const data = '["1.20.97.181", "82.25.3.7"]';

var options = {
  hostname: "api.fraudguard.io",
  port: 443,
  path: '/api/bulk_lookup',
  method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'Authorization': auth,
        'Content-Length': data.length
    }
};

var req = https.request(options, (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  res.on('data', (d) => {
    process.stdout.write(d);
  });
});

req.on('error', (e) => {
  console.error(e);
});

req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '["1.20.97.181", "82.25.3.7"]';
$url = 'https://api.fraudguard.io/api/bulk_lookup';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

$body = @'
'["1.20.97.181", "82.25.3.7"]'
'@

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/bulk_lookup' -Headers $Headers -Method Post -Body $body

Example request body:

["1.20.97.181", "82.25.3.7"]

Example response:

[{
        "ip": "1.20.97.181",
        "isocode": "TH",
        "country": "Thailand",
        "state_code": "unknown",
        "state": "unknown",
        "city": "unknown",
        "postal_code": "unknown",
        "latitude": 13.75,
        "longitude": 100.4667,
        "timezone": "Asia/Bangkok",
        "connection_type": "Cellular",
        "asn": 23969,
        "asn_organization": "TOT Public Company Limited",
        "isp": "TOT Mobile Co",
        "organization": "TOT",
        "discover_date": "2020-02-22 03:00:11",
        "risk_level": 4,
        "threat": "abuse_tracker"
    },
    {
        "ip": "82.25.3.7",
        "isocode": "GB",
        "country": "United Kingdom",
        "state_code": "ENG",
        "state": "England",
        "city": "Stoke Newington",
        "postal_code": "N16",
        "latitude": 51.5625,
        "longitude": -0.074,
        "timezone": "Europe/London",
        "connection_type": "Cable/DSL",
        "asn": 5089,
        "asn_organization": "Virgin Media Limited",
        "isp": "Virgin Media",
        "organization": "Virgin Media",
        "discover_date": "2020-02-24 01:45:05",
        "risk_level": 1,
        "threat": "unknown"
}]

HTTP Request

POST https://api.fraudguard.io/api/bulk_lookup

Bulk IP Lookup v2

This legacy bulk endpoint evaluates up to 1,024 IP addresses or hostnames.

Compared with v1, the response adds account-specific geoblock, blacklist, and whitelist context. Use ACE v2 Bulk IP Intelligence for new integrations.

Response Fields

Each object in the response array represents an IP address and includes the following fields:

curl -X POST -u "username:password" "https://api.fraudguard.io/api/v2/bulk_lookup" -d '["1.20.97.181", "82.25.3.7"]'
require 'net/http'
require 'net/https'

def post_ip(server,path,username,password)
body = '["1.20.97.181", "82.25.3.7"]'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end

puts post_ip('api.fraudguard.io','/api/v2/bulk_lookup','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '["1.20.97.181", "82.25.3.7"]'
ip=requests.post('https://api.fraudguard.io/api/v2/bulk_lookup', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');

const querystring = require('querystring');
const https = require('https');


const data = '["1.20.97.181", "82.25.3.7"]';

var options = {
  hostname: "api.fraudguard.io",
  port: 443,
  path: '/api/v2/bulk_lookup',
  method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'Authorization': auth,
        'Content-Length': data.length
    }
};

var req = https.request(options, (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  res.on('data', (d) => {
    process.stdout.write(d);
  });
});

req.on('error', (e) => {
  console.error(e);
});

req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '["1.20.97.181", "82.25.3.7"]';
$url = 'https://api.fraudguard.io/api/v2/bulk_lookup';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

$body = @'
'["1.20.97.181", "82.25.3.7"]'
'@

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v2/bulk_lookup' -Headers $Headers -Method Post -Body $body

Example request body:

["1.20.97.181", "fraudguard.io", "82.25.3.7"]

Example response:

[{
        "ip": "1.20.97.181",
        "isocode": "TH",
        "country": "Thailand",
        "state_code": "10",
        "state": "Bangkok",
        "city": "Bangkok",
        "postal_code": "10200",
        "latitude": 13.7512,
        "longitude": 100.5172,
        "timezone": "Asia/Bangkok",
        "connection_type": "Cable/DSL",
        "asn": 23969,
        "asn_organization": "TOT Public Company Limited",
        "isp": "TOT",
        "organization": "TOT",
        "ip_in_whitelist": "false",
        "ip_in_blacklist": "false",
        "ip_in_geoblock": "true",
        "discover_date": "2025-01-02 02:01:49",
        "threat": "anonymous_tracker",
        "risk_level": "3"
    },
    {
        "ip": "fraudguard.io",
        "isocode": "US",
        "country": "United States",
        "state_code": "NJ",
        "state": "New Jersey",
        "city": "North Bergen",
        "postal_code": "07047",
        "latitude": 40.7964,
        "longitude": -74.0203,
        "timezone": "America/New_York",
        "connection_type": "Corporate",
        "asn": 14061,
        "asn_organization": "DIGITALOCEAN-ASN",
        "isp": "Digital Ocean",
        "organization": "Digital Ocean",
        "ip_in_whitelist": "false",
        "ip_in_blacklist": "false",
        "ip_in_geoblock": "false",
        "discover_date": "2025-12-05 17:43:46",
        "threat": "unknown",
        "risk_level": "1"
    },
    {
        "ip": "82.25.3.7",
        "isocode": "GB",
        "country": "United Kingdom",
        "state_code": "ISL",
        "state": "Islington",
        "city": "Islington",
        "postal_code": "N5",
        "latitude": 51.5507,
        "longitude": -0.0998,
        "timezone": "Europe/London",
        "connection_type": "Cable/DSL",
        "asn": 5089,
        "asn_organization": "Virgin Media Limited",
        "isp": "Virgin Media",
        "organization": "Virgin Media",
        "ip_in_whitelist": "true",
        "ip_in_blacklist": "false",
        "ip_in_geoblock": "false",
        "discover_date": "2025-01-03 16:06:22",
        "threat": "unknown",
        "risk_level": "1"
}]

HTTP Request

POST https://api.fraudguard.io/api/v2/bulk_lookup

Bulk IP Lookup v3

This legacy bulk endpoint evaluates up to 1,024 resolved or expanded addresses and adds account-specific geoblock, blacklist, and whitelist context. It is the only legacy bulk endpoint that accepts CIDR input: IPv4 CIDRs may be as large as /23 and IPv6 CIDRs as large as /119.

Response Fields

Each object in the response array represents an IP address and includes the following fields:

curl -X POST -u "username:password" "https://api.fraudguard.io/api/v3/bulk_lookup" -d '["82.25.3.25","2606:4700:4700::1111/127","165.25.3.0/31"]'
require 'net/http'
require 'net/https'

def post_ip(server,path,username,password)
body = '["82.25.3.25","2606:4700:4700::1111/127","165.25.3.0/31"]'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end

puts post_ip('api.fraudguard.io','/api/v3/bulk_lookup','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '["82.25.3.25","2606:4700:4700::1111/127","165.25.3.0/31"]'
ip=requests.post('https://api.fraudguard.io/api/v3/bulk_lookup', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');

const querystring = require('querystring');
const https = require('https');


const data = '["82.25.3.25","2606:4700:4700::1111/127","165.25.3.0/31"]';

var options = {
  hostname: "api.fraudguard.io",
  port: 443,
  path: '/api/v3/bulk_lookup',
  method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'Authorization': auth,
        'Content-Length': data.length
    }
};

var req = https.request(options, (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  res.on('data', (d) => {
    process.stdout.write(d);
  });
});

req.on('error', (e) => {
  console.error(e);
});

req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '["82.25.3.25","2606:4700:4700::1111/127","165.25.3.0/31"]';
$url = 'https://api.fraudguard.io/api/v3/bulk_lookup';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

$body = @'
'["82.25.3.25","2606:4700:4700::1111/127","165.25.3.0/31"]'
'@

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v3/bulk_lookup' -Headers $Headers -Method Post -Body $body

Example request body:

[
  "82.25.3.25",
  "fraudguard.io",
  "2606:4700:4700::1111/127",
  "165.25.3.0/31"
]

Example response:

[
    {
        "ip": "82.25.3.25",
        "isocode": "US",
        "country": "United States",
        "state_code": "NY",
        "state": "New York",
        "city": "New York",
        "postal_code": "10118",
        "latitude": 40.7126,
        "longitude": -74.0066,
        "timezone": "America/New_York",
        "connection_type": "Cable/DSL",
        "asn": 6079,
        "asn_organization": "RCN-AS",
        "isp": "Astound Broadband",
        "organization": "Astound Broadband",
        "ip_in_whitelist": "false",
        "ip_in_blacklist": "false",
        "ip_in_geoblock": "false",
        "discover_date": "2025-10-02 23:55:15",
        "threat": "unknown",
        "risk_level": "1"
    },
    {
        "ip": "fraudguard.io",
        "isocode": "US",
        "country": "United States",
        "state_code": "NJ",
        "state": "New Jersey",
        "city": "North Bergen",
        "postal_code": "07047",
        "latitude": 40.7964,
        "longitude": -74.0203,
        "timezone": "America/New_York",
        "connection_type": "Corporate",
        "asn": 14061,
        "asn_organization": "DIGITALOCEAN-ASN",
        "isp": "Digital Ocean",
        "organization": "Digital Ocean",
        "ip_in_whitelist": "false",
        "ip_in_blacklist": "false",
        "ip_in_geoblock": "false",
        "discover_date": "2025-12-05 17:43:46",
        "threat": "unknown",
        "risk_level": "1"
    },
    {
        "ip": "2606:4700:4700::1110",
        "isocode": "unknown",
        "country": "unknown",
        "state_code": "unknown",
        "state": "unknown",
        "city": "unknown",
        "postal_code": "unknown",
        "latitude": "unknown",
        "longitude": "unknown",
        "timezone": "unknown",
        "connection_type": "Corporate",
        "asn": 13335,
        "asn_organization": "CLOUDFLARENET",
        "isp": "Cloudflare",
        "organization": "Cloudflare",
        "ip_in_whitelist": "false",
        "ip_in_blacklist": "false",
        "ip_in_geoblock": "false",
        "discover_date": "2025-10-02 23:55:16",
        "threat": "unknown",
        "risk_level": "1"
    },
    {
        "ip": "2606:4700:4700::1111",
        "isocode": "unknown",
        "country": "unknown",
        "state_code": "unknown",
        "state": "unknown",
        "city": "unknown",
        "postal_code": "unknown",
        "latitude": "unknown",
        "longitude": "unknown",
        "timezone": "unknown",
        "connection_type": "Corporate",
        "asn": 13335,
        "asn_organization": "CLOUDFLARENET",
        "isp": "Cloudflare",
        "organization": "Cloudflare",
        "ip_in_whitelist": "false",
        "ip_in_blacklist": "false",
        "ip_in_geoblock": "false",
        "discover_date": "2025-10-02 23:55:16",
        "threat": "unknown",
        "risk_level": "1"
    },
    {
        "ip": "165.25.3.0",
        "isocode": "US",
        "country": "United States",
        "state_code": "IL",
        "state": "Illinois",
        "city": "Chicago",
        "postal_code": "60602",
        "latitude": 41.8835,
        "longitude": -87.6305,
        "timezone": "America/Chicago",
        "connection_type": "unknown",
        "asn": 328109,
        "asn_organization": "City-of-Cape-Town-AS",
        "isp": "City-of-Cape-Town",
        "organization": "City-of-Cape-Town",
        "ip_in_whitelist": "false",
        "ip_in_blacklist": "false",
        "ip_in_geoblock": "false",
        "discover_date": "2025-10-02 23:55:17",
        "threat": "unknown",
        "risk_level": "1"
    },
    {
        "ip": "165.25.3.1",
        "isocode": "US",
        "country": "United States",
        "state_code": "IL",
        "state": "Illinois",
        "city": "Chicago",
        "postal_code": "60602",
        "latitude": 41.8835,
        "longitude": -87.6305,
        "timezone": "America/Chicago",
        "connection_type": "unknown",
        "asn": 328109,
        "asn_organization": "City-of-Cape-Town-AS",
        "isp": "City-of-Cape-Town",
        "organization": "City-of-Cape-Town",
        "ip_in_whitelist": "false",
        "ip_in_blacklist": "false",
        "ip_in_geoblock": "false",
        "discover_date": "2025-10-02 23:55:18",
        "threat": "unknown",
        "risk_level": "1"
    }
]

HTTP Request

POST https://api.fraudguard.io/api/v3/bulk_lookup

ThreatMap Render

The ThreatMap Render API generates an interactive world map for a set of IP addresses and hostnames using FraudGuard threat intelligence. The returned view and embed URLs can be opened without API credentials until they expire.

Plan Availability

Available today for all Professional, Business, and Enterprise users.

Create a ThreatMap

HTTP Request

POST https://api.fraudguard.io/api/v1/threatmap/render

Authentication

Uses standard HTTP Basic Authentication.

Request Body

Provide a JSON object with an ips array and optional rendering fields.

{
  "ips": ["1.20.97.181", "fraudguard.io", "212.102.51.14", "82.25.3.7"],
  "theme": "dark",
  "summary_panel": true,
  "ttl_seconds": 3600
}

Request Fields

Field Type Description
ips array Required. Between 1 and 1,000 IPv4 addresses, IPv6 addresses, and/or hostnames.
theme string Optional. light or dark; defaults to light.
summary_panel boolean Optional. Show the summary panel; defaults to false.
ttl_seconds integer Optional. Retention from 60 to 7,776,000 seconds; defaults to 86,400 and may be reduced by plan limits.

Limits

curl -X POST -u "username:password" \
https://api.fraudguard.io/api/v1/threatmap/render \
-H "Content-Type: application/json" \
-d '{
  "ips": ["1.20.97.181", "fraudguard.io", "212.102.51.14", "82.25.3.7"],
  "theme": "dark",
  "summary_panel": true,
  "ttl_seconds": 3600
}'

Example response:

{
    "threatmap_id": "tm_GENERATED_ID",
    "threatmap_url": "https://api.fraudguard.io/threatmap/tm_GENERATED_ID",
    "embed_url": "https://api.fraudguard.io/threatmap/tm_GENERATED_ID/embed",
    "expires_at": "2026-01-03T07:06:21+00:00",
    "requested_count": 4,
    "plotted_count": 4,
    "unmapped_count": 0,
    "options": {
        "theme": "dark",
        "summary_panel": true,
        "ttl_seconds": 3600
    },
    "summary": {
        "countries": 3,
        "top_threats": [
            {
                "threat": "unknown",
                "count": 2
            },
            {
                "threat": "anonymous_tracker",
                "count": 1
            },
            {
                "threat": "spam_tracker",
                "count": 1
            }
        ],
        "policy_counts": {
            "whitelisted": 0,
            "blacklisted": 0,
            "geoblocked": 0
        }
    }
}

Viewing the Map

Open the returned threatmap_url in any browser to view the interactive map.

Treat both returned URLs as bearer capabilities: anyone who has one can view the map until it expires. Use the shortest practical TTL, do not publish the URL, and do not include sensitive or customer-only IP collections in a publicly embedded map.

Embedding the Map

Use the embed_url in an iframe.

<iframe
  src="https://api.fraudguard.io/threatmap/{THREATMAP_ID}/embed"
  width="100%"
  height="600"
  style="border:0"
  loading="lazy"
  referrerpolicy="no-referrer"
  allowfullscreen>
</iframe>

Get Custom Blacklist

This legacy endpoint returns up to 1,000 of the authenticated account's custom blacklist values, newest first, beginning at the requested zero-based offset. Values that are also present in the account's whitelist are omitted from this response.

curl -X GET -u "username:password" "https://api.fraudguard.io/blacklist/0"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/blacklist/0','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/blacklist/0', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/blacklist/0',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/blacklist/0';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/blacklist/0' -Headers $Headers

Example response:

[
  "52.36.72.37",
  "144.24.162.232",
  "166.13.138.114",
  "150.44.117.213",
  "51.27.12.17",
  "71.157.88.42"
]

HTTP Request

GET https://api.fraudguard.io/blacklist/<offset>

URL Parameters

Parameter Description
Offset Zero-based row offset. Each response contains at most 1,000 values, ordered newest first.

Get Custom Whitelist

This legacy endpoint returns up to 1,000 of the authenticated account's custom whitelist values, newest first, beginning at the requested zero-based offset.

curl -X GET -u "username:password" "https://api.fraudguard.io/whitelist/0"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/whitelist/0','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/whitelist/0', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/whitelist/0',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/whitelist/0';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/whitelist/0' -Headers $Headers

Example response:

[
  "4.55.39.206",
  "149.254.117.146",
  "29.99.253.192",
  "240.183.218.206",
  "51.27.12.17",
  "71.157.88.42"
]

HTTP Request

GET https://api.fraudguard.io/whitelist/<offset>

URL Parameters

Parameter Description
Offset Zero-based row offset. Each response contains at most 1,000 values, ordered newest first.

Get Custom GeoBlock

This API endpoint allows users to retrieve the list of IP ranges currently blocked based on their custom geoblocking settings. This feature enables users to enforce location-based access restrictions tailored to their specific security needs.

For users who prefer manual management, geoblocking settings can also be adjusted via the GeoControl page in the web app. This page provides an easy-to-navigate list of countries, allowing users to select regions to block directly, with the API reflecting these changes in real-time.

curl -X GET -u "username:password" "https://api.fraudguard.io/geoblock"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/geoblock','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/geoblock', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/geoblock',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/geoblock';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/geoblock' -Headers $Headers

Example response:

[
"24.51.64.0/18",
"24.206.0.0/19",
"24.231.32.0/19",
"64.66.0.0/20",
"64.150.192.0/18"
]

HTTP Request

GET https://api.fraudguard.io/geoblock?limit={limit}&offset={offset}

Query Parameters

Param Type Default Max Description
limit integer 1000 1000 Maximum number of country geoblock entries to return (each entry may expand into multiple IP ranges in the response).
offset integer 0 Skip the first N country geoblock entries (use for pagination).

Post to Custom Blacklist

This legacy endpoint adds IPv4 addresses or IPv4 CIDR ranges to the authenticated account's custom blacklist.

Blacklist entries are account-specific and are never shared with other customers.

Submit a JSON array of individual IPv4 addresses or IPv4 CIDRs. CIDRs expand to individual addresses, including network and broadcast addresses. Inputs are de-duplicated, and processing stops after 10,000 expanded targets; any remaining targets are silently ignored. Invalid values and IPv6 inputs are skipped by this legacy endpoint.

curl -X POST -u "username:password" "https://api.fraudguard.io/blacklist"
require 'net/http'
require 'net/https'

def post_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts post_ip('api.fraudguard.io','/blacklist','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.post('https://api.fraudguard.io/blacklist', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/blacklist',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.post(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/blacklist';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/blacklist' -Headers $Headers

Example request body:

[
"33.204.31.152",
"22.138.235.67",
"8.8.7.0/24",
"21.10.48.57",
"35.0.177.190"
]

Example response:

{
  "deleted": 0,
  "inserted": 260,
  "errors": 0
}

The example contains four individual addresses plus one /24, which expands to 256 addresses. inserted is the number of unique expanded targets written or refreshed, not necessarily the number of previously absent rows. The legacy errors counter does not report skipped per-item validation failures.

HTTP Request

POST https://api.fraudguard.io/blacklist

Post to Custom Whitelist

This legacy endpoint adds IPv4 addresses or IPv4 CIDR ranges to the authenticated account's custom whitelist.

Entries are account-specific and never shared with other customers. Use whitelisting for trusted infrastructure that must bypass account policy, and review entries regularly to avoid creating a permanent bypass.

Submit a JSON array of individual IPv4 addresses or IPv4 CIDRs. CIDRs expand to individual addresses, including network and broadcast addresses. Inputs are de-duplicated, and processing stops after 10,000 expanded targets; any remaining targets are silently ignored. Invalid values and IPv6 inputs are skipped by this legacy endpoint.

curl -X POST -u "username:password" "https://api.fraudguard.io/whitelist"
require 'net/http'
require 'net/https'

def post_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts post_ip('api.fraudguard.io','/whitelist','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.post('https://api.fraudguard.io/whitelist', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/whitelist',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.post(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/whitelist';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/whitelist' -Headers $Headers

Example request body:

[
"33.204.31.152",
"22.138.235.67",
"8.8.7.0/24",
"21.10.48.57",
"35.0.177.190"
]

Example response:

{
  "deleted": 0,
  "inserted": 260,
  "errors": 0
}

The example contains four individual addresses plus one /24, which expands to 256 addresses. inserted is the number of unique expanded targets written or refreshed, not necessarily the number of previously absent rows. The legacy errors counter does not report skipped per-item validation failures.

HTTP Request

POST https://api.fraudguard.io/whitelist

Delete from Custom Blacklist

This legacy endpoint removes exact IPv4 values from the authenticated account's custom blacklist. It does not expand CIDRs, so delete expanded addresses individually or use the v2 endpoint for CIDR-aware operations.

curl -X DELETE -u "username:password" "https://api.fraudguard.io/blacklist"
require 'net/http'
require 'net/https'

def delete_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Delete.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts delete_ip('api.fraudguard.io','/blacklist','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.delete('https://api.fraudguard.io/blacklist', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/blacklist',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.delete(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/blacklist';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, DELETE);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/blacklist' -Headers $Headers

Example request body:

[
"33.204.31.152",
"22.138.235.67",
"24.51.147.29",
"21.10.48.57",
"35.0.177.190"
]

Example response:

{
  "deleted": 5,
  "inserted": 0,
  "errors": 0
}

deleted is the number of submitted targets processed, not the number of rows that existed or were actually removed. A missing address is still included in this legacy counter.

HTTP Request

DELETE https://api.fraudguard.io/blacklist

Delete from Custom Whitelist

This legacy endpoint removes exact IPv4 values from the authenticated account's custom whitelist. It does not expand CIDRs, so delete expanded addresses individually or use the v2 endpoint for CIDR-aware operations.

curl -X DELETE -u "username:password" "https://api.fraudguard.io/whitelist"
require 'net/http'
require 'net/https'

def delete_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Delete.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts delete_ip('api.fraudguard.io','/whitelist','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.delete('https://api.fraudguard.io/whitelist', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/whitelist',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.delete(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/whitelist';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, DELETE);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/whitelist' -Headers $Headers

Example request body:

[
"33.204.31.152",
"22.138.235.67",
"24.51.147.29",
"21.10.48.57",
"35.0.177.190"
]

Example response:

{
  "deleted": 5,
  "inserted": 0,
  "errors": 0
}

deleted is the number of submitted targets processed, not the number of rows that existed or were actually removed. A missing address is still included in this legacy counter.

HTTP Request

DELETE https://api.fraudguard.io/whitelist

Get User History

User History records account access context so you can investigate location, device, and geographic changes. Use a stable, non-sensitive internal user identifier; do not send an email address, name, or other directly identifying value.

This API retrieves the most recent access event for a specified user, providing insights into location, device, and security recommendations.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/v1/user-history/<user_id>"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/v1/user-history/<user_id>','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/v1/user-history/<user_id>', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/v1/user-history/<user_id>',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/v1/user-history/<user_id>';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v1/user-history/<user_id>' -Headers $Headers

Example response:

{
  "user_id": "user_example_001",
  "last_activity": {
    "ip": "203.0.113.25",
    "city": "Tokyo",
    "country": "Japan",
    "timestamp": "2024-11-14 03:53:25",
    "user_agent": "Mozilla/5.0 ... Chrome/124.0 Safari/537.36",
    "recommendation": {
      "action": "Challenge",
      "reason": "New Device"
    }
  }
}

last_activity is the newest stored event for the requested user. For an unknown user, do not assume its fields are populated; treat missing or null activity values as no stored record.

HTTP Request

GET https://api.fraudguard.io/api/v1/user-history/<user_id>

URL Parameters

Parameter Description
user_id Identifier for the user whose most recent activity is being retrieved.

Get User History List

User History records account access context so you can investigate location, device, and geographic changes. Use a stable, non-sensitive internal user identifier; do not send an email address, name, or other directly identifying value.

This API retrieves the full (last 100 events) history of access events for a specific user, useful for auditing and identifying patterns over time.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/v1/user-history/list/<user_id>"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/v1/user-history/list/<user_id>','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/v1/user-history/list/<user_id>', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/v1/user-history/list/<user_id>',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/v1/user-history/list/<user_id>';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v1/user-history/list/<user_id>' -Headers $Headers

Example response:

{
    "user_id": "user_example_001",
    "user_history": [
        {
            "ip": "203.0.113.25",
            "city": "Tokyo",
            "country": "Japan",
            "user_agent": "Mozilla/5.0 ... Chrome/84.0.4280.85 Safari/537.36",
            "timestamp": "2024-11-14 03:53:25",
            "recommendation": {
                "action": "Challenge",
                "reason": "New Device"
            }
        },
        {
            "ip": "198.51.100.40",
            "city": "New Taipei",
            "country": "Taiwan",
            "user_agent": "Mozilla/5.0 ... Chrome/87.0.4280.85 Safari/537.36",
            "timestamp": "2024-11-14 03:49:59",
            "recommendation": {
                "action": "Block",
                "reason": "Bad IP Reputation"
            }
        }
    ]
}

HTTP Request

GET https://api.fraudguard.io/api/v1/user-history/list/<user_id>

URL Parameters

Parameter Description
user_id Identifier for the user whose newest 100 stored events are being retrieved.

Post User History Check

User History records account access context so you can investigate location, device, and geographic changes. Use a stable, non-sensitive internal user identifier; do not send an email address, name, or other directly identifying value.

This endpoint records an access event and returns location context plus an advisory recommendation. ip and user_agent are required. user_id is optional; when omitted, FraudGuard generates a 32-character identifier and returns it for use on later calls.

Capture the source IP from a trusted reverse proxy, load balancer, or server connection and the user agent from the actual request. Do not accept either value from an untrusted browser field. Treat the recommendation as one signal in your authentication policy, not as a standalone authorization decision.

Field Required Type Description
user_id No string Stable, non-sensitive identifier used to correlate this user's events.
ip Yes string Valid source IPv4 or IPv6 address observed by your trusted application edge.
user_agent Yes string User-Agent value observed on the access request.

IP addresses, user agents, and stable identifiers can be personal data. Restrict access to these endpoints, set an appropriate retention policy, and disclose the processing required by your application and jurisdiction.

curl -X POST -u "username:password" "https://api.fraudguard.io/api/v1/user-history/check" -d '{"user_id":"user_example_001","ip":"203.0.113.25","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}'
require 'net/http'
require 'net/https'

def post_ip(server,path,username,password)
body = '{"user_id":"user_example_001","ip":"203.0.113.25","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end

puts post_ip('api.fraudguard.io','/api/v1/user-history/check','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '{"user_id":"user_example_001","ip":"203.0.113.25","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}'
ip=requests.post('https://api.fraudguard.io/api/v1/user-history/check', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');

const querystring = require('querystring');
const https = require('https');


const data = '{"user_id":"user_example_001","ip":"203.0.113.25","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}';

var options = {
  hostname: "api.fraudguard.io",
  port: 443,
  path: '/api/v1/user-history/check',
  method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'Authorization': auth,
        'Content-Length': data.length
    }
};

var req = https.request(options, (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  res.on('data', (d) => {
    process.stdout.write(d);
  });
});

req.on('error', (e) => {
  console.error(e);
});

req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '{"user_id":"user_example_001","ip":"203.0.113.25","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}';
$url = 'https://api.fraudguard.io/api/v1/user-history/check';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

$body = @'
'{"user_id":"user_example_001","ip":"203.0.113.25","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}'
'@

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v1/user-history/check' -Headers $Headers -Method Post -Body $body

Example request body:

{
  "user_id": "user_example_001",
  "ip": "203.0.113.25",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4280.85 Safari/537.36"
}

Example response:

{
  "user_id": "user_example_001",
  "ip": "203.0.113.25",
  "city": "Tokyo",
  "country": "Japan",
  "timestamp": "2024-11-14 03:53:25",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4280.85 Safari/537.36",
  "recommendation": {
    "action": "Challenge",
    "reason": "New Device"
  }
}

HTTP Request

POST https://api.fraudguard.io/api/v1/user-history/check

Get API Analytics

Returns API usage and activity for the authenticated account over the previous 30 days.

Response Fields

Totals

Top APIs

Geographic Overview

Daily Breakdown

Notes for Developers

  1. Scope:
    • It aggregates data from the past 30 days only.
  2. Reporting Window:
    • This endpoint returns activity from the previous 30 days. It does not expose older records.
  3. Usage Insights:
    • Use this data to monitor API usage patterns, geographic trends, and flagged activity.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/analytics"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/analytics','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/analytics', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/analytics',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/analytics';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/analytics' -Headers $Headers

Example response:

{
    "status": "success",
    "analytics": {
        "totals": {
            "total_requests": 108,
            "blacklisted_count": 2,
            "whitelisted_count": 1,
            "geoblocked_count": 2,
            "risk_level_distribution": {
                "1": 19,
                "2": 2,
                "3": 8,
                "4": 1,
                "5": 1
            },
            "threat_distribution": {
                "anonymous_tracker": 8,
                "botnet_tracker": 3,
                "honeypot_tracker": 1,
                "abuse_tracker": 2,
                "spam_tracker": 1
            }
        },
        "top_apis": [
            {
                "api_name": "Rate Limit Enforce",
                "request_count": "19"
            },
            {
                "api_name": "Get API Analytics",
                "request_count": "16"
            },
            {
                "api_name": "Get Specific IP Reputation v4",
                "request_count": "10"
            },
            {
                "api_name": "Get Specific IP Reputation v5",
                "request_count": "8"
            }
        ],
        "geographic_overview": [
            {
                "country": "Italy",
                "request_count": "10"
            },
            {
                "country": "United States",
                "request_count": "8"
            },
            {
                "country": "Ukraine",
                "request_count": "3"
            },
            {
                "country": "Russia",
                "request_count": "3"
            },
            {
                "country": "Uruguay",
                "request_count": "2"
            }
        ],
        "daily_breakdown": [
            {
                "day": "2024-12-03",
                "total_requests": "108"
            }
        ]
    }
}

HTTP Request

GET https://api.fraudguard.io/api/analytics

Get IP History v1

Returns the last 1,000 IP addresses associated with a risk level (2 through 5) or account policy type (geoblock, whitelist, or blacklist). Results preserve duplicates and reflect the authenticated account's lookup history.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/v1/ip-history/5"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/v1/ip-history/5','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/v1/ip-history/5', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/v1/ip-history/5',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/v1/ip-history/5';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v1/ip-history/5' -Headers $Headers

Example response:

{
    "type": "5",
    "data": [
        "46.148.112.138",
        "34.75.145.155",
        "5.188.11.2",
        "5.188.11.2",
        "14.29.254.1",
        "89.248.163.2",
        "89.248.163.22",
        "1.93.47.149",
        "1.93.47.149",
        "46.148.112.0"
    ]
}

HTTP Request

GET https://api.fraudguard.io/api/v1/ip-history/<type>

URL Parameters

Parameter Description
Type Risk level 2 through 5, or geoblock, whitelist, or blacklist.

Rate Limit Rule Creation

This API creates a new rate limit rule for the authenticated user.

Request Fields and Current Semantics

Field Required Description
identifier Yes Non-empty rule name. It must be unique within the authenticated account.
limit Yes Positive JSON integer representing the allowed units in the window.
interval_type Yes Send rolling. The create endpoint also accepts calendar, but current enforcement treats both values as rolling windows.
interval_value Yes Positive integer followed by s, m, h, d, w, or y, such as 10s, 15m, 2h, or 7d.
ip No Stored and returned as rule metadata. Current enforcement does not use this stored value; counters are scoped by the ip supplied to each enforce request.

Do not use the accepted mo suffix in production rules: current enforcement interprets a value such as 1mo as one minute. Use an unambiguous day value, such as 30d, until month handling is corrected.

curl -X POST -u "username:password" "https://api.fraudguard.io/api/rate-limits/rules" -d '{
    "identifier": "form_submission",
    "limit": 100,
    "interval_type": "rolling",
    "interval_value": "1m",
    "ip": ""
}'
require 'net/http'
require 'net/https'

def post_ip(server,path,username,password)
body = '{
    "identifier": "form_submission",
    "limit": 100,
    "interval_type": "rolling",
    "interval_value": "1m",
    "ip": ""
}'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end

puts post_ip('api.fraudguard.io','/api/rate-limits/rules','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '{
    "identifier": "form_submission",
    "limit": 100,
    "interval_type": "rolling",
    "interval_value": "1m",
    "ip": ""
}'
ip=requests.post('https://api.fraudguard.io/api/rate-limits/rules', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');

const querystring = require('querystring');
const https = require('https');


const data = '{
    "identifier": "form_submission",
    "limit": 100,
    "interval_type": "rolling",
    "interval_value": "1m",
    "ip": ""
}';

var options = {
  hostname: "api.fraudguard.io",
  port: 443,
  path: '/api/rate-limits/rules',
  method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'Authorization': auth,
        'Content-Length': data.length
    }
};

var req = https.request(options, (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  res.on('data', (d) => {
    process.stdout.write(d);
  });
});

req.on('error', (e) => {
  console.error(e);
});

req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '{
    "identifier": "form_submission",
    "limit": 100,
    "interval_type": "rolling",
    "interval_value": "1m",
    "ip": ""
}';
$url = 'https://api.fraudguard.io/api/rate-limits/rules';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

$body = @'
'{
    "identifier": "form_submission",
    "limit": 100,
    "interval_type": "rolling",
    "interval_value": "1m",
    "ip": ""
}'
'@

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/rate-limits/rules' -Headers $Headers -Method Post -Body $body

Example request body:

{
    "identifier": "form_submission",
    "limit": 100,
    "interval_type": "rolling",
    "interval_value": "1m",
    "ip": ""
}

Successful response:

{
    "status": "success",
    "message": "Rate limit rule created successfully."
}

HTTP Request

POST https://api.fraudguard.io/api/rate-limits/rules

Rate Limit Enforce

This API evaluates one identifier and source IP against a stored rule. Your application calls it before the protected action and must enforce the returned decision itself.

Request and Decision Semantics

Field Required Description
identifier Yes Existing rule identifier owned by the authenticated account.
ip Yes Valid IPv4 or IPv6 address. Each identifier/IP pair has its own rolling counter, regardless of the rule's stored ip metadata.
units No Numeric work units to consume. Values are converted to an integer with a minimum of 1; default 1.

The endpoint returns HTTP 200 for allowed, blocked, and application-level error results. Always inspect the JSON status before allowing the protected action. If status is blocked, deny or defer the action and use retry_after for the next attempt. If status is error, fail according to your own security policy rather than treating the request as allowed.

retry_after is measured from the start of the active block and is returned as a compact value such as 58s, 2m, or 1h. Repeated blocked checks do not restart the timer.

curl -X POST -u "username:password" "https://api.fraudguard.io/api/rate-limits/enforce" -d '{
    "identifier": "form_submission",
    "ip": "99.23.5.3",
    "units": 5
}'
require 'net/http'
require 'net/https'

def post_ip(server,path,username,password)
body = '{
    "identifier": "form_submission",
    "ip": "99.23.5.3",
    "units": 5
}'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end

puts post_ip('api.fraudguard.io','/api/rate-limits/enforce','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '{
    "identifier": "form_submission",
    "ip": "99.23.5.3",
    "units": 5
}'
ip=requests.post('https://api.fraudguard.io/api/rate-limits/enforce', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');

const querystring = require('querystring');
const https = require('https');


const data = '{
    "identifier": "form_submission",
    "ip": "99.23.5.3",
    "units": 5
}';

var options = {
  hostname: "api.fraudguard.io",
  port: 443,
  path: '/api/rate-limits/enforce',
  method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'Authorization': auth,
        'Content-Length': data.length
    }
};

var req = https.request(options, (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  res.on('data', (d) => {
    process.stdout.write(d);
  });
});

req.on('error', (e) => {
  console.error(e);
});

req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '{
    "identifier": "form_submission",
    "ip": "99.23.5.3",
    "units": 5
}';
$url = 'https://api.fraudguard.io/api/rate-limits/enforce';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

$body = @'
'{
    "identifier": "form_submission",
    "ip": "99.23.5.3",
    "units": 5
}'
'@

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/rate-limits/enforce' -Headers $Headers -Method Post -Body $body

Example request body:

{
    "identifier": "form_submission",
    "ip": "99.23.5.3",
    "units": 5
}

Allowed response:

The remaining value reflects the remaining units after deducting the requested units.

{
    "status": "allowed",
    "remaining": 95,
    "message": "Request allowed."
}

Blocked response:

{
    "status": "blocked",
    "retry_after": "58s",
    "message": "Rate limit exceeded. Please try again later."
}

HTTP Request

POST https://api.fraudguard.io/api/rate-limits/enforce

Rate Limit Rules Retrieve All

Returns every rate-limit rule owned by the authenticated account.

Details About Retrieved Rules

The /api/rate-limits/rules endpoint returns all rate limit rules for the authenticated user.

Each Rule Contains:

Usage Notes

curl -X GET -u "username:password" "https://api.fraudguard.io/api/rate-limits/rules"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/rate-limits/rules','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/rate-limits/rules', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/rate-limits/rules',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/rate-limits/rules';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/rate-limits/rules' -Headers $Headers

Example response:

{
    "status": "success",
    "data": [
        {
            "id": 1,
            "identifier": "form_submission",
            "limit": 100,
            "interval_type": "rolling",
            "interval_value": "1m",
            "ip": "99.23.5.3"
        }
    ]
}

HTTP Request

GET https://api.fraudguard.io/api/rate-limits/rules

Rate Limits Analytics

Returns rate-limit usage and block analytics for the authenticated account.

Analytics for Rate Limits

The /api/rate-limits/analytics endpoint provides usage data for rate limits, including:

  1. Total Blocks:

    • The total number of times requests were blocked due to exceeding rate limits.
  2. Most Blocked Rules:

    • The rules with the highest block counts.
  3. Recent Block Activity:

    • The last time each rule was blocked, sorted by recency.
  4. Top Blocked IPs:

    • The IP addresses that triggered the most blocks.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/rate-limits/analytics"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/rate-limits/analytics','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/rate-limits/analytics', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/rate-limits/analytics',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/rate-limits/analytics';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/rate-limits/analytics' -Headers $Headers

Example response:

{
    "status": "success",
    "data": {
        "total_blocks": 25,
        "most_blocked_rules": [
            {
                "identifier": "form_submission",
                "block_count": 10
            }
        ],
        "recent_blocks": [
            {
                "identifier": "login_attempts",
                "last_block": "2024-11-28 20:45:12"
            }
        ],
        "top_blocked_ips": [
            {
                "ip": "99.23.5.3",
                "block_count": 15
            }
        ]
    }
}

HTTP Request

GET https://api.fraudguard.io/api/rate-limits/analytics

Rate Limit Rule Delete

This API endpoint deletes a specific rate limit rule for the authenticated user.

Usage Notes

  1. Scope:

    • Attempting to delete a rule that does not exist or belongs to another user will result in a 404 Not Found error.
  2. Related State:

    • Deleting the rule removes the rule record only. Existing usage, block, and analytics records are not deleted by this endpoint.
curl -X DELETE -u "username:password" "https://api.fraudguard.io/api/rate-limits/rules/form_submission"
require 'net/http'
require 'net/https'

def delete_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Delete.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts delete_ip('api.fraudguard.io','/api/rate-limits/rules/form_submission','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.delete('https://api.fraudguard.io/api/rate-limits/rules/form_submission', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/rate-limits/rules/form_submission',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.delete(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/rate-limits/rules/form_submission';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, DELETE);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/rate-limits/rules/form_submission' -Headers $Headers -Method Delete

Successful response:

{
    "status": "success",
    "message": "Rate limit rule deleted successfully."
}

Error response:

{
    "status": "error",
    "message": "Rate limit rule not found or does not belong to the current user."
}

HTTP Request

DELETE https://api.fraudguard.io/api/rate-limits/rules/{identifier}

ThreatWatch Add Monitored IP

This API adds an individual IP address to the ThreatWatch watchlist.

Usage Notes

curl -X POST -u "username:password" "https://api.fraudguard.io/api/threatwatch/add" -d '{
    "ip": "88.25.3.1"
}'
require 'net/http'
require 'net/https'

def post_ip(server,path,username,password)
body = '{
    "ip": "88.25.3.1"
}'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end

puts post_ip('api.fraudguard.io','/api/threatwatch/add','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '{
    "ip": "88.25.3.1"
}'
ip=requests.post('https://api.fraudguard.io/api/threatwatch/add', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');

const querystring = require('querystring');
const https = require('https');


const data = '{
    "ip": "88.25.3.1"
}';

var options = {
  hostname: "api.fraudguard.io",
  port: 443,
  path: '/api/threatwatch/add',
  method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'Authorization': auth,
        'Content-Length': data.length
    }
};

var req = https.request(options, (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  res.on('data', (d) => {
    process.stdout.write(d);
  });
});

req.on('error', (e) => {
  console.error(e);
});

req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '{
    "ip": "88.25.3.1"
}';
$url = 'https://api.fraudguard.io/api/threatwatch/add';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

$body = @'
'{
    "ip": "88.25.3.1"
}'
'@

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/threatwatch/add' -Headers $Headers -Method Post -Body $body

Example request body:

{
    "ip": "88.25.3.1"
}

Successful response:

{
    "status": "success",
    "message": "IP added to watchlist."
}

HTTP Request

POST https://api.fraudguard.io/api/threatwatch/add

ThreatWatch Delete Monitored IP

This API endpoint deletes a monitored IP address from the ThreatWatch watchlist.

Usage Notes

curl -X DELETE -u "username:password" "https://api.fraudguard.io/api/threatwatch/delete" -d '{
    "ip": "88.25.3.1"
}'
require 'net/http'
require 'net/https'

def delete_ip(server,path,username,password)
body = '{
    "ip": "88.25.3.1"
}'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Delete.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end

puts delete_ip('api.fraudguard.io','/api/threatwatch/delete','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '{
    "ip": "88.25.3.1"
}'
ip=requests.delete('https://api.fraudguard.io/api/threatwatch/delete', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');

const querystring = require('querystring');
const https = require('https');


const data = '{
    "ip": "88.25.3.1"
}';

var options = {
  hostname: "api.fraudguard.io",
  port: 443,
  path: '/api/threatwatch/delete',
  method: 'DELETE',
    headers: {
        'Content-Type': 'application/json',
        'Authorization': auth,
        'Content-Length': data.length
    }
};

var req = https.request(options, (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  res.on('data', (d) => {
    process.stdout.write(d);
  });
});

req.on('error', (e) => {
  console.error(e);
});

req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '{
    "ip": "88.25.3.1"
}';
$url = 'https://api.fraudguard.io/api/threatwatch/delete';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'DELETE');
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

$body = @'
'{
    "ip": "88.25.3.1"
}'
'@

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/threatwatch/delete' -Headers $Headers -Method Delete -Body $body

Example request body:

{
    "ip": "88.25.3.1"
}

Successful response:

{
    "status": "success",
    "message": "IP removed from watchlist."
}

HTTP Request

DELETE https://api.fraudguard.io/api/threatwatch/delete

ThreatWatch List All Monitored IPs

Returns every IP currently monitored by ThreatWatch for the authenticated account.

Usage Notes

curl -X GET -u "username:password" "https://api.fraudguard.io/api/threatwatch/list"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/threatwatch/list','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/threatwatch/list', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/threatwatch/list',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/threatwatch/list';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/threatwatch/list' -Headers $Headers

Example response:

{
    "status": "success",
    "monitored_ips": [
        {
            "ip": "12.65.23.1",
            "created_at": "2024-11-30 10:00:00",
            "updated_at": "2024-11-30 12:00:00"
        },
        {
            "ip": "99.2.23.5",
            "created_at": "2024-11-29 14:00:00",
            "updated_at": "2024-11-30 11:00:00"
        }
    ]
}

HTTP Request

GET https://api.fraudguard.io/api/threatwatch/list

ThreatWatch Analytics

Returns ThreatWatch activity summaries, including threat, risk, and geographic patterns for monitored IPs.

Usage Notes

curl -X GET -u "username:password" "https://api.fraudguard.io/api/threatwatch/analytics"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/threatwatch/analytics','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/threatwatch/analytics', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/threatwatch/analytics',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/threatwatch/analytics';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/threatwatch/analytics' -Headers $Headers

Example response:

{
    "status": "success",
    "analytics": {
        "total_monitored_ips": 150,
        "matched_threats": 320,
        "most_active_threats": [
            {
                "ip": "88.25.3.1",
                "threat_count": 25,
                "most_recent_threat": "spam_tracker"
            },
            {
                "ip": "25.3.1.1",
                "threat_count": 18,
                "most_recent_threat": "botnet_tracker"
            }
        ],
        "top_threat_categories": [
            {"threat": "abuse_tracker", "count": 40},
            {"threat": "spam_tracker", "count": 30},
            {"threat": "anonymous_tracker", "count": 22}
        ],
        "geographic_overview": [
            {"country": "United States", "count": 35},
            {"country": "Russia", "count": 25},
            {"country": "China", "count": 15}
        ],
        "recent_activity": [
            {
                "ip": "72.22.51.3",
                "threat": "abuse_tracker",
                "risk": 4,
                "timestamp": "2024-11-30 12:34:56"
            },
            {
                "ip": "98.2.3.2",
                "threat": "spam_tracker",
                "risk": 3,
                "timestamp": "2024-11-30 12:31:15"
            }
        ]
    }
}

most_recent_threat is the category value returned by the current aggregate. It is not guaranteed to be the chronologically newest category; use recent_activity when event order matters.

HTTP Request

GET https://api.fraudguard.io/api/threatwatch/analytics

Raw IP Lists by Risk

This API endpoint returns raw IP address lists direct from the FraudGuard.io attack correlation engine by risk level. This dataset is very dynamic and changes constantly.

curl -X GET -u "username:password" "https://api.fraudguard.io/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false' -Headers $Headers

Example response:

[
    "87.246.7.0",
    "185.180.143.146",
    "94.102.61.0",
    "91.191.209.0",
    "5.188.206.0"
]

HTTP Request

GET https://api.fraudguard.io/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false

URL Parameters

Parameter Description
Risk Level Integer from 1 (lowest) to 5 (highest).
Offset Offset for Pagination
CIDR true/false for enabling/disabling CIDR notation in JSON Response
IPv4 true/false for enabling/disabling support for IPv4 addresses
IPv6 true/false for enabling/disabling support for IPv6 addresses
Limit Limit for retrieving IP data within the request. We allow values between 1-1000. We share current API total count of results via X-Total-Count response header.

Raw IP Lists by Threat

This API endpoint returns raw IP address lists direct from the FraudGuard.io attack correlation engine by threat type. This dataset is very dynamic and changes constantly.

curl -X GET -u "username:password" "https://api.fraudguard.io/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false' -Headers $Headers

Example response:

[
    "5.188.210.93",
    "199.167.138.22",
    "5.188.210.21",
    "185.220.101.23",
    "185.220.101.21"
]

HTTP Request

GET https://api.fraudguard.io/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false

URL Parameters

Parameter Description
Threat Type Legacy tracker name such as abuse_tracker, anonymous_tracker, botnet_tracker, honeypot_tracker, spam_tracker, or vpn_tracker.
Offset Offset for Pagination
CIDR true/false for enabling/disabling CIDR notation in JSON response
IPv4 true/false for enabling/disabling support for IPv4 addresses
IPv6 true/false for enabling/disabling support for IPv6 addresses
Limit Limit for retrieving IP data within the request. We allow values between 1-1000. We share current API total count of results via X-Total-Count response header.

Advanced Threat Lookup

Searches the ACE dataset with multiple intelligence and network filters for investigation, enrichment, and list building.

Customers can filter results by ASN, ASN Organization, ISP, organization, country, ISO country code, connection type, threat classification, and risk level to analyze and investigate potential threats with precision.

The dataset changes as FraudGuard intelligence and enrichment are updated. Fuzzy search and multi-parameter filtering help customers build targeted investigation and enrichment queries.

curl -X GET -u "username:password" "https://api.fraudguard.io/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5' -Headers $Headers

Example response:

{
    "total_results": 521,
    "data": [
        {
            "id": "18744",
            "ip": "5.252.176.20",
            "threat": "honeypot_tracker",
            "risk": "5",
            "asn": "39798",
            "asn_organization": "MivoCloud SRL",
            "isp": "MivoCloud SRL",
            "organization": "MivoCloud SRL",
            "isocode": "RU",
            "country": "Russia",
            "connection_type": "Corporate"
        }
    ]
}

HTTP Request

GET https://api.fraudguard.io/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5

URL Parameters

Parameter Description
ASN (asn) Accepts one or multiple Autonomous System Number (comma-separated).
ASN Organization (asn_organization) Accepts a single ASN organization name (fuzzy search supported).
ISP (isp) Search by internet service provider. Accepts a single ISP name (fuzzy search supported).
Organization (organization) Match a company or entity operating the IPs. Accepts a single organization name (fuzzy search supported).
Country (country) Search by country names (fuzzy search supported).
ISO Code (isocode) Accepts one or multiple two-letter country codes (comma-separated).
Connection Type (connection_type) Accepts one or multiple connection types (comma-separated).
Threat Type (threat) One or more comma-separated legacy threat classifications.
Risk Level (risk) One or more comma-separated risk levels from 1 (lowest) to 5 (highest).
Limit (limit) Accepts a single integer to define the number of results (1-1000).
Offset (offset) Accepts a single integer to paginate through results.

LogGuard AI – Top Attackers

Returns the most active and high-risk IPs in the authenticated account's enriched LogGuard dataset, ranked by frequency.

This dataset helps security teams quickly pinpoint recurring threats, update blacklists, tune WAF/firewall rules, and take automated actions based on severity and behavior.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/logguard/top-attackers?limit=2"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/logguard/top-attackers?limit=2','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/logguard/top-attackers?limit=2', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/logguard/top-attackers?limit=2',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/logguard/top-attackers?limit=2';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/logguard/top-attackers?limit=2' -Headers $Headers

Example response:

[
  {
    "ip": "103.121.39.54",
    "attack_count": "19236",
    "threat": "honeypot_tracker",
    "asn_organization": "Digital Dot Net DDN",
    "isp": "Digital Dot Net DDN",
    "organization": "Digital Dot Net DDN",
    "connection_type": "Cable/DSL",
    "country": "Bangladesh",
    "last_seen": "2025-03-18 16:15:35"
  },
  {
    "ip": "164.92.75.90",
    "attack_count": "635",
    "threat": "honeypot_tracker",
    "asn_organization": "unknown",
    "isp": "unknown",
    "organization": "unknown",
    "connection_type": "unknown",
    "country": "United States",
    "last_seen": "2025-03-18 16:13:39"
  }
]

HTTP Request

GET https://api.fraudguard.io/api/logguard/top-attackers?limit=2

URL Parameters

Parameter Description
Limit (limit) Accepts a single integer to define the number of results (1-1000).
Offset (offset) Accepts a single integer to paginate through results.

Response Fields

Field Description
IP (ip) Source IP address.
Attack Count (attack_count) Number of matching attack records, returned as a numeric string.
Threat (threat) Current FraudGuard legacy threat classification.
ASN Organization (asn_organization) Organization associated with the autonomous system.
ISP (isp) Internet service provider associated with the IP.
Organization (organization) Organization associated with the IP.
Connection Type (connection_type) Network connection category.
Country (country) Country associated with the IP.
Last Seen (last_seen) Most recent matching LogGuard timestamp.

LogGuard AI – Recent Attacks

Returns the most recent LogGuard entries flagged as attacks, including the matched pattern, source IP context, and threat classification.

This data is ideal for real-time alerting, incident response, or security dashboards where visibility into the most current attacker activity is essential.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/logguard/recent?limit=2"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/logguard/recent?limit=2','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/logguard/recent?limit=2', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/logguard/recent?limit=2',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/logguard/recent?limit=2';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/logguard/recent?limit=2' -Headers $Headers

Example response:

[
    {
        "id": "27409",
        "file_name": "access.log.6",
        "log_entry": "179.43.188.122 - - [23/Nov/2024:05:02:37 +0000] \"GET /laravel/.env HTTP/1.1\" 403 177 \"-\" \"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\"",
        "attack_type": "web_recon",
        "matched_pattern": "Recon Path Match",
        "ip": "179.43.188.122",
        "threat": "honeypot_tracker",
        "created_at": "2025-03-18 16:21:19"
    },
    {
        "id": "27407",
        "file_name": "access.log.6",
        "log_entry": "179.43.188.122 - - [23/Nov/2024:05:02:37 +0000] \"GET /core/.env HTTP/1.1\" 403 177 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.41\"",
        "attack_type": "web_recon",
        "matched_pattern": "Recon Path Match",
        "ip": "179.43.188.122",
        "threat": "honeypot_tracker",
        "created_at": "2025-03-18 16:21:19"
    }
]

HTTP Request

GET https://api.fraudguard.io/api/logguard/recent?limit=2

URL Parameters

Parameter Description
Limit (limit) Accepts a single integer to define the number of results (1-1000).
Offset (offset) Accepts a single integer to paginate through results.

Response Fields

Field Description
ID (id) Unique identifier for the log record.
File Name (file_name) Name of the original log file where the attack was detected.
Log Entry (log_entry) Full raw log line associated with the attack.
Attack Type (attack_type) High-level classification of the attack (e.g., web_recon, credential_stuffing).
Matched Pattern (matched_pattern) The rule or pattern that triggered the detection (e.g., Recon Path Match).
IP (ip) IP address of the source of the attack.
Threat (threat) FraudGuard.io threat classification for this IP (e.g., honeypot_tracker).
Created At (created_at) Timestamp when this attack was recorded. Format: YYYY-MM-DD HH:MM:SS.

LogGuard AI – Attack Results Search

Searches enriched LogGuard data by URL path, file name, user agent, or other raw-log content for threat hunting and investigation.

The response includes full details about each match, including IP metadata, detection status, AI involvement, and threat classification.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/logguard/attack-results/search?limit=2&query=database"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/logguard/attack-results/search?limit=2&query=database','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/logguard/attack-results/search?limit=2&query=database', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/logguard/attack-results/search?limit=2&query=database',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/logguard/attack-results/search?limit=2&query=database';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/logguard/attack-results/search?limit=2&query=database' -Headers $Headers

Example response:

[
    {
        "id": "209",
        "file_name": "access.log",
        "log_entry": "103.121.39.54 - - [12/Feb/2025:09:02:04 +0000] \"GET /config/database.yml HTTP/1.1\" 301 162 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\"",
        "attack_type": "web_recon",
        "matched_pattern": "Recon Path Match",
        "ip": "103.121.39.54",
        "threat": "honeypot_tracker",
        "country": "Bangladesh",
        "asn_organization": "Digital Dot Net DDN",
        "isp": "Digital Dot Net DDN",
        "organization": "Digital Dot Net DDN",
        "blacklisted": "0",
        "geoblocked": "0",
        "send_to_ai": "1",
        "ai_confirmed": "1",
        "ai_feedback": null,
        "feedback_at": null,
        "created_at": "2025-03-18 16:12:28"
    },
    {
        "id": "234",
        "file_name": "access.log",
        "log_entry": "103.121.39.54 - - [12/Feb/2025:09:02:18 +0000] \"GET /config/database.php HTTP/1.1\" 301 162 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\"",
        "attack_type": "web_recon",
        "matched_pattern": "Recon Path Match",
        "ip": "103.121.39.54",
        "threat": "honeypot_tracker",
        "country": "Bangladesh",
        "asn_organization": "Digital Dot Net DDN",
        "isp": "Digital Dot Net DDN",
        "organization": "Digital Dot Net DDN",
        "blacklisted": "0",
        "geoblocked": "0",
        "send_to_ai": "1",
        "ai_confirmed": "1",
        "ai_feedback": null,
        "feedback_at": null,
        "created_at": "2025-03-18 16:12:28"
    }
]

HTTP Request

GET https://api.fraudguard.io/api/logguard/attack-results/search?limit=2&query=database

URL Parameters

Parameter Description
Query (query) A required string to search within raw log entries (fuzzy match).
Limit (limit) Accepts a single integer to define the number of results (1-1000).
Offset (offset) Accepts a single integer to paginate through results.

Response Fields

Field Description
ID (id) Unique identifier for the log record.
File Name (file_name) Name of the original log file where the match occurred.
Log Entry (log_entry) The full raw log line where a match was found.
Attack Type (attack_type) High-level classification of the attack (e.g., web_recon).
Matched Pattern (matched_pattern) The detection rule or string that triggered the alert.
IP (ip) The source IP address of the request.
Threat (threat) FraudGuard.io threat classification (e.g., honeypot_tracker).
Country (country) Geolocation of the IP address.
ASN Organization (asn_organization) Name of the ASN that owns the IP.
ISP (isp) Internet Service Provider for the IP address.
Organization (organization) Company or entity associated with the IP.
Blacklisted (blacklisted) 1 if the IP is currently blacklisted; otherwise 0.
Geoblocked (geoblocked) 1 if the country is geoblocked; otherwise 0.
Send to AI (send_to_ai) 1 if this log entry was sent to LogGuard AI for deeper analysis.
AI Confirmed (ai_confirmed) 1 if LogGuard AI confirmed this entry as malicious.
AI Feedback (ai_feedback) Manual user feedback on AI decision (if any).
Feedback At (feedback_at) Timestamp when feedback was submitted, if available.
Created At (created_at) Timestamp when this log entry was processed.

LogGuard AI – Attack Results

This API endpoint returns the most recent AI-flagged attack log entries detected across your infrastructure. It includes full raw log data, matched patterns, threat classification, and AI confirmation status—giving your team clear visibility into what LogGuard AI is catching in real time.

Unlike the search API, this endpoint does not require a query string and instead provides a raw feed of the most recent malicious or suspicious entries, sorted by detection time.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/logguard/attack-results?limit=2"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/logguard/attack-results?limit=2','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/logguard/attack-results?limit=2', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/logguard/attack-results?limit=2',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/logguard/attack-results?limit=2';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/logguard/attack-results?limit=2' -Headers $Headers

Example response:

[
    {
        "id": "1",
        "file_name": "access.log",
        "log_entry": "78.153.140.149 - - [12/Feb/2025:00:19:27 +0000] \"GET /.env HTTP/1.1\" 301 162 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.140 Safari/537.36\"",
        "attack_type": "web_recon",
        "matched_pattern": "Recon Path Match",
        "ip": "78.153.140.149",
        "threat": "unknown",
        "country": "Russia",
        "asn_organization": "LLC Melt-internet",
        "isp": "LLC Melt-internet",
        "organization": "LLC Melt-internet",
        "blacklisted": "0",
        "geoblocked": "1",
        "send_to_ai": "1",
        "ai_confirmed": "1",
        "ai_feedback": null,
        "feedback_at": null,
        "created_at": "2025-03-18 16:12:28"
    }
]

HTTP Request

GET https://api.fraudguard.io/api/logguard/attack-results?limit=2

URL Parameters

Parameter Description
Limit (limit) Accepts a single integer to define the number of results (1-1000).
Offset (offset) Accepts a single integer to paginate through results.

Response Fields

Field Description
ID (id) Unique identifier for the log record.
File Name (file_name) Name of the original log file where the match occurred.
Log Entry (log_entry) The full raw log line where a match was found.
Attack Type (attack_type) High-level classification of the attack (e.g., web_recon).
Matched Pattern (matched_pattern) The detection rule or string that triggered the alert.
IP (ip) The source IP address of the request.
Threat (threat) FraudGuard.io threat classification (e.g., honeypot_tracker).
Country (country) Geolocation of the IP address.
ASN Organization (asn_organization) Name of the ASN that owns the IP.
ISP (isp) Internet Service Provider for the IP address.
Organization (organization) Company or entity associated with the IP.
Blacklisted (blacklisted) 1 if the IP is currently blacklisted; otherwise 0.
Geoblocked (geoblocked) 1 if the country is geoblocked; otherwise 0.
Send to AI (send_to_ai) 1 if this log entry was sent to LogGuard AI for deeper analysis.
AI Confirmed (ai_confirmed) 1 if LogGuard AI confirmed this entry as malicious.
AI Feedback (ai_feedback) Manual user feedback on AI decision (if any).
Feedback At (feedback_at) Timestamp when feedback was submitted, if available.
Created At (created_at) Timestamp when this log entry was processed.

LogGuard AI – Attack Stats

Aggregates detected attack counts by classification across the authenticated account's enriched LogGuard data.

This endpoint is ideal for dashboards, analytics tools, or security reports where visualizing the breakdown of attack categories is valuable.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/logguard/attack-stats"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/logguard/attack-stats','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/logguard/attack-stats', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/logguard/attack-stats',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/logguard/attack-stats';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/logguard/attack-stats' -Headers $Headers

Example response:

[
  {
    "attack_type": "web_recon",
    "count": "15594"
  },
  {
    "attack_type": "unknown",
    "count": "11143"
  },
  {
    "attack_type": "malicious_user_agents",
    "count": "600"
  },
  {
    "attack_type": "path_traversal",
    "count": "15"
  },
  {
    "attack_type": "rce_attempts",
    "count": "10"
  },
  {
    "attack_type": "sql_injection",
    "count": "60"
  }
]

HTTP Request

GET https://api.fraudguard.io/api/logguard/attack-stats

URL Parameters

Parameter Type Default Max Description
limit integer 50 1000 Maximum number of classification rows to return.
offset integer 0 Number of rows to skip.

Response Fields

Field Description
Attack Type (attack_type) The category of the detected attack (e.g., web_recon, sql_injection, malicious_user_agents, etc.).
Count (count) The total number of log entries associated with this attack type.

LogGuard AI – Log Files

This API endpoint returns a list of log files uploaded and processed by LogGuard AI. It includes basic metadata such as the file name, file size in bytes, and upload timestamp.

Use this endpoint to audit ingestion activity, build dashboards, or verify which files have been successfully processed.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/logguard/log-files?limit=2"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/logguard/log-files?limit=2','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/logguard/log-files?limit=2', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/logguard/log-files?limit=2',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/logguard/log-files?limit=2';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/logguard/log-files?limit=2' -Headers $Headers

Example response:

[
  {
    "id": "1",
    "file_name": "access.log",
    "file_size": "1768697",
    "uploaded_at": "2025-03-18 16:11:42"
  },
  {
    "id": "2",
    "file_name": "access.log.1",
    "file_size": "221563",
    "uploaded_at": "2025-03-18 16:11:42"
  }
]

HTTP Request

GET https://api.fraudguard.io/api/logguard/log-files?limit=2

URL Parameters

Parameter Description
Limit (limit) Accepts a single integer to define the number of results (1-1000).
Offset (offset) Accepts a single integer to paginate through results.

Response Fields

Field Description
ID (id) Unique identifier for the uploaded log file.
File Name (file_name) Name of the uploaded log file.
File Size (file_size) Size of the file in bytes.
Uploaded At (uploaded_at) Timestamp of when the file was uploaded and processed.

Offline Threat Database SQLite

Downloads current FraudGuard threat intelligence as a gzipped SQLite database for local enforcement, enrichment, and analysis.

Use this endpoint to:

Terms and Limitations

By downloading the Offline Threat Database, you acknowledge and agree to the following:

Offline Threat Database Schema

Field Description
ID (id) Internal record ID.
IP Address (ip) IPv4 or IPv6 address.
Threat Classification (threat) Legacy classification such as abuse_tracker, anonymous_tracker, botnet_tracker, honeypot_tracker, spam_tracker, or vpn_tracker.
Risk Score (risk) Integer from 1 (lowest) to 5 (highest).
ASN (asn) Autonomous System Number.
ASN Organization (asn_organization) Name of the ASN organization.
ISP (isp) Internet Service Provider.
Organization (organization) Registered organization.
Country Code (isocode) ISO-3166 country code.
Country (country) Country name.
State / Region (state) State or region, if available.
City (city) City, if available.
Latitude (latitude) Geographic latitude.
Longitude (longitude) Geographic longitude.
Connection Type (connection_type) Connection type (e.g. Cable/DSL, Cellular, Corporate, Satellite, unknown).
Last Updated (updated_at) Timestamp of the last update (UTC).
curl -X GET -L -u "username:password" "https://api.fraudguard.io/v1/offline-db/sqlite" --output fg-database.sqlite.gz

Response: a gzipped SQLite database. Follow the 302 Found redirect to the short-lived signed HTTPS download URL.

Treat the redirect URL as a bearer credential: do not log, share, or place it in client-side code. Send Basic Authentication only to the initial FraudGuard endpoint; do not forward the Authorization header to the signed download host. Stream the response to a temporary file, require a successful HTTP response, and run gzip -t before decompression. Open the extracted database read-only and run SQLite integrity validation before use. Replace the active database atomically only after validation succeeds, and retain the previous known-good snapshot for rollback. Discard expired signed URLs and request the authenticated endpoint again; a 410 Gone response means a new snapshot link is not yet available.

HTTP Request

GET https://api.fraudguard.io/v1/offline-db/sqlite

Offline Threat Database CSV

Downloads current FraudGuard threat intelligence as a gzipped CSV file for local enforcement, enrichment, and analysis.

Use this endpoint to:

Terms and Limitations

By downloading the Offline Threat Database CSV file, you acknowledge and agree to the following:

Offline Threat Database Schema

Field Description
ID (id) Internal record ID.
IP Address (ip) IPv4 or IPv6 address.
Threat Classification (threat) Legacy classification such as abuse_tracker, anonymous_tracker, botnet_tracker, honeypot_tracker, spam_tracker, or vpn_tracker.
Risk Score (risk) Integer from 1 (lowest) to 5 (highest).
ASN (asn) Autonomous System Number.
ASN Organization (asn_organization) Name of the ASN organization.
ISP (isp) Internet Service Provider.
Organization (organization) Registered organization.
Country Code (isocode) ISO-3166 country code.
Country (country) Country name.
State / Region (state) State or region, if available.
City (city) City, if available.
Latitude (latitude) Geographic latitude.
Longitude (longitude) Geographic longitude.
Connection Type (connection_type) Connection type (e.g. Cable/DSL, Cellular, Corporate, Satellite, unknown).
Last Updated (updated_at) Timestamp of the last update (UTC).
curl -X GET -L -u "username:password" "https://api.fraudguard.io/v1/offline-db/csv" --output fg-database.csv.gz

Response: a gzipped CSV database. Follow the 302 Found redirect to the short-lived signed HTTPS download URL.

Treat the redirect URL as a bearer credential: do not log, share, or place it in client-side code. Send Basic Authentication only to the initial FraudGuard endpoint; do not forward the Authorization header to the signed download host. Stream the response to a temporary file, require a successful HTTP response, and run gzip -t before decompression. Validate the CSV header and expected column count before use, then replace the active file atomically. Retain the previous known-good snapshot for rollback. Discard expired signed URLs and request the authenticated endpoint again; a 410 Gone response means a new snapshot link is not yet available.

HTTP Request

GET https://api.fraudguard.io/v1/offline-db/csv

Post Custom Blacklist (v2)

This API creates or updates custom blacklisted IPs using the POST endpoint, returning counters only. Use it to bulk add single IPs or CIDR ranges, attach metadata, and optionally set per-record TTLs. Manual updates can always be managed at Blacklist.

HTTP Request

POST https://api.fraudguard.io/v2/blacklist

Authentication: HTTP Basic Auth (-u "username:password")

Content-Type: application/json

Request Body

An array of objects. Only ip is required. You may send single IPs or CIDR ranges (IPv4). CIDRs are expanded server‑side (with a global cap).

[
  {
    "ip": "33.204.31.152",
    "label": "fraudulent-login",
    "tags": ["incident:2025-08-23", "source:siem"],
    "ttl_seconds": 604800
  },
  { "ip": "8.8.7.0/30",
    "label": "test-range"
 }
]

Field reference

Field Type Required Notes
ip string yes IPv4 or IPv4 CIDR (e.g., 8.8.7.0/24). CIDRs are expanded to single IP rows (cap 10,000 per request).
label string no Up to 100 chars. Replaces the existing label; omission clears the label on an upsert.
tags array<string> no Replaces existing tags. Omission clears tags on an upsert. Max 50 items, each ≤ 64 chars.
ttl_seconds integer no Recalculates expires_at = now + ttl_seconds. Omission clears the existing TTL and expiry on an upsert.

Response

Counters only:

{
  "inserted": 257,
  "updated": 1,
  "errors": 0
}

Behavior & Limits

Examples

curl -u "username:password" -X POST "https://api.fraudguard.io/v2/blacklist" \
  -H "Content-Type: application/json" \
  -d '[
    {"ip": "33.204.31.152", "label": "fraudulent-login", "tags": ["incident:2025-08-23","source:siem"], "ttl_seconds": 604800},
    {"ip": "8.8.7.0/30", "label": "test-range"}
  ]'
require 'net/http'
require 'net/https'
require 'json'

def post_ips(server, path, username, password, body)
  http = Net::HTTP.new(server, 443)
  http.use_ssl = true
  req = Net::HTTP::Post.new(path, { 'Content-Type' => 'application/json' })
  req.basic_auth username, password
  req.body = body.to_json
  res = http.request(req)
  res.body
end

body = [
  { ip: "33.204.31.152", label: "fraudulent-login", tags: ["incident:2025-08-23","source:siem"], ttl_seconds: 604800 },
  { ip: "8.8.7.0/30", label: "test-range" }
]
puts post_ips('api.fraudguard.io','/v2/blacklist','username','password', body)
import requests
from requests.auth import HTTPBasicAuth

body = [
  {"ip":"33.204.31.152","label":"fraudulent-login","tags":["incident:2025-08-23","source:siem"],"ttl_seconds":604800},
  {"ip":"8.8.7.0/30","label":"test-range"}
]

r = requests.post('https://api.fraudguard.io/v2/blacklist',
  json=body,
  auth=HTTPBasicAuth('username', 'password'),
  timeout=30)
print(r.text)
const https = require('https');

const data = JSON.stringify([
  {"ip":"33.204.31.152","label":"fraudulent-login","tags":["incident:2025-08-23","source:siem"],"ttl_seconds":604800},
  {"ip":"8.8.7.0/30","label":"test-range"}
]);

const options = {
  hostname: 'api.fraudguard.io',
  port: 443,
  path: '/v2/blacklist',
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
  }
};

const req = https.request(options, (res) => {
  let body = '';
  res.on('data', (d) => { body += d; });
  res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.write(data);
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/blacklist';

$body = json_encode([
  ["ip"=>"33.204.31.152","label"=>"fraudulent-login","tags"=>["incident:2025-08-23","source:siem"],"ttl_seconds"=>604800],
  ["ip"=>"8.8.7.0/30","label"=>"test-range"]
]);

$ch = curl_init();
curl_setopt_array($ch, [
  CURLOPT_URL => $url,
  CURLOPT_RETURNTRANSFER => 1,
  CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
  CURLOPT_USERPWD => "$login:$password",
  CURLOPT_POST => 1,
  CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
  CURLOPT_POSTFIELDS => $body,
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds"; "Content-Type" = "application/json" }

$body = @(
  @{ ip = "33.204.31.152"; label = "fraudulent-login"; tags = @("incident:2025-08-23","source:siem"); ttl_seconds = 604800 },
  @{ ip = "8.8.7.0/30"; label = "test-range" }
) | ConvertTo-Json

Invoke-RestMethod -Method Post -Uri 'https://api.fraudguard.io/v2/blacklist' -Headers $Headers -Body $body

Notes & Tips

Get Custom Blacklist (v2)

Retrieve the authenticated account’s blacklist entries. Results exclude any IPs that are whitelisted (whitelist wins), are ordered by newest first, and support simple pagination.

HTTP Request

GET https://api.fraudguard.io/v2/blacklist?limit={limit}&offset={offset}

Authentication: HTTP Basic Auth (-u "username:password")

Accept: application/json

Query Parameters

Param Type Default Max Description
limit integer 1000 1000 Number of rows to return.
offset integer 0 Skip the first N rows (use for pagination).

Response

An array of objects. Each row represents one blacklisted IP.

[
  {
    "id": 12345,
    "ip": "203.0.113.10",
    "label": "abuse:signup-botwave",
    "tags": ["incident:2025-08-22","source:waf"],
    "ttl_seconds": 604800,
    "expires_at": "2025-09-01T12:34:56Z",
    "created_at": "2025-08-23T17:04:05Z",
    "updated_at": "2025-08-23T17:04:05Z"
  }
]

Field reference

Field Type Notes
id integer Internal id.
ip string Canonicalized IPv4 string.
label string or null Optional, short human label.
tags array<string> Optional tags (may be empty).
ttl_seconds integer or null Per-record TTL seconds, if set.
expires_at string (ISO-8601) or null Computed from ttl_seconds when present.
created_at string (ISO-8601) Row creation time (UTC).
updated_at string (ISO-8601) Last mutation time (UTC).

Examples

curl -u "username:password" "https://api.fraudguard.io/v2/blacklist?limit=10&offset=0"
require 'net/http'
require 'net/https'
require 'json'

def get_ips(server, path, username, password)
  http = Net::HTTP.new(server, 443)
  http.use_ssl = true
  req = Net::HTTP::Get.new(path)
  req.basic_auth username, password
  res = http.request(req)
  JSON.parse(res.body)
end

puts JSON.pretty_generate(
  get_ips('api.fraudguard.io','/v2/blacklist?limit=10&offset=0','username','password')
)
import requests
from requests.auth import HTTPBasicAuth

r = requests.get('https://api.fraudguard.io/v2/blacklist',
  params={'limit': 10, 'offset': 0},
  auth=HTTPBasicAuth('username', 'password'),
  timeout=30)
print(r.text)
const https = require('https');

const options = {
  hostname: 'api.fraudguard.io',
  port: 443,
  path: '/v2/blacklist?limit=10&offset=0',
  method: 'GET',
  headers: {
    'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
  }
};

const req = https.request(options, (res) => {
  let body = '';
  res.on('data', (d) => { body += d; });
  res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/blacklist?limit=10&offset=0';

$ch = curl_init();
curl_setopt_array($ch, [
  CURLOPT_URL => $url,
  CURLOPT_RETURNTRANSFER => 1,
  CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
  CURLOPT_USERPWD => "$login:$password",
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds" }

Invoke-RestMethod -Method Get -Uri 'https://api.fraudguard.io/v2/blacklist?limit=10&offset=0' -Headers $Headers

Notes & Tips

Patch Custom Blacklist (v2)

Partially update existing blacklist entries. Use PATCH when you only need to change label, tags, or ttl_seconds without resubmitting the entire record set.

HTTP Request

PATCH https://api.fraudguard.io/v2/blacklist

Authentication: HTTP Basic Auth (-u "username:password")

Content-Type: application/json

Request Body

An object with targets and set.

{
  "targets": ["8.8.7.0/30","33.204.31.152"],
  "set": {
    "label": "suspected-abuse",
    "tags": ["owner:soc","playbook:auto"],
    "ttl_seconds": 259200
  }
}

Field reference

Field Type Required Notes
targets array<string> yes IPs or CIDRs to update. CIDRs are expanded server-side (cap 10,000 per request).
set.label string no Replaces existing label if provided (≤100 chars).
set.tags array<string> no Replaces existing tags if provided (deduped, capped at 50).
set.ttl_seconds integer no Recomputes expires_at = now + ttl_seconds if provided.

Response

Counters only:

{"updated": 5, "errors": 0}

Behavior & Limits

Examples

curl -u "username:password" -X PATCH "https://api.fraudguard.io/v2/blacklist" \
  -H "Content-Type: application/json" \
  -d '{
    "targets": ["8.8.7.0/30"],
    "set": {
      "tags": ["owner:soc", "playbook:auto"],
      "ttl_seconds": 259200
    }
  }'
require 'net/http'
require 'net/https'
require 'json'

def patch_ips(server, path, username, password, body)
  http = Net::HTTP.new(server, 443)
  http.use_ssl = true
  req = Net::HTTP::Patch.new(path, { 'Content-Type' => 'application/json' })
  req.basic_auth username, password
  req.body = body.to_json
  res = http.request(req)
  res.body
end

body = {
  targets: ["8.8.7.0/30"],
  set: { tags: ["owner:soc","playbook:auto"], ttl_seconds: 259200 }
}
puts patch_ips('api.fraudguard.io','/v2/blacklist','username','password', body)
import requests
from requests.auth import HTTPBasicAuth

body = {
  "targets": ["8.8.7.0/30"],
  "set": { "tags": ["owner:soc","playbook:auto"], "ttl_seconds": 259200 }
}

r = requests.patch('https://api.fraudguard.io/v2/blacklist',
  json=body,
  auth=HTTPBasicAuth('username','password'),
  timeout=30)
print(r.text)
const https = require('https');

const data = JSON.stringify({
  targets: ["8.8.7.0/30"],
  set: { tags: ["owner:soc","playbook:auto"], ttl_seconds: 259200 }
});

const options = {
  hostname: 'api.fraudguard.io',
  port: 443,
  path: '/v2/blacklist',
  method: 'PATCH',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
  }
};

const req = https.request(options, (res) => {
  let body = '';
  res.on('data', (d) => { body += d; });
  res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.write(data);
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/blacklist';

$body = json_encode([
  "targets" => ["8.8.7.0/30"],
  "set" => [ "tags" => ["owner:soc","playbook:auto"], "ttl_seconds" => 259200 ]
]);

$ch = curl_init();
curl_setopt_array($ch, [
  CURLOPT_URL => $url,
  CURLOPT_RETURNTRANSFER => 1,
  CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
  CURLOPT_USERPWD => "$login:$password",
  CURLOPT_CUSTOMREQUEST => "PATCH",
  CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
  CURLOPT_POSTFIELDS => $body,
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds"; "Content-Type" = "application/json" }

$body = @{
  targets = @("8.8.7.0/30")
  set = @{ tags = @("owner:soc","playbook:auto"); ttl_seconds = 259200 }
} | ConvertTo-Json

Invoke-RestMethod -Method Patch -Uri 'https://api.fraudguard.io/v2/blacklist' -Headers $Headers -Body $body

Notes & Tips

Delete Custom Blacklist (v2)

Bulk remove blacklist entries by IP or CIDR. DELETE expands any CIDRs server‑side, ignores non‑existent rows (no error), and returns counters only.

HTTP Request

DELETE https://api.fraudguard.io/v2/blacklist

Authentication: HTTP Basic Auth (-u "username:password")

Content-Type: application/json

Request Body

An object with targets.

{
  "targets": ["33.204.31.152", "8.8.7.0/31"]
}

Field reference

Field Type Required Notes
targets array<string> yes IPs or CIDRs to delete. CIDRs are expanded server-side (cap 10,000 per request).

Response

Counters only:

{"deleted": 3, "inserted": 0, "errors": 0}

Behavior & Limits

Examples

curl -u "username:password" -X DELETE "https://api.fraudguard.io/v2/blacklist" \
  -H "Content-Type: application/json" \
  -d '{"targets": ["33.204.31.152","8.8.7.0/31"]}'
require 'net/http'
require 'net/https'
require 'json'

def delete_ips(server, path, username, password, body)
  http = Net::HTTP.new(server, 443)
  http.use_ssl = true
  req = Net::HTTP::Delete.new(path, { 'Content-Type' => 'application/json' })
  req.basic_auth username, password
  req.body = body.to_json
  res = http.request(req)
  res.body
end

body = { targets: ["33.204.31.152","8.8.7.0/31"] }
puts delete_ips('api.fraudguard.io','/v2/blacklist','username','password', body)
import requests
from requests.auth import HTTPBasicAuth

body = { "targets": ["33.204.31.152","8.8.7.0/31"] }

r = requests.delete('https://api.fraudguard.io/v2/blacklist',
  json=body,
  auth=HTTPBasicAuth('username','password'),
  timeout=30)
print(r.text)
const https = require('https');

const data = JSON.stringify({ targets: ["33.204.31.152","8.8.7.0/31"] });

const options = {
  hostname: 'api.fraudguard.io',
  port: 443,
  path: '/v2/blacklist',
  method: 'DELETE',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
  }
};

const req = https.request(options, (res) => {
  let body = '';
  res.on('data', (d) => { body += d; });
  res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.write(data);
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/blacklist';

$body = json_encode([ "targets" => ["33.204.31.152","8.8.7.0/31"] ]);

$ch = curl_init();
curl_setopt_array($ch, [
  CURLOPT_URL => $url,
  CURLOPT_RETURNTRANSFER => 1,
  CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
  CURLOPT_USERPWD => "$login:$password",
  CURLOPT_CUSTOMREQUEST => "DELETE",
  CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
  CURLOPT_POSTFIELDS => $body,
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds"; "Content-Type" = "application/json" }

$body = @{ targets = @("33.204.31.152","8.8.7.0/31") } | ConvertTo-Json

Invoke-RestMethod -Method Delete -Uri 'https://api.fraudguard.io/v2/blacklist' -Headers $Headers -Body $body

Post Custom Whitelist (v2)

This API creates or updates custom whitelisted IPs using the POST endpoint, returning counters only. Use it to bulk add single IPs or CIDR ranges, attach metadata, and optionally set per-record TTLs. Manual updates can always be managed at Whitelist.

HTTP Request

POST https://api.fraudguard.io/v2/whitelist

Authentication: HTTP Basic Auth (-u "username:password")

Content-Type: application/json

Request Body

An array of objects. Only ip is required. You may send single IPs or CIDR ranges (IPv4). CIDRs are expanded server‑side (with a global cap).

[
  {
    "ip": "72.121.15.3",
    "label": "vpn-endpoint",
    "tags": ["owner:soc"],
    "ttl_seconds": 604800
  },
  { "ip": "8.8.7.0/30" }
]

Field reference

Field Type Required Notes
ip string yes IPv4 or IPv4 CIDR (e.g., 8.8.7.0/24). CIDRs are expanded to single IP rows (cap 10,000 per request).
label string no Up to 100 chars. Replaces the existing label; omission clears the label on an upsert.
tags array<string> no Replaces existing tags. Omission clears tags on an upsert. Max 50 items, each ≤ 64 chars.
ttl_seconds integer no Recalculates expires_at = now + ttl_seconds. Omission clears the existing TTL and expiry on an upsert.

Response

Counters only:

{
  "inserted": 5,
  "updated": 1,
  "errors": 0
}

Behavior & Limits

Examples

curl -u "username:password" -X POST "https://api.fraudguard.io/v2/whitelist" \
  -H "Content-Type: application/json" \
  -d '[
    {"ip": "72.121.15.3", "label": "vpn-endpoint", "tags": ["owner:soc"], "ttl_seconds": 604800},
    {"ip": "8.8.7.0/30"}
  ]'
require 'net/http'
require 'net/https'
require 'json'

def post_ips(server, path, username, password, body)
  http = Net::HTTP.new(server, 443)
  http.use_ssl = true
  req = Net::HTTP::Post.new(path, { 'Content-Type' => 'application/json' })
  req.basic_auth username, password
  req.body = body.to_json
  res = http.request(req)
  res.body
end

body = [
  { ip: "72.121.15.3", label: "vpn-endpoint", tags: ["owner:soc"], ttl_seconds: 604800 },
  { ip: "8.8.7.0/30" }
]
puts post_ips('api.fraudguard.io','/v2/whitelist','username','password', body)
import requests
from requests.auth import HTTPBasicAuth

body = [
  {"ip":"72.121.15.3","label":"vpn-endpoint","tags":["owner:soc"],"ttl_seconds":604800},
  {"ip":"8.8.7.0/30"}
]

r = requests.post('https://api.fraudguard.io/v2/whitelist',
  json=body,
  auth=HTTPBasicAuth('username', 'password'),
  timeout=30)
print(r.text)
const https = require('https');

const data = JSON.stringify([
  {"ip":"72.121.15.3","label":"vpn-endpoint","tags":["owner:soc"],"ttl_seconds":604800},
  {"ip":"8.8.7.0/30"}
]);

const options = {
  hostname: 'api.fraudguard.io',
  port: 443,
  path: '/v2/whitelist',
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
  }
};

const req = https.request(options, (res) => {
  let body = '';
  res.on('data', (d) => { body += d; });
  res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.write(data);
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/whitelist';

$body = json_encode([
  ["ip"=>"72.121.15.3","label"=>"vpn-endpoint","tags"=>["owner:soc"],"ttl_seconds"=>604800],
  ["ip"=>"8.8.7.0/30"]
]);

$ch = curl_init();
curl_setopt_array($ch, [
  CURLOPT_URL => $url,
  CURLOPT_RETURNTRANSFER => 1,
  CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
  CURLOPT_USERPWD => "$login:$password",
  CURLOPT_POST => 1,
  CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
  CURLOPT_POSTFIELDS => $body,
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds"; "Content-Type" = "application/json" }

$body = @(
  @{ ip = "72.121.15.3"; label = "vpn-endpoint"; tags = @("owner:soc"); ttl_seconds = 604800 },
  @{ ip = "8.8.7.0/30" }
) | ConvertTo-Json

Invoke-RestMethod -Method Post -Uri 'https://api.fraudguard.io/v2/whitelist' -Headers $Headers -Body $body

Get Custom Whitelist (v2)

Retrieve the authenticated account’s whitelist entries. Results are ordered by newest first and support simple pagination.

HTTP Request

GET https://api.fraudguard.io/v2/whitelist?limit={limit}&offset={offset}

Authentication: HTTP Basic Auth (-u "username:password")

Accept: application/json

Query Parameters

Param Type Default Max Description
limit integer 1000 1000 Number of rows to return.
offset integer 0 Skip the first N rows (use for pagination).

Ordering: Results are returned by id DESC (newest first).

Response

An array of objects. Each row represents one whitelisted IP.

[
  {
    "id": 45678,
    "ip": "72.121.15.3",
    "label": "vpn-endpoint",
    "tags": ["owner:soc"],
    "ttl_seconds": 604800,
    "expires_at": "2025-09-01T12:34:56Z",
    "created_at": "2025-08-23T17:04:05Z",
    "updated_at": "2025-08-23T17:04:05Z"
  }
]

Field reference

Field Type Notes
id integer Internal row id.
ip string Canonicalized IPv4 string.
label string or null Optional, short human label.
tags array<string> Optional tags (may be empty). Old rows without tags are returned as [].
ttl_seconds integer or null Per-record TTL seconds, if set.
expires_at string (ISO-8601) or null Computed from ttl_seconds when present.
created_at string (ISO-8601) Row creation time (UTC).
updated_at string (ISO-8601) Last mutation time (UTC).

Examples

curl -u "username:password" "https://api.fraudguard.io/v2/whitelist?limit=10&offset=0"
require 'net/http'
require 'net/https'
require 'json'

def get_ips(server, path, username, password)
  http = Net::HTTP.new(server, 443)
  http.use_ssl = true
  req = Net::HTTP::Get.new(path)
  req.basic_auth username, password
  res = http.request(req)
  JSON.parse(res.body)
end

puts JSON.pretty_generate(
  get_ips('api.fraudguard.io','/v2/whitelist?limit=10&offset=0','username','password')
)
import requests
from requests.auth import HTTPBasicAuth

r = requests.get('https://api.fraudguard.io/v2/whitelist',
  params={'limit': 10, 'offset': 0},
  auth=HTTPBasicAuth('username', 'password'),
  timeout=30)
print(r.text)
const https = require('https');

const options = {
  hostname: 'api.fraudguard.io',
  port: 443,
  path: '/v2/whitelist?limit=10&offset=0',
  method: 'GET',
  headers: {
    'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
  }
};

const req = https.request(options, (res) => {
  let body = '';
  res.on('data', (d) => { body += d; });
  res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/whitelist?limit=10&offset=0';

$ch = curl_init();
curl_setopt_array($ch, [
  CURLOPT_URL => $url,
  CURLOPT_RETURNTRANSFER => 1,
  CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
  CURLOPT_USERPWD => "$login:$password",
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds" }

Invoke-RestMethod -Method Get -Uri 'https://api.fraudguard.io/v2/whitelist?limit=10&offset=0' -Headers $Headers

Patch Custom Whitelist (v2)

Partially update existing whitelist entries. Use PATCH when you only need to change label, tags, or ttl_seconds without resubmitting the entire record set. PATCH does not touch blacklist state.

HTTP Request

PATCH https://api.fraudguard.io/v2/whitelist

Authentication: HTTP Basic Auth (-u "username:password")

Content-Type: application/json

Request Body

An object with targets and set.

{
  "targets": ["8.8.7.0/30","72.121.15.3"],
  "set": {
    "label": "trusted-source",
    "tags": ["owner:soc","customer-allow"],
    "ttl_seconds": 259200
  }
}

Field reference

Field Type Required Notes
targets array<string> yes IPs or CIDRs to update. CIDRs are expanded server-side (cap 10,000 per request).
set.label string no Replaces existing label if provided (≤100 chars).
set.tags array<string> no Replaces existing tags if provided (deduped, capped at 50).
set.ttl_seconds integer no Recomputes expires_at = now + ttl_seconds if provided.

Response

Counters only:

{"updated": 5, "errors": 0}

Behavior & Limits

Examples

curl -u "username:password" -X PATCH "https://api.fraudguard.io/v2/whitelist" \
  -H "Content-Type: application/json" \
  -d '{
    "targets": ["8.8.7.0/30"],
    "set": {
      "tags": ["owner:soc", "customer-allow"],
      "ttl_seconds": 259200
    }
  }'
require 'net/http'
require 'net/https'
require 'json'

def patch_ips(server, path, username, password, body)
  http = Net::HTTP.new(server, 443)
  http.use_ssl = true
  req = Net::HTTP::Patch.new(path, { 'Content-Type' => 'application/json' })
  req.basic_auth username, password
  req.body = body.to_json
  res = http.request(req)
  res.body
end

body = {
  targets: ["8.8.7.0/30"],
  set: { tags: ["owner:soc","customer-allow"], ttl_seconds: 259200 }
}
puts patch_ips('api.fraudguard.io','/v2/whitelist','username','password', body)
import requests
from requests.auth import HTTPBasicAuth

body = {
  "targets": ["8.8.7.0/30"],
  "set": { "tags": ["owner:soc","customer-allow"], "ttl_seconds": 259200 }
}

r = requests.patch('https://api.fraudguard.io/v2/whitelist',
  json=body,
  auth=HTTPBasicAuth('username','password'),
  timeout=30)
print(r.text)
const https = require('https');

const data = JSON.stringify({
  targets: ["8.8.7.0/30"],
  set: { tags: ["owner:soc","customer-allow"], ttl_seconds: 259200 }
});

const options = {
  hostname: 'api.fraudguard.io',
  port: 443,
  path: '/v2/whitelist',
  method: 'PATCH',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
  }
};

const req = https.request(options, (res) => {
  let body = '';
  res.on('data', (d) => { body += d; });
  res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.write(data);
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/whitelist';

$body = json_encode([
  "targets" => ["8.8.7.0/30"],
  "set" => [ "tags" => ["owner:soc","customer-allow"], "ttl_seconds" => 259200 ]
]);

$ch = curl_init();
curl_setopt_array($ch, [
  CURLOPT_URL => $url,
  CURLOPT_RETURNTRANSFER => 1,
  CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
  CURLOPT_USERPWD => "$login:$password",
  CURLOPT_CUSTOMREQUEST => "PATCH",
  CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
  CURLOPT_POSTFIELDS => $body,
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds"; "Content-Type" = "application/json" }

$body = @{
  targets = @("8.8.7.0/30")
  set = @{ tags = @("owner:soc","customer-allow"); ttl_seconds = 259200 }
} | ConvertTo-Json

Invoke-RestMethod -Method Patch -Uri 'https://api.fraudguard.io/v2/whitelist' -Headers $Headers -Body $body

Delete Custom Whitelist (v2)

Bulk remove whitelist entries by IP or CIDR. DELETE expands any CIDRs server‑side, ignores non‑existent rows (no error), and returns counters only.

HTTP Request

DELETE https://api.fraudguard.io/v2/whitelist

Authentication: HTTP Basic Auth (-u "username:password")

Content-Type: application/json

Request Body

An object with targets.

{
  "targets": ["72.121.15.3", "8.8.7.0/31"]
}

Field reference

Field Type Required Notes
targets array<string> yes IPs or CIDRs to delete. CIDRs are expanded server-side (cap 10,000 per request).

Response

Counters only:

{"deleted": 3, "inserted": 0, "errors": 0}

Behavior & Limits

Examples

curl -u "username:password" -X DELETE "https://api.fraudguard.io/v2/whitelist" \
  -H "Content-Type: application/json" \
  -d '{"targets": ["72.121.15.3","8.8.7.0/31"]}'
require 'net/http'
require 'net/https'
require 'json'

def delete_ips(server, path, username, password, body)
  http = Net::HTTP.new(server, 443)
  http.use_ssl = true
  req = Net::HTTP::Delete.new(path, { 'Content-Type' => 'application/json' })
  req.basic_auth username, password
  req.body = body.to_json
  res = http.request(req)
  res.body
end

body = { targets: ["72.121.15.3","8.8.7.0/31"] }
puts delete_ips('api.fraudguard.io','/v2/whitelist','username','password', body)
import requests
from requests.auth import HTTPBasicAuth

body = { "targets": ["72.121.15.3","8.8.7.0/31"] }

r = requests.delete('https://api.fraudguard.io/v2/whitelist',
  json=body,
  auth=HTTPBasicAuth('username','password'),
  timeout=30)
print(r.text)
const https = require('https');

const data = JSON.stringify({ targets: ["72.121.15.3","8.8.7.0/31"] });

const options = {
  hostname: 'api.fraudguard.io',
  port: 443,
  path: '/v2/whitelist',
  method: 'DELETE',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
  }
};

const req = https.request(options, (res) => {
  let body = '';
  res.on('data', (d) => { body += d; });
  res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.write(data);
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/whitelist';

$body = json_encode([ "targets" => ["72.121.15.3","8.8.7.0/31"] ]);

$ch = curl_init();
curl_setopt_array($ch, [
  CURLOPT_URL => $url,
  CURLOPT_RETURNTRANSFER => 1,
  CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
  CURLOPT_USERPWD => "$login:$password",
  CURLOPT_CUSTOMREQUEST => "DELETE",
  CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
  CURLOPT_POSTFIELDS => $body,
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds"; "Content-Type" = "application/json" }

$body = @{ targets = @("72.121.15.3","8.8.7.0/31") } | ConvertTo-Json

Invoke-RestMethod -Method Delete -Uri 'https://api.fraudguard.io/v2/whitelist' -Headers $Headers -Body $body

Random ACE IP

This endpoint supports quick troubleshooting and validation by returning one random IP from the FraudGuard ACE dataset. You may filter by one risk level, one exact threat classification, both, or neither.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/v1/random-ip?risk=5&threat=botnet_tracker"
require 'net/http'
require 'net/https'

def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end

puts get_ip('api.fraudguard.io','/api/v1/random-ip?risk=5&threat=botnet_tracker','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/v1/random-ip?risk=5&threat=botnet_tracker', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
   host: 'api.fraudguard.io',
   port: 443,
   path: '/api/v1/random-ip?risk=5&threat=botnet_tracker',
   headers: {
      'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
   }
};

request = https.get(options, function(res){
   var body = "";
   res.on('data', function(data) {
      body += data;
   });
   res.on('end', function() {
      console.log(body);
   })
   res.on('error', function(e) {
     console.log("Got error: " + e.message);
   });
    });

}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/v1/random-ip?risk=5&threat=botnet_tracker';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v1/random-ip?risk=5&threat=botnet_tracker' -Headers $Headers

Example response:

{
    "ip": "192.35.53.235",
    "risk": "5",
    "threat": "botnet_tracker"
}

HTTP Request

GET https://api.fraudguard.io/api/v1/random-ip?risk=5&threat=botnet_tracker

Query Parameters

Parameter Description
Threat Type (threat) Optional single legacy threat classification, such as botnet_tracker. Comma-separated values are not supported.
Risk Level (risk) Optional single risk level from 1 (lowest) to 5 (highest). Comma-separated values are not supported.

ip is a response field, not a request parameter.

Geo Threat API

Returns nearby attacker intelligence for one IP using geographic, ASN, ISP, and organization context. Candidate results are limited to the same country, risk 2 or higher, and the requested geographic area.

GeoThreat leverages the same geographic, ASN, and threat data that powers our IP reputation APIs, but focuses specifically on nearby attackers within a configurable radius.

Response Fields

At the top level, the response mirrors our IP Reputation v2 API with geographic and organizational data for the queried IP:

In addition, the response contains a nested geo_threat object, which describes the nearby attackers:

geo_threat.results applies the exact distance filter and orders matching rows by:

  1. Same ISP as the queried IP
  2. Same ASN
  3. Same city
  4. Higher risk
  5. Shorter distance_km
  6. More recent updated_at
curl -X GET -u "username:password" "https://api.fraudguard.io/api/v1/geo-threat/187.34.26.2?radius_km=100&page=1&limit=2"
require 'net/http'
require 'net/https'

def get_geo_threat(server, path, username, password)
  http = Net::HTTP.new(server, 443)
  http.use_ssl = true
  req  = Net::HTTP::Get.new(path)
  req.basic_auth username, password
  response = http.request(req)
  response.body
end

puts get_geo_threat(
  'api.fraudguard.io',
  '/api/v1/geo-threat/187.34.26.2?radius_km=100&page=1&limit=2',
  'username',
  'password'
)
import requests
from requests.auth import HTTPBasicAuth

response = requests.get(
    'https://api.fraudguard.io/api/v1/geo-threat/187.34.26.2',
    params={
        'radius_km': 100,
        'page': 1,
        'limit': 2,
    },
    verify=True,
    auth=HTTPBasicAuth('username', 'password')
)

print(response.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');

const https = require('https');

var options = {
  host: 'api.fraudguard.io',
  port: 443,
  path: '/api/v1/geo-threat/187.34.26.2?radius_km=100&page=1&limit=2',
  method: 'GET',
  headers: {
    'Authorization': auth
  }
};

var req = https.request(options, function(res) {
  var body = "";
  res.on('data', function(data) {
    body += data;
  });
  res.on('end', function() {
    console.log(body);
  });
});

req.on('error', function(e) {
  console.error(e);
});

req.end();
<?php
$login    = 'username';
$password = 'password';
$url      = 'https://api.fraudguard.io/api/v1/geo-threat/187.34.26.2?radius_km=100&page=1&limit=2';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
}

Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v1/geo-threat/187.34.26.2?radius_km=100&page=1&limit=2' -Headers $Headers

Example response:

{
    "isocode": "BR",
    "country": "Brazil",
    "state_code": "SP",
    "state": "São Paulo",
    "city": "Carapicuíba",
    "postal_code": "06300",
    "latitude": -23.5257,
    "longitude": -46.8288,
    "timezone": "America/Sao_Paulo",
    "connection_type": "Cable/DSL",
    "asn": 27699,
    "asn_organization": "TELEFONICA BRASIL S.A",
    "isp": "Vivo",
    "organization": "Vivo",
    "discover_date": "2025-12-03 04:40:32",
    "threat": "unknown",
    "risk_level": "1",
    "geo_threat": {
        "query_ip": "187.34.26.2",
        "radius_km": 100,
        "page": 1,
        "limit": 2,
        "total_attackers": 2430,
        "results": [
            {
                "ip": "177.139.130.157",
                "threat": "anonymous_tracker",
                "risk": "3",
                "asn": "27699",
                "asn_organization": "TELEFONICA BRASIL S.A",
                "isp": "Vivo",
                "organization": "Vivo",
                "isocode": "BR",
                "country": "Brazil",
                "state": "São Paulo",
                "city": "São Paulo",
                "latitude": "-23.629300",
                "longitude": "-46.635100",
                "connection_type": "Corporate",
                "updated_at": "2025-12-03 04:19:18",
                "distance_km": "22.85584792284798"
            },
            {
                "ip": "179.111.216.102",
                "threat": "anonymous_tracker",
                "risk": "3",
                "asn": "27699",
                "asn_organization": "TELEFONICA BRASIL S.A",
                "isp": "Vivo",
                "organization": "Vivo",
                "isocode": "BR",
                "country": "Brazil",
                "state": "São Paulo",
                "city": "São Paulo",
                "latitude": "-23.629300",
                "longitude": "-46.635100",
                "connection_type": "Cable/DSL",
                "updated_at": "2025-12-03 03:56:40",
                "distance_km": "22.85584792284798"
            }
        ]
    }
}

HTTP Request

GET https://api.fraudguard.io/api/v1/geo-threat/187.34.26.2?radius_km=100&page=1&limit=2

URL and Query Parameters

Parameter Type Default Accepted values Description
IP (ip) string Valid IPv4 or IPv6 address Address supplied in the URL path.
radius_km integer 100 1500 Exact result radius in kilometers. An out-of-range value uses the default.
page integer 1 1 or greater One-based result page. Values below 1 use the default.
limit integer 25 1100 Results per page. An out-of-range value uses the default.

If the queried IP has no usable latitude and longitude, geo_threat.results is empty and the radius, page, and limit fields are returned as null.

IP Dispute Manager API

IP Dispute Manager provides a structured workflow for handling blocked IP disputes. Use these endpoints to generate a public dispute link, review submissions, and apply an allowlist, blocklist, or dismiss decision with full IP context.

Returns the unique, BotGuard-protected public dispute URL for your account. This link is designed to be shared on WAF 403 pages, support flows, or "access denied" screens so users can request an exception.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/ip-dispute/form"
{
  "public_id": "dispute_example_id",
  "public_url": "https://api.fraudguard.io/ip-dispute-form?id=dispute_example_id",
  "customer_id": "12345",
  "customer_email": "security-team@example.com",
  "created_at": "2026-02-03 21:22:41",
  "updated_at": "2026-02-03 21:22:41"
}

The response contains account information and a public form identifier. Return it only to authorized backend or administrative callers, and do not log the full response.

HTTP Request

GET https://api.fraudguard.io/api/ip-dispute/form

URL Parameters

None.


List IP Disputes

Returns a list of disputes for the authenticated customer. Use filters to review pending items or audit past decisions.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/ip-disputes?status=pending&limit=100&offset=0"
[
  {
    "id": 101,
    "ip": "203.0.113.14",
    "submitter_name": "Jane Doe",
    "submitter_email": "jane@example.com",
    "status": "pending",
    "created_at": "2026-02-03 20:41:12",
    "decision_at": null
  }
]

HTTP Request

GET https://api.fraudguard.io/api/ip-disputes

Query Parameters

Parameter Description
status Optional. Filter by pending, allowlisted, blocklisted, or dismissed.
limit Optional. Max results to return (1-500). Default 100.
offset Optional. Pagination offset. Default 0.

Get IP Dispute by ID

Fetch a single dispute with the full IP reputation snapshot captured at submission time. The ip_context field mirrors the v5 IP reputation response so you can review risk, threat, ASN/ISP, geo, and list membership.

curl -X GET -u "username:password" "https://api.fraudguard.io/api/ip-disputes/101"
{
  "id": "117",
  "fg_user_id": "1142",
  "public_id": "H3xkL9qZ0pB7nM4tR2sV8wQ1",
  "ip": "203.0.113.14",
  "submitter_name": "Jane Doe",
  "submitter_email": "jane@example.com",
  "customer_email": "customer@example.com",
  "status": "allowlisted",
  "decision_notes": "Verified customer traffic",
  "decision_by": "customer_username",
  "decision_at": "2026-02-03 21:12:45",
  "list_action": "allowlist",
  "ip_context_json": "{\"isocode\":\"US\",\"country\":\"United States\",\"state_code\":\"FL\",\"state\":\"Florida\",\"city\":\"Brooksville\",\"postal_code\":\"34601\",\"latitude\":28.5651,\"longitude\":-82.3755,\"timezone\":\"America/New_York\",\"connection_type\":\"Cable/DSL\",\"asn\":33363,\"asn_organization\":\"BHN-33363\",\"isp\":\"Spectrum\",\"organization\":\"Spectrum\",\"ip_in_whitelist\":\"false\",\"ip_in_blacklist\":\"false\",\"ip_in_geoblock\":\"false\",\"discover_date\":\"2026-02-03 21:06:40\",\"threat\":\"unknown\",\"risk_level\":\"1\"}",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
  "referrer": "https://api.fraudguard.io/ip-dispute-form?id=H3xkL9qZ0pB7nM4tR2sV8wQ1",
  "customer_notified_status": "sent",
  "customer_notified_at": "2026-02-03 21:06:40",
  "customer_notified_error": null,
  "created_at": "2026-02-03 21:06:40",
  "updated_at": "2026-02-03 21:12:45",
  "ip_context": {
    "isocode": "US",
    "country": "United States",
    "state_code": "FL",
    "state": "Florida",
    "city": "Brooksville",
    "postal_code": "34601",
    "latitude": 28.5651,
    "longitude": -82.3755,
    "timezone": "America/New_York",
    "connection_type": "Cable/DSL",
    "asn": 33363,
    "asn_organization": "BHN-33363",
    "isp": "Spectrum",
    "organization": "Spectrum",
    "ip_in_whitelist": "false",
    "ip_in_blacklist": "false",
    "ip_in_geoblock": "false",
    "discover_date": "2026-02-03 21:06:40",
    "threat": "unknown",
    "risk_level": "1"
  }
}

HTTP Request

GET https://api.fraudguard.io/api/ip-disputes/{id}

URL Parameters

Parameter Description
id The dispute ID.

Decide IP Dispute (Allowlist, Blocklist, or Dismiss)

Submit a decision for a dispute. Decisions update your custom lists automatically.

Send parameters as form-encoded data (application/x-www-form-urlencoded).

curl -X POST -u "username:password" \
  -d "action=allow&notes=Verified customer traffic" \
  "https://api.fraudguard.io/api/ip-disputes/101/decision"
{
  "id": 101,
  "status": "allowlisted",
  "list_action": "allowlist"
}

HTTP Request

POST https://api.fraudguard.io/api/ip-disputes/{id}/decision

POST Parameters

Parameter Description
action Required. allow, block, or dismiss.
notes Optional. Decision notes for internal tracking.

Send these fields as application/x-www-form-urlencoded and URL-encode each value. Never concatenate untrusted notes directly into a form body.


BotGuard API (Human Verification)

BotGuard is FraudGuard's human-verification layer. It adds a mobile challenge to help deter automated browsers and abusive workflows on sensitive routes such as login, signup, password reset, checkout, account changes, contact forms, and high-cost API operations. Treat it as one control in a layered abuse-prevention strategy, not proof that all automation has been stopped.

At a high level:

  1. Your page loads the BotGuard JavaScript.
  2. You attach BotGuard to a form or action.
  3. When a human completes the challenge, BotGuard produces a botguard_token.
  4. Your server verifies the token using the BotGuard Verify API.
  5. If valid, you proceed with your protected business logic.

Client-Side Integration

Load the BotGuard client:

<script src="https://api.fraudguard.io/js/botguard.js?v=1"></script>

Create an instance and attach it to a form. BotGuard will intercept the submit, run a verification flow, and then populate a hidden form field named botguard_token before allowing the POST to continue.

<form id="myProtectedForm" method="POST" action="">
  <input type="hidden" name="botguard_token" id="botguard_token" value="" />
  <button type="submit">Continue</button>
</form>

<script>
  var bg = BotGuard.create({
    apiBase: "https://api.fraudguard.io"
  });

  bg.attachToForm({
    formSelector: "#myProtectedForm"
  });
</script>

What the client produces

After a successful human verification, BotGuard provides:

Your backend must verify this token before doing anything protected. The current API does not consume a token after successful verification; tokens and session tokens remain reusable until their returned expires_at time. Do not use client-side challenge state as authorization.

Hosted Client Session and QR Behavior

The hosted client stores the returned session token in browser localStorage under botguard_session. On later form submissions, it sends that session token to FraudGuard's session-verification endpoint; a valid session can skip a new challenge, but your server must still verify the resulting botguard_token before processing the form.

The hosted client currently renders the desktop QR code through api.qrserver.com. The complete BotGuard mobile challenge URL, including its challenge identifier, is sent to that third-party QR service. Disclose this transfer in your privacy notice and confirm that it meets your security, privacy, and vendor-review requirements before deployment.

Verify a BotGuard Token

Use this endpoint from your backend to validate a botguard_token.

HTTP Request

GET https://api.fraudguard.io/botguard/token/verify?token=<TOKEN>

Query Parameters

Parameter Description
token The botguard_token produced by the BotGuard JS client.

Authentication

This endpoint uses HTTP Basic Authentication with your FraudGuard API credentials. Call it only from your backend; never expose those credentials in browser code.

Example

curl -u "username:password" \
  "https://api.fraudguard.io/botguard/token/verify?token=YOUR_BOTGUARD_TOKEN"

Success Response

{
  "valid": true,
  "token": "bg_...",
  "session_token": "bg_sess_...",
  "expires_at": "YYYY-MM-DD HH:MM:SS"
}

Failure Response

{
  "valid": false,
  "error": "expired"
}

An unknown or missing token returns {"valid":false}. An expired token also includes "error":"expired".

Required Backend Behavior

The 403 status above is the status your protected application should return. It is separate from the HTTP status returned by the FraudGuard verification endpoint.

Backend Integration Pattern

This is the recommended flow BotGuard is designed for:

  1. Your public page renders a normal HTML form.
  2. BotGuard JS attaches to the form and injects botguard_token on successful verification.
  3. Your server checks the token on POST and blocks requests without it.
  4. Your server verifies the token using the Verify API.
  5. You run your actual protected code only after BotGuard verification passes.

Session Trust

The hosted client persists session_token in localStorage; the BotGuard API does not set a cookie. The first successful session-verification call can extend the associated expires_at value to as much as 72 hours, and later valid checks reuse that session token until it expires.

If you build a server-managed session instead, store trust in a Secure, HttpOnly cookie with an appropriate SameSite policy, a narrow Path, and an expiry no later than the returned expires_at. A custom client is required if you do not want the hosted script to use localStorage.

Token and Privacy Hygiene

BotGuard verification values are sent in GET query strings, including token, session_token, and challenge_id. Redact the entire query string from application, reverse-proxy, CDN, WAF, APM, analytics, and support logs. Do not log verification responses because they can contain both the challenge token and reusable session token.

BotGuard processes challenge identifiers, tokens, session state, and the source IP associated with a challenge. Keep your privacy notice and retention controls aligned with your use of the service.

Common Integration Notes

Troubleshooting

Rotating Proxy (RRP) Detection API

The Rotating Proxy (RRP) Detection API identifies browser sessions whose source IP changes repeatedly while a browser fingerprint remains stable. This pattern can be consistent with rotating proxies used for scraping, credential attacks, account abuse, or rate-limit evasion, but it can also occur during legitimate network changes.

Use RRP as a risk signal for step-up verification or review. Do not hard-block solely on an RRP result without accounting for mobile roaming, carrier-grade NAT, VPN transitions, and normal network switching.

The RRP Detection system consists of:

Plan Availability

Plan Availability
Starter Not included
Professional Included
Business Included
Enterprise Included

JavaScript Integration

Customers must embed the FraudGuard RRP detection script on protected pages.

<script src="https://api.fraudguard.io/js/fg-rrp.js?key=YOUR_PUBLIC_KEY"></script>

Replace YOUR_PUBLIC_KEY with the public site key generated in your FraudGuard dashboard. This key is intentionally browser-visible and identifies the active RRP site configuration; it is not a substitute for the Basic Auth credentials used by the reporting endpoints.

The script sends initial detection pings, then heartbeat samples while the page remains visible for up to 180 seconds. It emits a browser event named fg:rrp_detected when the API confirms rotation.

Telemetry and Client Storage

The hosted script:

IP addresses, persistent identifiers, user agents, and browser/device characteristics can be personal data. Limit the script to workflows where this signal is needed, disclose the collection and client-side persistence, and apply your consent, retention, access-control, and deletion requirements.

RRP Ping Endpoint

This browser-facing endpoint is used by the embedded JavaScript snippet to report session observations. Most integrations should let the hosted script call it.

HTTP Request

POST https://api.fraudguard.io/api/rrp/ping

Authentication and Headers

Header Required Description
X-FG-KEY Yes Public RRP site key. The hosted script reads it from its own ?key= parameter and sends it in this header.
Content-Type Yes Must be application/json.

Request Body

{
  "client_id": "string",
  "page_load_id": "string",
  "fingerprint_hash": "string",
  "t_submit_ms": 1771480000000,
  "sampling": false,
  "sample_phase": "detect"
}

Field Descriptions

Field Required Type Description
client_id Yes string Persistent client identifier generated by the hosted script.
page_load_id Yes string Identifier generated for the current page load. Rotation is evaluated within this page-load scope.
fingerprint_hash Yes string SHA-256 browser-fingerprint hash generated by the hosted script.
t_submit_ms No integer Client submission time as Unix epoch milliseconds from Date.now(). Server observation time, not this value, determines the detection window.
sampling No boolean false for initial detection pings and true for heartbeat or post-detection sampling.
sample_phase No string Hosted-client phase: detect, heartbeat, or harvest.
event_id No integer Existing event identifier attached by the hosted client to harvest pings after detection.

Response Example

{
  "rotation_detected": true,
  "confidence": 90,
  "distinct_ips_window": 3,
  "window_seconds": 120,
  "event_id": 4812,
  "reasons": [
    "rrp_3plus_ips_window",
    "fingerprint_stable"
  ]
}

Response Fields

Field Type Description
rotation_detected boolean true only when at least three distinct source IPs are observed with one stable fingerprint in the current window.
confidence integer Detection confidence from 0 to 100 for the current window.
distinct_ips_window integer Distinct source IPs observed for the same customer, client, and page load during the window.
window_seconds integer Detection lookback window; currently 120.
event_id integer RRP event record identifier. An event record is created even when rotation is not detected.
reasons array Machine-readable reasons for the current result.
Reason Meaning
rrp_3plus_ips_window At least three distinct source IPs were observed in the window.
rrp_4plus_ips_window At least four distinct source IPs were observed in the window.
rrp_5plus_ips_window At least five distinct source IPs were observed in the window.
fingerprint_stable The submitted fingerprint stayed constant across the observations.
fingerprint_changed More than one submitted fingerprint was observed; rotation_detected remains false.

Get RRP Events

Retrieve RRP page-load event records for your account, newest first. The response includes observations where rotation was not detected; inspect distinct_ip_count_window, confidence, and the detail record before enforcement.

HTTP Request

GET https://api.fraudguard.io/api/rrp/events

Authentication

Basic Authentication required.

Query Parameters

Parameter Description
limit Optional. Number of rows to return (1200). Default 50; larger values are clamped to 200.
offset Optional. Pagination offset. Default 0.

Response Example

{
  "limit": 50,
  "offset": 0,
  "rows": [
    {
      "id": "101",
      "client_id": "fgc_1234567890123456789012345678901234567890",
      "page_load_id": "pl_987654321098765432109876543210987654321_1771480000000",
      "first_seen_at": "2026-02-19 12:00:01",
      "last_seen_at": "2026-02-19 12:00:21",
      "distinct_ip_count_window": "1",
      "confidence": "0",
      "blacklist_action": "none",
      "blacklist_ip_added": null,
      "created_at": "2026-02-19 12:00:01",
      "updated_at": "2026-02-19 12:00:21"
    }
  ]
}

The list response does not include a total count. Continue by increasing offset until rows is empty or contains fewer than limit records.

Get RRP Event Detail

Retrieve full details for a specific RRP event record.

HTTP Request

GET https://api.fraudguard.io/api/rrp/events/<id>

Replace <id> with the event ID returned from the RRP Ping response.

Authentication

Basic Authentication required.

Response Example

{
  "id": "102",
  "customer_id": "cust_AbC123xYz",
  "client_id": "fgc_1234567890123456789012345678901234567890",
  "page_load_id": "pl_987654321098765432109876543210987654321_1771480000000",
  "fingerprint_hash": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
  "first_seen_at": "2026-02-19 11:55:00",
  "last_seen_at": "2026-02-19 11:57:30",
  "distinct_ip_count_window": "4",
  "time_window_seconds": "120",
  "ip_list_json": "[\"203.0.113.10\", \"198.51.100.22\", \"192.0.2.44\", \"198.51.100.55\"]",
  "reasons_json": "[\"rrp_3plus_ips_window\", \"rrp_4plus_ips_window\", \"fingerprint_stable\"]",
  "confidence": "97",
  "blacklist_action": "none",
  "blacklist_ip_added": null,
  "created_at": "2026-02-19 11:55:00",
  "updated_at": "2026-02-19 11:57:30"
}

The /api/rrp/events/<id> endpoint returns the full stored event record, including the account identifier, observed IP list, detection reasons, fingerprint hash, and highest stored confidence score. It returns 400 for an invalid ID and 404 when the event does not exist for the authenticated account.

ip_list_json and reasons_json are JSON-encoded strings, so parse each value once more after decoding the top-level response. Treat event details as sensitive security telemetry and restrict access to authorized backend and investigation workflows.

Detection Logic Overview

An RRP event is confirmed when:

With a stable fingerprint, confidence is 90 for three distinct IPs, 97 for four, and 100 for five or more. If the fingerprint changes, rotation_detected is false even when three or more IPs are present.

Customers may optionally enable account-specific enforcement policies that add high-confidence RRP IP addresses to their FraudGuard custom blacklist. To discuss automated enforcement, email hello@fraudguard.io.


Attack Stream

Attack Stream provides live access to raw FraudGuard honeypot telemetry. It is powered by the ACE v2 engine, but delivers live-forward events instead of a single-IP verdict; optional enrich=ace responses add ACE decision context to each attacker. That shared engine is why Attack Stream appears in the ACE v2 IP Intelligence documentation group.

It is designed for SIEM, SOAR, threat hunting, blocking, enrichment, alerting, and customer-owned detection pipelines that need to consume attacker activity as FraudGuard observes it.

Attack Stream v1 is a live-forward pull API. The first request returns the latest events and a cursor; subsequent requests use that cursor to receive newer events. Historical backfill is not included.

Attack Stream Delivery Model

Delivery Status Description
Pull API Available Poll api.fraudguard.io for live events using cursor-based pagination.

Read Attack Stream Events

Use this endpoint for the initial read and every cursor-based follow-up request.

Attack Stream HTTP Request

GET https://api.fraudguard.io/attackstream/v1/events

Attack Stream Authentication

Basic Authentication is required for every request.

curl -u "username:password" \
  "https://api.fraudguard.io/attackstream/v1/events?limit=10"
require 'json'
require 'net/http'

uri = URI('https://api.fraudguard.io/attackstream/v1/events?limit=10')
request = Net::HTTP::Get.new(uri)
request.basic_auth('username', 'password')

response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
  http.request(request)
end

puts response.body
import requests
from requests.auth import HTTPBasicAuth

response = requests.get(
    'https://api.fraudguard.io/attackstream/v1/events',
    params={'limit': 10},
    auth=HTTPBasicAuth('username', 'password'),
    timeout=30
)

print(response.text)
const response = await fetch('https://api.fraudguard.io/attackstream/v1/events?limit=10', {
  method: 'GET',
  headers: {
    'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64'),
    'Accept': 'application/json'
  }
});

console.log(await response.json());
<?php
$ch = curl_init('https://api.fraudguard.io/attackstream/v1/events?limit=10');
curl_setopt_array($ch, [
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
  CURLOPT_USERPWD => 'username:password',
  CURLOPT_HTTPHEADER => ['Accept: application/json'],
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"

$Headers = @{
    Authorization = $basicAuthValue
    Accept = 'application/json'
}

Invoke-WebRequest `
    -Uri 'https://api.fraudguard.io/attackstream/v1/events?limit=10' `
    -Headers $Headers `
    -Method Get

Attack Stream Polling Flow

  1. Make a first request without a cursor.
  2. Process the returned events in array order.
  3. Store the returned next_cursor.
  4. Poll again with cursor=<next_cursor>.
  5. Repeat forever, waiting at least poll_after_seconds before the next request.

First request:

curl -u "username:password" \
  "https://api.fraudguard.io/attackstream/v1/events?limit=100"

Follow-up request:

curl -u "username:password" \
  "https://api.fraudguard.io/attackstream/v1/events?limit=100&cursor=eyJ2IjoxLCJsYXN0X2lkIjoxMjM0NTY3ODkwLCJpc3N1ZWRfYXQiOjE3ODM1MzkxNjN9.example"

Important cursor behavior:

Attack Stream Query Parameters

Parameter Type Default Description
limit integer 100 Number of events to return. Must be between 1 and 100.
cursor string none Opaque cursor returned by the previous response.
format string json Response format. Use json for the normal envelope or jsonl for newline-delimited event objects.
enrich string none Use ace to include FraudGuard ACE context for each attacker IP when available.

Unsupported query parameters return 400 unsupported_parameter.

Attack Stream Response Order

Events are returned oldest-to-newest inside each response. Process events in array order.

The stream_sequence field is a monotonically increasing stream position for Attack Stream. It is useful for deduplication, logging, and debugging, but customers should use next_cursor rather than building their own sequence query.

Attack Stream JSON Response

Example response:

{
  "success": true,
  "api": "FraudGuard Attack Stream",
  "api_version": "1.0.0",
  "delivery": "pull",
  "count": 2,
  "limit": 2,
  "next_cursor": "eyJ2IjoxLCJsYXN0X2lkIjo1MDYxNzcxMzEsImlzc3VlZF9hdCI6MTc4MzUzOTE2M30.example",
  "poll_after_seconds": 5,
  "rate_limit": {
    "requests_per_minute": 60,
    "requests_per_day": 50000,
    "request_minute_remaining": 59,
    "request_day_remaining": 49994,
    "events_per_day": 1000000,
    "event_day_remaining": 999688
  },
  "events": [
    {
      "schema": "fraudguard.attackstream.event.v1",
      "event_id": "74b960fc-c49d-4c81-9248-a725209c7ef3",
      "stream_sequence": 506162682,
      "observed_at": "2026-07-08T17:29:24+00:00",
      "received_at": "2026-07-08T17:29:41+00:00",
      "attacker": {
        "ip": "45.112.149.170",
        "port": 40918
      },
      "target": {
        "port": 11434,
        "protocol": "http",
        "service": "ollama"
      },
      "event": {
        "type": "ai_model_enumeration"
      },
      "http": {
        "method": "GET",
        "path": "/api/tags",
        "user_agent": "Go-http-client/1.1"
      }
    },
    {
      "schema": "fraudguard.attackstream.event.v1",
      "event_id": "89942c3b-0f2e-4442-8441-6854c57dd17b",
      "stream_sequence": 506177131,
      "observed_at": "2026-07-08T17:33:58+00:00",
      "received_at": "2026-07-08T17:34:19+00:00",
      "attacker": {
        "ip": "45.112.149.170",
        "port": 60878
      },
      "target": {
        "port": 11434,
        "protocol": "http",
        "service": "ollama"
      },
      "event": {
        "type": "ai_model_enumeration"
      },
      "http": {
        "method": "GET",
        "path": "/api/tags",
        "user_agent": "Go-http-client/1.1"
      }
    }
  ],
  "generated_at": "2026-07-08T19:32:43+00:00"
}

Attack Stream Top-Level Fields

Field Type Description
success boolean true for successful JSON envelope responses.
api string API product name.
api_version string Attack Stream API version.
delivery string Delivery mode. Current value is pull.
count integer Number of events returned in this response.
limit integer Requested page size after validation.
next_cursor string/null Opaque cursor for the next polling request.
poll_after_seconds integer Minimum suggested wait before the next poll.
rate_limit object Current request and delivered-event rate limit state.
events array Attack Stream event objects.
generated_at string API response generation timestamp in ISO 8601 format.

poll_after_seconds is never lower than 2 seconds in Attack Stream v1. Clients that are caught up should normally receive a longer wait time, such as 5 seconds.

rate_limit

Field Type Description
requests_per_minute integer Request limit per minute.
requests_per_day integer Request limit per day.
request_minute_remaining integer Remaining requests in the current minute window.
request_day_remaining integer Remaining requests in the current day window.
events_per_day integer Delivered-event limit per day.
event_day_remaining integer Remaining delivered events in the current day window.

Attack Stream Event Fields

Field Type Description
schema string Event schema identifier. Current value is fraudguard.attackstream.event.v1.
event_id string Unique event identifier.
stream_sequence integer Monotonically increasing stream sequence.
observed_at string/null Timestamp from the honeypot event observation.
received_at string/null Timestamp when FraudGuard received/stored the event.
attacker object Source IP and source port observed by the honeypot.
target object Target service, protocol, and target port.
event object Event metadata, including the public event type.
http object HTTP request fields when applicable.
ace object Present only when enrich=ace is requested and ACE data exists for the attacker IP.

attacker

Field Type Description
ip string/null Source IP address observed by FraudGuard honeypots.
port integer/null Source port observed by the honeypot.

target

Field Type Description
port integer/null Target port associated with the observed service.
protocol string/null Observed protocol.
service string/null Observed or inferred honeypot service.

event

Field Type Description
type string/null Public event type, such as ai_model_enumeration, smb_negotiation_probe, sip_register_attempt, ssh_login_attempt, or waf_attack.

Event type values are intentionally extensible. FraudGuard may add new honeypot detections, services, protocols, and event types over time. Integrations should parse known values but tolerate new strings.

http

Field Type Description
method string/null HTTP method for HTTP-based attacks, such as GET, POST, or HEAD.
path string/null HTTP request path observed by the honeypot.
user_agent string/null HTTP user agent observed by the honeypot.

For non-HTTP events, these fields may be null.

Attack Stream ACE Enrichment

Add enrich=ace to include FraudGuard ACE context for each attacker IP when available.

curl -u "username:password" \
  "https://api.fraudguard.io/attackstream/v1/events?limit=10&enrich=ace"

When ACE enrichment exists for an attacker IP, the event includes:

{
  "ace": {
    "risk": 5,
    "action": "block",
    "confidence": 88,
    "classification": "scanner_tracker",
    "trend": "rising",
    "events_24h": 123,
    "events_7d": 940,
    "events_30d": 4120,
    "first_seen": "2026-06-12T14:22:10+00:00",
    "last_seen": "2026-07-08T17:34:19+00:00"
  }
}

ACE enrichment does not change which Attack Stream events are returned. It adds FraudGuard's current risk, recommended action, confidence, classification, trend, recent event counts, and first/last seen context for the source IP.

Field Type Description
risk integer ACE risk level from 1 (lowest) to 5 (highest).
action string allow for risk 1-2, challenge for 3-4, or block for 5.
confidence integer Confidence from 0 to 99.
classification string/null clean or a tracker classification such as scanner_tracker, botnet_tracker, or honeypot_tracker.
trend string/null rising, cooling, or stable.
events_24h, events_7d, events_30d integer Observed event counts for each window.
first_seen, last_seen string/null ISO 8601 timestamps when available.

Attack Stream JSONL Format

Use format=jsonl for newline-delimited JSON.

curl -u "username:password" \
  "https://api.fraudguard.io/attackstream/v1/events?limit=100&format=jsonl"

JSONL responses use application/x-ndjson and emit one Attack Stream event object per line. The normal JSON envelope is not included. Cursor, count, and rate-limit metadata are returned in response headers.

Attack Stream Response Headers

Header Description
X-AttackStream-Limit Validated request limit.
X-AttackStream-Count Number of events returned.
X-AttackStream-Next-Cursor Cursor for the next polling request.
X-AttackStream-Poll-After-Seconds Minimum suggested wait before polling again.
X-AttackStream-Min-Poll-Seconds Minimum enforced poll interval per customer.
X-RateLimit-Requests-Minute-Limit Request limit per minute.
X-RateLimit-Requests-Minute-Remaining Remaining requests in the current minute window.
X-RateLimit-Requests-Day-Limit Request limit per day.
X-RateLimit-Requests-Day-Remaining Remaining requests in the current day window.
X-RateLimit-Events-Day-Limit Delivered-event limit per day.
X-RateLimit-Events-Day-Remaining Remaining delivered events in the current day window.
Retry-After Returned on 429 rate limit responses.

Attack Stream Rate Limits

Attack Stream uses separate request and delivered-event limits.

Limit Value Notes
Maximum page size 100 events Larger limit values return 400 invalid_limit.
Minimum poll interval 2 seconds Enforced per API customer. More than one accepted request inside the interval returns 429 rate_limit_exceeded.
Requests per minute 60 Enforced per API customer.
Requests per day 50,000 Enforced per API customer.
Delivered events per day 1,000,000 Counts events returned to the customer.

Every request, including requests rejected for polling too quickly, counts against the request rate limits. Only events delivered in a response count against the delivered-event limit.

Clients should respect poll_after_seconds and the X-AttackStream-Poll-After-Seconds header. Parallel pollers or polling faster than the advertised cadence can cause 429 rate_limit_exceeded responses. Attack Stream v1 will not ask clients to poll faster than once every 2 seconds; polling every 2 seconds for a full day is 43,200 requests, below the documented 50,000 request/day limit.

Attack Stream Errors

Status Code Description
400 invalid_limit limit is outside the allowed 1..100 range.
400 invalid_cursor Cursor is malformed or fails signature validation.
400 invalid_format format is not json or jsonl.
400 invalid_enrich enrich is not none or ace.
400 unsupported_parameter A query parameter other than limit, cursor, format, or enrich was submitted.
400 invalid_parameter A supported query parameter was submitted more than once or as a non-scalar value.
401 Bad Authentication Missing or invalid Basic Authentication credentials.
429 rate_limit_exceeded Request rate limit or minimum poll interval exceeded.
429 event_limit_exceeded Delivered-event limit exceeded.
429 Enterprise plan required The credentials are valid but are not authorized for Enterprise-only Attack Stream access.
503 rate_limit_unavailable Rate limiting could not be enforced, so the API failed closed.
500 attackstream_error Temporary Attack Stream service error.

JSON-formatted errors use this shape:

{
  "success": false,
  "error": {
    "code": "invalid_limit",
    "message": "The limit parameter must be between 1 and 100.",
    "details": []
  },
  "generated_at": "2026-07-08T19:32:43+00:00"
}

Authentication and plan-gating errors may be returned as plain text by shared FraudGuard authentication middleware.

Attack Stream Integration Guidance

Errors

FraudGuard uses standard HTTP status codes. Always branch on the status code before parsing a success response; individual products may also return a machine-readable error code and message.

Error Code Meaning
200 OK — request completed successfully.
201 Created — a resource was created successfully.
204 No Content — request completed successfully with no response body.
400 Bad Request — malformed input or an unsupported parameter.
401 Unauthorized — credentials are missing or invalid.
403 Forbidden — credentials are valid, but the account cannot access this resource.
404 Not Found — the resource does not exist or is outside the account’s scope.
409 Conflict — the request conflicts with an existing resource.
422 Unprocessable Entity — the request is valid JSON but fails field validation.
429 Too Many Requests — a rate limit was reached, or a product uses 429 for an account-access gate. Inspect the response before retrying and honor Retry-After when present.
500 Internal Server Error — an unexpected server error occurred. Retry a safe request with backoff.
503 Service Unavailable — the service is temporarily unavailable. Retry a safe request with backoff.

Do not retry 400, 401, 403, 404, 409, or 422 without changing the request or account state. Retry a 429 only when the response identifies a temporary rate limit; a plan or access-gate response will not recover through backoff. For retryable 429, 500, and 503 responses, use exponential backoff with jitter and a maximum retry count. Never log credentials or the Authorization header.