Build with explainable IP intelligence.
Turn directly observed hostile behavior into explainable allow, challenge, and block decisions. Start with ACE v2 for one IP, then add bulk evaluation, customer policy, live telemetry, and security automation as your integration grows.
ACE v1 remains supported and documented for customers with existing integrations. Those APIs continue to provide the familiar risk levels, legacy threat labels, reputation lookups, bulk workflows, and downloadable intelligence that production systems rely on today.
ACE v2 is FraudGuard's current engine and the future of the platform. It is where we are concentrating new detection logic, richer evidence, explainable recommendations, forecasting, and live capabilities such as Attack Stream. New integrations should begin with ACE v2; existing ACE v1 customers can continue operating normally and adopt ACE v2 as they modernize their enforcement workflows.
In this reference, ACE v2 IP Intelligence contains the recommended decision APIs and ACE v2-powered live telemetry. IP intelligence contains ACE v1 compatibility APIs plus specialized lookup and downloadable-data endpoints.
ACE v1 versus ACE v2
Both engines use FraudGuard threat intelligence, but they expose different decision models and are not schema-compatible.
| ACE v1 | ACE v2 | |
|---|---|---|
| Best for | Maintaining existing integrations that use the numbered reputation, bulk, list, or legacy threat endpoints. | New real-time enforcement, explainable decisions, bulk evaluation, forecasting, and live ACE telemetry. |
| Primary output | A risk_level from 1–5 and a legacy threat label such as abuse_tracker, honeypot_tracker, or spam_tracker, with enrichment varying by endpoint version. |
A recommended allow, challenge, or block action supported by risk, confidence, classifications, reason codes, attributes, and infrastructure context. |
| Evidence model | A summarized reputation result with fields such as discover_date, geography, network enrichment, and—on later endpoints—customer list membership. |
Time-windowed observed activity, attack families and event types, targeted services and ports, signal freshness, behavior patterns, and human-readable evidence. |
| Integration rule | Continue using it when an existing workflow depends on its response schema or a specialized endpoint is not available in ACE v2. | Use recommendation.action as the default enforcement input and retain reasons and confidence_factors for explanation and review. |
Integration essentials
- Create credentials. Start a trial or open API keys in the FraudGuard dashboard to get your API username and password.
- Base URL:
https://api.fraudguard.io - Authentication: HTTP Basic Authentication with your FraudGuard API username and password. Send credentials only over HTTPS and store them in a secrets manager or server-side environment variables.
- Request format: Send
Content-Type: application/jsonfor JSON request bodies andAccept: application/jsonwhen you expect JSON. - Rate limits: Limits vary by plan and product. Retry a
429only when the response identifies a temporary rate limit, and honorRetry-Afterwhen present. A plan or access-gate429requires an account change and will not recover through retries. - Reliability: Set a request timeout. Retry retryable rate-limit
429,500, and503responses with exponential backoff and jitter; automatically retry only idempotent requests unless your workflow prevents duplicate writes. - Caching: When ACE v2 returns
cache_ttl_seconds, reuse the decision for that period unless your policy requires a fresher lookup. - Errors: Check the HTTP status before parsing success data. Log the status, sanitized error code/message, and any request identifier returned by the endpoint. Never log credentials, tokens, full query strings, or response bodies containing personal or customer data.
ACE v2 IP Intelligence
ACE v2 IP Intelligence is FraudGuard's next-generation IP reputation API. It is designed for real-time allow, challenge, and block decisions using verified FraudGuard honeypot observations, attack behavior, infrastructure enrichment, network context, geography, and account-specific customer controls.
Unlike static IP lists, ACE v2 explains why a recommendation was made. A response can show the observed attack families, attack volume over 24-hour, 7-day, and 30-day windows, targeted services, protocols and ports, current infrastructure classification, customer whitelist/blacklist/geoblock matches, confidence factors, and human-readable reasons.
Plan Availability
| Plan | Availability |
|---|---|
| Starter | Not included |
| Professional | Included |
| Business | Included |
| Enterprise | Included |
HTTP Request
POST https://api.fraudguard.io/ace/v2/ip/check
Authentication
Basic Authentication is required for every request.
Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Basic Authentication using your FraudGuard API username and password. |
| Content-Type | Yes | Must be application/json. |
Request Body
{
"ip": "8.216.12.173"
}
| Field | Required | Type | Description |
|---|---|---|---|
| ip | Yes | string | A single valid IPv4 address, IPv6 address, or resolvable hostname. |
CIDR ranges are not accepted by this endpoint. Submit one normalized IP address or hostname per request.
If you submit a hostname, FraudGuard resolves it to one IP address and runs the normal ACE v2 IP lookup against that resolved IP. If DNS returns multiple IP addresses, one resolved address is used for the lookup. The response ip field contains the resolved IP address, and the response includes a hostname field containing the original submitted hostname.
curl -u "username:password" \
-H "Content-Type: application/json" \
-X POST "https://api.fraudguard.io/ace/v2/ip/check" \
-d '{"ip":"8.216.12.173"}'
require 'json'
require 'net/http'
uri = URI('https://api.fraudguard.io/ace/v2/ip/check')
request = Net::HTTP::Post.new(uri)
request.basic_auth('username', 'password')
request['Content-Type'] = 'application/json'
request.body = JSON.generate({ ip: '8.216.12.173' })
response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
http.request(request)
end
puts response.body
import requests
from requests.auth import HTTPBasicAuth
response = requests.post(
'https://api.fraudguard.io/ace/v2/ip/check',
json={'ip': '8.216.12.173'},
auth=HTTPBasicAuth('username', 'password'),
timeout=30
)
print(response.text)
const response = await fetch('https://api.fraudguard.io/ace/v2/ip/check', {
method: 'POST',
headers: {
'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64'),
'Content-Type': 'application/json'
},
body: JSON.stringify({ ip: '8.216.12.173' })
});
console.log(await response.json());
<?php
$ch = curl_init('https://api.fraudguard.io/ace/v2/ip/check');
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
CURLOPT_USERPWD => 'username:password',
CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
CURLOPT_POSTFIELDS => json_encode(['ip' => '8.216.12.173']),
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
$body = @{
ip = '8.216.12.173'
} | ConvertTo-Json
Invoke-WebRequest `
-Uri 'https://api.fraudguard.io/ace/v2/ip/check' `
-Headers $Headers `
-Method Post `
-ContentType 'application/json' `
-Body $body
Example Response
{
"ip": "8.216.12.173",
"recommendation": {
"action": "block",
"evidence_summary": "This IP was observed performing 3 total attack events across 2 FraudGuard honeypots in the last 7 days, including 2 Jenkins probing events and 1 HTTP/WAF probing event, most recently on May 26, 2026 at 19:31 UTC.",
"cache_ttl_seconds": 14400
},
"classification": {
"primary": "web_scanner",
"secondary": [
"multi_service_scanner",
"honeypot_attacker",
"ai_automation",
"hosting_provider"
]
},
"risk": {
"level": 5,
"label": "critical",
"confidence": 85,
"confidence_factors": [
"recent_activity",
"repeated_activity",
"multi_honeypot_reach",
"specific_attack_signature",
"multiple_attack_types",
"multiple_target_services"
]
},
"observed_activity": {
"observed": true,
"attack_families": [
"web_probe"
],
"activity": {
"pattern": "burst",
"trend": "burst",
"attack_events_24h": 3,
"attack_events_7d": 3,
"attack_events_30d": 3,
"distinct_attack_types_30d": 2,
"distinct_target_services_30d": 2,
"distinct_target_ports_30d": 2,
"first_seen": "2026-05-26T15:45:54+00:00",
"last_seen": "2026-05-26T19:31:59+00:00"
},
"attacks": [
{
"type": "jenkins_login_page_probe",
"service": "jenkins",
"protocol": "http",
"destination_port": 8080,
"attack_events_24h": 2,
"attack_events_7d": 2,
"attack_events_30d": 2,
"honeypots_reached_24h": 1,
"honeypots_reached_7d": 1,
"honeypots_reached_30d": 1,
"first_seen": "2026-05-26T15:45:54+00:00",
"last_seen": "2026-05-26T15:45:57+00:00"
},
{
"type": "waf_attack",
"service": "http",
"protocol": "http",
"destination_port": 80,
"attack_events_24h": 1,
"attack_events_7d": 1,
"attack_events_30d": 1,
"honeypots_reached_24h": 1,
"honeypots_reached_7d": 1,
"honeypots_reached_30d": 1,
"first_seen": "2026-05-26T19:31:59+00:00",
"last_seen": "2026-05-26T19:31:59+00:00"
}
],
"last_observed_attack": {
"event_type": "waf_attack",
"service": "http",
"protocol": "http",
"destination_port": 80,
"observed_at": "2026-05-26T19:31:59+00:00"
}
},
"attributes": {
"ai_automation_suspected": {
"detected": true
}
},
"reasons": [
{
"code": "abusive_activity_observed",
"message": "Abusive activity observed by FraudGuard ACE",
"severity": "high"
},
{
"code": "scanner_activity_observed",
"message": "Scanner or probing activity observed",
"severity": "medium"
},
{
"code": "honeypot_interaction_observed",
"message": "Interaction observed across FraudGuard honeypot infrastructure",
"severity": "high"
},
{
"code": "waf_attack_activity_observed",
"message": "HTTP/WAF attack activity observed",
"severity": "high"
},
{
"code": "activity_within_7_days",
"message": "Activity observed within the last 7 days",
"severity": "high"
}
],
"customer": {
"ip_in_whitelist": false,
"ip_in_blacklist": false,
"ip_in_geoblock": false
},
"infrastructure": {
"type": "hosting_provider",
"provider": "Alibaba Cloud",
"is_tor_exit": false,
"is_public_proxy": false,
"is_vpn": false,
"is_hosting_provider": true,
"is_residential_proxy": false,
"is_mobile_network": false,
"is_satellite_network": false,
"is_shared_exit": false,
"is_ai_agent": false,
"first_seen": "2026-05-18T02:44:12+00:00",
"last_seen": "2026-05-18T15:07:09+00:00",
"updated_at": "2026-05-18T15:07:09+00:00"
},
"network": {
"asn": 45102,
"asn_org": "Alibaba US Technology Co., Ltd.",
"isp": "Alibaba",
"organization": "Alibaba",
"prefix": "8.216.12.0/24",
"connection_type": "Corporate"
},
"geography": {
"country": "Japan",
"isocode": "JP",
"state": "Tokyo",
"city": "Tokyo",
"postal_code": "102-0082",
"timezone": "Asia/Tokyo",
"latitude": 35.6893,
"longitude": 139.6899
},
"metadata": {
"request_id": "acev2_example_single_lookup",
"generated_at": "2026-05-27T00:47:35+00:00",
"schema_version": "2.0.0",
"api_version": "2.0.0",
"engine": "ace_v2"
}
}
Response Fields
Schema stability and dynamic values: the response schema is stable for this API version, while classification and signal values are intentionally dynamic. FraudGuard may add new detections, services, attack signatures, infrastructure categories, behavior models, confidence factors, reason codes, attributes, attack families, attack types, and infrastructure types over time. Integrations should parse known fields but tolerate new values in classification, confidence_factors, attack_families, attacks[].type, reasons[].code, attributes, and infrastructure.type.
| Field | Type | Description |
|---|---|---|
| ip | string | The IP address evaluated by ACE v2. For direct IP requests, this is the submitted IP. For hostname requests, this is the resolved IP used for lookup. |
| hostname | string | Present only when the request ip value was a hostname. Contains the original hostname submitted in the request. |
| recommendation | object | High-level enforcement guidance for the IP. |
| classification | object | Primary and secondary labels describing the strongest observed behavior or infrastructure context. |
| risk | object | Numeric risk level, risk label, confidence score, and confidence factors. |
| observed_activity | object | FraudGuard honeypot and WAF observations for the IP. |
| attributes | object | Machine-readable signal attributes. Keys are signal names and values currently contain detected: true. |
| reasons | array | Human-readable reasons converted into stable reason codes and severities. |
| customer | object | Account-specific whitelist, blacklist, and geoblock context for the authenticated customer. |
| infrastructure | object | FraudGuard infrastructure enrichment for the IP or matching network range. |
| network | object | ASN, ISP, organization, prefix, and connection-type enrichment. |
| geography | object | Country, region, city, postal code, timezone, latitude, and longitude enrichment. |
| metadata | object | Request metadata. Present on the single-IP endpoint response. |
recommendation
| Field | Type | Description |
|---|---|---|
| action | string | Recommended action. One of allow, challenge, or block. |
| evidence_summary | string | Human-readable summary of the strongest evidence. This may mention observed event volume, targeted services, honeypot reach, WAF activity, infrastructure context, and most recent observation time. |
| cache_ttl_seconds | integer | Suggested cache duration for the verdict. |
Recommended action values:
| Value | Meaning |
|---|---|
| allow | No active ACE v2 threat behavior was observed, or only minimal-risk context was present. |
| challenge | Medium, high, or context-driven risk where additional friction is appropriate. Commonly used for suspicious activity, high-risk scanning that does not meet the block threshold, or proxy/anonymized infrastructure where a softer control is appropriate. |
| block | Critical risk. Used when ACE v2 observes strong malicious behavior such as credential attacks, exploitation, high-volume probing, or repeated honeypot interaction. |
Cache guidance: use cache_ttl_seconds as FraudGuard's recommended cache duration for your own cache layer. ACE v2 may return different TTLs based on risk level, signal freshness, observed activity, infrastructure context, and how quickly the underlying evidence may change.
classification
| Field | Type | Description |
|---|---|---|
| primary | string | The highest-priority classification for the IP. Clean IPs return clean. |
| secondary | array | Additional supporting classifications. This array may be empty. |
Current public classification values include:
| Classification | Description |
|---|---|
| clean | No active ACE v2 threat signals were observed. |
| credential_attacker | Credential attack, login probing, brute-force, password, or authentication behavior. |
| exploit_prober | Exploit, injection, command execution, shell, downloader, or state-changing probing behavior. |
| botnet_activity | Botnet-associated activity. |
| spam_abuser | Spam, SMTP, mail relay, or spam-campaign behavior. |
| signup_abuser | Signup or account-creation abuse behavior. |
| checkout_abuser | Checkout or transaction-abuse behavior. |
| scraper | Scraping, headless browser, Selenium, or Playwright-style automation. |
| ai_endpoint_scanner | AI, LLM, OpenAI-compatible, Ollama, model discovery, or AI gateway probing. |
| cloud_infrastructure_scanner | Docker, Kubernetes, cloud control plane, or orchestration API scanning. |
| industrial_control_scanner | Industrial control system probing such as Modbus. |
| database_scanner | Database or datastore probing such as Redis, MongoDB, MySQL, PostgreSQL, MSSQL, Elasticsearch, or Memcached. |
| enterprise_service_scanner | Enterprise service probing such as SMB, LDAP, directory services, or Windows networking. |
| remote_access_scanner | SSH, Telnet, FTP, RDP, VNC, remote access, remote desktop, or file-transfer probing. |
| web_scanner | HTTP, web route, WAF, Jenkins, WordPress, GraphQL, CMS, admin, or sensitive-path probing. |
| voip_scanner | SIP, VoIP, PBX, or telephony-service probing. |
| edge_appliance_scanner | Edge appliance or gateway probing. |
| network_service_scanner | DNS, NTP, SNMP, resolver, or network service probing. |
| messaging_service_scanner | MQTT, AMQP, queue broker, or messaging-service probing. |
| mobile_device_scanner | ADB or mobile-device service probing. |
| open_proxy_scanner | Open proxy or proxy-service probing. |
| game_server_scanner | Game server probing. |
| media_server_scanner | Media server probing such as Plex. |
| multi_service_scanner | The IP targeted multiple services or ports. |
| honeypot_attacker | The IP interacted with FraudGuard honeypot infrastructure. |
| suspicious_activity | Risk signals exist but do not map to a more specific public behavior classification. |
| repeat_offender | Recurring or persistent behavior over time. |
| ai_automation | AI automation or automated AI-assisted behavior suspected. |
| anonymous_network | Anonymous/proxy network context or behavior. |
| residential_proxy | Residential proxy infrastructure. |
| tor_exit | Tor exit infrastructure. |
| vpn_exit | VPN infrastructure. This is context only and is not inherently malicious by itself. |
| public_proxy | Public proxy infrastructure. |
| shared_exit | Shared exit infrastructure. This is a derived ACE v2 context signal based on observed traffic and infrastructure patterns, not a standalone maliciousness verdict. |
| hosting_provider | Hosting provider, cloud, VPS, or datacenter infrastructure. This is context only and is not inherently malicious by itself. |
| mobile_network | Mobile network infrastructure. This is context only and is not inherently malicious by itself. |
| satellite_network | Satellite network infrastructure. This is context only and is not inherently malicious by itself. |
| ai_agent | AI agent infrastructure. This is context only and is not inherently malicious by itself. |
risk
| Field | Type | Description |
|---|---|---|
| level | integer | Numeric risk level from 1 to 5. |
| label | string | Human-readable risk label. |
| confidence | integer | Confidence score from 0 to 100. |
| confidence_factors | array | Machine-readable factors explaining the confidence score. |
Risk levels:
| Level | Label | Typical recommendation |
|---|---|---|
| 1 | minimal | allow |
| 2 | low | challenge |
| 3 | medium | challenge |
| 4 | high | block |
| 5 | critical | block |
ACE v2 no longer uses the legacy threat taxonomy from earlier FraudGuard APIs. Use classification, reasons, attributes, and observed_activity for behavioral context, and use the returned recommendation—not the numeric risk alone—as the default enforcement input.
Current public confidence factors include:
| Factor | Description |
|---|---|
| no_active_threat_signals | No active ACE v2 threat behavior was observed for the IP during the current evaluation. |
| recent_activity | FraudGuard observed activity recently enough to increase confidence in the current verdict. |
| activity_within_7_days | FraudGuard observed activity from the IP within the last 7 days. |
| activity_within_30_days | FraudGuard observed activity from the IP within the last 30 days. |
| high_event_volume | The IP generated enough observed events to make the signal stronger than a small number of isolated probes. |
| repeated_activity | The IP showed repeated activity instead of a single isolated observation. |
| multi_honeypot_reach | The IP reached multiple FraudGuard honeypots, which strengthens confidence that the behavior is intentional and not incidental. |
| observed_activity_evidence | The verdict is supported by direct FraudGuard-observed activity rather than enrichment context alone. |
| specific_attack_signature | The observed behavior matched a specific attack, probe, protocol, or service signature. |
| multiple_attack_types | The IP was associated with more than one attack or event type. |
| multiple_target_services | The IP targeted more than one service, application, or protocol surface. |
| repeat_behavior_pattern | The IP showed a recurring or persistent behavior pattern over time. |
| high_severity_events | One or more observed events mapped to higher-severity behavior such as credential attacks, exploitation, or state-changing probes. |
| multi_source_corroboration | Multiple FraudGuard signal sources contributed to the verdict. |
| multiple_correlated_signals | Several independent signals aligned around the same risk decision. |
| infrastructure_context | Infrastructure enrichment, such as proxy, hosting, Tor, VPN, or shared-exit context, contributed supporting context. |
| ace_signal_history | Historical ACE signal data for the IP or related network context contributed to confidence. |
observed_activity
| Field | Type | Description |
|---|---|---|
| observed | boolean | true when FraudGuard observed activity for the IP in honeypot/WAF telemetry. |
| attack_families | array | High-level families of observed attack behavior. |
| activity | object | Aggregate event counts, trend, pattern, distinct target counts, and first/last seen timestamps. |
| attacks | array | Top observed attack/event types with service, protocol, destination port, event counts, honeypot reach, and first/last seen timestamps. |
| last_observed_attack | object/null | Most recent observed attack event, or null when no activity was observed. |
The observed_activity.activity object contains:
| Field | Type | Description |
|---|---|---|
| pattern | string | Aggregate activity pattern. See the supported values below. |
| trend | string | Direction of recent activity. See the supported values below. |
| attack_events_24h | integer | Events observed in the last 24 hours. |
| attack_events_7d | integer | Events observed in the last 7 days. |
| attack_events_30d | integer | Events observed in the last 30 days. |
| distinct_attack_types_30d | integer | Distinct attack or event types observed in the last 30 days. |
| distinct_target_services_30d | integer | Distinct target services observed in the last 30 days. |
| distinct_target_ports_30d | integer | Distinct destination ports observed in the last 30 days. |
| first_seen | string/null | First observed timestamp in ISO 8601 format, or null when no activity was observed. |
| last_seen | string/null | Most recent observed timestamp in ISO 8601 format, or null when no activity was observed. |
Supported activity.pattern values:
| Value | Meaning |
|---|---|
| none | No observed activity. |
| single_probe | One observed event. |
| low_volume_probe | Low-volume activity against one service. |
| low_volume_multi_service_probe | Low-volume activity against multiple services. |
| burst | Concentrated recent activity. |
| persistent | Long-running activity over a broader window. |
| recurring | Repeated activity that does not meet the burst or persistent definition. |
Supported activity.trend values:
| Value | Meaning |
|---|---|
| inactive | No active behavior in the current evaluation window. |
| cooling | Activity exists but has slowed or aged. |
| stable | Activity remains present without strong rise or cooling. |
| rising | Recent activity is increasing compared with prior observations. |
| burst | Tight burst of activity in a short window. |
Current public attack_families include:
| Family | Description |
|---|---|
| credential_probe | Login, authentication, brute-force, credential-stuffing, or credential submission behavior. |
| web_probe | HTTP, WAF, web route, admin panel, CMS, sensitive-path, or application probing behavior. |
| database_probe | Database or datastore probing such as Redis, MongoDB, MySQL, PostgreSQL, MSSQL, Elasticsearch, or Memcached. |
| cloud_infrastructure_probe | Cloud, container, orchestration, Kubernetes, Docker, or cloud-control-plane probing behavior. |
| ai_endpoint_probe | AI, LLM, OpenAI-compatible API, Ollama, model discovery, or AI gateway probing behavior. |
| spam_probe | SMTP, mail relay, spam infrastructure, or spam-campaign probing behavior. |
| voip_probe | SIP, VoIP, PBX, telephony, or registration probing behavior. |
| enterprise_service_probe | SMB, LDAP, directory service, Windows networking, file share, or enterprise service probing behavior. |
| industrial_control_probe | Industrial control system probing, including Modbus and related operational technology services. |
| mobile_device_probe | Mobile device service probing, including ADB or related mobile administration surfaces. |
| messaging_service_probe | Messaging, queue broker, MQTT, AMQP, or similar service probing behavior. |
| network_service_probe | DNS, NTP, SNMP, resolver, or other general network service probing behavior. |
| proxy_probe | Proxy, open proxy, forwarding, or proxy-service probing behavior. |
| game_server_probe | Game server or game-service probing behavior. |
| media_server_probe | Media server probing behavior, such as Plex or similar media application surfaces. |
| edge_appliance_probe | Edge appliance, gateway, firewall, router, or perimeter device probing behavior. |
| generic_scan | General scanning behavior that does not map cleanly to a more specific public family. |
Each object in observed_activity.attacks contains:
| Field | Type | Description |
|---|---|---|
| type | string | Public attack/event type, such as waf_attack, ssh_attack, jenkins_login_page_probe, postgresql_login_attempt, or ai_api_probe. |
| service | string/null | Targeted service, such as http, ssh, jenkins, postgresql, redis, smb, or ai_api. |
| protocol | string/null | Protocol associated with the observation, such as http, ssh, postgresql, smb, or sip/udp. |
| destination_port | integer/null | Destination port targeted by the activity. |
| attack_events_24h | integer | Events observed in the last 24 hours. |
| attack_events_7d | integer | Events observed in the last 7 days. |
| attack_events_30d | integer | Events observed in the last 30 days. |
| honeypots_reached_24h | integer | FraudGuard honeypots reached in the last 24 hours. |
| honeypots_reached_7d | integer | FraudGuard honeypots reached in the last 7 days. |
| honeypots_reached_30d | integer | FraudGuard honeypots reached in the last 30 days. |
| first_seen | string/null | First observed timestamp in ISO 8601 format. |
| last_seen | string/null | Last observed timestamp in ISO 8601 format. |
When present, observed_activity.last_observed_attack contains:
| Field | Type | Description |
|---|---|---|
| event_type | string | Public attack or event type for the most recent observation. |
| service | string/null | Targeted service, when available. |
| protocol | string/null | Protocol associated with the observation, when available. |
| destination_port | integer/null | Destination port targeted by the observation, when available. |
| observed_at | string | Observation timestamp in ISO 8601 format. |
attributes
attributes is an intentionally dynamic signal map. Keys are public signal names and values currently contain detected: true.
Common example attribute groups include:
| Group | Example attributes |
|---|---|
| AI and automation | ai_automation_suspected, llm_api_probe, openai_compatible_api_probe, model_discovery_activity, ai_gateway_reconnaissance |
| Credential activity | credential_attack_pattern, credential_field_submitted, credential_stuffing_probe, login_bruteforce_behavior, password_field_interaction, multi_attempt_sequence |
| Web and admin probing | http_attack_surface_mapping, web_route_scan, sensitive_file_probe, jenkins_console_recon, ci_cd_admin_probe, cms_surface_probe |
| Database and datastore probing | database_login_probe, datastore_exposure_probe, redis_command_probe, mongodb_wire_probe, mysql_handshake_scan, postgres_startup_scan, sql_service_recon |
| Enterprise services | smb_negotiation_scan, windows_network_probe, enterprise_file_share_probe, directory_service_probe |
| Messaging, VoIP, and industrial | amqp_handshake_scan, messaging_service_probe, queue_broker_probe, sip_registration_probe, voip_service_probe, modbus_function_probe |
| Behavior and volume | high_volume_honeypot_activity, repeated_probe_pattern, sustained_probe_stream, dense_scan_cluster, scan_retry_pattern, persistent_touch_pattern |
| Payload and protocol indicators | binary_protocol_fingerprint, protocol_handshake_probe, payload_domain_indicator, payload_ip_indicator, payload_url_indicator, shell_or_downloader_artifact |
reasons
Each reason contains:
| Field | Type | Description |
|---|---|---|
| code | string | Stable machine-readable reason code. |
| message | string | Human-readable reason. |
| severity | string | One of info, low, medium, high, or critical. |
Current public ACE v2 reason codes include:
| Code | Severity | Message |
|---|---|---|
| honeypot_interaction_observed | high | Interaction observed across FraudGuard honeypot infrastructure |
| scanner_activity_observed | medium | Scanner or probing activity observed |
| abusive_activity_observed | high | Abusive activity observed by FraudGuard ACE |
| anonymized_network_behavior_observed | medium | Anonymized network behavior observed |
| tor_exit_infrastructure_observed | medium | Tor exit infrastructure signal observed |
| public_proxy_infrastructure_observed | medium | Public proxy infrastructure signal observed |
| residential_proxy_infrastructure_observed | medium | Residential proxy infrastructure signal observed |
| shared_exit_infrastructure_observed | medium | Shared exit infrastructure signal observed |
| botnet_activity_observed | critical | Botnet-associated activity observed |
| spam_activity_observed | medium | Spam-related activity observed |
| vpn_infrastructure_observed | low | VPN infrastructure signal observed |
| credential_attack_behavior_observed | high | Credential attack behavior observed |
| command_execution_probe_observed | critical | Command execution or state-changing probe observed |
| exploit_or_sensitive_probe_observed | high | Exploit, admin, or sensitive-path probing observed |
| ai_service_reconnaissance_observed | medium | AI service reconnaissance observed |
| waf_attack_activity_observed | high | HTTP/WAF attack activity observed |
| activity_within_7_days | high | Activity observed within the last 7 days |
| high_event_volume_observed | high | High-volume attack activity observed |
| activity_within_30_days | medium | Activity observed within the last 30 days |
| multi_source_activity_observed | medium | Seen across multiple FraudGuard sources |
| ace_risk_signals_detected | medium | FraudGuard ACE v2 detected active risk signals for this IP |
| ace_signal_observed | medium | FraudGuard ACE signal observed |
| no_active_ace_v2_signals | info | No active FraudGuard ACE v2 signals observed |
Note: anonymized_network_behavior_observed can come from observed behavior, such as AI/API/proxy-style probing, and is not limited to current infrastructure flags. More specific current infrastructure reasons are emitted separately, such as public_proxy_infrastructure_observed or tor_exit_infrastructure_observed.
customer
The customer object is account-specific and is evaluated for the authenticated API user.
These fields are provided for customers who use FraudGuard custom whitelist, blacklist, or geoblock features. ACE v2 does not use these account-specific customer lists to change recommendation.action, risk, or classification; if your integration depends on whitelist, blacklist, or geoblock enforcement, check these values in your own application logic.
| Field | Type | Description |
|---|---|---|
| ip_in_whitelist | boolean | true when the IP exists in the authenticated customer's whitelist. |
| ip_in_blacklist | boolean | true when the IP exists in the authenticated customer's blacklist. |
| ip_in_geoblock | boolean | true when the IP's country ISO code matches one of the authenticated customer's geoblocked countries. |
infrastructure
| Field | Type | Description |
|---|---|---|
| type | string | Primary infrastructure type. See supported values below. |
| provider | string/null | Best available provider name for the infrastructure context. |
| is_tor_exit | boolean | Indicates Tor exit infrastructure. |
| is_public_proxy | boolean | Indicates public proxy infrastructure. |
| is_vpn | boolean | Indicates VPN infrastructure. |
| is_hosting_provider | boolean | Indicates hosting, cloud, VPS, or datacenter context. |
| is_residential_proxy | boolean | Indicates residential proxy context. |
| is_mobile_network | boolean | Indicates mobile network context. |
| is_satellite_network | boolean | Indicates satellite network context. |
| is_shared_exit | boolean | Indicates shared exit infrastructure. |
| is_ai_agent | boolean | Indicates AI agent infrastructure. |
| first_seen | string/null | First time FraudGuard observed this infrastructure signal. |
| last_seen | string/null | Last time FraudGuard observed this infrastructure signal. |
| updated_at | string/null | Last enrichment update timestamp. |
Current public infrastructure.type values include:
unknown, ai_agent, residential_proxy, vpn, tor_exit, public_proxy, hosting_provider, mobile_network, satellite_network, shared_exit.
network
| Field | Type | Description |
|---|---|---|
| asn | integer/null | Autonomous System Number. |
| asn_org | string/null | ASN organization. |
| isp | string/null | Internet service provider. |
| organization | string/null | Network organization. |
| prefix | string/null | Network prefix when available. |
| connection_type | string/null | Connection type from network enrichment, such as Corporate, Cable/DSL or Mobile. |
geography
| Field | Type | Description |
|---|---|---|
| country | string/null | Country name. |
| isocode | string/null | Two-letter ISO 3166-1 alpha-2 country code. |
| state | string/null | State, province, or region. |
| city | string/null | City. |
| postal_code | string/null | Postal code. |
| timezone | string/null | IANA timezone. |
| latitude | number/null | Latitude. |
| longitude | number/null | Longitude. |
metadata
| Field | Type | Description |
|---|---|---|
| request_id | string | FraudGuard-generated request ID for tracing support and troubleshooting. |
| generated_at | string | Response generation time in ISO 8601 format. |
| schema_version | string | Response schema version. |
| api_version | string | API version. |
| engine | string | Always ace_v2. |
ACE v2 Bulk IP Intelligence
ACE v2 Bulk IP Intelligence runs the same ACE v2 analysis as the single-IP endpoint for multiple IPs in one request. Use this endpoint when you need to evaluate batches efficiently while receiving the same per-IP recommendation, classification, risk, activity, customer, infrastructure, network, and geography fields.
The result object for each IP follows the ACE v2 IP Intelligence schema. This section documents only the differences for bulk requests and responses.
Plan Availability
| Plan | Availability |
|---|---|
| Starter | Not included |
| Professional | Not included |
| Business | Included |
| Enterprise | Included |
HTTP Request
POST https://api.fraudguard.io/ace/v2/ip/check/bulk
Authentication
Basic Authentication is required for every request.
Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Basic Authentication using your FraudGuard API username and password. |
| Content-Type | Yes | Must be application/json. |
Request Body
{
"ips": [
"8.8.8.8",
"8.216.12.173",
"app.fraudguard.io"
]
}
| Field | Required | Type | Description |
|---|---|---|---|
| ips | Yes | array | Array of valid IPv4 addresses, IPv6 addresses, or resolvable hostnames. |
Bulk request behavior:
- Maximum accepted unique resolved IP lookups per request:
100. - Duplicate resolved IPs are de-duplicated before lookup.
- Empty string values are ignored.
- CIDR ranges are not accepted.
- Hostnames are resolved to one IP address and then looked up like normal ACE v2 IPs. If DNS returns multiple IP addresses, one resolved address is used for the lookup.
- Results are keyed by unique resolved IP, not by request-array position. If multiple hostnames—or a hostname and a literal IP—resolve to the same address, they collapse into one result and its
hostnamefield cannot represent every original input. Resolve DNS client-side or avoid colliding inputs when one-to-one attribution matters. - If any non-empty submitted value is not a valid IPv4 address, IPv6 address, or resolvable hostname, the entire request returns an error instead of a partial result.
- Billing and monthly usage counters are incremented by the number of accepted unique resolved IP lookups, not by one per HTTP request.
curl -u "username:password" \
-H "Content-Type: application/json" \
-X POST "https://api.fraudguard.io/ace/v2/ip/check/bulk" \
-d '{"ips":["8.8.8.8","8.216.12.173","app.fraudguard.io"]}'
require 'json'
require 'net/http'
uri = URI('https://api.fraudguard.io/ace/v2/ip/check/bulk')
request = Net::HTTP::Post.new(uri)
request.basic_auth('username', 'password')
request['Content-Type'] = 'application/json'
request.body = JSON.generate({
ips: ['8.8.8.8', '8.216.12.173', 'app.fraudguard.io']
})
response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
http.request(request)
end
puts response.body
import requests
from requests.auth import HTTPBasicAuth
response = requests.post(
'https://api.fraudguard.io/ace/v2/ip/check/bulk',
json={'ips': ['8.8.8.8', '8.216.12.173', 'app.fraudguard.io']},
auth=HTTPBasicAuth('username', 'password'),
timeout=30
)
print(response.text)
const response = await fetch('https://api.fraudguard.io/ace/v2/ip/check/bulk', {
method: 'POST',
headers: {
'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64'),
'Content-Type': 'application/json'
},
body: JSON.stringify({
ips: ['8.8.8.8', '8.216.12.173', 'app.fraudguard.io']
})
});
console.log(await response.json());
<?php
$ch = curl_init('https://api.fraudguard.io/ace/v2/ip/check/bulk');
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
CURLOPT_USERPWD => 'username:password',
CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
CURLOPT_POSTFIELDS => json_encode([
'ips' => ['8.8.8.8', '8.216.12.173', 'app.fraudguard.io'],
]),
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
$body = @{
ips = @('8.8.8.8', '8.216.12.173', 'app.fraudguard.io')
} | ConvertTo-Json
Invoke-WebRequest `
-Uri 'https://api.fraudguard.io/ace/v2/ip/check/bulk' `
-Headers $Headers `
-Method Post `
-ContentType 'application/json' `
-Body $body
Example Response
The bulk example response below is shortened to one result object. A real bulk response returns one result object per accepted unique resolved IP, and each result follows the ACE v2 IP Intelligence schema.
When a hostname resolves to a unique result IP, that result includes hostname with the submitted hostname and ip with the resolved address used for the lookup. See the duplicate-resolution caveat above when inputs collapse to the same IP.
{
"results": [
{
"ip": "8.8.8.8",
"recommendation": {
"action": "allow",
"evidence_summary": "No active FraudGuard ACE v2 threat signals were observed for this IP.",
"cache_ttl_seconds": 28800
},
"classification": {
"primary": "clean",
"secondary": []
},
"risk": {
"level": 1,
"label": "minimal",
"confidence": 100,
"confidence_factors": [
"no_active_threat_signals"
]
},
"observed_activity": {
"observed": false,
"attack_families": [],
"activity": {
"pattern": "none",
"trend": "inactive",
"attack_events_24h": 0,
"attack_events_7d": 0,
"attack_events_30d": 0,
"distinct_attack_types_30d": 0,
"distinct_target_services_30d": 0,
"distinct_target_ports_30d": 0,
"first_seen": null,
"last_seen": null
},
"attacks": [],
"last_observed_attack": null
},
"attributes": {},
"reasons": [
{
"code": "no_active_ace_v2_signals",
"message": "No active FraudGuard ACE v2 signals observed",
"severity": "info"
}
],
"customer": {
"ip_in_whitelist": false,
"ip_in_blacklist": false,
"ip_in_geoblock": false
},
"infrastructure": {
"type": "unknown",
"provider": null,
"is_tor_exit": false,
"is_public_proxy": false,
"is_vpn": false,
"is_hosting_provider": false,
"is_residential_proxy": false,
"is_mobile_network": false,
"is_satellite_network": false,
"is_shared_exit": false,
"is_ai_agent": false,
"first_seen": null,
"last_seen": null,
"updated_at": null
},
"network": {
"asn": 15169,
"asn_org": "GOOGLE",
"isp": "Google",
"organization": "Google",
"prefix": null,
"connection_type": "Corporate"
},
"geography": {
"country": "United States",
"isocode": "US",
"state": null,
"city": null,
"postal_code": null,
"timezone": "America/Chicago",
"latitude": 37.751,
"longitude": -97.822
}
}
],
"count": 1,
"metadata": {
"request_id": "acev2_example_bulk_lookup",
"generated_at": "2026-05-27T14:35:53+00:00",
"schema_version": "2.0.0",
"api_version": "2.0.0",
"engine": "ace_v2"
}
}
Bulk Response Fields
| Field | Type | Description |
|---|---|---|
| results | array | Array of ACE v2 per-IP result objects. Each object follows the single-IP response schema above, except result-level metadata is omitted. |
| count | integer | Number of result objects returned. |
| metadata | object | Request-level metadata for the bulk request. |
Differences From Single-IP ACE v2
- Single-IP endpoint request body uses
ip; bulk request body usesips. - Single-IP response contains one result object with
metadatainside that object. - Bulk response contains
results,count, and top-levelmetadata. - Each bulk
results[]object uses the same fields as a single-IP response, but does not include per-resultmetadata. - Bulk requests are billed by accepted unique resolved IP lookup count.
- Bulk validation is all-or-nothing for invalid non-empty IP or hostname values.
ACE v2 IP Forecast
ACE v2 IP Forecast is FraudGuard's predictive risk API for a single IP address. It uses the ACE v2 engine to compare the IP's current risk state with a near-term forecast based on direct IP activity, historical risk snapshots, active ACE signals, and correlated activity in nearby network space.
This endpoint is intentionally predictive. current_risk and current_action describe the IP's current ACE v2 assessment at the time of the request. forecast_risk and forecast_action describe the model's projected near-term risk and recommended treatment over the returned forecast_horizon. A higher forecast does not always mean the exact IP has already performed malicious activity; inspect signals, nearby_activity, and why to understand whether the forecast is driven by direct observations, related prefix activity, or both.
Use this API when you need forward-looking enforcement guidance, such as adding friction before abuse is directly observed from the exact IP, monitoring IPs from risky prefixes more closely, or deciding whether a currently allowed IP should be challenged on sensitive workflows.
HTTP Request
POST https://api.fraudguard.io/ace/v2/ip/forecast
Authentication
Basic Authentication is required for every request.
Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Basic Authentication using your FraudGuard API username and password. |
| Content-Type | Yes | Must be application/json. |
Request Body
{
"ip": "94.243.8.249"
}
| Field | Required | Type | Description |
|---|---|---|---|
| ip | Yes | string | A single valid IPv4 or IPv6 address to forecast. |
CIDR ranges, hostnames, and arrays of IPs are not accepted by this endpoint. Submit one normalized IP address per request.
curl -u "username:password" \
-H "Content-Type: application/json" \
-X POST "https://api.fraudguard.io/ace/v2/ip/forecast" \
-d '{"ip":"94.243.8.249"}'
require 'json'
require 'net/http'
uri = URI('https://api.fraudguard.io/ace/v2/ip/forecast')
request = Net::HTTP::Post.new(uri)
request.basic_auth('username', 'password')
request['Content-Type'] = 'application/json'
request.body = JSON.generate({ ip: '94.243.8.249' })
response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
http.request(request)
end
puts response.body
import requests
from requests.auth import HTTPBasicAuth
response = requests.post(
'https://api.fraudguard.io/ace/v2/ip/forecast',
json={'ip': '94.243.8.249'},
auth=HTTPBasicAuth('username', 'password'),
timeout=30
)
print(response.text)
const response = await fetch('https://api.fraudguard.io/ace/v2/ip/forecast', {
method: 'POST',
headers: {
'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64'),
'Content-Type': 'application/json'
},
body: JSON.stringify({ ip: '94.243.8.249' })
});
console.log(await response.json());
<?php
$ch = curl_init('https://api.fraudguard.io/ace/v2/ip/forecast');
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
CURLOPT_USERPWD => 'username:password',
CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
CURLOPT_POSTFIELDS => json_encode(['ip' => '94.243.8.249']),
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
$body = @{
ip = '94.243.8.249'
} | ConvertTo-Json
Invoke-WebRequest `
-Uri 'https://api.fraudguard.io/ace/v2/ip/forecast' `
-Headers $Headers `
-Method Post `
-ContentType 'application/json' `
-Body $body
Example Response
{
"ip": "94.243.8.249",
"current_risk": 1,
"forecast_risk": 4,
"current_action": "allow",
"forecast_action": "challenge",
"outlook": "worsening",
"confidence": 90,
"trend": "rising",
"time_window": "30d",
"forecast_horizon": {
"period": "near_term",
"days": 7
},
"signals": {
"events_24h": 0,
"events_7d": 0,
"events_30d": 0,
"risk_24h_ago": null,
"risk_7d_ago": null,
"risk_30d_ago": null,
"active_trackers": [],
"active_attributes": [],
"max_severity_30d": null,
"distinct_sources_30d": 0
},
"nearby_activity": {
"prefix": "94.243.8.0/24",
"events_24h": 30,
"events_7d": 96,
"events_30d": 111,
"distinct_ips_24h": 2,
"distinct_ips_7d": 10,
"distinct_ips_30d": 12,
"active_trackers": [
"scanner_tracker",
"abuse_tracker"
],
"active_attributes": [
"remote_access_probe",
"persistent_touch_pattern",
"dense_scan_cluster",
"command_execution_probe",
"shell_or_downloader_artifact",
"suspicious_command_indicator",
"legacy_shell_probe",
"scan_retry_pattern",
"credential_attack_pattern",
"login_bruteforce_behavior",
"credential_field_submitted",
"credential_stuffing_probe",
"repeated_probe_pattern",
"sustained_probe_stream",
"telnet_login_surface_scan",
"multi_attempt_sequence",
"high_volume_honeypot_activity",
"web_route_scan",
"authentication_surface_scan",
"known_exploit_path_scan",
"admin_surface_probe",
"scripted_request_pattern",
"recently_active"
],
"max_severity_30d": 4
},
"why": [
"No direct malicious activity observed for this IP",
"Recent malicious activity observed in the same prefix",
"Prefix contains scanner or probing activity",
"Prefix contains abuse activity"
],
"recommendation": "Apply additional scrutiny; nearby ACE activity indicates elevated prefix risk."
}
Forecast Response Fields
Schema stability and dynamic values: the top-level response schema is stable for this API version, while tracker names, attribute names, trend values, outlook values, and why messages are intentionally dynamic. FraudGuard may add new ACE v2 signals, trackers, attributes, trend labels, outlook labels, and explanation text over time. Integrations should parse known fields but tolerate new string values in outlook, trend, active_trackers, active_attributes, and why.
| Field | Type | Description |
|---|---|---|
| ip | string | The IP address submitted in the request. |
| current_risk | integer | Current ACE v2 risk level for the IP at request time. Lower values indicate lower current risk; higher values indicate higher current risk. |
| forecast_risk | integer | Predictive ACE v2 risk level for the IP over the returned forecast horizon. |
| current_action | string | Recommended action for the IP's current state. One of allow, challenge, or block. |
| forecast_action | string | Recommended action for the forecast horizon. One of allow, challenge, or block. |
| outlook | string | Qualitative comparison between current and forecast risk: worsening, stable, improving, or insufficient_data. |
| confidence | integer | Forecast confidence score from 0 to 100. This is model confidence in the forecast, not a literal probability that the IP will attack. |
| trend | string | Direction of recent signal movement, such as rising, stable, falling, inactive, or unknown when no usable trend exists. |
| time_window | string | Historical lookback window used to evaluate direct and nearby activity, such as 30d. |
| forecast_horizon | object | Time period covered by the predictive forecast. |
| signals | object | Direct signal summary for the exact IP. |
| nearby_activity | object | Correlated ACE v2 activity observed in nearby network space used by the forecast model. |
| why | array | Human-readable explanation strings for the current forecast. |
| recommendation | string | Human-readable guidance summarizing how to treat the forecast result. |
Forecast Interpretation
current_* fields are for the IP's current ACE v2 state. forecast_* fields are for the predicted near-term state. These can differ significantly. In the example above, the IP is currently allowed with current_risk 1, but the forecast is worsening because ACE v2 observed recent scanner and abuse activity in the same prefix. The recommended predictive action is therefore challenge.
Do not derive actions from risk numbers yourself. Use current_action for current enforcement and forecast_action for predictive enforcement. The forecast action can be softer or different from what a static risk-to-action mapping might suggest because it represents forward-looking control guidance, not only a current observed-abuse verdict.
Use signals to determine whether the exact IP has direct activity. Use nearby_activity to determine whether the forecast is being influenced by related prefix behavior. A forecast driven only by nearby_activity is still useful for additional scrutiny, but it should not be presented as evidence that the exact IP already performed the nearby activity.
Risk and Action Values
Risk levels use the ACE v2 1 through 5 scale, where 1 is the lowest risk and 5 is the highest risk. The forecast endpoint returns numeric risk only, so use the returned action fields for enforcement decisions.
| Action | Meaning |
|---|---|
| allow | No additional friction is recommended for the current or forecasted state. |
| challenge | Add scrutiny or friction, such as human verification, step-up authentication, rate limiting, manual review, or tighter workflow controls. |
| block | Block or deny the request when your application policy allows hard enforcement. |
Outlook values describe the relationship between current and forecast risk:
| Outlook | Meaning |
|---|---|
| worsening | Forecasted risk is higher than current risk or nearby/direct signals indicate increasing concern. |
| stable | Forecasted risk is materially similar to current risk. |
| improving | Forecasted risk is lower than current risk or signals are cooling. |
| insufficient_data | ACE does not yet have enough recent direct or nearby activity for a strong forecast. |
forecast_horizon
| Field | Type | Description |
|---|---|---|
| period | string | Human-readable horizon category, such as near_term. |
| days | integer | Number of days covered by the forecast horizon. |
Read forecast_horizon.days from every response instead of assuming a fixed horizon. The example response forecasts the next 7 days.
signals
signals describes activity and risk history for the exact queried IP.
| Field | Type | Description |
|---|---|---|
| events_24h | integer | Direct ACE v2 events observed for the exact IP in the last 24 hours. |
| events_7d | integer | Direct ACE v2 events observed for the exact IP in the last 7 days. |
| events_30d | integer | Direct ACE v2 events observed for the exact IP in the last 30 days. |
| risk_24h_ago | integer/null | ACE v2 risk level for the exact IP 24 hours ago, when available. |
| risk_7d_ago | integer/null | ACE v2 risk level for the exact IP 7 days ago, when available. |
| risk_30d_ago | integer/null | ACE v2 risk level for the exact IP 30 days ago, when available. |
| active_trackers | array | Active ACE tracker identifiers observed directly for the exact IP. |
| active_attributes | array | Active ACE signal attributes observed directly for the exact IP. |
| max_severity_30d | integer/null | Maximum direct ACE severity observed for the exact IP in the last 30 days. |
| distinct_sources_30d | integer | Number of distinct direct ACE sources that contributed events for the exact IP in the last 30 days. |
When signals.events_30d is 0, no direct malicious activity was observed for the exact IP during the returned time_window. The forecast can still rise when nearby network behavior indicates elevated risk.
nearby_activity
nearby_activity describes correlated ACE v2 activity in nearby network space. For IPv4, this is commonly a related prefix such as a /24; for other address families or future models, use the returned prefix value rather than assuming a fixed prefix size.
| Field | Type | Description |
|---|---|---|
| prefix | string | Network prefix used for nearby activity analysis. |
| events_24h | integer | ACE v2 events observed in the nearby prefix in the last 24 hours. |
| events_7d | integer | ACE v2 events observed in the nearby prefix in the last 7 days. |
| events_30d | integer | ACE v2 events observed in the nearby prefix in the last 30 days. |
| distinct_ips_24h | integer | Distinct IPs in the nearby prefix with ACE v2 activity in the last 24 hours. |
| distinct_ips_7d | integer | Distinct IPs in the nearby prefix with ACE v2 activity in the last 7 days. |
| distinct_ips_30d | integer | Distinct IPs in the nearby prefix with ACE v2 activity in the last 30 days. |
| active_trackers | array | Active ACE tracker identifiers observed in the nearby prefix. |
| active_attributes | array | Active ACE signal attributes observed in the nearby prefix. |
| max_severity_30d | integer/null | Maximum ACE severity observed in the nearby prefix in the last 30 days. |
Nearby activity helps ACE v2 forecast risk before the exact IP has produced direct evidence. It is especially useful for detecting emerging scanning, abuse, credential attacks, and exploit probing moving through adjacent infrastructure.
Integration Guidance
- Use
current_actionwhen you only need the immediate ACE v2 decision for the exact IP. - Use
forecast_actionwhen you want predictive controls for sensitive flows, such as login, signup, checkout, password reset, account changes, scraping-prone pages, and high-cost API endpoints. - Treat
challengeas a step-up control, not necessarily as a hard deny. Common challenge actions include BotGuard, CAPTCHA, MFA, rate limiting, device checks, queueing, or manual review. - Do not describe forecast-only risk as confirmed direct abuse. The
signalsobject is always present; whensignals.events_30dis0andnearby_activityis elevated, explain that the forecast is based on related network activity. - Log
current_risk,forecast_risk,current_action,forecast_action,outlook,confidence,time_window,forecast_horizon, andwhyfor review and tuning. - Cache conservatively. This endpoint does not return
cache_ttl_seconds, and forecasts can change as ACE v2 receives new telemetry. - Re-query before durable account actions, permanent blocks, or support decisions that depend on the latest forecast.
Get Specific IP Reputation v1
This legacy endpoint returns the original FraudGuard IP reputation schema for one IP address. It remains available for compatibility; use ACE v2 for new integrations, explainable decisions, and the current intelligence model.
Response Fields
isocode: The two-letter ISO 3166-1 alpha-2 country code representing the country associated with the IP address. Example:"KR"for the Republic of Korea.country: The full name of the country where the IP address is located. Example:"Republic of Korea".state: The state or region within the country associated with the IP address. Example:"Seoul".city: The city associated with the IP address. Example:"Seoul".discover_date: The date and time when the IP address was first identified or reported for suspicious activity, formatted as"YYYY-MM-DD HH:MM:SS". Example:"2018-12-11 07:00:45".threat: The category of threat detected for the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). This field highlights specific behaviors or associations flagged for the IP:"abuse_tracker": Indicates involvement in abusive activities, such as unauthorized access attempts or exploitation."honeypot_tracker": Associated with honeypot traps, suggesting the IP has been caught in decoy systems designed to detect malicious behavior."botnet_tracker": Part of a botnet network, indicating the IP is likely compromised and under the control of malicious actors."spam_tracker": Linked to spamming activities, including the distribution of unsolicited emails or messages."anonymous_tracker": Associated with anonymization services like proxies or TOR, which can be used to mask the true origin of traffic."vpn_tracker": Represents IP addresses associated with VPN servers, used primarily for anonymizing user traffic."unknown": No specific threat detected.
risk_level: A numeric value representing the assessed threat level of the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). Therisk_levelreflects not just the nature of malicious activities but also factors in time and recurrence:- Older incidents, especially from IPs that have not repeated their behavior, may have a lower risk level due to the lack of recent activity.
- Recurring offenders or IPs flagged for multiple recent events are assigned a higher risk level. The scale typically ranges from 1 to 5, with higher numbers indicating greater risk:
- Level 1 (Low Risk): Minimal or negligible threat. Likely a benign IP with a clean reputation.
- Level 2: Some indicators of suspicious behavior but not considered actively dangerous.
- Level 3: Moderate risk with signs of suspicious or harmful activity.
- Level 4: High risk with significant evidence of malicious behavior, often repeated or recent.
- Level 5 (Critical Risk): Severe threats, actively engaged in malicious activities and requiring immediate attention.
Example:
5(indicating a critical-risk IP).
curl -X GET -u "username:password" "https://api.fraudguard.io/ip/1.221.157.205"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/ip/1.221.157.205','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/ip/1.221.157.205', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/ip/1.221.157.205',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/ip/1.221.157.205';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/ip/1.221.157.205' -Headers $Headers
Example response:
{
"isocode": "KR",
"country": "Republic of Korea",
"state": "Seoul",
"city": "Seoul",
"discover_date": "2018-12-11 07:00:45",
"threat": "honeypot_tracker",
"risk_level": "5"
}
HTTP Request
GET https://api.fraudguard.io/ip/<IP>
URL Parameters
| Parameter | Description |
|---|---|
| IP | Any IPv4 or IPv6 address |
Get Specific IP Reputation v2
This legacy endpoint returns the v2 FraudGuard reputation schema for one IP address. It remains available for compatibility; use ACE v2 for new integrations.
Response Fields
isocode: The two-letter ISO 3166-1 alpha-2 country code representing the country associated with the IP address. Example:"US"for the United States.country: The full name of the country where the IP address is located. Example:"United States".state_code: The abbreviated code for the state or region within the country. Example:"CA"for California.state: The full name of the state or region corresponding to thestate_code. Example:"California".city: The city associated with the IP address. Example:"Pomona".postal_code: The postal or ZIP code for the location. Example:"91768".latitude: The geographic latitude of the IP address's location. Example:34.0662.longitude: The geographic longitude of the IP address's location. Example:-117.7763.timezone: The IANA time zone identifier for the location. Example:"America/Los_Angeles".connection_type: The type of internet connection used. Possible values include:"Corporate","Cable/DSL","Mobile". Example:"Corporate".asn: The Autonomous System Number associated with the IP address. Example:7018.asn_organization: The organization that owns the ASN. Example:"AT&T Services, Inc.".isp: The Internet Service Provider providing connectivity for the IP address. Example:"AT&T Services".organization: The specific organization associated with the IP address, which may differ from the ISP. Example:"AT&T Services".discover_date: The date and time when the IP address was first identified or reported for suspicious activity, formatted as"YYYY-MM-DD HH:MM:SS". Example:"2018-12-13 03:03:15".threat: The category of threat detected for the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). This field highlights specific behaviors or associations flagged for the IP:"abuse_tracker": Indicates involvement in abusive activities, such as unauthorized access attempts or exploitation."honeypot_tracker": Associated with honeypot traps, suggesting the IP has been caught in decoy systems designed to detect malicious behavior."botnet_tracker": Part of a botnet network, indicating the IP is likely compromised and under the control of malicious actors."spam_tracker": Linked to spamming activities, including the distribution of unsolicited emails or messages."anonymous_tracker": Associated with anonymization services like proxies or TOR, which can be used to mask the true origin of traffic."vpn_tracker": Represents IP addresses associated with VPN servers, used primarily for anonymizing user traffic."unknown": No specific threat detected.
risk_level: A numeric value representing the assessed threat level of the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). Therisk_levelreflects not just the nature of malicious activities but also factors in time and recurrence:- Older incidents, especially from IPs that have not repeated their behavior, may have a lower risk level due to the lack of recent activity.
- Recurring offenders or IPs flagged for multiple recent events are assigned a higher risk level. The scale typically ranges from 1 to 5, with higher numbers indicating greater risk:
- Level 1 (Low Risk): Minimal or negligible threat. Likely a benign IP with a clean reputation.
- Level 2: Some indicators of suspicious behavior but not considered actively dangerous.
- Level 3: Moderate risk with signs of suspicious or harmful activity.
- Level 4: High risk with significant evidence of malicious behavior, often repeated or recent.
- Level 5 (Critical Risk): Severe threats, actively engaged in malicious activities and requiring immediate attention.
Example:
4(indicating a high-risk IP).
curl -X GET -u "username:password" "https://api.fraudguard.io/v2/ip/12.167.53.202"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/v2/ip/12.167.53.202','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/v2/ip/12.167.53.202', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/v2/ip/12.167.53.202',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/ip/12.167.53.202';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/v2/ip/12.167.53.202' -Headers $Headers
Example response:
{
"isocode": "US",
"country": "United States",
"state_code": "CA",
"state": "California",
"city": "Pomona",
"postal_code": "91768",
"latitude": 34.0662,
"longitude": -117.7763,
"timezone": "America/Los_Angeles",
"connection_type": "Corporate",
"asn": 7018,
"asn_organization": "AT&T Services, Inc.",
"isp": "AT&T Services",
"organization": "AT&T Services",
"discover_date": "2018-12-13 03:03:15",
"threat": "abuse_tracker",
"risk_level": "4"
}
HTTP Request
GET https://api.fraudguard.io/v2/ip/<IP>
URL Parameters
| Parameter | Description |
|---|---|
| IP | Any IPv4 or IPv6 address |
Get Specific IP v2 Geographic, ISP and Organizational Lookup Only
Returns geography, ISP, and organization data for one IP without running a full reputation lookup. Use it when network context—not a security decision—is the only required output.
Response Fields
isocode: The two-letter country code representing the country associated with the IP address. Example:"US"for the United States.country: The full name of the country where the IP address is located. Example:"United States".state_code: The abbreviated code for the state or region within the country. Example:"MN"for Minnesota.state: The full name of the state or region corresponding to thestate_code. Example:"Minnesota".city: The city associated with the IP address. Example:"Winona".postal_code: The postal or ZIP code for the location. Example:"55987".latitude: The geographic latitude of the IP address's location. Example:44.03.longitude: The geographic longitude of the IP address's location. Example:-91.7009.timezone: The time zone identifier for the location. Example:"America/Chicago".connection_type: The type of internet connection used. Possible values include:"Corporate","Cable/DSL","Mobile". Example:"Cable/DSL".asn: The Autonomous System Number associated with the IP address. Example:14828.asn_organization: The organization that owns the ASN. Example:"Hiawatha Broadband Communications, Inc".isp: The Internet Service Provider providing connectivity for the IP address. Example:"Hiawatha Broadband Communications".organization: The specific organization associated with the IP address, which may differ from the ISP. Example:"Hiawatha Broadband Communications".
curl -X GET -u "username:password" "https://api.fraudguard.io/v2/ip/geolookup/23.235.13.99"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/v2/ip/geolookup/23.235.13.99','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/v2/ip/geolookup/23.235.13.99', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/v2/ip/geolookup/23.235.13.99',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/ip/geolookup/23.235.13.99';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/v2/ip/geolookup/23.235.13.99' -Headers $Headers
Example response:
{
"isocode": "US",
"country": "United States",
"state_code": "MN",
"state": "Minnesota",
"city": "Winona",
"postal_code": "55987",
"latitude": 44.03,
"longitude": -91.7009,
"timezone": "America/Chicago",
"connection_type": "Cable/DSL",
"asn": 14828,
"asn_organization": "Hiawatha Broadband Communications, Inc",
"isp": "Hiawatha Broadband Communications",
"organization": "Hiawatha Broadband Communications"
}
HTTP Request
GET https://api.fraudguard.io/v2/ip/geolookup/<IP>
URL Parameters
| Parameter | Description |
|---|---|
| IP | Any IPv4 or IPv6 address |
Get Specific Hostname Reputation v2
The Get Specific Hostname Reputation v2 API resolves the hostname to one IPv4 address and performs a standard reputation lookup for that address. It does not evaluate every A record or any AAAA record; resolve DNS in your application and submit each address separately when complete coverage matters.
This endpoint is useful for quickly evaluating the current IP reputation associated with a hostname at the time of the request.
Response Fields
isocode: The two-letter country code representing the country associated with the IP address of the hostname. Example:"US"for the United States.country: The full name of the country where the IP address of the hostname is located. Example:"United States".state_code: The abbreviated code for the state or region within the country. Example:"MD"for Maryland.state: The full name of the state or region corresponding to thestate_code. Example:"Maryland".city: The city associated with the IP address of the hostname. Example:"Chestertown".postal_code: The postal or ZIP code for the location. Example:"21620".latitude: The geographic latitude of the IP address's location. Example:39.2125.longitude: The geographic longitude of the IP address's location. Example:-76.0802.timezone: The time zone identifier for the location. Example:"America/New_York".connection_type: The type of internet connection used. Possible values include:"Corporate","Cable/DSL","Mobile". Example:"Corporate".asn: The Autonomous System Number associated with the IP address. Example:29802.asn_organization: The organization that owns the ASN. Example:"HIVELOCITY VENTURES CORP".isp: The Internet Service Provider providing connectivity for the IP address. Example:"NOC4Hosts".organization: The specific organization associated with the IP address, which may differ from the ISP. Example:"Hivelocity Ventures Corp".discover_date: The date and time when the hostname was first identified or reported for suspicious activity, formatted as"YYYY-MM-DD HH:MM:SS". Example:"2020-06-02 03:35:23".threat: The category of threat detected for the hostname, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). This field highlights specific behaviors or associations flagged for the hostname:"abuse_tracker": Indicates involvement in abusive activities, such as unauthorized access attempts or exploitation."honeypot_tracker": Associated with honeypot traps, suggesting the hostname has been caught in decoy systems designed to detect malicious behavior."botnet_tracker": Part of a botnet network, indicating the hostname is likely compromised and under the control of malicious actors."spam_tracker": Linked to spamming activities, including the distribution of unsolicited emails or messages."anonymous_tracker": Associated with anonymization services like proxies or TOR, which can be used to mask the true origin of traffic."vpn_tracker": Represents IP addresses associated with VPN servers, used primarily for anonymizing user traffic."unknown": No specific threat detected.
risk_level: A numeric value representing the assessed threat level of the hostname, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). Therisk_levelreflects not just the nature of malicious activities but also factors in time and recurrence:- Older incidents, especially from hostnames that have not repeated their behavior, may have a lower risk level due to the lack of recent activity.
- Recurring offenders or hostnames flagged for multiple recent events are assigned a higher risk level. The scale typically ranges from 1 to 5, with higher numbers indicating greater risk:
- Level 1 (Low Risk): Minimal or negligible threat. Likely a benign hostname with a clean reputation.
- Level 2: Some indicators of suspicious behavior but not considered actively dangerous.
- Level 3: Moderate risk with signs of suspicious or harmful activity.
- Level 4: High risk with significant evidence of malicious behavior, often repeated or recent.
- Level 5 (Critical Risk): Severe threats, actively engaged in malicious activities and requiring immediate attention.
Example:
1(indicating a low-risk hostname).
curl -X GET -u "username:password" "https://api.fraudguard.io/v2/hostname/fraudguard.io"
require 'net/http'
require 'net/https'
def get_hostname(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_hostname('api.fraudguard.io','/v2/hostname/fraudguard.io','username','password')
import requests
from requests.auth import HTTPBasicAuth
hostname=requests.get('https://api.fraudguard.io/v2/hostname/fraudguard.io', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (hostname.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/v2/hostname/fraudguard.io',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/hostname/fraudguard.io';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/v2/hostname/fraudguard.io' -Headers $Headers
Example response:
{
"isocode":"US",
"country":"United States",
"state_code":"MD",
"state":"Maryland",
"city":"Chestertown",
"postal_code":"21620",
"latitude":39.2125,
"longitude":-76.0802,
"timezone":"America/New_York",
"connection_type":"Corporate",
"asn":29802,
"asn_organization":"HIVELOCITY VENTURES CORP",
"isp":"NOC4Hosts",
"organization":"Hivelocity Ventures Corp",
"discover_date":"2020-06-02 03:35:23",
"threat":"unknown",
"risk_level":"1"
}
HTTP Request
GET https://api.fraudguard.io/v2/hostname/<hostname>
URL Parameters
| Parameter | Description |
|---|---|
| Hostname | Any hostname |
Get Specific IP Reputation v3 by Threat
Returns the legacy v3 reputation schema for one IP, grouped by threat type. Use ACE v2 for new integrations.
Response Fields
isocode: The two-letter country code representing the country associated with the IP address. Example:"NL"for the Netherlands.country: The full name of the country where the IP address is located. Example:"Netherlands".state_code: The abbreviated code for the state or region within the country. Example:"NH"for North Holland.state: The full name of the state or region corresponding to thestate_code. Example:"North Holland".city: The city associated with the IP address. Example:"Amsterdam".postal_code: The postal or ZIP code for the location. Example:"1012".latitude: The geographic latitude of the IP address's location. Example:52.3759.longitude: The geographic longitude of the IP address's location. Example:4.8975.timezone: The time zone identifier for the location. Example:"Europe/Amsterdam".connection_type: The type of internet connection used. Possible values include:"Corporate","Cable/DSL","Mobile". Example:"Corporate".asn: The Autonomous System Number associated with the IP address. Example:202425.asn_organization: The organization that owns the ASN. Example:"IP Volume inc".isp: The Internet Service Provider providing connectivity for the IP address. Example:"IP Volume inc".organization: The specific organization associated with the IP address, which may differ from the ISP. Example:"IP Volume inc".anonymous_tracker: Indicates whether the IP address is associated with anonymization services like proxies or TOR.listed: Boolean value (trueorfalse) indicating if the IP is flagged.discover_date: The date and time when this association was first identified, formatted as"YYYY-MM-DD HH:MM:SS". Example:"listed": false, "discover_date": "2024-04-23 01:49:38".
vpn_tracker: Indicates whether the IP address is associated with anonymization services like VPNs.listed: Boolean value (trueorfalse) indicating if the IP is flagged.discover_date: The date and time when this association was first identified, formatted as"YYYY-MM-DD HH:MM:SS". Example:"listed": false, "discover_date": "2024-04-23 01:49:38".
botnet_tracker: Indicates whether the IP address is part of a botnet network.listed: Boolean value indicating if the IP is flagged.discover_date: The date and time when this association was first identified. Example:"listed": true, "discover_date": "2024-04-22 03:00:23".
honeypot_tracker: Indicates whether the IP address has interacted with honeypot traps, suggesting malicious behavior.listed: Boolean value indicating if the IP is flagged.discover_date: The date and time when this association was first identified. Example:"listed": false, "discover_date": "2024-04-23 01:49:38".
abuse_tracker: Indicates whether the IP address has been involved in abusive activities, such as unauthorized access attempts.listed: Boolean value indicating if the IP is flagged.discover_date: The date and time when this association was first identified. Example:"listed": false, "discover_date": "2024-04-23 01:49:38".
spam_tracker: Indicates whether the IP address is linked to spamming activities, including the distribution of unsolicited emails.listed: Boolean value indicating if the IP is flagged.discover_date: The date and time when this association was first identified. Example:"listed": false, "discover_date": "2024-04-23 01:49:38".
curl -X GET -u "username:password" "https://api.fraudguard.io/v3/ip-all-threats/89.248.165.0"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/v3/ip-all-threats/89.248.165.0','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/v3/ip-all-threats/89.248.165.0', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/v3/ip-all-threats/89.248.165.0',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v3/ip-all-threats/89.248.165.0';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/v3/ip-all-threats/89.248.165.0' -Headers $Headers
Example response:
{
"isocode": "NL",
"country": "Netherlands",
"state_code": "NH",
"state": "North Holland",
"city": "Amsterdam",
"postal_code": "1012",
"latitude": 52.3759,
"longitude": 4.8975,
"timezone": "Europe/Amsterdam",
"connection_type": "Corporate",
"asn": 202425,
"asn_organization": "IP Volume inc",
"isp": "IP Volume inc",
"organization": "IP Volume inc",
"anonymous_tracker": {
"listed": false,
"discover_date": "2024-04-23 01:49:38"
},
"botnet_tracker": {
"listed": true,
"discover_date": "2024-04-22 03:00:23"
},
"honeypot_tracker": {
"listed": false,
"discover_date": "2024-04-23 01:49:38"
},
"abuse_tracker": {
"listed": false,
"discover_date": "2024-04-23 01:49:38"
},
"spam_tracker": {
"listed": false,
"discover_date": "2024-04-23 01:49:38"
}
}
HTTP Request
GET https://api.fraudguard.io/v3/ip-all-threats/<IP>
URL Parameters
| Parameter | Description |
|---|---|
| IP | Any IPv4 or IPv6 address |
Get Specific IP Reputation v4
Returns the legacy v4 reputation schema with account-specific blacklist and whitelist context. Use ACE v2 for new integrations.
Response Fields
isocode: The two-letter country code representing the country associated with the IP address. Example:"RU"for Russia.country: The full name of the country where the IP address is located. Example:"Russia".state_code: The abbreviated code for the state or region within the country. Example:"STA"for Stavropol Kray.state: The full name of the state or region corresponding to thestate_code. Example:"Stavropol Kray".city: The city associated with the IP address. Example:"Pyatigorsk".postal_code: The postal or ZIP code for the location. Example:"357500".latitude: The geographic latitude of the IP address's location. Example:44.0562.longitude: The geographic longitude of the IP address's location. Example:43.0707.timezone: The time zone identifier for the location. Example:"Europe/Moscow".connection_type: The type of internet connection used. Possible values include:"Corporate","Cable/DSL","Mobile". Example:"Cable/DSL".asn: The Autonomous System Number associated with the IP address. Example:44963.asn_organization: The organization that owns the ASN. Example:"Stavtelecom LLC".isp: The Internet Service Provider providing connectivity for the IP address. Example:"Stavtelecom LLC".organization: The specific organization associated with the IP address, which may differ from the ISP. Example:"Stavtelecom LLC".discover_date: The date and time when the IP address was first identified or reported for suspicious activity, formatted as"YYYY-MM-DD HH:MM:SS". Example:"2024-11-12 23:37:45".threat: The category of threat detected for the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). This field highlights specific behaviors or associations flagged for the IP:"abuse_tracker": Indicates involvement in abusive activities, such as unauthorized access attempts or exploitation."honeypot_tracker": Associated with honeypot traps, suggesting the IP has been caught in decoy systems designed to detect malicious behavior."botnet_tracker": Part of a botnet network, indicating the IP is likely compromised and under the control of malicious actors."spam_tracker": Linked to spamming activities, including the distribution of unsolicited emails or messages."anonymous_tracker": Associated with anonymization services like proxies or TOR, which can be used to mask the true origin of traffic."vpn_tracker": Represents IP addresses associated with VPN servers, used primarily for anonymizing user traffic."unknown": No specific threat detected.
risk_level: A numeric value representing the assessed threat level of the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). Therisk_levelreflects not just the nature of malicious activities but also factors in time and recurrence:- Older incidents, especially from IPs that have not repeated their behavior, may have a lower risk level due to the lack of recent activity.
- Recurring offenders or IPs flagged for multiple recent events are assigned a higher risk level. The scale typically ranges from 1 to 5, with higher numbers indicating greater risk:
- Level 1 (Low Risk): Minimal or negligible threat. Likely a benign IP with a clean reputation.
- Level 2: Some indicators of suspicious behavior but not considered actively dangerous.
- Level 3: Moderate risk with signs of suspicious or harmful activity.
- Level 4: High risk with significant evidence of malicious behavior, often repeated or recent.
- Level 5 (Critical Risk): Severe threats, actively engaged in malicious activities and requiring immediate attention.
Example:
3(indicating a moderate-risk IP).
ip_in_whitelist: Indicates whether the IP address is present in a custom whitelist. Example:"false".ip_in_blacklist: Indicates whether the IP address is present in a custom blacklist. Example:"true".
curl -X GET -u "username:password" "https://api.fraudguard.io/v4/ip/92.42.8.20"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/v4/ip/92.42.8.20','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/v4/ip/92.42.8.20', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/v4/ip/92.42.8.20',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v4/ip/92.42.8.20';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/v4/ip/92.42.8.20' -Headers $Headers
Example response:
{
"isocode": "RU",
"country": "Russia",
"state_code": "STA",
"state": "Stavropol Kray",
"city": "Pyatigorsk",
"postal_code": "357500",
"latitude": 44.0562,
"longitude": 43.0707,
"timezone": "Europe/Moscow",
"connection_type": "Cable/DSL",
"asn": 44963,
"asn_organization": "Stavtelecom LLC",
"isp": "Stavtelecom LLC",
"organization": "Stavtelecom LLC",
"discover_date": "2024-11-12 23:37:45",
"threat": "anonymous_tracker",
"risk_level": "3",
"ip_in_whitelist": "false",
"ip_in_blacklist": "true"
}
HTTP Request
GET https://api.fraudguard.io/v4/ip/<IP>
URL Parameters
| Parameter | Description |
|---|---|
| IP | Any IPv4 or IPv6 address |
Get Specific IP Reputation v5
Returns the legacy v5 reputation schema with account-specific blacklist, whitelist, and geoblock context. Use ACE v2 for new integrations.
Response Fields
isocode: The two-letter country code representing the country associated with the IP address. Example:"VN"for Vietnam.country: The full name of the country where the IP address is located. Example:"Vietnam".state_code: The abbreviated code for the state or region within the country. Example:"HN"for Hanoi.state: The full name of the state or region corresponding to thestate_code. Example:"Hanoi".city: The city associated with the IP address. Example:"Hanoi".postal_code: The postal or ZIP code for the location. Example:"unknown".latitude: The geographic latitude of the IP address's location. Example:21.0292.longitude: The geographic longitude of the IP address's location. Example:105.8526.timezone: The time zone identifier for the location. Example:"Asia/Bangkok".connection_type: The type of internet connection used. Possible values include:"Corporate","Cable/DSL","Mobile". Example:"Cable/DSL".asn: The Autonomous System Number associated with the IP address. Example:18403.asn_organization: The organization that owns the ASN. Example:"The Corporation for Financing & Promoting Technology".isp: The Internet Service Provider providing connectivity for the IP address. Example:"FPT Telecom".organization: The specific organization associated with the IP address, which may differ from the ISP. Example:"FPT Telecom".ip_in_whitelist: Indicates whether the IP address is present in a custom whitelist. Example:"false".ip_in_blacklist: Indicates whether the IP address is present in a custom blacklist. Example:"true".ip_in_geoblock: Indicates whether the IP address is blocked based on its geographic location. Example:"true".discover_date: The date and time when the IP address was first identified or reported for suspicious activity, formatted as"YYYY-MM-DD HH:MM:SS". Example:"2024-11-13 04:00:08".threat: The category of threat detected for the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). This field highlights specific behaviors or associations flagged for the IP:"abuse_tracker": Indicates involvement in abusive activities, such as unauthorized access attempts or exploitation."honeypot_tracker": Associated with honeypot traps, suggesting the IP has been caught in decoy systems designed to detect malicious behavior."botnet_tracker": Part of a botnet network, indicating the IP is likely compromised and under the control of malicious actors."spam_tracker": Linked to spamming activities, including the distribution of unsolicited emails or messages."anonymous_tracker": Associated with anonymization services like proxies or TOR, which can be used to mask the true origin of traffic."vpn_tracker": Represents IP addresses associated with VPN servers, used primarily for anonymizing user traffic."unknown": No specific threat detected.
risk_level: A numeric value representing the assessed threat level of the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). Therisk_levelreflects not just the nature of malicious activities but also factors in time and recurrence:- Older incidents, especially from IPs that have not repeated their behavior, may have a lower risk level due to the lack of recent activity.
- Recurring offenders or IPs flagged for multiple recent events are assigned a higher risk level. The scale typically ranges from 1 to 5, with higher numbers indicating greater risk:
- Level 1 (Low Risk): Minimal or negligible threat. Likely a benign IP with a clean reputation.
- Level 2: Some indicators of suspicious behavior but not considered actively dangerous.
- Level 3: Moderate risk with signs of suspicious or harmful activity.
- Level 4: High risk with significant evidence of malicious behavior, often repeated or recent.
- Level 5 (Critical Risk): Severe threats, actively engaged in malicious activities and requiring immediate attention.
Example:
5(indicating a critical-risk IP).
curl -X GET -u "username:password" "https://api.fraudguard.io/v5/ip/1.52.122.126"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/v5/ip/1.52.122.126','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/v5/ip/1.52.122.126', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/v5/ip/1.52.122.126',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v5/ip/1.52.122.126';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/v5/ip/1.52.122.126' -Headers $Headers
Example response:
{
"isocode": "VN",
"country": "Vietnam",
"state_code": "HN",
"state": "Hanoi",
"city": "Hanoi",
"postal_code": "unknown",
"latitude": 21.0292,
"longitude": 105.8526,
"timezone": "Asia/Bangkok",
"connection_type": "Cable/DSL",
"asn": 18403,
"asn_organization": "The Corporation for Financing & Promoting Technology",
"isp": "FPT Telecom",
"organization": "FPT Telecom",
"ip_in_whitelist": "false",
"ip_in_blacklist": "true",
"ip_in_geoblock": "true",
"discover_date": "2024-11-13 04:00:08",
"threat": "honeypot_tracker",
"risk_level": "5"
}
HTTP Request
GET https://api.fraudguard.io/v5/ip/<IP>
URL Parameters
| Parameter | Description |
|---|---|
| IP | Any IPv4 or IPv6 address |
Get Specific IP Reputation v5 by Threat
Returns the legacy v5 reputation schema grouped by threat type, with account-specific blacklist, whitelist, and geoblock context. Use ACE v2 for new integrations.
Response Fields
isocode: The two-letter country code representing the country associated with the IP address. Example:"US"for the United States.country: The full name of the country where the IP address is located. Example:"United States".state_code: The abbreviated code for the state or region within the country. Example:"CA"for California.state: The full name of the state or region corresponding to thestate_code. Example:"California".city: The city associated with the IP address. Example:"Los Angeles".postal_code: The postal or ZIP code for the location. Example:"90001".latitude: The geographic latitude of the IP address's location. Example:34.0522.longitude: The geographic longitude of the IP address's location. Example:-118.2437.timezone: The time zone identifier for the location. Example:"America/Los_Angeles".connection_type: The type of internet connection used. Possible values include:"Corporate","Cable/DSL","Mobile". Example:"Cable/DSL".asn: The Autonomous System Number associated with the IP address. Example:12345.asn_organization: The organization that owns the ASN. Example:"Example ISP Inc.".isp: The Internet Service Provider providing connectivity for the IP address. Example:"Example ISP".organization: The specific organization associated with the IP address, which may differ from the ISP. Example:"Example Organization".ip_in_whitelist: Indicates whether the IP address is present in a custom whitelist. Example:"false".ip_in_blacklist: Indicates whether the IP address is present in a custom blacklist. Example:"true".ip_in_geoblock: Indicates whether the IP address is blocked based on its geographic location. Example:"false".anonymous_tracker: Indicates whether the IP address is associated with anonymization services like proxies or TOR.listed: Boolean value (trueorfalse) indicating if the IP is flagged.discover_date: The date and time when this association was first identified, formatted as"YYYY-MM-DD HH:MM:SS". Example:"listed": false, "discover_date": "2024-04-23 01:49:38".
vpn_tracker: Indicates whether the IP address is associated with anonymization services like VPNs.listed: Boolean value (trueorfalse) indicating if the IP is flagged.discover_date: The date and time when this association was first identified, formatted as"YYYY-MM-DD HH:MM:SS". Example:"listed": false, "discover_date": "2024-04-23 01:49:38".
botnet_tracker: Indicates whether the IP address is part of a botnet network.listed: Boolean value indicating if the IP is flagged.discover_date: The date and time when this association was first identified. Example:"listed": true, "discover_date": "2024-11-29 12:00:00".
honeypot_tracker: Indicates whether the IP address has interacted with honeypot traps, suggesting malicious behavior.listed: Boolean value indicating if the IP is flagged.discover_date: The date and time when this association was first identified. Example:"listed": false, "discover_date": "2024-11-28 08:00:00".
abuse_tracker: Indicates whether the IP address has been involved in abusive activities, such as unauthorized access attempts.listed: Boolean value indicating if the IP is flagged.discover_date: The date and time when this association was first identified. Example:"listed": true, "discover_date": "2024-11-27 15:30:00".
spam_tracker: Indicates whether the IP address is linked to spamming activities, including the distribution of unsolicited emails.listed: Boolean value indicating if the IP is flagged.discover_date: The date and time when this association was first identified. Example:"listed": false, "discover_date": "2024-11-26 10:45:00".
curl -X GET -u "username:password" "https://api.fraudguard.io/v5/ip-all-threats/1.52.122.126"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/v5/ip-all-threats/1.52.122.126','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/v5/ip-all-threats/1.52.122.126', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/v5/ip-all-threats/1.52.122.126',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v5/ip-all-threats/1.52.122.126';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/v5/ip-all-threats/1.52.122.126' -Headers $Headers
Example response:
{
"isocode": "VN",
"country": "Vietnam",
"state_code": "HN",
"state": "Hanoi",
"city": "Hanoi",
"postal_code": "unknown",
"latitude": 21.0292,
"longitude": 105.8526,
"timezone": "Asia/Bangkok",
"connection_type": "Cable/DSL",
"asn": 18403,
"asn_organization": "The Corporation for Financing & Promoting Technology",
"isp": "FPT Telecom",
"organization": "FPT Telecom",
"ip_in_whitelist": "false",
"ip_in_blacklist": "true",
"ip_in_geoblock": "true",
"anonymous_tracker": {
"listed": false,
"discover_date": "2024-11-13 04:34:49"
},
"botnet_tracker": {
"listed": false,
"discover_date": "2024-11-13 04:34:49"
},
"honeypot_tracker": {
"listed": true,
"discover_date": "2024-11-13 04:00:08"
},
"abuse_tracker": {
"listed": false,
"discover_date": "2024-11-13 04:34:49"
},
"spam_tracker": {
"listed": false,
"discover_date": "2024-11-13 04:34:49"
}
}
HTTP Request
GET https://api.fraudguard.io/v5/ip-all-threats/<IP>
URL Parameters
| Parameter | Description |
|---|---|
| IP | Any IPv4 or IPv6 address |
Bulk IP Lookup
This legacy bulk endpoint evaluates up to 1,024 IP addresses with the original ACE response schema. Use ACE v2 Bulk IP Intelligence for new integrations.
Response Fields
Each object in the response array represents an IP address and includes the following fields:
ip: The original IP address you submitted. Example:"1.20.97.181".isocode: The two-letter country code representing the country associated with the IP address. Example:"TH"for Thailand.country: The full name of the country where the IP address is located. Example:"Thailand".state_code: The abbreviated code for the state or region within the country. Example:"ENG"for England.state: The full name of the state or region corresponding to thestate_code. Example:"England".city: The city associated with the IP address. Example:"Stoke Newington". If unavailable, it will return"unknown".postal_code: The postal or ZIP code for the location. Example:"N16". If unavailable, it will return"unknown".latitude: The geographic latitude of the IP address's location. Example:51.5625.longitude: The geographic longitude of the IP address's location. Example:-0.074.timezone: The time zone identifier for the location. Example:"Europe/London".connection_type: The type of internet connection used. Possible values include:"Cellular","Cable/DSL","Corporate". Example:"Cable/DSL".asn: The Autonomous System Number associated with the IP address. Example:5089.asn_organization: The organization that owns the ASN. Example:"Virgin Media Limited".isp: The Internet Service Provider providing connectivity for the IP address. Example:"Virgin Media".organization: The specific organization associated with the IP address, which may differ from the ISP. Example:"Virgin Media".discover_date: The date and time when the IP address was first identified or reported for suspicious activity, formatted as"YYYY-MM-DD HH:MM:SS". Example:"2020-02-24 01:45:05".threat: The category of threat detected for the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). This field highlights specific behaviors or associations flagged for the IP:"abuse_tracker": Indicates involvement in abusive activities, such as unauthorized access attempts or exploitation."honeypot_tracker": Associated with honeypot traps, suggesting the IP has been caught in decoy systems designed to detect malicious behavior."botnet_tracker": Part of a botnet network, indicating the IP is likely compromised and under the control of malicious actors."spam_tracker": Linked to spamming activities, including the distribution of unsolicited emails or messages."anonymous_tracker": Associated with anonymization services like proxies or TOR, which can be used to mask the true origin of traffic."vpn_tracker": Represents IP addresses associated with VPN servers, used primarily for anonymizing user traffic."unknown": No specific threat detected.
risk_level: A numeric value representing the assessed threat level of the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). Therisk_levelreflects not just the nature of malicious activities but also factors in time and recurrence:- Older incidents, especially from IPs that have not repeated their behavior, may have a lower risk level due to the lack of recent activity.
- Recurring offenders or IPs flagged for multiple recent events are assigned a higher risk level. The scale typically ranges from 1 to 5, with higher numbers indicating greater risk:
- Level 1 (Low Risk): Minimal or negligible threat. Likely a benign IP with a clean reputation.
- Level 2: Some indicators of suspicious behavior but not considered actively dangerous.
- Level 3: Moderate risk with signs of suspicious or harmful activity.
- Level 4: High risk with significant evidence of malicious behavior, often repeated or recent.
- Level 5 (Critical Risk): Severe threats, actively engaged in malicious activities and requiring immediate attention.
Example:
5(indicating a critical-risk IP).
curl -X POST -u "username:password" "https://api.fraudguard.io/api/bulk_lookup" -d '["1.20.97.181", "82.25.3.7"]'
require 'net/http'
require 'net/https'
def post_ip(server,path,username,password)
body = '["1.20.97.181", "82.25.3.7"]'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end
puts post_ip('api.fraudguard.io','/api/bulk_lookup','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '["1.20.97.181", "82.25.3.7"]'
ip=requests.post('https://api.fraudguard.io/api/bulk_lookup', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');
const querystring = require('querystring');
const https = require('https');
const data = '["1.20.97.181", "82.25.3.7"]';
var options = {
hostname: "api.fraudguard.io",
port: 443,
path: '/api/bulk_lookup',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': auth,
'Content-Length': data.length
}
};
var req = https.request(options, (res) => {
console.log('statusCode:', res.statusCode);
console.log('headers:', res.headers);
res.on('data', (d) => {
process.stdout.write(d);
});
});
req.on('error', (e) => {
console.error(e);
});
req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '["1.20.97.181", "82.25.3.7"]';
$url = 'https://api.fraudguard.io/api/bulk_lookup';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
$body = @'
'["1.20.97.181", "82.25.3.7"]'
'@
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/bulk_lookup' -Headers $Headers -Method Post -Body $body
Example request body:
["1.20.97.181", "82.25.3.7"]
Example response:
[{
"ip": "1.20.97.181",
"isocode": "TH",
"country": "Thailand",
"state_code": "unknown",
"state": "unknown",
"city": "unknown",
"postal_code": "unknown",
"latitude": 13.75,
"longitude": 100.4667,
"timezone": "Asia/Bangkok",
"connection_type": "Cellular",
"asn": 23969,
"asn_organization": "TOT Public Company Limited",
"isp": "TOT Mobile Co",
"organization": "TOT",
"discover_date": "2020-02-22 03:00:11",
"risk_level": 4,
"threat": "abuse_tracker"
},
{
"ip": "82.25.3.7",
"isocode": "GB",
"country": "United Kingdom",
"state_code": "ENG",
"state": "England",
"city": "Stoke Newington",
"postal_code": "N16",
"latitude": 51.5625,
"longitude": -0.074,
"timezone": "Europe/London",
"connection_type": "Cable/DSL",
"asn": 5089,
"asn_organization": "Virgin Media Limited",
"isp": "Virgin Media",
"organization": "Virgin Media",
"discover_date": "2020-02-24 01:45:05",
"risk_level": 1,
"threat": "unknown"
}]
HTTP Request
POST https://api.fraudguard.io/api/bulk_lookup
Bulk IP Lookup v2
This legacy bulk endpoint evaluates up to 1,024 IP addresses or hostnames.
Compared with v1, the response adds account-specific geoblock, blacklist, and whitelist context. Use ACE v2 Bulk IP Intelligence for new integrations.
Response Fields
Each object in the response array represents an IP address and includes the following fields:
ip: The original value you submitted — this may be an IP address or a hostname. Example:"1.20.97.181" or "fraudguard.io".isocode: The two-letter country code representing the country associated with the IP address. Example:"TH"for Thailand.country: The full name of the country where the IP address is located. Example:"Thailand".state_code: The abbreviated code for the state or region within the country. Example:"ENG"for England.state: The full name of the state or region corresponding to thestate_code. Example:"England".city: The city associated with the IP address. Example:"Stoke Newington". If unavailable, it will return"unknown".postal_code: The postal or ZIP code for the location. Example:"N16". If unavailable, it will return"unknown".latitude: The geographic latitude of the IP address's location. Example:51.5625.longitude: The geographic longitude of the IP address's location. Example:-0.074.timezone: The time zone identifier for the location. Example:"Europe/London".connection_type: The type of internet connection used. Possible values include:"Cellular","Cable/DSL","Corporate". Example:"Cable/DSL".asn: The Autonomous System Number associated with the IP address. Example:5089.asn_organization: The organization that owns the ASN. Example:"Virgin Media Limited".isp: The Internet Service Provider providing connectivity for the IP address. Example:"Virgin Media".organization: The specific organization associated with the IP address, which may differ from the ISP. Example:"Virgin Media".ip_in_whitelist: Indicates whether the IP address is present in a custom whitelist. Example:"false".ip_in_blacklist: Indicates whether the IP address is present in a custom blacklist. Example:"true".ip_in_geoblock: Indicates whether the IP address is blocked based on its geographic location. Example:"true".discover_date: The date and time when the IP address was first identified or reported for suspicious activity, formatted as"YYYY-MM-DD HH:MM:SS". Example:"2020-02-24 01:45:05".threat: The category of threat detected for the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). This field highlights specific behaviors or associations flagged for the IP:"abuse_tracker": Indicates involvement in abusive activities, such as unauthorized access attempts or exploitation."honeypot_tracker": Associated with honeypot traps, suggesting the IP has been caught in decoy systems designed to detect malicious behavior."botnet_tracker": Part of a botnet network, indicating the IP is likely compromised and under the control of malicious actors."spam_tracker": Linked to spamming activities, including the distribution of unsolicited emails or messages."anonymous_tracker": Associated with anonymization services like proxies or TOR, which can be used to mask the true origin of traffic."vpn_tracker": Represents IP addresses associated with VPN servers, used primarily for anonymizing user traffic."unknown": No specific threat detected.
risk_level: A numeric value representing the assessed threat level of the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). Therisk_levelreflects not just the nature of malicious activities but also factors in time and recurrence:- Older incidents, especially from IPs that have not repeated their behavior, may have a lower risk level due to the lack of recent activity.
- Recurring offenders or IPs flagged for multiple recent events are assigned a higher risk level. The scale typically ranges from 1 to 5, with higher numbers indicating greater risk:
- Level 1 (Low Risk): Minimal or negligible threat. Likely a benign IP with a clean reputation.
- Level 2: Some indicators of suspicious behavior but not considered actively dangerous.
- Level 3: Moderate risk with signs of suspicious or harmful activity.
- Level 4: High risk with significant evidence of malicious behavior, often repeated or recent.
- Level 5 (Critical Risk): Severe threats, actively engaged in malicious activities and requiring immediate attention.
Example:
5(indicating a critical-risk IP).
curl -X POST -u "username:password" "https://api.fraudguard.io/api/v2/bulk_lookup" -d '["1.20.97.181", "82.25.3.7"]'
require 'net/http'
require 'net/https'
def post_ip(server,path,username,password)
body = '["1.20.97.181", "82.25.3.7"]'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end
puts post_ip('api.fraudguard.io','/api/v2/bulk_lookup','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '["1.20.97.181", "82.25.3.7"]'
ip=requests.post('https://api.fraudguard.io/api/v2/bulk_lookup', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');
const querystring = require('querystring');
const https = require('https');
const data = '["1.20.97.181", "82.25.3.7"]';
var options = {
hostname: "api.fraudguard.io",
port: 443,
path: '/api/v2/bulk_lookup',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': auth,
'Content-Length': data.length
}
};
var req = https.request(options, (res) => {
console.log('statusCode:', res.statusCode);
console.log('headers:', res.headers);
res.on('data', (d) => {
process.stdout.write(d);
});
});
req.on('error', (e) => {
console.error(e);
});
req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '["1.20.97.181", "82.25.3.7"]';
$url = 'https://api.fraudguard.io/api/v2/bulk_lookup';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
$body = @'
'["1.20.97.181", "82.25.3.7"]'
'@
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v2/bulk_lookup' -Headers $Headers -Method Post -Body $body
Example request body:
["1.20.97.181", "fraudguard.io", "82.25.3.7"]
Example response:
[{
"ip": "1.20.97.181",
"isocode": "TH",
"country": "Thailand",
"state_code": "10",
"state": "Bangkok",
"city": "Bangkok",
"postal_code": "10200",
"latitude": 13.7512,
"longitude": 100.5172,
"timezone": "Asia/Bangkok",
"connection_type": "Cable/DSL",
"asn": 23969,
"asn_organization": "TOT Public Company Limited",
"isp": "TOT",
"organization": "TOT",
"ip_in_whitelist": "false",
"ip_in_blacklist": "false",
"ip_in_geoblock": "true",
"discover_date": "2025-01-02 02:01:49",
"threat": "anonymous_tracker",
"risk_level": "3"
},
{
"ip": "fraudguard.io",
"isocode": "US",
"country": "United States",
"state_code": "NJ",
"state": "New Jersey",
"city": "North Bergen",
"postal_code": "07047",
"latitude": 40.7964,
"longitude": -74.0203,
"timezone": "America/New_York",
"connection_type": "Corporate",
"asn": 14061,
"asn_organization": "DIGITALOCEAN-ASN",
"isp": "Digital Ocean",
"organization": "Digital Ocean",
"ip_in_whitelist": "false",
"ip_in_blacklist": "false",
"ip_in_geoblock": "false",
"discover_date": "2025-12-05 17:43:46",
"threat": "unknown",
"risk_level": "1"
},
{
"ip": "82.25.3.7",
"isocode": "GB",
"country": "United Kingdom",
"state_code": "ISL",
"state": "Islington",
"city": "Islington",
"postal_code": "N5",
"latitude": 51.5507,
"longitude": -0.0998,
"timezone": "Europe/London",
"connection_type": "Cable/DSL",
"asn": 5089,
"asn_organization": "Virgin Media Limited",
"isp": "Virgin Media",
"organization": "Virgin Media",
"ip_in_whitelist": "true",
"ip_in_blacklist": "false",
"ip_in_geoblock": "false",
"discover_date": "2025-01-03 16:06:22",
"threat": "unknown",
"risk_level": "1"
}]
HTTP Request
POST https://api.fraudguard.io/api/v2/bulk_lookup
Bulk IP Lookup v3
This legacy bulk endpoint evaluates up to 1,024 resolved or expanded addresses and adds account-specific geoblock, blacklist, and whitelist context. It is the only legacy bulk endpoint that accepts CIDR input: IPv4 CIDRs may be as large as /23 and IPv6 CIDRs as large as /119.
Response Fields
Each object in the response array represents an IP address and includes the following fields:
ip: The submitted IP or hostname, or an individual address produced by CIDR expansion. CIDR strings are not returned unchanged; one result is returned for each expanded address. Example:"1.20.97.181","fraudguard.io","165.25.3.0", or"2606:4700:4700::1110".isocode: The two-letter country code representing the country associated with the IP address. Example:"TH"for Thailand.country: The full name of the country where the IP address is located. Example:"Thailand".state_code: The abbreviated code for the state or region within the country. Example:"ENG"for England.state: The full name of the state or region corresponding to thestate_code. Example:"England".city: The city associated with the IP address. Example:"Stoke Newington". If unavailable, it will return"unknown".postal_code: The postal or ZIP code for the location. Example:"N16". If unavailable, it will return"unknown".latitude: The geographic latitude of the IP address's location. Example:51.5625.longitude: The geographic longitude of the IP address's location. Example:-0.074.timezone: The time zone identifier for the location. Example:"Europe/London".connection_type: The type of internet connection used. Possible values include:"Cellular","Cable/DSL","Corporate". Example:"Cable/DSL".asn: The Autonomous System Number associated with the IP address. Example:5089.asn_organization: The organization that owns the ASN. Example:"Virgin Media Limited".isp: The Internet Service Provider providing connectivity for the IP address. Example:"Virgin Media".organization: The specific organization associated with the IP address, which may differ from the ISP. Example:"Virgin Media".ip_in_whitelist: Indicates whether the IP address is present in a custom whitelist. Example:"false".ip_in_blacklist: Indicates whether the IP address is present in a custom blacklist. Example:"true".ip_in_geoblock: Indicates whether the IP address is blocked based on its geographic location. Example:"true".discover_date: The date and time when the IP address was first identified or reported for suspicious activity, formatted as"YYYY-MM-DD HH:MM:SS". Example:"2020-02-24 01:45:05".threat: The category of threat detected for the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). This field highlights specific behaviors or associations flagged for the IP:"abuse_tracker": Indicates involvement in abusive activities, such as unauthorized access attempts or exploitation."honeypot_tracker": Associated with honeypot traps, suggesting the IP has been caught in decoy systems designed to detect malicious behavior."botnet_tracker": Part of a botnet network, indicating the IP is likely compromised and under the control of malicious actors."spam_tracker": Linked to spamming activities, including the distribution of unsolicited emails or messages."anonymous_tracker": Associated with anonymization services like proxies or TOR, which can be used to mask the true origin of traffic."vpn_tracker": Represents IP addresses associated with VPN servers, used primarily for anonymizing user traffic."unknown": No specific threat detected.
risk_level: A numeric value representing the assessed threat level of the IP address, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). Therisk_levelreflects not just the nature of malicious activities but also factors in time and recurrence:- Older incidents, especially from IPs that have not repeated their behavior, may have a lower risk level due to the lack of recent activity.
- Recurring offenders or IPs flagged for multiple recent events are assigned a higher risk level. The scale typically ranges from 1 to 5, with higher numbers indicating greater risk:
- Level 1 (Low Risk): Minimal or negligible threat. Likely a benign IP with a clean reputation.
- Level 2: Some indicators of suspicious behavior but not considered actively dangerous.
- Level 3: Moderate risk with signs of suspicious or harmful activity.
- Level 4: High risk with significant evidence of malicious behavior, often repeated or recent.
- Level 5 (Critical Risk): Severe threats, actively engaged in malicious activities and requiring immediate attention.
Example:
5(indicating a critical-risk IP).
curl -X POST -u "username:password" "https://api.fraudguard.io/api/v3/bulk_lookup" -d '["82.25.3.25","2606:4700:4700::1111/127","165.25.3.0/31"]'
require 'net/http'
require 'net/https'
def post_ip(server,path,username,password)
body = '["82.25.3.25","2606:4700:4700::1111/127","165.25.3.0/31"]'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end
puts post_ip('api.fraudguard.io','/api/v3/bulk_lookup','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '["82.25.3.25","2606:4700:4700::1111/127","165.25.3.0/31"]'
ip=requests.post('https://api.fraudguard.io/api/v3/bulk_lookup', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');
const querystring = require('querystring');
const https = require('https');
const data = '["82.25.3.25","2606:4700:4700::1111/127","165.25.3.0/31"]';
var options = {
hostname: "api.fraudguard.io",
port: 443,
path: '/api/v3/bulk_lookup',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': auth,
'Content-Length': data.length
}
};
var req = https.request(options, (res) => {
console.log('statusCode:', res.statusCode);
console.log('headers:', res.headers);
res.on('data', (d) => {
process.stdout.write(d);
});
});
req.on('error', (e) => {
console.error(e);
});
req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '["82.25.3.25","2606:4700:4700::1111/127","165.25.3.0/31"]';
$url = 'https://api.fraudguard.io/api/v3/bulk_lookup';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
$body = @'
'["82.25.3.25","2606:4700:4700::1111/127","165.25.3.0/31"]'
'@
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v3/bulk_lookup' -Headers $Headers -Method Post -Body $body
Example request body:
[
"82.25.3.25",
"fraudguard.io",
"2606:4700:4700::1111/127",
"165.25.3.0/31"
]
Example response:
[
{
"ip": "82.25.3.25",
"isocode": "US",
"country": "United States",
"state_code": "NY",
"state": "New York",
"city": "New York",
"postal_code": "10118",
"latitude": 40.7126,
"longitude": -74.0066,
"timezone": "America/New_York",
"connection_type": "Cable/DSL",
"asn": 6079,
"asn_organization": "RCN-AS",
"isp": "Astound Broadband",
"organization": "Astound Broadband",
"ip_in_whitelist": "false",
"ip_in_blacklist": "false",
"ip_in_geoblock": "false",
"discover_date": "2025-10-02 23:55:15",
"threat": "unknown",
"risk_level": "1"
},
{
"ip": "fraudguard.io",
"isocode": "US",
"country": "United States",
"state_code": "NJ",
"state": "New Jersey",
"city": "North Bergen",
"postal_code": "07047",
"latitude": 40.7964,
"longitude": -74.0203,
"timezone": "America/New_York",
"connection_type": "Corporate",
"asn": 14061,
"asn_organization": "DIGITALOCEAN-ASN",
"isp": "Digital Ocean",
"organization": "Digital Ocean",
"ip_in_whitelist": "false",
"ip_in_blacklist": "false",
"ip_in_geoblock": "false",
"discover_date": "2025-12-05 17:43:46",
"threat": "unknown",
"risk_level": "1"
},
{
"ip": "2606:4700:4700::1110",
"isocode": "unknown",
"country": "unknown",
"state_code": "unknown",
"state": "unknown",
"city": "unknown",
"postal_code": "unknown",
"latitude": "unknown",
"longitude": "unknown",
"timezone": "unknown",
"connection_type": "Corporate",
"asn": 13335,
"asn_organization": "CLOUDFLARENET",
"isp": "Cloudflare",
"organization": "Cloudflare",
"ip_in_whitelist": "false",
"ip_in_blacklist": "false",
"ip_in_geoblock": "false",
"discover_date": "2025-10-02 23:55:16",
"threat": "unknown",
"risk_level": "1"
},
{
"ip": "2606:4700:4700::1111",
"isocode": "unknown",
"country": "unknown",
"state_code": "unknown",
"state": "unknown",
"city": "unknown",
"postal_code": "unknown",
"latitude": "unknown",
"longitude": "unknown",
"timezone": "unknown",
"connection_type": "Corporate",
"asn": 13335,
"asn_organization": "CLOUDFLARENET",
"isp": "Cloudflare",
"organization": "Cloudflare",
"ip_in_whitelist": "false",
"ip_in_blacklist": "false",
"ip_in_geoblock": "false",
"discover_date": "2025-10-02 23:55:16",
"threat": "unknown",
"risk_level": "1"
},
{
"ip": "165.25.3.0",
"isocode": "US",
"country": "United States",
"state_code": "IL",
"state": "Illinois",
"city": "Chicago",
"postal_code": "60602",
"latitude": 41.8835,
"longitude": -87.6305,
"timezone": "America/Chicago",
"connection_type": "unknown",
"asn": 328109,
"asn_organization": "City-of-Cape-Town-AS",
"isp": "City-of-Cape-Town",
"organization": "City-of-Cape-Town",
"ip_in_whitelist": "false",
"ip_in_blacklist": "false",
"ip_in_geoblock": "false",
"discover_date": "2025-10-02 23:55:17",
"threat": "unknown",
"risk_level": "1"
},
{
"ip": "165.25.3.1",
"isocode": "US",
"country": "United States",
"state_code": "IL",
"state": "Illinois",
"city": "Chicago",
"postal_code": "60602",
"latitude": 41.8835,
"longitude": -87.6305,
"timezone": "America/Chicago",
"connection_type": "unknown",
"asn": 328109,
"asn_organization": "City-of-Cape-Town-AS",
"isp": "City-of-Cape-Town",
"organization": "City-of-Cape-Town",
"ip_in_whitelist": "false",
"ip_in_blacklist": "false",
"ip_in_geoblock": "false",
"discover_date": "2025-10-02 23:55:18",
"threat": "unknown",
"risk_level": "1"
}
]
HTTP Request
POST https://api.fraudguard.io/api/v3/bulk_lookup
ThreatMap Render
The ThreatMap Render API generates an interactive world map for a set of IP addresses and hostnames using FraudGuard threat intelligence. The returned view and embed URLs can be opened without API credentials until they expire.
Plan Availability
Available today for all Professional, Business, and Enterprise users.
Create a ThreatMap
HTTP Request
POST https://api.fraudguard.io/api/v1/threatmap/render
Authentication
Uses standard HTTP Basic Authentication.
Request Body
Provide a JSON object with an ips array and optional rendering fields.
{
"ips": ["1.20.97.181", "fraudguard.io", "212.102.51.14", "82.25.3.7"],
"theme": "dark",
"summary_panel": true,
"ttl_seconds": 3600
}
Request Fields
| Field | Type | Description |
|---|---|---|
| ips | array | Required. Between 1 and 1,000 IPv4 addresses, IPv6 addresses, and/or hostnames. |
| theme | string | Optional. light or dark; defaults to light. |
| summary_panel | boolean | Optional. Show the summary panel; defaults to false. |
| ttl_seconds | integer | Optional. Retention from 60 to 7,776,000 seconds; defaults to 86,400 and may be reduced by plan limits. |
Limits
- Maximum of 1,000 inputs per request.
- Unsupported themes, invalid TTL values, an empty
ipsarray, and malformed inputs are rejected with a400response.
curl -X POST -u "username:password" \
https://api.fraudguard.io/api/v1/threatmap/render \
-H "Content-Type: application/json" \
-d '{
"ips": ["1.20.97.181", "fraudguard.io", "212.102.51.14", "82.25.3.7"],
"theme": "dark",
"summary_panel": true,
"ttl_seconds": 3600
}'
Example response:
{
"threatmap_id": "tm_GENERATED_ID",
"threatmap_url": "https://api.fraudguard.io/threatmap/tm_GENERATED_ID",
"embed_url": "https://api.fraudguard.io/threatmap/tm_GENERATED_ID/embed",
"expires_at": "2026-01-03T07:06:21+00:00",
"requested_count": 4,
"plotted_count": 4,
"unmapped_count": 0,
"options": {
"theme": "dark",
"summary_panel": true,
"ttl_seconds": 3600
},
"summary": {
"countries": 3,
"top_threats": [
{
"threat": "unknown",
"count": 2
},
{
"threat": "anonymous_tracker",
"count": 1
},
{
"threat": "spam_tracker",
"count": 1
}
],
"policy_counts": {
"whitelisted": 0,
"blacklisted": 0,
"geoblocked": 0
}
}
}
Viewing the Map
Open the returned threatmap_url in any browser to view the interactive map.
Treat both returned URLs as bearer capabilities: anyone who has one can view the map until it expires. Use the shortest practical TTL, do not publish the URL, and do not include sensitive or customer-only IP collections in a publicly embedded map.
Embedding the Map
Use the embed_url in an iframe.
<iframe
src="https://api.fraudguard.io/threatmap/{THREATMAP_ID}/embed"
width="100%"
height="600"
style="border:0"
loading="lazy"
referrerpolicy="no-referrer"
allowfullscreen>
</iframe>
Get Custom Blacklist
This legacy endpoint returns up to 1,000 of the authenticated account's custom blacklist values, newest first, beginning at the requested zero-based offset. Values that are also present in the account's whitelist are omitted from this response.
curl -X GET -u "username:password" "https://api.fraudguard.io/blacklist/0"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/blacklist/0','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/blacklist/0', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/blacklist/0',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/blacklist/0';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/blacklist/0' -Headers $Headers
Example response:
[
"52.36.72.37",
"144.24.162.232",
"166.13.138.114",
"150.44.117.213",
"51.27.12.17",
"71.157.88.42"
]
HTTP Request
GET https://api.fraudguard.io/blacklist/<offset>
URL Parameters
| Parameter | Description |
|---|---|
| Offset | Zero-based row offset. Each response contains at most 1,000 values, ordered newest first. |
Get Custom Whitelist
This legacy endpoint returns up to 1,000 of the authenticated account's custom whitelist values, newest first, beginning at the requested zero-based offset.
curl -X GET -u "username:password" "https://api.fraudguard.io/whitelist/0"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/whitelist/0','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/whitelist/0', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/whitelist/0',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/whitelist/0';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/whitelist/0' -Headers $Headers
Example response:
[
"4.55.39.206",
"149.254.117.146",
"29.99.253.192",
"240.183.218.206",
"51.27.12.17",
"71.157.88.42"
]
HTTP Request
GET https://api.fraudguard.io/whitelist/<offset>
URL Parameters
| Parameter | Description |
|---|---|
| Offset | Zero-based row offset. Each response contains at most 1,000 values, ordered newest first. |
Get Custom GeoBlock
This API endpoint allows users to retrieve the list of IP ranges currently blocked based on their custom geoblocking settings. This feature enables users to enforce location-based access restrictions tailored to their specific security needs.
For users who prefer manual management, geoblocking settings can also be adjusted via the GeoControl page in the web app. This page provides an easy-to-navigate list of countries, allowing users to select regions to block directly, with the API reflecting these changes in real-time.
curl -X GET -u "username:password" "https://api.fraudguard.io/geoblock"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/geoblock','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/geoblock', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/geoblock',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/geoblock';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/geoblock' -Headers $Headers
Example response:
[
"24.51.64.0/18",
"24.206.0.0/19",
"24.231.32.0/19",
"64.66.0.0/20",
"64.150.192.0/18"
]
HTTP Request
GET https://api.fraudguard.io/geoblock?limit={limit}&offset={offset}
Query Parameters
| Param | Type | Default | Max | Description |
|---|---|---|---|---|
limit |
integer | 1000 |
1000 |
Maximum number of country geoblock entries to return (each entry may expand into multiple IP ranges in the response). |
offset |
integer | 0 |
— | Skip the first N country geoblock entries (use for pagination). |
Post to Custom Blacklist
This legacy endpoint adds IPv4 addresses or IPv4 CIDR ranges to the authenticated account's custom blacklist.
Blacklist entries are account-specific and are never shared with other customers.
Submit a JSON array of individual IPv4 addresses or IPv4 CIDRs. CIDRs expand to individual addresses, including network and broadcast addresses. Inputs are de-duplicated, and processing stops after 10,000 expanded targets; any remaining targets are silently ignored. Invalid values and IPv6 inputs are skipped by this legacy endpoint.
curl -X POST -u "username:password" "https://api.fraudguard.io/blacklist"
require 'net/http'
require 'net/https'
def post_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts post_ip('api.fraudguard.io','/blacklist','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.post('https://api.fraudguard.io/blacklist', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/blacklist',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.post(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/blacklist';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/blacklist' -Headers $Headers
Example request body:
[
"33.204.31.152",
"22.138.235.67",
"8.8.7.0/24",
"21.10.48.57",
"35.0.177.190"
]
Example response:
{
"deleted": 0,
"inserted": 260,
"errors": 0
}
The example contains four individual addresses plus one /24, which expands to 256 addresses. inserted is the number of unique expanded targets written or refreshed, not necessarily the number of previously absent rows. The legacy errors counter does not report skipped per-item validation failures.
HTTP Request
POST https://api.fraudguard.io/blacklist
Post to Custom Whitelist
This legacy endpoint adds IPv4 addresses or IPv4 CIDR ranges to the authenticated account's custom whitelist.
Entries are account-specific and never shared with other customers. Use whitelisting for trusted infrastructure that must bypass account policy, and review entries regularly to avoid creating a permanent bypass.
Submit a JSON array of individual IPv4 addresses or IPv4 CIDRs. CIDRs expand to individual addresses, including network and broadcast addresses. Inputs are de-duplicated, and processing stops after 10,000 expanded targets; any remaining targets are silently ignored. Invalid values and IPv6 inputs are skipped by this legacy endpoint.
curl -X POST -u "username:password" "https://api.fraudguard.io/whitelist"
require 'net/http'
require 'net/https'
def post_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts post_ip('api.fraudguard.io','/whitelist','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.post('https://api.fraudguard.io/whitelist', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/whitelist',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.post(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/whitelist';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/whitelist' -Headers $Headers
Example request body:
[
"33.204.31.152",
"22.138.235.67",
"8.8.7.0/24",
"21.10.48.57",
"35.0.177.190"
]
Example response:
{
"deleted": 0,
"inserted": 260,
"errors": 0
}
The example contains four individual addresses plus one /24, which expands to 256 addresses. inserted is the number of unique expanded targets written or refreshed, not necessarily the number of previously absent rows. The legacy errors counter does not report skipped per-item validation failures.
HTTP Request
POST https://api.fraudguard.io/whitelist
Delete from Custom Blacklist
This legacy endpoint removes exact IPv4 values from the authenticated account's custom blacklist. It does not expand CIDRs, so delete expanded addresses individually or use the v2 endpoint for CIDR-aware operations.
curl -X DELETE -u "username:password" "https://api.fraudguard.io/blacklist"
require 'net/http'
require 'net/https'
def delete_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Delete.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts delete_ip('api.fraudguard.io','/blacklist','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.delete('https://api.fraudguard.io/blacklist', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/blacklist',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.delete(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/blacklist';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, DELETE);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/blacklist' -Headers $Headers
Example request body:
[
"33.204.31.152",
"22.138.235.67",
"24.51.147.29",
"21.10.48.57",
"35.0.177.190"
]
Example response:
{
"deleted": 5,
"inserted": 0,
"errors": 0
}
deleted is the number of submitted targets processed, not the number of rows that existed or were actually removed. A missing address is still included in this legacy counter.
HTTP Request
DELETE https://api.fraudguard.io/blacklist
Delete from Custom Whitelist
This legacy endpoint removes exact IPv4 values from the authenticated account's custom whitelist. It does not expand CIDRs, so delete expanded addresses individually or use the v2 endpoint for CIDR-aware operations.
curl -X DELETE -u "username:password" "https://api.fraudguard.io/whitelist"
require 'net/http'
require 'net/https'
def delete_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Delete.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts delete_ip('api.fraudguard.io','/whitelist','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.delete('https://api.fraudguard.io/whitelist', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/whitelist',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.delete(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/whitelist';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, DELETE);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/whitelist' -Headers $Headers
Example request body:
[
"33.204.31.152",
"22.138.235.67",
"24.51.147.29",
"21.10.48.57",
"35.0.177.190"
]
Example response:
{
"deleted": 5,
"inserted": 0,
"errors": 0
}
deleted is the number of submitted targets processed, not the number of rows that existed or were actually removed. A missing address is still included in this legacy counter.
HTTP Request
DELETE https://api.fraudguard.io/whitelist
Get User History
User History records account access context so you can investigate location, device, and geographic changes. Use a stable, non-sensitive internal user identifier; do not send an email address, name, or other directly identifying value.
This API retrieves the most recent access event for a specified user, providing insights into location, device, and security recommendations.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/v1/user-history/<user_id>"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/v1/user-history/<user_id>','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/v1/user-history/<user_id>', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/v1/user-history/<user_id>',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/v1/user-history/<user_id>';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v1/user-history/<user_id>' -Headers $Headers
Example response:
{
"user_id": "user_example_001",
"last_activity": {
"ip": "203.0.113.25",
"city": "Tokyo",
"country": "Japan",
"timestamp": "2024-11-14 03:53:25",
"user_agent": "Mozilla/5.0 ... Chrome/124.0 Safari/537.36",
"recommendation": {
"action": "Challenge",
"reason": "New Device"
}
}
}
last_activity is the newest stored event for the requested user. For an unknown user, do not assume its fields are populated; treat missing or null activity values as no stored record.
HTTP Request
GET https://api.fraudguard.io/api/v1/user-history/<user_id>
URL Parameters
| Parameter | Description |
|---|---|
| user_id | Identifier for the user whose most recent activity is being retrieved. |
Get User History List
User History records account access context so you can investigate location, device, and geographic changes. Use a stable, non-sensitive internal user identifier; do not send an email address, name, or other directly identifying value.
This API retrieves the full (last 100 events) history of access events for a specific user, useful for auditing and identifying patterns over time.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/v1/user-history/list/<user_id>"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/v1/user-history/list/<user_id>','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/v1/user-history/list/<user_id>', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/v1/user-history/list/<user_id>',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/v1/user-history/list/<user_id>';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v1/user-history/list/<user_id>' -Headers $Headers
Example response:
{
"user_id": "user_example_001",
"user_history": [
{
"ip": "203.0.113.25",
"city": "Tokyo",
"country": "Japan",
"user_agent": "Mozilla/5.0 ... Chrome/84.0.4280.85 Safari/537.36",
"timestamp": "2024-11-14 03:53:25",
"recommendation": {
"action": "Challenge",
"reason": "New Device"
}
},
{
"ip": "198.51.100.40",
"city": "New Taipei",
"country": "Taiwan",
"user_agent": "Mozilla/5.0 ... Chrome/87.0.4280.85 Safari/537.36",
"timestamp": "2024-11-14 03:49:59",
"recommendation": {
"action": "Block",
"reason": "Bad IP Reputation"
}
}
]
}
HTTP Request
GET https://api.fraudguard.io/api/v1/user-history/list/<user_id>
URL Parameters
| Parameter | Description |
|---|---|
| user_id | Identifier for the user whose newest 100 stored events are being retrieved. |
Post User History Check
User History records account access context so you can investigate location, device, and geographic changes. Use a stable, non-sensitive internal user identifier; do not send an email address, name, or other directly identifying value.
This endpoint records an access event and returns location context plus an advisory recommendation. ip and user_agent are required. user_id is optional; when omitted, FraudGuard generates a 32-character identifier and returns it for use on later calls.
Capture the source IP from a trusted reverse proxy, load balancer, or server connection and the user agent from the actual request. Do not accept either value from an untrusted browser field. Treat the recommendation as one signal in your authentication policy, not as a standalone authorization decision.
| Field | Required | Type | Description |
|---|---|---|---|
| user_id | No | string | Stable, non-sensitive identifier used to correlate this user's events. |
| ip | Yes | string | Valid source IPv4 or IPv6 address observed by your trusted application edge. |
| user_agent | Yes | string | User-Agent value observed on the access request. |
IP addresses, user agents, and stable identifiers can be personal data. Restrict access to these endpoints, set an appropriate retention policy, and disclose the processing required by your application and jurisdiction.
curl -X POST -u "username:password" "https://api.fraudguard.io/api/v1/user-history/check" -d '{"user_id":"user_example_001","ip":"203.0.113.25","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}'
require 'net/http'
require 'net/https'
def post_ip(server,path,username,password)
body = '{"user_id":"user_example_001","ip":"203.0.113.25","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end
puts post_ip('api.fraudguard.io','/api/v1/user-history/check','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '{"user_id":"user_example_001","ip":"203.0.113.25","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}'
ip=requests.post('https://api.fraudguard.io/api/v1/user-history/check', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');
const querystring = require('querystring');
const https = require('https');
const data = '{"user_id":"user_example_001","ip":"203.0.113.25","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}';
var options = {
hostname: "api.fraudguard.io",
port: 443,
path: '/api/v1/user-history/check',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': auth,
'Content-Length': data.length
}
};
var req = https.request(options, (res) => {
console.log('statusCode:', res.statusCode);
console.log('headers:', res.headers);
res.on('data', (d) => {
process.stdout.write(d);
});
});
req.on('error', (e) => {
console.error(e);
});
req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '{"user_id":"user_example_001","ip":"203.0.113.25","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}';
$url = 'https://api.fraudguard.io/api/v1/user-history/check';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
$body = @'
'{"user_id":"user_example_001","ip":"203.0.113.25","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}'
'@
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v1/user-history/check' -Headers $Headers -Method Post -Body $body
Example request body:
{
"user_id": "user_example_001",
"ip": "203.0.113.25",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4280.85 Safari/537.36"
}
Example response:
{
"user_id": "user_example_001",
"ip": "203.0.113.25",
"city": "Tokyo",
"country": "Japan",
"timestamp": "2024-11-14 03:53:25",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4280.85 Safari/537.36",
"recommendation": {
"action": "Challenge",
"reason": "New Device"
}
}
HTTP Request
POST https://api.fraudguard.io/api/v1/user-history/check
Get API Analytics
Returns API usage and activity for the authenticated account over the previous 30 days.
Response Fields
Totals
total_requests: Total number of API calls over the past 30 days.blacklisted_count: Number of API requests flagged as blacklisted.whitelisted_count: Number of API requests flagged as whitelisted.geoblocked_count: Number of API requests flagged as geoblocked.risk_level_distribution:- Breakdown of requests by assessed risk level (
1lowest through5highest).
- Breakdown of requests by assessed risk level (
threat_distribution:- Count of requests flagged under legacy threat categories such as
anonymous_tracker,botnet_tracker,honeypot_tracker,abuse_tracker, andspam_tracker.
- Count of requests flagged under legacy threat categories such as
Top APIs
api_name: Name of the API endpoint.request_count: Total requests made to the API endpoint.
Geographic Overview
country: The country associated with the IPs queried through the API.request_count: Total number of requests that involved IPs associated with this country.
Daily Breakdown
day: Date of activity.total_requests: Number of requests on that day.
Notes for Developers
- Scope:
- It aggregates data from the past 30 days only.
- Reporting Window:
- This endpoint returns activity from the previous 30 days. It does not expose older records.
- Usage Insights:
- Use this data to monitor API usage patterns, geographic trends, and flagged activity.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/analytics"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/analytics','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/analytics', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/analytics',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/analytics';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/analytics' -Headers $Headers
Example response:
{
"status": "success",
"analytics": {
"totals": {
"total_requests": 108,
"blacklisted_count": 2,
"whitelisted_count": 1,
"geoblocked_count": 2,
"risk_level_distribution": {
"1": 19,
"2": 2,
"3": 8,
"4": 1,
"5": 1
},
"threat_distribution": {
"anonymous_tracker": 8,
"botnet_tracker": 3,
"honeypot_tracker": 1,
"abuse_tracker": 2,
"spam_tracker": 1
}
},
"top_apis": [
{
"api_name": "Rate Limit Enforce",
"request_count": "19"
},
{
"api_name": "Get API Analytics",
"request_count": "16"
},
{
"api_name": "Get Specific IP Reputation v4",
"request_count": "10"
},
{
"api_name": "Get Specific IP Reputation v5",
"request_count": "8"
}
],
"geographic_overview": [
{
"country": "Italy",
"request_count": "10"
},
{
"country": "United States",
"request_count": "8"
},
{
"country": "Ukraine",
"request_count": "3"
},
{
"country": "Russia",
"request_count": "3"
},
{
"country": "Uruguay",
"request_count": "2"
}
],
"daily_breakdown": [
{
"day": "2024-12-03",
"total_requests": "108"
}
]
}
}
HTTP Request
GET https://api.fraudguard.io/api/analytics
Get IP History v1
Returns the last 1,000 IP addresses associated with a risk level (2 through 5) or account policy type (geoblock, whitelist, or blacklist). Results preserve duplicates and reflect the authenticated account's lookup history.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/v1/ip-history/5"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/v1/ip-history/5','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/v1/ip-history/5', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/v1/ip-history/5',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/v1/ip-history/5';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v1/ip-history/5' -Headers $Headers
Example response:
{
"type": "5",
"data": [
"46.148.112.138",
"34.75.145.155",
"5.188.11.2",
"5.188.11.2",
"14.29.254.1",
"89.248.163.2",
"89.248.163.22",
"1.93.47.149",
"1.93.47.149",
"46.148.112.0"
]
}
HTTP Request
GET https://api.fraudguard.io/api/v1/ip-history/<type>
URL Parameters
| Parameter | Description |
|---|---|
| Type | Risk level 2 through 5, or geoblock, whitelist, or blacklist. |
Rate Limit Rule Creation
This API creates a new rate limit rule for the authenticated user.
Request Fields and Current Semantics
| Field | Required | Description |
|---|---|---|
| identifier | Yes | Non-empty rule name. It must be unique within the authenticated account. |
| limit | Yes | Positive JSON integer representing the allowed units in the window. |
| interval_type | Yes | Send rolling. The create endpoint also accepts calendar, but current enforcement treats both values as rolling windows. |
| interval_value | Yes | Positive integer followed by s, m, h, d, w, or y, such as 10s, 15m, 2h, or 7d. |
| ip | No | Stored and returned as rule metadata. Current enforcement does not use this stored value; counters are scoped by the ip supplied to each enforce request. |
Do not use the accepted mo suffix in production rules: current enforcement interprets a value such as 1mo as one minute. Use an unambiguous day value, such as 30d, until month handling is corrected.
curl -X POST -u "username:password" "https://api.fraudguard.io/api/rate-limits/rules" -d '{
"identifier": "form_submission",
"limit": 100,
"interval_type": "rolling",
"interval_value": "1m",
"ip": ""
}'
require 'net/http'
require 'net/https'
def post_ip(server,path,username,password)
body = '{
"identifier": "form_submission",
"limit": 100,
"interval_type": "rolling",
"interval_value": "1m",
"ip": ""
}'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end
puts post_ip('api.fraudguard.io','/api/rate-limits/rules','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '{
"identifier": "form_submission",
"limit": 100,
"interval_type": "rolling",
"interval_value": "1m",
"ip": ""
}'
ip=requests.post('https://api.fraudguard.io/api/rate-limits/rules', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');
const querystring = require('querystring');
const https = require('https');
const data = '{
"identifier": "form_submission",
"limit": 100,
"interval_type": "rolling",
"interval_value": "1m",
"ip": ""
}';
var options = {
hostname: "api.fraudguard.io",
port: 443,
path: '/api/rate-limits/rules',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': auth,
'Content-Length': data.length
}
};
var req = https.request(options, (res) => {
console.log('statusCode:', res.statusCode);
console.log('headers:', res.headers);
res.on('data', (d) => {
process.stdout.write(d);
});
});
req.on('error', (e) => {
console.error(e);
});
req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '{
"identifier": "form_submission",
"limit": 100,
"interval_type": "rolling",
"interval_value": "1m",
"ip": ""
}';
$url = 'https://api.fraudguard.io/api/rate-limits/rules';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
$body = @'
'{
"identifier": "form_submission",
"limit": 100,
"interval_type": "rolling",
"interval_value": "1m",
"ip": ""
}'
'@
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/rate-limits/rules' -Headers $Headers -Method Post -Body $body
Example request body:
{
"identifier": "form_submission",
"limit": 100,
"interval_type": "rolling",
"interval_value": "1m",
"ip": ""
}
Successful response:
{
"status": "success",
"message": "Rate limit rule created successfully."
}
HTTP Request
POST https://api.fraudguard.io/api/rate-limits/rules
Rate Limit Enforce
This API evaluates one identifier and source IP against a stored rule. Your application calls it before the protected action and must enforce the returned decision itself.
Request and Decision Semantics
| Field | Required | Description |
|---|---|---|
| identifier | Yes | Existing rule identifier owned by the authenticated account. |
| ip | Yes | Valid IPv4 or IPv6 address. Each identifier/IP pair has its own rolling counter, regardless of the rule's stored ip metadata. |
| units | No | Numeric work units to consume. Values are converted to an integer with a minimum of 1; default 1. |
The endpoint returns HTTP 200 for allowed, blocked, and application-level error results. Always inspect the JSON status before allowing the protected action. If status is blocked, deny or defer the action and use retry_after for the next attempt. If status is error, fail according to your own security policy rather than treating the request as allowed.
retry_after is measured from the start of the active block and is returned as a compact value such as 58s, 2m, or 1h. Repeated blocked checks do not restart the timer.
curl -X POST -u "username:password" "https://api.fraudguard.io/api/rate-limits/enforce" -d '{
"identifier": "form_submission",
"ip": "99.23.5.3",
"units": 5
}'
require 'net/http'
require 'net/https'
def post_ip(server,path,username,password)
body = '{
"identifier": "form_submission",
"ip": "99.23.5.3",
"units": 5
}'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end
puts post_ip('api.fraudguard.io','/api/rate-limits/enforce','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '{
"identifier": "form_submission",
"ip": "99.23.5.3",
"units": 5
}'
ip=requests.post('https://api.fraudguard.io/api/rate-limits/enforce', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');
const querystring = require('querystring');
const https = require('https');
const data = '{
"identifier": "form_submission",
"ip": "99.23.5.3",
"units": 5
}';
var options = {
hostname: "api.fraudguard.io",
port: 443,
path: '/api/rate-limits/enforce',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': auth,
'Content-Length': data.length
}
};
var req = https.request(options, (res) => {
console.log('statusCode:', res.statusCode);
console.log('headers:', res.headers);
res.on('data', (d) => {
process.stdout.write(d);
});
});
req.on('error', (e) => {
console.error(e);
});
req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '{
"identifier": "form_submission",
"ip": "99.23.5.3",
"units": 5
}';
$url = 'https://api.fraudguard.io/api/rate-limits/enforce';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
$body = @'
'{
"identifier": "form_submission",
"ip": "99.23.5.3",
"units": 5
}'
'@
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/rate-limits/enforce' -Headers $Headers -Method Post -Body $body
Example request body:
{
"identifier": "form_submission",
"ip": "99.23.5.3",
"units": 5
}
Allowed response:
The remaining value reflects the remaining units after deducting the requested units.
{
"status": "allowed",
"remaining": 95,
"message": "Request allowed."
}
Blocked response:
{
"status": "blocked",
"retry_after": "58s",
"message": "Rate limit exceeded. Please try again later."
}
HTTP Request
POST https://api.fraudguard.io/api/rate-limits/enforce
Rate Limit Rules Retrieve All
Returns every rate-limit rule owned by the authenticated account.
Details About Retrieved Rules
The /api/rate-limits/rules endpoint returns all rate limit rules for the authenticated user.
Each Rule Contains:
identifier: The unique name for the rule (e.g.,"form_submission").limit: The maximum number of allowed requests within the interval.interval_type: Stored value (rollingorcalendar). Current enforcement uses a rolling window for either value.interval_value: The duration of the interval (e.g.,1mor1d).ip: Optional stored metadata. Current enforcement instead scopes counters by the IP in each enforce request.
Usage Notes
- The response includes every rule scoped to the authenticated user.
- There is no rule-update endpoint. Delete and recreate a rule when its configuration must change.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/rate-limits/rules"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/rate-limits/rules','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/rate-limits/rules', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/rate-limits/rules',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/rate-limits/rules';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/rate-limits/rules' -Headers $Headers
Example response:
{
"status": "success",
"data": [
{
"id": 1,
"identifier": "form_submission",
"limit": 100,
"interval_type": "rolling",
"interval_value": "1m",
"ip": "99.23.5.3"
}
]
}
HTTP Request
GET https://api.fraudguard.io/api/rate-limits/rules
Rate Limits Analytics
Returns rate-limit usage and block analytics for the authenticated account.
Analytics for Rate Limits
The /api/rate-limits/analytics endpoint provides usage data for rate limits, including:
Total Blocks:
- The total number of times requests were blocked due to exceeding rate limits.
Most Blocked Rules:
- The rules with the highest block counts.
Recent Block Activity:
- The last time each rule was blocked, sorted by recency.
Top Blocked IPs:
- The IP addresses that triggered the most blocks.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/rate-limits/analytics"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/rate-limits/analytics','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/rate-limits/analytics', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/rate-limits/analytics',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/rate-limits/analytics';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/rate-limits/analytics' -Headers $Headers
Example response:
{
"status": "success",
"data": {
"total_blocks": 25,
"most_blocked_rules": [
{
"identifier": "form_submission",
"block_count": 10
}
],
"recent_blocks": [
{
"identifier": "login_attempts",
"last_block": "2024-11-28 20:45:12"
}
],
"top_blocked_ips": [
{
"ip": "99.23.5.3",
"block_count": 15
}
]
}
}
HTTP Request
GET https://api.fraudguard.io/api/rate-limits/analytics
Rate Limit Rule Delete
This API endpoint deletes a specific rate limit rule for the authenticated user.
Usage Notes
Scope:
- Attempting to delete a rule that does not exist or belongs to another user will result in a
404 Not Founderror.
- Attempting to delete a rule that does not exist or belongs to another user will result in a
Related State:
- Deleting the rule removes the rule record only. Existing usage, block, and analytics records are not deleted by this endpoint.
curl -X DELETE -u "username:password" "https://api.fraudguard.io/api/rate-limits/rules/form_submission"
require 'net/http'
require 'net/https'
def delete_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Delete.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts delete_ip('api.fraudguard.io','/api/rate-limits/rules/form_submission','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.delete('https://api.fraudguard.io/api/rate-limits/rules/form_submission', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/rate-limits/rules/form_submission',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.delete(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/rate-limits/rules/form_submission';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, DELETE);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/rate-limits/rules/form_submission' -Headers $Headers -Method Delete
Successful response:
{
"status": "success",
"message": "Rate limit rule deleted successfully."
}
Error response:
{
"status": "error",
"message": "Rate limit rule not found or does not belong to the current user."
}
HTTP Request
DELETE https://api.fraudguard.io/api/rate-limits/rules/{identifier}
ThreatWatch Add Monitored IP
This API adds an individual IP address to the ThreatWatch watchlist.
Usage Notes
- Supported Inputs: Only single IP addresses are supported at this time (e.g., 88.25.3.1).
- Duplicate Handling: If an IP already exists in the watchlist, the updated_at timestamp will be refreshed, and no duplicate entry will be created.
- Response Handling: Validation and application errors use a JSON
status: "error"envelope and may still return HTTP200. Inspectstatusbefore treating the operation as successful.
curl -X POST -u "username:password" "https://api.fraudguard.io/api/threatwatch/add" -d '{
"ip": "88.25.3.1"
}'
require 'net/http'
require 'net/https'
def post_ip(server,path,username,password)
body = '{
"ip": "88.25.3.1"
}'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Post.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end
puts post_ip('api.fraudguard.io','/api/threatwatch/add','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '{
"ip": "88.25.3.1"
}'
ip=requests.post('https://api.fraudguard.io/api/threatwatch/add', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');
const querystring = require('querystring');
const https = require('https');
const data = '{
"ip": "88.25.3.1"
}';
var options = {
hostname: "api.fraudguard.io",
port: 443,
path: '/api/threatwatch/add',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': auth,
'Content-Length': data.length
}
};
var req = https.request(options, (res) => {
console.log('statusCode:', res.statusCode);
console.log('headers:', res.headers);
res.on('data', (d) => {
process.stdout.write(d);
});
});
req.on('error', (e) => {
console.error(e);
});
req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '{
"ip": "88.25.3.1"
}';
$url = 'https://api.fraudguard.io/api/threatwatch/add';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
$body = @'
'{
"ip": "88.25.3.1"
}'
'@
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/threatwatch/add' -Headers $Headers -Method Post -Body $body
Example request body:
{
"ip": "88.25.3.1"
}
Successful response:
{
"status": "success",
"message": "IP added to watchlist."
}
HTTP Request
POST https://api.fraudguard.io/api/threatwatch/add
ThreatWatch Delete Monitored IP
This API endpoint deletes a monitored IP address from the ThreatWatch watchlist.
Usage Notes
- Impact on Analytics: Deleting an IP removes it from the watchlist but does not delete its retained historical alerts.
- Supported Inputs: Single IP addresses only.
- Response Handling: Invalid input or an IP that is not monitored may return a JSON
status: "error"envelope with HTTP200. Inspectstatus.
curl -X DELETE -u "username:password" "https://api.fraudguard.io/api/threatwatch/delete" -d '{
"ip": "88.25.3.1"
}'
require 'net/http'
require 'net/https'
def delete_ip(server,path,username,password)
body = '{
"ip": "88.25.3.1"
}'
http = Net::HTTP.new(server,443)
req = Net::HTTP::Delete.new(path)
http.use_ssl = true
req.basic_auth username, password
req.body = body
response = http.request(req)
return response.body
end
puts delete_ip('api.fraudguard.io','/api/threatwatch/delete','username','password')
import requests
from requests.auth import HTTPBasicAuth
data = '{
"ip": "88.25.3.1"
}'
ip=requests.delete('https://api.fraudguard.io/api/threatwatch/delete', data=data, verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');
const querystring = require('querystring');
const https = require('https');
const data = '{
"ip": "88.25.3.1"
}';
var options = {
hostname: "api.fraudguard.io",
port: 443,
path: '/api/threatwatch/delete',
method: 'DELETE',
headers: {
'Content-Type': 'application/json',
'Authorization': auth,
'Content-Length': data.length
}
};
var req = https.request(options, (res) => {
console.log('statusCode:', res.statusCode);
console.log('headers:', res.headers);
res.on('data', (d) => {
process.stdout.write(d);
});
});
req.on('error', (e) => {
console.error(e);
});
req.write(data);
req.end();
<?php
$username = 'username';
$password = 'password';
$jsondata = '{
"ip": "88.25.3.1"
}';
$url = 'https://api.fraudguard.io/api/threatwatch/delete';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'DELETE');
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsondata);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
$body = @'
'{
"ip": "88.25.3.1"
}'
'@
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/threatwatch/delete' -Headers $Headers -Method Delete -Body $body
Example request body:
{
"ip": "88.25.3.1"
}
Successful response:
{
"status": "success",
"message": "IP removed from watchlist."
}
HTTP Request
DELETE https://api.fraudguard.io/api/threatwatch/delete
ThreatWatch List All Monitored IPs
Returns every IP currently monitored by ThreatWatch for the authenticated account.
Usage Notes
- This endpoint is useful for verifying whether specific IPs are being actively monitored.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/threatwatch/list"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/threatwatch/list','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/threatwatch/list', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/threatwatch/list',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/threatwatch/list';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/threatwatch/list' -Headers $Headers
Example response:
{
"status": "success",
"monitored_ips": [
{
"ip": "12.65.23.1",
"created_at": "2024-11-30 10:00:00",
"updated_at": "2024-11-30 12:00:00"
},
{
"ip": "99.2.23.5",
"created_at": "2024-11-29 14:00:00",
"updated_at": "2024-11-30 11:00:00"
}
]
}
HTTP Request
GET https://api.fraudguard.io/api/threatwatch/list
ThreatWatch Analytics
Returns ThreatWatch activity summaries, including threat, risk, and geographic patterns for monitored IPs.
Usage Notes
total_monitored_ips: current watchlist size.matched_threats: retained alert count for monitored IPs.most_active_threats: up to five IPs with the highest alert counts.top_threat_categories: up to five{threat, count}rows.geographic_overview: up to five{country, count}rows.recent_activity: the ten newest retained alerts.- This endpoint retains a 30-day analytics window; older alerts are removed and do not appear in the response.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/threatwatch/analytics"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/threatwatch/analytics','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/threatwatch/analytics', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/threatwatch/analytics',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/threatwatch/analytics';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/threatwatch/analytics' -Headers $Headers
Example response:
{
"status": "success",
"analytics": {
"total_monitored_ips": 150,
"matched_threats": 320,
"most_active_threats": [
{
"ip": "88.25.3.1",
"threat_count": 25,
"most_recent_threat": "spam_tracker"
},
{
"ip": "25.3.1.1",
"threat_count": 18,
"most_recent_threat": "botnet_tracker"
}
],
"top_threat_categories": [
{"threat": "abuse_tracker", "count": 40},
{"threat": "spam_tracker", "count": 30},
{"threat": "anonymous_tracker", "count": 22}
],
"geographic_overview": [
{"country": "United States", "count": 35},
{"country": "Russia", "count": 25},
{"country": "China", "count": 15}
],
"recent_activity": [
{
"ip": "72.22.51.3",
"threat": "abuse_tracker",
"risk": 4,
"timestamp": "2024-11-30 12:34:56"
},
{
"ip": "98.2.3.2",
"threat": "spam_tracker",
"risk": 3,
"timestamp": "2024-11-30 12:31:15"
}
]
}
}
most_recent_threat is the category value returned by the current aggregate. It is not guaranteed to be the chronologically newest category; use recent_activity when event order matters.
HTTP Request
GET https://api.fraudguard.io/api/threatwatch/analytics
Raw IP Lists by Risk
This API endpoint returns raw IP address lists direct from the FraudGuard.io attack correlation engine by risk level. This dataset is very dynamic and changes constantly.
curl -X GET -u "username:password" "https://api.fraudguard.io/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false' -Headers $Headers
Example response:
[
"87.246.7.0",
"185.180.143.146",
"94.102.61.0",
"91.191.209.0",
"5.188.206.0"
]
HTTP Request
GET https://api.fraudguard.io/raw-lists-by-risk/5?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false
URL Parameters
| Parameter | Description |
|---|---|
| Risk Level | Integer from 1 (lowest) to 5 (highest). |
| Offset | Offset for Pagination |
| CIDR | true/false for enabling/disabling CIDR notation in JSON Response |
| IPv4 | true/false for enabling/disabling support for IPv4 addresses |
| IPv6 | true/false for enabling/disabling support for IPv6 addresses |
| Limit | Limit for retrieving IP data within the request. We allow values between 1-1000. We share current API total count of results via X-Total-Count response header. |
Raw IP Lists by Threat
This API endpoint returns raw IP address lists direct from the FraudGuard.io attack correlation engine by threat type. This dataset is very dynamic and changes constantly.
curl -X GET -u "username:password" "https://api.fraudguard.io/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false' -Headers $Headers
Example response:
[
"5.188.210.93",
"199.167.138.22",
"5.188.210.21",
"185.220.101.23",
"185.220.101.21"
]
HTTP Request
GET https://api.fraudguard.io/raw-lists-by-threat/spam_tracker?offset=0&limit=5&cidr=false&ipv4=true&ipv6=false
URL Parameters
| Parameter | Description |
|---|---|
| Threat Type | Legacy tracker name such as abuse_tracker, anonymous_tracker, botnet_tracker, honeypot_tracker, spam_tracker, or vpn_tracker. |
| Offset | Offset for Pagination |
| CIDR | true/false for enabling/disabling CIDR notation in JSON response |
| IPv4 | true/false for enabling/disabling support for IPv4 addresses |
| IPv6 | true/false for enabling/disabling support for IPv6 addresses |
| Limit | Limit for retrieving IP data within the request. We allow values between 1-1000. We share current API total count of results via X-Total-Count response header. |
Advanced Threat Lookup
Searches the ACE dataset with multiple intelligence and network filters for investigation, enrichment, and list building.
Customers can filter results by ASN, ASN Organization, ISP, organization, country, ISO country code, connection type, threat classification, and risk level to analyze and investigate potential threats with precision.
The dataset changes as FraudGuard intelligence and enrichment are updated. Fuzzy search and multi-parameter filtering help customers build targeted investigation and enrichment queries.
curl -X GET -u "username:password" "https://api.fraudguard.io/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5' -Headers $Headers
Example response:
{
"total_results": 521,
"data": [
{
"id": "18744",
"ip": "5.252.176.20",
"threat": "honeypot_tracker",
"risk": "5",
"asn": "39798",
"asn_organization": "MivoCloud SRL",
"isp": "MivoCloud SRL",
"organization": "MivoCloud SRL",
"isocode": "RU",
"country": "Russia",
"connection_type": "Corporate"
}
]
}
HTTP Request
GET https://api.fraudguard.io/advanced-threat-lookup?isocode=RU&limit=1&offset=0&organization=cloud&risk=4,5
URL Parameters
| Parameter | Description |
|---|---|
| ASN (asn) | Accepts one or multiple Autonomous System Number (comma-separated). |
| ASN Organization (asn_organization) | Accepts a single ASN organization name (fuzzy search supported). |
| ISP (isp) | Search by internet service provider. Accepts a single ISP name (fuzzy search supported). |
| Organization (organization) | Match a company or entity operating the IPs. Accepts a single organization name (fuzzy search supported). |
| Country (country) | Search by country names (fuzzy search supported). |
| ISO Code (isocode) | Accepts one or multiple two-letter country codes (comma-separated). |
| Connection Type (connection_type) | Accepts one or multiple connection types (comma-separated). |
| Threat Type (threat) | One or more comma-separated legacy threat classifications. |
| Risk Level (risk) | One or more comma-separated risk levels from 1 (lowest) to 5 (highest). |
| Limit (limit) | Accepts a single integer to define the number of results (1-1000). |
| Offset (offset) | Accepts a single integer to paginate through results. |
LogGuard AI – Top Attackers
Returns the most active and high-risk IPs in the authenticated account's enriched LogGuard dataset, ranked by frequency.
This dataset helps security teams quickly pinpoint recurring threats, update blacklists, tune WAF/firewall rules, and take automated actions based on severity and behavior.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/logguard/top-attackers?limit=2"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/logguard/top-attackers?limit=2','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/logguard/top-attackers?limit=2', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/logguard/top-attackers?limit=2',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/logguard/top-attackers?limit=2';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/logguard/top-attackers?limit=2' -Headers $Headers
Example response:
[
{
"ip": "103.121.39.54",
"attack_count": "19236",
"threat": "honeypot_tracker",
"asn_organization": "Digital Dot Net DDN",
"isp": "Digital Dot Net DDN",
"organization": "Digital Dot Net DDN",
"connection_type": "Cable/DSL",
"country": "Bangladesh",
"last_seen": "2025-03-18 16:15:35"
},
{
"ip": "164.92.75.90",
"attack_count": "635",
"threat": "honeypot_tracker",
"asn_organization": "unknown",
"isp": "unknown",
"organization": "unknown",
"connection_type": "unknown",
"country": "United States",
"last_seen": "2025-03-18 16:13:39"
}
]
HTTP Request
GET https://api.fraudguard.io/api/logguard/top-attackers?limit=2
URL Parameters
| Parameter | Description |
|---|---|
| Limit (limit) | Accepts a single integer to define the number of results (1-1000). |
| Offset (offset) | Accepts a single integer to paginate through results. |
Response Fields
| Field | Description |
|---|---|
| IP (ip) | Source IP address. |
| Attack Count (attack_count) | Number of matching attack records, returned as a numeric string. |
| Threat (threat) | Current FraudGuard legacy threat classification. |
| ASN Organization (asn_organization) | Organization associated with the autonomous system. |
| ISP (isp) | Internet service provider associated with the IP. |
| Organization (organization) | Organization associated with the IP. |
| Connection Type (connection_type) | Network connection category. |
| Country (country) | Country associated with the IP. |
| Last Seen (last_seen) | Most recent matching LogGuard timestamp. |
LogGuard AI – Recent Attacks
Returns the most recent LogGuard entries flagged as attacks, including the matched pattern, source IP context, and threat classification.
This data is ideal for real-time alerting, incident response, or security dashboards where visibility into the most current attacker activity is essential.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/logguard/recent?limit=2"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/logguard/recent?limit=2','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/logguard/recent?limit=2', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/logguard/recent?limit=2',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/logguard/recent?limit=2';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/logguard/recent?limit=2' -Headers $Headers
Example response:
[
{
"id": "27409",
"file_name": "access.log.6",
"log_entry": "179.43.188.122 - - [23/Nov/2024:05:02:37 +0000] \"GET /laravel/.env HTTP/1.1\" 403 177 \"-\" \"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\"",
"attack_type": "web_recon",
"matched_pattern": "Recon Path Match",
"ip": "179.43.188.122",
"threat": "honeypot_tracker",
"created_at": "2025-03-18 16:21:19"
},
{
"id": "27407",
"file_name": "access.log.6",
"log_entry": "179.43.188.122 - - [23/Nov/2024:05:02:37 +0000] \"GET /core/.env HTTP/1.1\" 403 177 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.41\"",
"attack_type": "web_recon",
"matched_pattern": "Recon Path Match",
"ip": "179.43.188.122",
"threat": "honeypot_tracker",
"created_at": "2025-03-18 16:21:19"
}
]
HTTP Request
GET https://api.fraudguard.io/api/logguard/recent?limit=2
URL Parameters
| Parameter | Description |
|---|---|
| Limit (limit) | Accepts a single integer to define the number of results (1-1000). |
| Offset (offset) | Accepts a single integer to paginate through results. |
Response Fields
| Field | Description |
|---|---|
| ID (id) | Unique identifier for the log record. |
| File Name (file_name) | Name of the original log file where the attack was detected. |
| Log Entry (log_entry) | Full raw log line associated with the attack. |
| Attack Type (attack_type) | High-level classification of the attack (e.g., web_recon, credential_stuffing). |
| Matched Pattern (matched_pattern) | The rule or pattern that triggered the detection (e.g., Recon Path Match). |
| IP (ip) | IP address of the source of the attack. |
| Threat (threat) | FraudGuard.io threat classification for this IP (e.g., honeypot_tracker). |
| Created At (created_at) | Timestamp when this attack was recorded. Format: YYYY-MM-DD HH:MM:SS. |
LogGuard AI – Attack Results Search
Searches enriched LogGuard data by URL path, file name, user agent, or other raw-log content for threat hunting and investigation.
The response includes full details about each match, including IP metadata, detection status, AI involvement, and threat classification.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/logguard/attack-results/search?limit=2&query=database"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/logguard/attack-results/search?limit=2&query=database','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/logguard/attack-results/search?limit=2&query=database', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/logguard/attack-results/search?limit=2&query=database',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/logguard/attack-results/search?limit=2&query=database';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/logguard/attack-results/search?limit=2&query=database' -Headers $Headers
Example response:
[
{
"id": "209",
"file_name": "access.log",
"log_entry": "103.121.39.54 - - [12/Feb/2025:09:02:04 +0000] \"GET /config/database.yml HTTP/1.1\" 301 162 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\"",
"attack_type": "web_recon",
"matched_pattern": "Recon Path Match",
"ip": "103.121.39.54",
"threat": "honeypot_tracker",
"country": "Bangladesh",
"asn_organization": "Digital Dot Net DDN",
"isp": "Digital Dot Net DDN",
"organization": "Digital Dot Net DDN",
"blacklisted": "0",
"geoblocked": "0",
"send_to_ai": "1",
"ai_confirmed": "1",
"ai_feedback": null,
"feedback_at": null,
"created_at": "2025-03-18 16:12:28"
},
{
"id": "234",
"file_name": "access.log",
"log_entry": "103.121.39.54 - - [12/Feb/2025:09:02:18 +0000] \"GET /config/database.php HTTP/1.1\" 301 162 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\"",
"attack_type": "web_recon",
"matched_pattern": "Recon Path Match",
"ip": "103.121.39.54",
"threat": "honeypot_tracker",
"country": "Bangladesh",
"asn_organization": "Digital Dot Net DDN",
"isp": "Digital Dot Net DDN",
"organization": "Digital Dot Net DDN",
"blacklisted": "0",
"geoblocked": "0",
"send_to_ai": "1",
"ai_confirmed": "1",
"ai_feedback": null,
"feedback_at": null,
"created_at": "2025-03-18 16:12:28"
}
]
HTTP Request
GET https://api.fraudguard.io/api/logguard/attack-results/search?limit=2&query=database
URL Parameters
| Parameter | Description |
|---|---|
| Query (query) | A required string to search within raw log entries (fuzzy match). |
| Limit (limit) | Accepts a single integer to define the number of results (1-1000). |
| Offset (offset) | Accepts a single integer to paginate through results. |
Response Fields
| Field | Description |
|---|---|
| ID (id) | Unique identifier for the log record. |
| File Name (file_name) | Name of the original log file where the match occurred. |
| Log Entry (log_entry) | The full raw log line where a match was found. |
| Attack Type (attack_type) | High-level classification of the attack (e.g., web_recon). |
| Matched Pattern (matched_pattern) | The detection rule or string that triggered the alert. |
| IP (ip) | The source IP address of the request. |
| Threat (threat) | FraudGuard.io threat classification (e.g., honeypot_tracker). |
| Country (country) | Geolocation of the IP address. |
| ASN Organization (asn_organization) | Name of the ASN that owns the IP. |
| ISP (isp) | Internet Service Provider for the IP address. |
| Organization (organization) | Company or entity associated with the IP. |
| Blacklisted (blacklisted) | 1 if the IP is currently blacklisted; otherwise 0. |
| Geoblocked (geoblocked) | 1 if the country is geoblocked; otherwise 0. |
| Send to AI (send_to_ai) | 1 if this log entry was sent to LogGuard AI for deeper analysis. |
| AI Confirmed (ai_confirmed) | 1 if LogGuard AI confirmed this entry as malicious. |
| AI Feedback (ai_feedback) | Manual user feedback on AI decision (if any). |
| Feedback At (feedback_at) | Timestamp when feedback was submitted, if available. |
| Created At (created_at) | Timestamp when this log entry was processed. |
LogGuard AI – Attack Results
This API endpoint returns the most recent AI-flagged attack log entries detected across your infrastructure. It includes full raw log data, matched patterns, threat classification, and AI confirmation status—giving your team clear visibility into what LogGuard AI is catching in real time.
Unlike the search API, this endpoint does not require a query string and instead provides a raw feed of the most recent malicious or suspicious entries, sorted by detection time.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/logguard/attack-results?limit=2"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/logguard/attack-results?limit=2','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/logguard/attack-results?limit=2', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/logguard/attack-results?limit=2',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/logguard/attack-results?limit=2';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/logguard/attack-results?limit=2' -Headers $Headers
Example response:
[
{
"id": "1",
"file_name": "access.log",
"log_entry": "78.153.140.149 - - [12/Feb/2025:00:19:27 +0000] \"GET /.env HTTP/1.1\" 301 162 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.140 Safari/537.36\"",
"attack_type": "web_recon",
"matched_pattern": "Recon Path Match",
"ip": "78.153.140.149",
"threat": "unknown",
"country": "Russia",
"asn_organization": "LLC Melt-internet",
"isp": "LLC Melt-internet",
"organization": "LLC Melt-internet",
"blacklisted": "0",
"geoblocked": "1",
"send_to_ai": "1",
"ai_confirmed": "1",
"ai_feedback": null,
"feedback_at": null,
"created_at": "2025-03-18 16:12:28"
}
]
HTTP Request
GET https://api.fraudguard.io/api/logguard/attack-results?limit=2
URL Parameters
| Parameter | Description |
|---|---|
| Limit (limit) | Accepts a single integer to define the number of results (1-1000). |
| Offset (offset) | Accepts a single integer to paginate through results. |
Response Fields
| Field | Description |
|---|---|
| ID (id) | Unique identifier for the log record. |
| File Name (file_name) | Name of the original log file where the match occurred. |
| Log Entry (log_entry) | The full raw log line where a match was found. |
| Attack Type (attack_type) | High-level classification of the attack (e.g., web_recon). |
| Matched Pattern (matched_pattern) | The detection rule or string that triggered the alert. |
| IP (ip) | The source IP address of the request. |
| Threat (threat) | FraudGuard.io threat classification (e.g., honeypot_tracker). |
| Country (country) | Geolocation of the IP address. |
| ASN Organization (asn_organization) | Name of the ASN that owns the IP. |
| ISP (isp) | Internet Service Provider for the IP address. |
| Organization (organization) | Company or entity associated with the IP. |
| Blacklisted (blacklisted) | 1 if the IP is currently blacklisted; otherwise 0. |
| Geoblocked (geoblocked) | 1 if the country is geoblocked; otherwise 0. |
| Send to AI (send_to_ai) | 1 if this log entry was sent to LogGuard AI for deeper analysis. |
| AI Confirmed (ai_confirmed) | 1 if LogGuard AI confirmed this entry as malicious. |
| AI Feedback (ai_feedback) | Manual user feedback on AI decision (if any). |
| Feedback At (feedback_at) | Timestamp when feedback was submitted, if available. |
| Created At (created_at) | Timestamp when this log entry was processed. |
LogGuard AI – Attack Stats
Aggregates detected attack counts by classification across the authenticated account's enriched LogGuard data.
This endpoint is ideal for dashboards, analytics tools, or security reports where visualizing the breakdown of attack categories is valuable.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/logguard/attack-stats"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/logguard/attack-stats','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/logguard/attack-stats', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/logguard/attack-stats',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/logguard/attack-stats';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/logguard/attack-stats' -Headers $Headers
Example response:
[
{
"attack_type": "web_recon",
"count": "15594"
},
{
"attack_type": "unknown",
"count": "11143"
},
{
"attack_type": "malicious_user_agents",
"count": "600"
},
{
"attack_type": "path_traversal",
"count": "15"
},
{
"attack_type": "rce_attempts",
"count": "10"
},
{
"attack_type": "sql_injection",
"count": "60"
}
]
HTTP Request
GET https://api.fraudguard.io/api/logguard/attack-stats
URL Parameters
| Parameter | Type | Default | Max | Description |
|---|---|---|---|---|
limit |
integer | 50 |
1000 |
Maximum number of classification rows to return. |
offset |
integer | 0 |
— | Number of rows to skip. |
Response Fields
| Field | Description |
|---|---|
| Attack Type (attack_type) | The category of the detected attack (e.g., web_recon, sql_injection, malicious_user_agents, etc.). |
| Count (count) | The total number of log entries associated with this attack type. |
LogGuard AI – Log Files
This API endpoint returns a list of log files uploaded and processed by LogGuard AI. It includes basic metadata such as the file name, file size in bytes, and upload timestamp.
Use this endpoint to audit ingestion activity, build dashboards, or verify which files have been successfully processed.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/logguard/log-files?limit=2"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/logguard/log-files?limit=2','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/logguard/log-files?limit=2', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/logguard/log-files?limit=2',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/logguard/log-files?limit=2';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/logguard/log-files?limit=2' -Headers $Headers
Example response:
[
{
"id": "1",
"file_name": "access.log",
"file_size": "1768697",
"uploaded_at": "2025-03-18 16:11:42"
},
{
"id": "2",
"file_name": "access.log.1",
"file_size": "221563",
"uploaded_at": "2025-03-18 16:11:42"
}
]
HTTP Request
GET https://api.fraudguard.io/api/logguard/log-files?limit=2
URL Parameters
| Parameter | Description |
|---|---|
| Limit (limit) | Accepts a single integer to define the number of results (1-1000). |
| Offset (offset) | Accepts a single integer to paginate through results. |
Response Fields
| Field | Description |
|---|---|
| ID (id) | Unique identifier for the uploaded log file. |
| File Name (file_name) | Name of the uploaded log file. |
| File Size (file_size) | Size of the file in bytes. |
| Uploaded At (uploaded_at) | Timestamp of when the file was uploaded and processed. |
Offline Threat Database SQLite
Downloads current FraudGuard threat intelligence as a gzipped SQLite database for local enforcement, enrichment, and analysis.
Use this endpoint to:
- Maintain a local copy of FraudGuard threat intelligence on your plan's refresh cadence
- Integrate with offline analysis tools and security systems
- Support air-gapped environments without direct API calls
Terms and Limitations
By downloading the Offline Threat Database, you acknowledge and agree to the following:
- Acceptance of Terms – All use of this database is subject to the FraudGuard Terms of Use.
- Account-Specific Access – The file is licensed for use only by the account holder and their authorized organization. You may not share, redistribute, use to build competing services or resell the file or its contents outside your organization.
- Refresh Cadence – Business snapshots refresh daily; Enterprise snapshots refresh hourly.
- No Public Redistribution – The data may not be published, mirrored, or made publicly accessible.
Offline Threat Database Schema
| Field | Description |
|---|---|
| ID (id) | Internal record ID. |
| IP Address (ip) | IPv4 or IPv6 address. |
| Threat Classification (threat) | Legacy classification such as abuse_tracker, anonymous_tracker, botnet_tracker, honeypot_tracker, spam_tracker, or vpn_tracker. |
| Risk Score (risk) | Integer from 1 (lowest) to 5 (highest). |
| ASN (asn) | Autonomous System Number. |
| ASN Organization (asn_organization) | Name of the ASN organization. |
| ISP (isp) | Internet Service Provider. |
| Organization (organization) | Registered organization. |
| Country Code (isocode) | ISO-3166 country code. |
| Country (country) | Country name. |
| State / Region (state) | State or region, if available. |
| City (city) | City, if available. |
| Latitude (latitude) | Geographic latitude. |
| Longitude (longitude) | Geographic longitude. |
| Connection Type (connection_type) | Connection type (e.g. Cable/DSL, Cellular, Corporate, Satellite, unknown). |
| Last Updated (updated_at) | Timestamp of the last update (UTC). |
curl -X GET -L -u "username:password" "https://api.fraudguard.io/v1/offline-db/sqlite" --output fg-database.sqlite.gz
Response: a gzipped SQLite database. Follow the
302 Foundredirect to the short-lived signed HTTPS download URL.
Treat the redirect URL as a bearer credential: do not log, share, or place it in client-side code. Send Basic Authentication only to the initial FraudGuard endpoint; do not forward the Authorization header to the signed download host. Stream the response to a temporary file, require a successful HTTP response, and run gzip -t before decompression. Open the extracted database read-only and run SQLite integrity validation before use. Replace the active database atomically only after validation succeeds, and retain the previous known-good snapshot for rollback. Discard expired signed URLs and request the authenticated endpoint again; a 410 Gone response means a new snapshot link is not yet available.
HTTP Request
GET https://api.fraudguard.io/v1/offline-db/sqlite
Offline Threat Database CSV
Downloads current FraudGuard threat intelligence as a gzipped CSV file for local enforcement, enrichment, and analysis.
Use this endpoint to:
- Maintain a local copy of FraudGuard threat intelligence on your plan's refresh cadence
- Integrate with offline analysis tools and security systems
- Support air-gapped environments without direct API calls
Terms and Limitations
By downloading the Offline Threat Database CSV file, you acknowledge and agree to the following:
- Acceptance of Terms – All use of this database is subject to the FraudGuard Terms of Use.
- Account-Specific Access – The file is licensed for use only by the account holder and their authorized organization. You may not share, redistribute, use to build competing services or resell the file or its contents outside your organization.
- Refresh Cadence – Business snapshots refresh daily; Enterprise snapshots refresh hourly.
- No Public Redistribution – The data may not be published, mirrored, or made publicly accessible.
Offline Threat Database Schema
| Field | Description |
|---|---|
| ID (id) | Internal record ID. |
| IP Address (ip) | IPv4 or IPv6 address. |
| Threat Classification (threat) | Legacy classification such as abuse_tracker, anonymous_tracker, botnet_tracker, honeypot_tracker, spam_tracker, or vpn_tracker. |
| Risk Score (risk) | Integer from 1 (lowest) to 5 (highest). |
| ASN (asn) | Autonomous System Number. |
| ASN Organization (asn_organization) | Name of the ASN organization. |
| ISP (isp) | Internet Service Provider. |
| Organization (organization) | Registered organization. |
| Country Code (isocode) | ISO-3166 country code. |
| Country (country) | Country name. |
| State / Region (state) | State or region, if available. |
| City (city) | City, if available. |
| Latitude (latitude) | Geographic latitude. |
| Longitude (longitude) | Geographic longitude. |
| Connection Type (connection_type) | Connection type (e.g. Cable/DSL, Cellular, Corporate, Satellite, unknown). |
| Last Updated (updated_at) | Timestamp of the last update (UTC). |
curl -X GET -L -u "username:password" "https://api.fraudguard.io/v1/offline-db/csv" --output fg-database.csv.gz
Response: a gzipped CSV database. Follow the
302 Foundredirect to the short-lived signed HTTPS download URL.
Treat the redirect URL as a bearer credential: do not log, share, or place it in client-side code. Send Basic Authentication only to the initial FraudGuard endpoint; do not forward the Authorization header to the signed download host. Stream the response to a temporary file, require a successful HTTP response, and run gzip -t before decompression. Validate the CSV header and expected column count before use, then replace the active file atomically. Retain the previous known-good snapshot for rollback. Discard expired signed URLs and request the authenticated endpoint again; a 410 Gone response means a new snapshot link is not yet available.
HTTP Request
GET https://api.fraudguard.io/v1/offline-db/csv
Post Custom Blacklist (v2)
This API creates or updates custom blacklisted IPs using the POST endpoint, returning counters only. Use it to bulk add single IPs or CIDR ranges, attach metadata, and optionally set per-record TTLs. Manual updates can always be managed at Blacklist.
HTTP Request
POST https://api.fraudguard.io/v2/blacklist
Authentication: HTTP Basic Auth (-u "username:password")
Content-Type: application/json
Request Body
An array of objects. Only ip is required. You may send single IPs or CIDR ranges (IPv4). CIDRs are expanded server‑side (with a global cap).
[
{
"ip": "33.204.31.152",
"label": "fraudulent-login",
"tags": ["incident:2025-08-23", "source:siem"],
"ttl_seconds": 604800
},
{ "ip": "8.8.7.0/30",
"label": "test-range"
}
]
Field reference
| Field | Type | Required | Notes |
|---|---|---|---|
ip |
string | yes | IPv4 or IPv4 CIDR (e.g., 8.8.7.0/24). CIDRs are expanded to single IP rows (cap 10,000 per request). |
label |
string | no | Up to 100 chars. Replaces the existing label; omission clears the label on an upsert. |
tags |
array<string> | no | Replaces existing tags. Omission clears tags on an upsert. Max 50 items, each ≤ 64 chars. |
ttl_seconds |
integer | no | Recalculates expires_at = now + ttl_seconds. Omission clears the existing TTL and expiry on an upsert. |
Response
Counters only:
{
"inserted": 257,
"updated": 1,
"errors": 0
}
- inserted — number of new IP rows created after CIDR expansion
- updated — existing IP rows that were updated (label/tags/ttl)
- errors — invalid inputs skipped (e.g., malformed IP/CIDR, private/reserved IPs)
Behavior & Limits
- CIDR expansion: IPv4 only. Expansion is capped at 10,000 addresses per request.
- Private/reserved IPs are skipped (not inserted).
- Whitelist wins: IPs already whitelisted are skipped and do not count as errors.
- Upsert replacement: POST replaces
label,tags, and TTL metadata for existing rows. Omitted metadata is cleared; use PATCH when you intend to preserve fields that are not changing. - Idempotent-friendly: Re-posting the same IPs simply updates metadata and timestamps.
Examples
curl -u "username:password" -X POST "https://api.fraudguard.io/v2/blacklist" \
-H "Content-Type: application/json" \
-d '[
{"ip": "33.204.31.152", "label": "fraudulent-login", "tags": ["incident:2025-08-23","source:siem"], "ttl_seconds": 604800},
{"ip": "8.8.7.0/30", "label": "test-range"}
]'
require 'net/http'
require 'net/https'
require 'json'
def post_ips(server, path, username, password, body)
http = Net::HTTP.new(server, 443)
http.use_ssl = true
req = Net::HTTP::Post.new(path, { 'Content-Type' => 'application/json' })
req.basic_auth username, password
req.body = body.to_json
res = http.request(req)
res.body
end
body = [
{ ip: "33.204.31.152", label: "fraudulent-login", tags: ["incident:2025-08-23","source:siem"], ttl_seconds: 604800 },
{ ip: "8.8.7.0/30", label: "test-range" }
]
puts post_ips('api.fraudguard.io','/v2/blacklist','username','password', body)
import requests
from requests.auth import HTTPBasicAuth
body = [
{"ip":"33.204.31.152","label":"fraudulent-login","tags":["incident:2025-08-23","source:siem"],"ttl_seconds":604800},
{"ip":"8.8.7.0/30","label":"test-range"}
]
r = requests.post('https://api.fraudguard.io/v2/blacklist',
json=body,
auth=HTTPBasicAuth('username', 'password'),
timeout=30)
print(r.text)
const https = require('https');
const data = JSON.stringify([
{"ip":"33.204.31.152","label":"fraudulent-login","tags":["incident:2025-08-23","source:siem"],"ttl_seconds":604800},
{"ip":"8.8.7.0/30","label":"test-range"}
]);
const options = {
hostname: 'api.fraudguard.io',
port: 443,
path: '/v2/blacklist',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': Buffer.byteLength(data),
'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
}
};
const req = https.request(options, (res) => {
let body = '';
res.on('data', (d) => { body += d; });
res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.write(data);
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/blacklist';
$body = json_encode([
["ip"=>"33.204.31.152","label"=>"fraudulent-login","tags"=>["incident:2025-08-23","source:siem"],"ttl_seconds"=>604800],
["ip"=>"8.8.7.0/30","label"=>"test-range"]
]);
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
CURLOPT_USERPWD => "$login:$password",
CURLOPT_POST => 1,
CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
CURLOPT_POSTFIELDS => $body,
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds"; "Content-Type" = "application/json" }
$body = @(
@{ ip = "33.204.31.152"; label = "fraudulent-login"; tags = @("incident:2025-08-23","source:siem"); ttl_seconds = 604800 },
@{ ip = "8.8.7.0/30"; label = "test-range" }
) | ConvertTo-Json
Invoke-RestMethod -Method Post -Uri 'https://api.fraudguard.io/v2/blacklist' -Headers $Headers -Body $body
Notes & Tips
- Prefer breaking very large CIDRs into several requests to stay under the expansion cap.
- If you need to change only metadata later, consider PATCH /v2/blacklist to update
label,tags, orttl_secondswithout resending everything.
Get Custom Blacklist (v2)
Retrieve the authenticated account’s blacklist entries. Results exclude any IPs that are whitelisted (whitelist wins), are ordered by newest first, and support simple pagination.
HTTP Request
GET https://api.fraudguard.io/v2/blacklist?limit={limit}&offset={offset}
Authentication: HTTP Basic Auth (-u "username:password")
Accept: application/json
Query Parameters
| Param | Type | Default | Max | Description |
|---|---|---|---|---|
limit |
integer | 1000 |
1000 |
Number of rows to return. |
offset |
integer | 0 |
— | Skip the first N rows (use for pagination). |
Response
An array of objects. Each row represents one blacklisted IP.
[
{
"id": 12345,
"ip": "203.0.113.10",
"label": "abuse:signup-botwave",
"tags": ["incident:2025-08-22","source:waf"],
"ttl_seconds": 604800,
"expires_at": "2025-09-01T12:34:56Z",
"created_at": "2025-08-23T17:04:05Z",
"updated_at": "2025-08-23T17:04:05Z"
}
]
Field reference
| Field | Type | Notes |
|---|---|---|
id |
integer | Internal id. |
ip |
string | Canonicalized IPv4 string. |
label |
string or null | Optional, short human label. |
tags |
array<string> | Optional tags (may be empty). |
ttl_seconds |
integer or null | Per-record TTL seconds, if set. |
expires_at |
string (ISO-8601) or null | Computed from ttl_seconds when present. |
created_at |
string (ISO-8601) | Row creation time (UTC). |
updated_at |
string (ISO-8601) | Last mutation time (UTC). |
Examples
curl -u "username:password" "https://api.fraudguard.io/v2/blacklist?limit=10&offset=0"
require 'net/http'
require 'net/https'
require 'json'
def get_ips(server, path, username, password)
http = Net::HTTP.new(server, 443)
http.use_ssl = true
req = Net::HTTP::Get.new(path)
req.basic_auth username, password
res = http.request(req)
JSON.parse(res.body)
end
puts JSON.pretty_generate(
get_ips('api.fraudguard.io','/v2/blacklist?limit=10&offset=0','username','password')
)
import requests
from requests.auth import HTTPBasicAuth
r = requests.get('https://api.fraudguard.io/v2/blacklist',
params={'limit': 10, 'offset': 0},
auth=HTTPBasicAuth('username', 'password'),
timeout=30)
print(r.text)
const https = require('https');
const options = {
hostname: 'api.fraudguard.io',
port: 443,
path: '/v2/blacklist?limit=10&offset=0',
method: 'GET',
headers: {
'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
}
};
const req = https.request(options, (res) => {
let body = '';
res.on('data', (d) => { body += d; });
res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/blacklist?limit=10&offset=0';
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
CURLOPT_USERPWD => "$login:$password",
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds" }
Invoke-RestMethod -Method Get -Uri 'https://api.fraudguard.io/v2/blacklist?limit=10&offset=0' -Headers $Headers
Notes & Tips
- Use
limit/offsetto paginate large lists (maxlimitis 1000). - Results are ordered by newest first (
id DESC). - Whitelisted IPs are excluded automatically to reflect effective enforcement.
Patch Custom Blacklist (v2)
Partially update existing blacklist entries. Use PATCH when you only need to change label, tags, or ttl_seconds without resubmitting the entire record set.
HTTP Request
PATCH https://api.fraudguard.io/v2/blacklist
Authentication: HTTP Basic Auth (-u "username:password")
Content-Type: application/json
Request Body
An object with targets and set.
{
"targets": ["8.8.7.0/30","33.204.31.152"],
"set": {
"label": "suspected-abuse",
"tags": ["owner:soc","playbook:auto"],
"ttl_seconds": 259200
}
}
Field reference
| Field | Type | Required | Notes |
|---|---|---|---|
targets |
array<string> | yes | IPs or CIDRs to update. CIDRs are expanded server-side (cap 10,000 per request). |
set.label |
string | no | Replaces existing label if provided (≤100 chars). |
set.tags |
array<string> | no | Replaces existing tags if provided (deduped, capped at 50). |
set.ttl_seconds |
integer | no | Recomputes expires_at = now + ttl_seconds if provided. |
Response
Counters only:
{"updated": 5, "errors": 0}
- updated — existing rows matched and written.
- errors — invalid IPs/CIDRs skipped.
Behavior & Limits
- CIDR expansion: IPv4 only, capped at 10,000 addresses per request.
- Private/reserved IPs are skipped (not updated).
- Whitelist wins: IPs whitelisted are skipped silently.
- Repeat behavior: Repeating a PATCH can still increment
updatedbecause the row's update timestamp is refreshed, even when the supplied metadata is unchanged. - TTL: If
ttl_secondsis provided, recomputed each time; if omitted, TTL/expiry remain unchanged.
Examples
curl -u "username:password" -X PATCH "https://api.fraudguard.io/v2/blacklist" \
-H "Content-Type: application/json" \
-d '{
"targets": ["8.8.7.0/30"],
"set": {
"tags": ["owner:soc", "playbook:auto"],
"ttl_seconds": 259200
}
}'
require 'net/http'
require 'net/https'
require 'json'
def patch_ips(server, path, username, password, body)
http = Net::HTTP.new(server, 443)
http.use_ssl = true
req = Net::HTTP::Patch.new(path, { 'Content-Type' => 'application/json' })
req.basic_auth username, password
req.body = body.to_json
res = http.request(req)
res.body
end
body = {
targets: ["8.8.7.0/30"],
set: { tags: ["owner:soc","playbook:auto"], ttl_seconds: 259200 }
}
puts patch_ips('api.fraudguard.io','/v2/blacklist','username','password', body)
import requests
from requests.auth import HTTPBasicAuth
body = {
"targets": ["8.8.7.0/30"],
"set": { "tags": ["owner:soc","playbook:auto"], "ttl_seconds": 259200 }
}
r = requests.patch('https://api.fraudguard.io/v2/blacklist',
json=body,
auth=HTTPBasicAuth('username','password'),
timeout=30)
print(r.text)
const https = require('https');
const data = JSON.stringify({
targets: ["8.8.7.0/30"],
set: { tags: ["owner:soc","playbook:auto"], ttl_seconds: 259200 }
});
const options = {
hostname: 'api.fraudguard.io',
port: 443,
path: '/v2/blacklist',
method: 'PATCH',
headers: {
'Content-Type': 'application/json',
'Content-Length': Buffer.byteLength(data),
'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
}
};
const req = https.request(options, (res) => {
let body = '';
res.on('data', (d) => { body += d; });
res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.write(data);
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/blacklist';
$body = json_encode([
"targets" => ["8.8.7.0/30"],
"set" => [ "tags" => ["owner:soc","playbook:auto"], "ttl_seconds" => 259200 ]
]);
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
CURLOPT_USERPWD => "$login:$password",
CURLOPT_CUSTOMREQUEST => "PATCH",
CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
CURLOPT_POSTFIELDS => $body,
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds"; "Content-Type" = "application/json" }
$body = @{
targets = @("8.8.7.0/30")
set = @{ tags = @("owner:soc","playbook:auto"); ttl_seconds = 259200 }
} | ConvertTo-Json
Invoke-RestMethod -Method Patch -Uri 'https://api.fraudguard.io/v2/blacklist' -Headers $Headers -Body $body
Notes & Tips
- PATCH is ideal for automation pipelines that need to extend TTLs or attach tags incrementally.
Delete Custom Blacklist (v2)
Bulk remove blacklist entries by IP or CIDR. DELETE expands any CIDRs server‑side, ignores non‑existent rows (no error), and returns counters only.
HTTP Request
DELETE https://api.fraudguard.io/v2/blacklist
Authentication: HTTP Basic Auth (-u "username:password")
Content-Type: application/json
Request Body
An object with targets.
{
"targets": ["33.204.31.152", "8.8.7.0/31"]
}
Field reference
| Field | Type | Required | Notes |
|---|---|---|---|
targets |
array<string> | yes | IPs or CIDRs to delete. CIDRs are expanded server-side (cap 10,000 per request). |
Response
Counters only:
{"deleted": 3, "inserted": 0, "errors": 0}
- deleted — number of rows actually removed.
- inserted — always 0 (included for compatibility with v1 counters).
- errors — invalid inputs skipped (e.g., malformed IP/CIDR).
Behavior & Limits
- CIDR expansion: IPv4 only, capped at 10,000 addresses per request.
- Idempotent-friendly: Repeating the same DELETE calls on already-deleted IPs yields
deleted:0. - Whitelist: Irrelevant for DELETE — rows are removed regardless of whitelist state.
- Non‑existent rows are silently ignored (not counted as errors).
- Private/reserved IPs are skipped during expansion.
Examples
curl -u "username:password" -X DELETE "https://api.fraudguard.io/v2/blacklist" \
-H "Content-Type: application/json" \
-d '{"targets": ["33.204.31.152","8.8.7.0/31"]}'
require 'net/http'
require 'net/https'
require 'json'
def delete_ips(server, path, username, password, body)
http = Net::HTTP.new(server, 443)
http.use_ssl = true
req = Net::HTTP::Delete.new(path, { 'Content-Type' => 'application/json' })
req.basic_auth username, password
req.body = body.to_json
res = http.request(req)
res.body
end
body = { targets: ["33.204.31.152","8.8.7.0/31"] }
puts delete_ips('api.fraudguard.io','/v2/blacklist','username','password', body)
import requests
from requests.auth import HTTPBasicAuth
body = { "targets": ["33.204.31.152","8.8.7.0/31"] }
r = requests.delete('https://api.fraudguard.io/v2/blacklist',
json=body,
auth=HTTPBasicAuth('username','password'),
timeout=30)
print(r.text)
const https = require('https');
const data = JSON.stringify({ targets: ["33.204.31.152","8.8.7.0/31"] });
const options = {
hostname: 'api.fraudguard.io',
port: 443,
path: '/v2/blacklist',
method: 'DELETE',
headers: {
'Content-Type': 'application/json',
'Content-Length': Buffer.byteLength(data),
'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
}
};
const req = https.request(options, (res) => {
let body = '';
res.on('data', (d) => { body += d; });
res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.write(data);
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/blacklist';
$body = json_encode([ "targets" => ["33.204.31.152","8.8.7.0/31"] ]);
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
CURLOPT_USERPWD => "$login:$password",
CURLOPT_CUSTOMREQUEST => "DELETE",
CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
CURLOPT_POSTFIELDS => $body,
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds"; "Content-Type" = "application/json" }
$body = @{ targets = @("33.204.31.152","8.8.7.0/31") } | ConvertTo-Json
Invoke-RestMethod -Method Delete -Uri 'https://api.fraudguard.io/v2/blacklist' -Headers $Headers -Body $body
Post Custom Whitelist (v2)
This API creates or updates custom whitelisted IPs using the POST endpoint, returning counters only. Use it to bulk add single IPs or CIDR ranges, attach metadata, and optionally set per-record TTLs. Manual updates can always be managed at Whitelist.
HTTP Request
POST https://api.fraudguard.io/v2/whitelist
Authentication: HTTP Basic Auth (-u "username:password")
Content-Type: application/json
Request Body
An array of objects. Only ip is required. You may send single IPs or CIDR ranges (IPv4). CIDRs are expanded server‑side (with a global cap).
[
{
"ip": "72.121.15.3",
"label": "vpn-endpoint",
"tags": ["owner:soc"],
"ttl_seconds": 604800
},
{ "ip": "8.8.7.0/30" }
]
Field reference
| Field | Type | Required | Notes |
|---|---|---|---|
ip |
string | yes | IPv4 or IPv4 CIDR (e.g., 8.8.7.0/24). CIDRs are expanded to single IP rows (cap 10,000 per request). |
label |
string | no | Up to 100 chars. Replaces the existing label; omission clears the label on an upsert. |
tags |
array<string> | no | Replaces existing tags. Omission clears tags on an upsert. Max 50 items, each ≤ 64 chars. |
ttl_seconds |
integer | no | Recalculates expires_at = now + ttl_seconds. Omission clears the existing TTL and expiry on an upsert. |
Response
Counters only:
{
"inserted": 5,
"updated": 1,
"errors": 0
}
- inserted — number of new IP rows created after CIDR expansion
- updated — existing IP rows that were updated (label/tags/ttl)
- errors — invalid inputs skipped (e.g., malformed IP/CIDR, private/reserved IPs)
Behavior & Limits
- CIDR expansion: IPv4 only. Expansion is capped at 10,000 addresses per request.
- Private/reserved IPs are skipped (not inserted).
- Whitelist wins: Matching blacklist rows are removed on POST.
- Upsert replacement: POST replaces
label,tags, and TTL metadata for existing rows. Omitted metadata is cleared; use PATCH when you intend to preserve fields that are not changing. - Idempotent-friendly: Re-posting the same IPs simply updates metadata and timestamps.
Examples
curl -u "username:password" -X POST "https://api.fraudguard.io/v2/whitelist" \
-H "Content-Type: application/json" \
-d '[
{"ip": "72.121.15.3", "label": "vpn-endpoint", "tags": ["owner:soc"], "ttl_seconds": 604800},
{"ip": "8.8.7.0/30"}
]'
require 'net/http'
require 'net/https'
require 'json'
def post_ips(server, path, username, password, body)
http = Net::HTTP.new(server, 443)
http.use_ssl = true
req = Net::HTTP::Post.new(path, { 'Content-Type' => 'application/json' })
req.basic_auth username, password
req.body = body.to_json
res = http.request(req)
res.body
end
body = [
{ ip: "72.121.15.3", label: "vpn-endpoint", tags: ["owner:soc"], ttl_seconds: 604800 },
{ ip: "8.8.7.0/30" }
]
puts post_ips('api.fraudguard.io','/v2/whitelist','username','password', body)
import requests
from requests.auth import HTTPBasicAuth
body = [
{"ip":"72.121.15.3","label":"vpn-endpoint","tags":["owner:soc"],"ttl_seconds":604800},
{"ip":"8.8.7.0/30"}
]
r = requests.post('https://api.fraudguard.io/v2/whitelist',
json=body,
auth=HTTPBasicAuth('username', 'password'),
timeout=30)
print(r.text)
const https = require('https');
const data = JSON.stringify([
{"ip":"72.121.15.3","label":"vpn-endpoint","tags":["owner:soc"],"ttl_seconds":604800},
{"ip":"8.8.7.0/30"}
]);
const options = {
hostname: 'api.fraudguard.io',
port: 443,
path: '/v2/whitelist',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': Buffer.byteLength(data),
'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
}
};
const req = https.request(options, (res) => {
let body = '';
res.on('data', (d) => { body += d; });
res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.write(data);
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/whitelist';
$body = json_encode([
["ip"=>"72.121.15.3","label"=>"vpn-endpoint","tags"=>["owner:soc"],"ttl_seconds"=>604800],
["ip"=>"8.8.7.0/30"]
]);
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
CURLOPT_USERPWD => "$login:$password",
CURLOPT_POST => 1,
CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
CURLOPT_POSTFIELDS => $body,
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds"; "Content-Type" = "application/json" }
$body = @(
@{ ip = "72.121.15.3"; label = "vpn-endpoint"; tags = @("owner:soc"); ttl_seconds = 604800 },
@{ ip = "8.8.7.0/30" }
) | ConvertTo-Json
Invoke-RestMethod -Method Post -Uri 'https://api.fraudguard.io/v2/whitelist' -Headers $Headers -Body $body
Get Custom Whitelist (v2)
Retrieve the authenticated account’s whitelist entries. Results are ordered by newest first and support simple pagination.
HTTP Request
GET https://api.fraudguard.io/v2/whitelist?limit={limit}&offset={offset}
Authentication: HTTP Basic Auth (-u "username:password")
Accept: application/json
Query Parameters
| Param | Type | Default | Max | Description |
|---|---|---|---|---|
limit |
integer | 1000 |
1000 |
Number of rows to return. |
offset |
integer | 0 |
— | Skip the first N rows (use for pagination). |
Ordering: Results are returned by id DESC (newest first).
Response
An array of objects. Each row represents one whitelisted IP.
[
{
"id": 45678,
"ip": "72.121.15.3",
"label": "vpn-endpoint",
"tags": ["owner:soc"],
"ttl_seconds": 604800,
"expires_at": "2025-09-01T12:34:56Z",
"created_at": "2025-08-23T17:04:05Z",
"updated_at": "2025-08-23T17:04:05Z"
}
]
Field reference
| Field | Type | Notes |
|---|---|---|
id |
integer | Internal row id. |
ip |
string | Canonicalized IPv4 string. |
label |
string or null | Optional, short human label. |
tags |
array<string> | Optional tags (may be empty). Old rows without tags are returned as []. |
ttl_seconds |
integer or null | Per-record TTL seconds, if set. |
expires_at |
string (ISO-8601) or null | Computed from ttl_seconds when present. |
created_at |
string (ISO-8601) | Row creation time (UTC). |
updated_at |
string (ISO-8601) | Last mutation time (UTC). |
Examples
curl -u "username:password" "https://api.fraudguard.io/v2/whitelist?limit=10&offset=0"
require 'net/http'
require 'net/https'
require 'json'
def get_ips(server, path, username, password)
http = Net::HTTP.new(server, 443)
http.use_ssl = true
req = Net::HTTP::Get.new(path)
req.basic_auth username, password
res = http.request(req)
JSON.parse(res.body)
end
puts JSON.pretty_generate(
get_ips('api.fraudguard.io','/v2/whitelist?limit=10&offset=0','username','password')
)
import requests
from requests.auth import HTTPBasicAuth
r = requests.get('https://api.fraudguard.io/v2/whitelist',
params={'limit': 10, 'offset': 0},
auth=HTTPBasicAuth('username', 'password'),
timeout=30)
print(r.text)
const https = require('https');
const options = {
hostname: 'api.fraudguard.io',
port: 443,
path: '/v2/whitelist?limit=10&offset=0',
method: 'GET',
headers: {
'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
}
};
const req = https.request(options, (res) => {
let body = '';
res.on('data', (d) => { body += d; });
res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/whitelist?limit=10&offset=0';
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
CURLOPT_USERPWD => "$login:$password",
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds" }
Invoke-RestMethod -Method Get -Uri 'https://api.fraudguard.io/v2/whitelist?limit=10&offset=0' -Headers $Headers
Patch Custom Whitelist (v2)
Partially update existing whitelist entries. Use PATCH when you only need to change label, tags, or ttl_seconds without resubmitting the entire record set. PATCH does not touch blacklist state.
HTTP Request
PATCH https://api.fraudguard.io/v2/whitelist
Authentication: HTTP Basic Auth (-u "username:password")
Content-Type: application/json
Request Body
An object with targets and set.
{
"targets": ["8.8.7.0/30","72.121.15.3"],
"set": {
"label": "trusted-source",
"tags": ["owner:soc","customer-allow"],
"ttl_seconds": 259200
}
}
Field reference
| Field | Type | Required | Notes |
|---|---|---|---|
targets |
array<string> | yes | IPs or CIDRs to update. CIDRs are expanded server-side (cap 10,000 per request). |
set.label |
string | no | Replaces existing label if provided (≤100 chars). |
set.tags |
array<string> | no | Replaces existing tags if provided (deduped, capped at 50). |
set.ttl_seconds |
integer | no | Recomputes expires_at = now + ttl_seconds if provided. |
Response
Counters only:
{"updated": 5, "errors": 0}
- updated — existing rows matched and written.
- errors — invalid IPs/CIDRs skipped.
Behavior & Limits
- CIDR expansion: IPv4 only, capped at 10,000 addresses per request.
- Private/reserved IPs are skipped (not updated).
- Repeat behavior: Repeating a PATCH can still increment
updatedbecause the row's update timestamp is refreshed, even when the supplied metadata is unchanged. - TTL: If
ttl_secondsis provided, recomputed each time; if omitted, TTL/expiry remain unchanged.
Examples
curl -u "username:password" -X PATCH "https://api.fraudguard.io/v2/whitelist" \
-H "Content-Type: application/json" \
-d '{
"targets": ["8.8.7.0/30"],
"set": {
"tags": ["owner:soc", "customer-allow"],
"ttl_seconds": 259200
}
}'
require 'net/http'
require 'net/https'
require 'json'
def patch_ips(server, path, username, password, body)
http = Net::HTTP.new(server, 443)
http.use_ssl = true
req = Net::HTTP::Patch.new(path, { 'Content-Type' => 'application/json' })
req.basic_auth username, password
req.body = body.to_json
res = http.request(req)
res.body
end
body = {
targets: ["8.8.7.0/30"],
set: { tags: ["owner:soc","customer-allow"], ttl_seconds: 259200 }
}
puts patch_ips('api.fraudguard.io','/v2/whitelist','username','password', body)
import requests
from requests.auth import HTTPBasicAuth
body = {
"targets": ["8.8.7.0/30"],
"set": { "tags": ["owner:soc","customer-allow"], "ttl_seconds": 259200 }
}
r = requests.patch('https://api.fraudguard.io/v2/whitelist',
json=body,
auth=HTTPBasicAuth('username','password'),
timeout=30)
print(r.text)
const https = require('https');
const data = JSON.stringify({
targets: ["8.8.7.0/30"],
set: { tags: ["owner:soc","customer-allow"], ttl_seconds: 259200 }
});
const options = {
hostname: 'api.fraudguard.io',
port: 443,
path: '/v2/whitelist',
method: 'PATCH',
headers: {
'Content-Type': 'application/json',
'Content-Length': Buffer.byteLength(data),
'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
}
};
const req = https.request(options, (res) => {
let body = '';
res.on('data', (d) => { body += d; });
res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.write(data);
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/whitelist';
$body = json_encode([
"targets" => ["8.8.7.0/30"],
"set" => [ "tags" => ["owner:soc","customer-allow"], "ttl_seconds" => 259200 ]
]);
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
CURLOPT_USERPWD => "$login:$password",
CURLOPT_CUSTOMREQUEST => "PATCH",
CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
CURLOPT_POSTFIELDS => $body,
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds"; "Content-Type" = "application/json" }
$body = @{
targets = @("8.8.7.0/30")
set = @{ tags = @("owner:soc","customer-allow"); ttl_seconds = 259200 }
} | ConvertTo-Json
Invoke-RestMethod -Method Patch -Uri 'https://api.fraudguard.io/v2/whitelist' -Headers $Headers -Body $body
Delete Custom Whitelist (v2)
Bulk remove whitelist entries by IP or CIDR. DELETE expands any CIDRs server‑side, ignores non‑existent rows (no error), and returns counters only.
HTTP Request
DELETE https://api.fraudguard.io/v2/whitelist
Authentication: HTTP Basic Auth (-u "username:password")
Content-Type: application/json
Request Body
An object with targets.
{
"targets": ["72.121.15.3", "8.8.7.0/31"]
}
Field reference
| Field | Type | Required | Notes |
|---|---|---|---|
targets |
array<string> | yes | IPs or CIDRs to delete. CIDRs are expanded server-side (cap 10,000 per request). |
Response
Counters only:
{"deleted": 3, "inserted": 0, "errors": 0}
- deleted — number of rows actually removed.
- inserted — always 0 (included for compatibility with v1 counters).
- errors — invalid inputs skipped (e.g., malformed IP/CIDR).
Behavior & Limits
- CIDR expansion: IPv4 only, capped at 10,000 addresses per request.
- Idempotent-friendly: Repeating the same DELETE calls on already-deleted IPs yields
deleted:0. - Non‑existent rows are silently ignored (not counted as errors).
- Private/reserved IPs are skipped during expansion.
Examples
curl -u "username:password" -X DELETE "https://api.fraudguard.io/v2/whitelist" \
-H "Content-Type: application/json" \
-d '{"targets": ["72.121.15.3","8.8.7.0/31"]}'
require 'net/http'
require 'net/https'
require 'json'
def delete_ips(server, path, username, password, body)
http = Net::HTTP.new(server, 443)
http.use_ssl = true
req = Net::HTTP::Delete.new(path, { 'Content-Type' => 'application/json' })
req.basic_auth username, password
req.body = body.to_json
res = http.request(req)
res.body
end
body = { targets: ["72.121.15.3","8.8.7.0/31"] }
puts delete_ips('api.fraudguard.io','/v2/whitelist','username','password', body)
import requests
from requests.auth import HTTPBasicAuth
body = { "targets": ["72.121.15.3","8.8.7.0/31"] }
r = requests.delete('https://api.fraudguard.io/v2/whitelist',
json=body,
auth=HTTPBasicAuth('username','password'),
timeout=30)
print(r.text)
const https = require('https');
const data = JSON.stringify({ targets: ["72.121.15.3","8.8.7.0/31"] });
const options = {
hostname: 'api.fraudguard.io',
port: 443,
path: '/v2/whitelist',
method: 'DELETE',
headers: {
'Content-Type': 'application/json',
'Content-Length': Buffer.byteLength(data),
'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64')
}
};
const req = https.request(options, (res) => {
let body = '';
res.on('data', (d) => { body += d; });
res.on('end', () => { console.log(body); });
});
req.on('error', (e) => { console.error(e); });
req.write(data);
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/v2/whitelist';
$body = json_encode([ "targets" => ["72.121.15.3","8.8.7.0/31"] ]);
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
CURLOPT_USERPWD => "$login:$password",
CURLOPT_CUSTOMREQUEST => "DELETE",
CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
CURLOPT_POSTFIELDS => $body,
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $encodedCreds"; "Content-Type" = "application/json" }
$body = @{ targets = @("72.121.15.3","8.8.7.0/31") } | ConvertTo-Json
Invoke-RestMethod -Method Delete -Uri 'https://api.fraudguard.io/v2/whitelist' -Headers $Headers -Body $body
Random ACE IP
This endpoint supports quick troubleshooting and validation by returning one random IP from the FraudGuard ACE dataset. You may filter by one risk level, one exact threat classification, both, or neither.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/v1/random-ip?risk=5&threat=botnet_tracker"
require 'net/http'
require 'net/https'
def get_ip(server,path,username,password)
http = Net::HTTP.new(server,443)
req = Net::HTTP::Get.new(path)
http.use_ssl = true
req.basic_auth username, password
response = http.request(req)
return response.body
end
puts get_ip('api.fraudguard.io','/api/v1/random-ip?risk=5&threat=botnet_tracker','username','password')
import requests
from requests.auth import HTTPBasicAuth
ip=requests.get('https://api.fraudguard.io/api/v1/random-ip?risk=5&threat=botnet_tracker', verify=True, auth=HTTPBasicAuth('username', 'password'))
print (ip.text)
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/v1/random-ip?risk=5&threat=botnet_tracker',
headers: {
'Authorization': 'Basic ' + new Buffer(username + ':' + password).toString('base64')
}
};
request = https.get(options, function(res){
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
})
res.on('error', function(e) {
console.log("Got error: " + e.message);
});
});
}
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/v1/random-ip?risk=5&threat=botnet_tracker';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v1/random-ip?risk=5&threat=botnet_tracker' -Headers $Headers
Example response:
{
"ip": "192.35.53.235",
"risk": "5",
"threat": "botnet_tracker"
}
HTTP Request
GET https://api.fraudguard.io/api/v1/random-ip?risk=5&threat=botnet_tracker
Query Parameters
| Parameter | Description |
|---|---|
| Threat Type (threat) | Optional single legacy threat classification, such as botnet_tracker. Comma-separated values are not supported. |
| Risk Level (risk) | Optional single risk level from 1 (lowest) to 5 (highest). Comma-separated values are not supported. |
ip is a response field, not a request parameter.
Geo Threat API
Returns nearby attacker intelligence for one IP using geographic, ASN, ISP, and organization context. Candidate results are limited to the same country, risk 2 or higher, and the requested geographic area.
GeoThreat leverages the same geographic, ASN, and threat data that powers our IP reputation APIs, but focuses specifically on nearby attackers within a configurable radius.
Response Fields
At the top level, the response mirrors our IP Reputation v2 API with geographic and organizational data for the queried IP:
isocode: The two-letter country code representing the country associated with the IP address. Example:"BR"for Brazil.country: The full name of the country where the IP address is located. Example:"Brazil".state_code: The abbreviated code for the state or region within the country. Example:"SP"for São Paulo.state: The full name of the state or region corresponding to thestate_code. Example:"São Paulo".city: The city associated with the IP address. Example:"Carapicuíba".postal_code: The postal or ZIP code for the location. Example:"06300".latitude: The geographic latitude of the IP address's location. Example:-23.5257.longitude: The geographic longitude of the IP address's location. Example:-46.8288.timezone: The time zone identifier for the location. Example:"America/Sao_Paulo".connection_type: The type of internet connection used. Possible values include:"Corporate","Cable/DSL","Mobile". Example:"Cable/DSL".asn: The Autonomous System Number associated with the IP address. Example:27699.asn_organization: The organization that owns the ASN. Example:"TELEFONICA BRASIL S.A".isp: The Internet Service Provider providing connectivity for the IP address. Example:"Vivo".organization: The specific organization associated with the IP address, which may differ from the ISP. Example:"Vivo".discover_date: The date and time when the IP address was first identified or observed, formatted as"YYYY-MM-DD HH:MM:SS". Example:"2025-12-03 04:40:32".threat: The primary threat classification for the queried IP, as determined by FraudGuard.io’s Attack Correlation Engine (ACE). Example:"unknown".risk_level: A numeric value (1–5) representing the assessed threat level of the IP address, as determined by ACE. Example:"1".
In addition, the response contains a nested geo_threat object, which describes the nearby attackers:
geo_threat.query_ip: The IP address that was queried. Example:"187.34.26.2".geo_threat.radius_km: The search radius in kilometers used for this query. Example:100.geo_threat.page: The current page of the paginated results. Example:1.geo_threat.limit: The number of attacker records returned per page. Example:2.geo_threat.total_attackers: Count of same-country, risk-2+candidates inside the preliminary latitude/longitude bounding box. This count is not filtered by exact Haversine distance and can therefore be higher than the number actually insideradius_km. Example:2430.geo_threat.results: An array of nearby attacker records. Each object in this array represents a single attacker IP with similar fields above plus:distance_km: The distance in kilometers between the queried IP and the attacker IP, computed from latitude/longitude. Example:"22.85584792284798".
geo_threat.results applies the exact distance filter and orders matching rows by:
- Same ISP as the queried IP
- Same ASN
- Same city
- Higher risk
- Shorter
distance_km - More recent
updated_at
curl -X GET -u "username:password" "https://api.fraudguard.io/api/v1/geo-threat/187.34.26.2?radius_km=100&page=1&limit=2"
require 'net/http'
require 'net/https'
def get_geo_threat(server, path, username, password)
http = Net::HTTP.new(server, 443)
http.use_ssl = true
req = Net::HTTP::Get.new(path)
req.basic_auth username, password
response = http.request(req)
response.body
end
puts get_geo_threat(
'api.fraudguard.io',
'/api/v1/geo-threat/187.34.26.2?radius_km=100&page=1&limit=2',
'username',
'password'
)
import requests
from requests.auth import HTTPBasicAuth
response = requests.get(
'https://api.fraudguard.io/api/v1/geo-threat/187.34.26.2',
params={
'radius_km': 100,
'page': 1,
'limit': 2,
},
verify=True,
auth=HTTPBasicAuth('username', 'password')
)
print(response.text)
var username = 'username';
var password = 'password';
var auth = 'Basic ' + Buffer.from(username + ':' + password).toString('base64');
const https = require('https');
var options = {
host: 'api.fraudguard.io',
port: 443,
path: '/api/v1/geo-threat/187.34.26.2?radius_km=100&page=1&limit=2',
method: 'GET',
headers: {
'Authorization': auth
}
};
var req = https.request(options, function(res) {
var body = "";
res.on('data', function(data) {
body += data;
});
res.on('end', function() {
console.log(body);
});
});
req.on('error', function(e) {
console.error(e);
});
req.end();
<?php
$login = 'username';
$password = 'password';
$url = 'https://api.fraudguard.io/api/v1/geo-threat/187.34.26.2?radius_km=100&page=1&limit=2';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
}
Invoke-WebRequest -Uri 'https://api.fraudguard.io/api/v1/geo-threat/187.34.26.2?radius_km=100&page=1&limit=2' -Headers $Headers
Example response:
{
"isocode": "BR",
"country": "Brazil",
"state_code": "SP",
"state": "São Paulo",
"city": "Carapicuíba",
"postal_code": "06300",
"latitude": -23.5257,
"longitude": -46.8288,
"timezone": "America/Sao_Paulo",
"connection_type": "Cable/DSL",
"asn": 27699,
"asn_organization": "TELEFONICA BRASIL S.A",
"isp": "Vivo",
"organization": "Vivo",
"discover_date": "2025-12-03 04:40:32",
"threat": "unknown",
"risk_level": "1",
"geo_threat": {
"query_ip": "187.34.26.2",
"radius_km": 100,
"page": 1,
"limit": 2,
"total_attackers": 2430,
"results": [
{
"ip": "177.139.130.157",
"threat": "anonymous_tracker",
"risk": "3",
"asn": "27699",
"asn_organization": "TELEFONICA BRASIL S.A",
"isp": "Vivo",
"organization": "Vivo",
"isocode": "BR",
"country": "Brazil",
"state": "São Paulo",
"city": "São Paulo",
"latitude": "-23.629300",
"longitude": "-46.635100",
"connection_type": "Corporate",
"updated_at": "2025-12-03 04:19:18",
"distance_km": "22.85584792284798"
},
{
"ip": "179.111.216.102",
"threat": "anonymous_tracker",
"risk": "3",
"asn": "27699",
"asn_organization": "TELEFONICA BRASIL S.A",
"isp": "Vivo",
"organization": "Vivo",
"isocode": "BR",
"country": "Brazil",
"state": "São Paulo",
"city": "São Paulo",
"latitude": "-23.629300",
"longitude": "-46.635100",
"connection_type": "Cable/DSL",
"updated_at": "2025-12-03 03:56:40",
"distance_km": "22.85584792284798"
}
]
}
}
HTTP Request
GET https://api.fraudguard.io/api/v1/geo-threat/187.34.26.2?radius_km=100&page=1&limit=2
URL and Query Parameters
| Parameter | Type | Default | Accepted values | Description |
|---|---|---|---|---|
| IP (ip) | string | — | Valid IPv4 or IPv6 address | Address supplied in the URL path. |
| radius_km | integer | 100 |
1–500 |
Exact result radius in kilometers. An out-of-range value uses the default. |
| page | integer | 1 |
1 or greater |
One-based result page. Values below 1 use the default. |
| limit | integer | 25 |
1–100 |
Results per page. An out-of-range value uses the default. |
If the queried IP has no usable latitude and longitude, geo_threat.results is empty and the radius, page, and limit fields are returned as null.
IP Dispute Manager API
IP Dispute Manager provides a structured workflow for handling blocked IP disputes. Use these endpoints to generate a public dispute link, review submissions, and apply an allowlist, blocklist, or dismiss decision with full IP context.
Get Dispute Form Link
Returns the unique, BotGuard-protected public dispute URL for your account. This link is designed to be shared on WAF 403 pages, support flows, or "access denied" screens so users can request an exception.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/ip-dispute/form"
{
"public_id": "dispute_example_id",
"public_url": "https://api.fraudguard.io/ip-dispute-form?id=dispute_example_id",
"customer_id": "12345",
"customer_email": "security-team@example.com",
"created_at": "2026-02-03 21:22:41",
"updated_at": "2026-02-03 21:22:41"
}
The response contains account information and a public form identifier. Return it only to authorized backend or administrative callers, and do not log the full response.
HTTP Request
GET https://api.fraudguard.io/api/ip-dispute/form
URL Parameters
None.
List IP Disputes
Returns a list of disputes for the authenticated customer. Use filters to review pending items or audit past decisions.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/ip-disputes?status=pending&limit=100&offset=0"
[
{
"id": 101,
"ip": "203.0.113.14",
"submitter_name": "Jane Doe",
"submitter_email": "jane@example.com",
"status": "pending",
"created_at": "2026-02-03 20:41:12",
"decision_at": null
}
]
HTTP Request
GET https://api.fraudguard.io/api/ip-disputes
Query Parameters
| Parameter | Description |
|---|---|
| status | Optional. Filter by pending, allowlisted, blocklisted, or dismissed. |
| limit | Optional. Max results to return (1-500). Default 100. |
| offset | Optional. Pagination offset. Default 0. |
Get IP Dispute by ID
Fetch a single dispute with the full IP reputation snapshot captured at submission time. The ip_context field mirrors the v5 IP reputation response so you can review risk, threat, ASN/ISP, geo, and list membership.
curl -X GET -u "username:password" "https://api.fraudguard.io/api/ip-disputes/101"
{
"id": "117",
"fg_user_id": "1142",
"public_id": "H3xkL9qZ0pB7nM4tR2sV8wQ1",
"ip": "203.0.113.14",
"submitter_name": "Jane Doe",
"submitter_email": "jane@example.com",
"customer_email": "customer@example.com",
"status": "allowlisted",
"decision_notes": "Verified customer traffic",
"decision_by": "customer_username",
"decision_at": "2026-02-03 21:12:45",
"list_action": "allowlist",
"ip_context_json": "{\"isocode\":\"US\",\"country\":\"United States\",\"state_code\":\"FL\",\"state\":\"Florida\",\"city\":\"Brooksville\",\"postal_code\":\"34601\",\"latitude\":28.5651,\"longitude\":-82.3755,\"timezone\":\"America/New_York\",\"connection_type\":\"Cable/DSL\",\"asn\":33363,\"asn_organization\":\"BHN-33363\",\"isp\":\"Spectrum\",\"organization\":\"Spectrum\",\"ip_in_whitelist\":\"false\",\"ip_in_blacklist\":\"false\",\"ip_in_geoblock\":\"false\",\"discover_date\":\"2026-02-03 21:06:40\",\"threat\":\"unknown\",\"risk_level\":\"1\"}",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"referrer": "https://api.fraudguard.io/ip-dispute-form?id=H3xkL9qZ0pB7nM4tR2sV8wQ1",
"customer_notified_status": "sent",
"customer_notified_at": "2026-02-03 21:06:40",
"customer_notified_error": null,
"created_at": "2026-02-03 21:06:40",
"updated_at": "2026-02-03 21:12:45",
"ip_context": {
"isocode": "US",
"country": "United States",
"state_code": "FL",
"state": "Florida",
"city": "Brooksville",
"postal_code": "34601",
"latitude": 28.5651,
"longitude": -82.3755,
"timezone": "America/New_York",
"connection_type": "Cable/DSL",
"asn": 33363,
"asn_organization": "BHN-33363",
"isp": "Spectrum",
"organization": "Spectrum",
"ip_in_whitelist": "false",
"ip_in_blacklist": "false",
"ip_in_geoblock": "false",
"discover_date": "2026-02-03 21:06:40",
"threat": "unknown",
"risk_level": "1"
}
}
HTTP Request
GET https://api.fraudguard.io/api/ip-disputes/{id}
URL Parameters
| Parameter | Description |
|---|---|
| id | The dispute ID. |
Decide IP Dispute (Allowlist, Blocklist, or Dismiss)
Submit a decision for a dispute. Decisions update your custom lists automatically.
Send parameters as form-encoded data (application/x-www-form-urlencoded).
- allow: adds the IP to your custom allowlist and removes it from the blacklist if present
- block: adds the IP to your custom blacklist and removes it from the allowlist if present
- dismiss: records the decision without changing list membership
curl -X POST -u "username:password" \
-d "action=allow¬es=Verified customer traffic" \
"https://api.fraudguard.io/api/ip-disputes/101/decision"
{
"id": 101,
"status": "allowlisted",
"list_action": "allowlist"
}
HTTP Request
POST https://api.fraudguard.io/api/ip-disputes/{id}/decision
POST Parameters
| Parameter | Description |
|---|---|
| action | Required. allow, block, or dismiss. |
| notes | Optional. Decision notes for internal tracking. |
Send these fields as application/x-www-form-urlencoded and URL-encode each value. Never concatenate untrusted notes directly into a form body.
BotGuard API (Human Verification)
BotGuard is FraudGuard's human-verification layer. It adds a mobile challenge to help deter automated browsers and abusive workflows on sensitive routes such as login, signup, password reset, checkout, account changes, contact forms, and high-cost API operations. Treat it as one control in a layered abuse-prevention strategy, not proof that all automation has been stopped.
At a high level:
- Your page loads the BotGuard JavaScript.
- You attach BotGuard to a form or action.
- When a human completes the challenge, BotGuard produces a
botguard_token. - Your server verifies the token using the BotGuard Verify API.
- If valid, you proceed with your protected business logic.
Client-Side Integration
Load the BotGuard client:
<script src="https://api.fraudguard.io/js/botguard.js?v=1"></script>
Create an instance and attach it to a form. BotGuard will intercept the submit, run a verification flow, and then populate a hidden form field named botguard_token before allowing the POST to continue.
<form id="myProtectedForm" method="POST" action="">
<input type="hidden" name="botguard_token" id="botguard_token" value="" />
<button type="submit">Continue</button>
</form>
<script>
var bg = BotGuard.create({
apiBase: "https://api.fraudguard.io"
});
bg.attachToForm({
formSelector: "#myProtectedForm"
});
</script>
What the client produces
After a successful human verification, BotGuard provides:
botguard_token: A token representing a successful challenge completion.
Your backend must verify this token before doing anything protected. The current API does not consume a token after successful verification; tokens and session tokens remain reusable until their returned expires_at time. Do not use client-side challenge state as authorization.
Hosted Client Session and QR Behavior
The hosted client stores the returned session token in browser localStorage under botguard_session. On later form submissions, it sends that session token to FraudGuard's session-verification endpoint; a valid session can skip a new challenge, but your server must still verify the resulting botguard_token before processing the form.
The hosted client currently renders the desktop QR code through api.qrserver.com. The complete BotGuard mobile challenge URL, including its challenge identifier, is sent to that third-party QR service. Disclose this transfer in your privacy notice and confirm that it meets your security, privacy, and vendor-review requirements before deployment.
Verify a BotGuard Token
Use this endpoint from your backend to validate a botguard_token.
HTTP Request
GET https://api.fraudguard.io/botguard/token/verify?token=<TOKEN>
Query Parameters
| Parameter | Description |
|---|---|
| token | The botguard_token produced by the BotGuard JS client. |
Authentication
This endpoint uses HTTP Basic Authentication with your FraudGuard API credentials. Call it only from your backend; never expose those credentials in browser code.
Example
curl -u "username:password" \
"https://api.fraudguard.io/botguard/token/verify?token=YOUR_BOTGUARD_TOKEN"
Success Response
{
"valid": true,
"token": "bg_...",
"session_token": "bg_sess_...",
"expires_at": "YYYY-MM-DD HH:MM:SS"
}
Failure Response
{
"valid": false,
"error": "expired"
}
An unknown or missing token returns {"valid":false}. An expired token also includes "error":"expired".
Required Backend Behavior
- If the form token is missing, return
403from your application. - If FraudGuard returns
valid: false, return403from your application and prompt for a new challenge. - If
validistrue: proceed with the protected workflow. - Fail closed if the verification request times out or returns an unexpected response.
The 403 status above is the status your protected application should return. It is separate from the HTTP status returned by the FraudGuard verification endpoint.
Backend Integration Pattern
This is the recommended flow BotGuard is designed for:
- Your public page renders a normal HTML form.
- BotGuard JS attaches to the form and injects
botguard_tokenon successful verification. - Your server checks the token on POST and blocks requests without it.
- Your server verifies the token using the Verify API.
- You run your actual protected code only after BotGuard verification passes.
Session Trust
The hosted client persists session_token in localStorage; the BotGuard API does not set a cookie. The first successful session-verification call can extend the associated expires_at value to as much as 72 hours, and later valid checks reuse that session token until it expires.
If you build a server-managed session instead, store trust in a Secure, HttpOnly cookie with an appropriate SameSite policy, a narrow Path, and an expiry no later than the returned expires_at. A custom client is required if you do not want the hosted script to use localStorage.
Token and Privacy Hygiene
BotGuard verification values are sent in GET query strings, including token, session_token, and challenge_id. Redact the entire query string from application, reverse-proxy, CDN, WAF, APM, analytics, and support logs. Do not log verification responses because they can contain both the challenge token and reusable session token.
BotGuard processes challenge identifiers, tokens, session state, and the source IP associated with a challenge. Keep your privacy notice and retention controls aligned with your use of the service.
Common Integration Notes
- Keep BotGuard server-side verification mandatory: client-side verification alone is not sufficient.
- Protect the most abused routes: login, signup, password reset, checkout, coupon redemption, contact forms, and high-cost API endpoints.
- Token lifetime: honor the returned
expires_at; if validation fails, prompt the user to run a new challenge. - Rate limits: BotGuard endpoints use the limits assigned to your account. Handle
429responses as described in Errors.
Troubleshooting
- 403 “verification required”: your form POST is missing
botguard_token. - 403 “invalid or expired token”: the token is unknown, expired, missing, or malformed.
- Token present but always invalid: confirm your backend is verifying with the correct credentials and that the server can reach
api.fraudguard.io. - Token present but verification still fails: ensure your server reads the token from the POST body field named
botguard_token.
Rotating Proxy (RRP) Detection API
The Rotating Proxy (RRP) Detection API identifies browser sessions whose source IP changes repeatedly while a browser fingerprint remains stable. This pattern can be consistent with rotating proxies used for scraping, credential attacks, account abuse, or rate-limit evasion, but it can also occur during legitimate network changes.
Use RRP as a risk signal for step-up verification or review. Do not hard-block solely on an RRP result without accounting for mobile roaming, carrier-grade NAT, VPN transitions, and normal network switching.
The RRP Detection system consists of:
- A lightweight JavaScript snippet embedded on customer pages
- A secure ingestion endpoint
- Event retrieval endpoints for reporting and automation
Plan Availability
| Plan | Availability |
|---|---|
| Starter | Not included |
| Professional | Included |
| Business | Included |
| Enterprise | Included |
JavaScript Integration
Customers must embed the FraudGuard RRP detection script on protected pages.
<script src="https://api.fraudguard.io/js/fg-rrp.js?key=YOUR_PUBLIC_KEY"></script>
Replace YOUR_PUBLIC_KEY with the public site key generated in your FraudGuard dashboard. This key is intentionally browser-visible and identifies the active RRP site configuration; it is not a substitute for the Basic Auth credentials used by the reporting endpoints.
The script sends initial detection pings, then heartbeat samples while the page remains visible for up to 180 seconds. It emits a browser event named fg:rrp_detected when the API confirms rotation.
Telemetry and Client Storage
The hosted script:
- Persists
fg_rrp_client_idinlocalStorageuntil site data is cleared and writes the same value to aSameSite=Laxcookie with a one-yearMax-Age. - Creates a new
page_load_idfor each page load. - Hashes a fingerprint derived from user agent, platform, languages, timezone, screen dimensions and color depth, hardware concurrency, device memory, and the browser automation flag.
- Sends the hashed fingerprint, persistent client ID, page-load ID, sampling metadata, and client timestamp to FraudGuard. FraudGuard also derives and stores the request's source IP and user agent.
IP addresses, persistent identifiers, user agents, and browser/device characteristics can be personal data. Limit the script to workflows where this signal is needed, disclose the collection and client-side persistence, and apply your consent, retention, access-control, and deletion requirements.
RRP Ping Endpoint
This browser-facing endpoint is used by the embedded JavaScript snippet to report session observations. Most integrations should let the hosted script call it.
HTTP Request
POST https://api.fraudguard.io/api/rrp/ping
Authentication and Headers
| Header | Required | Description |
|---|---|---|
| X-FG-KEY | Yes | Public RRP site key. The hosted script reads it from its own ?key= parameter and sends it in this header. |
| Content-Type | Yes | Must be application/json. |
Request Body
{
"client_id": "string",
"page_load_id": "string",
"fingerprint_hash": "string",
"t_submit_ms": 1771480000000,
"sampling": false,
"sample_phase": "detect"
}
Field Descriptions
| Field | Required | Type | Description |
|---|---|---|---|
| client_id | Yes | string | Persistent client identifier generated by the hosted script. |
| page_load_id | Yes | string | Identifier generated for the current page load. Rotation is evaluated within this page-load scope. |
| fingerprint_hash | Yes | string | SHA-256 browser-fingerprint hash generated by the hosted script. |
| t_submit_ms | No | integer | Client submission time as Unix epoch milliseconds from Date.now(). Server observation time, not this value, determines the detection window. |
| sampling | No | boolean | false for initial detection pings and true for heartbeat or post-detection sampling. |
| sample_phase | No | string | Hosted-client phase: detect, heartbeat, or harvest. |
| event_id | No | integer | Existing event identifier attached by the hosted client to harvest pings after detection. |
Response Example
{
"rotation_detected": true,
"confidence": 90,
"distinct_ips_window": 3,
"window_seconds": 120,
"event_id": 4812,
"reasons": [
"rrp_3plus_ips_window",
"fingerprint_stable"
]
}
Response Fields
| Field | Type | Description |
|---|---|---|
| rotation_detected | boolean | true only when at least three distinct source IPs are observed with one stable fingerprint in the current window. |
| confidence | integer | Detection confidence from 0 to 100 for the current window. |
| distinct_ips_window | integer | Distinct source IPs observed for the same customer, client, and page load during the window. |
| window_seconds | integer | Detection lookback window; currently 120. |
| event_id | integer | RRP event record identifier. An event record is created even when rotation is not detected. |
| reasons | array | Machine-readable reasons for the current result. |
| Reason | Meaning |
|---|---|
| rrp_3plus_ips_window | At least three distinct source IPs were observed in the window. |
| rrp_4plus_ips_window | At least four distinct source IPs were observed in the window. |
| rrp_5plus_ips_window | At least five distinct source IPs were observed in the window. |
| fingerprint_stable | The submitted fingerprint stayed constant across the observations. |
| fingerprint_changed | More than one submitted fingerprint was observed; rotation_detected remains false. |
Get RRP Events
Retrieve RRP page-load event records for your account, newest first. The response includes observations where rotation was not detected; inspect distinct_ip_count_window, confidence, and the detail record before enforcement.
HTTP Request
GET https://api.fraudguard.io/api/rrp/events
Authentication
Basic Authentication required.
Query Parameters
| Parameter | Description |
|---|---|
| limit | Optional. Number of rows to return (1–200). Default 50; larger values are clamped to 200. |
| offset | Optional. Pagination offset. Default 0. |
Response Example
{
"limit": 50,
"offset": 0,
"rows": [
{
"id": "101",
"client_id": "fgc_1234567890123456789012345678901234567890",
"page_load_id": "pl_987654321098765432109876543210987654321_1771480000000",
"first_seen_at": "2026-02-19 12:00:01",
"last_seen_at": "2026-02-19 12:00:21",
"distinct_ip_count_window": "1",
"confidence": "0",
"blacklist_action": "none",
"blacklist_ip_added": null,
"created_at": "2026-02-19 12:00:01",
"updated_at": "2026-02-19 12:00:21"
}
]
}
The list response does not include a total count. Continue by increasing offset until rows is empty or contains fewer than limit records.
Get RRP Event Detail
Retrieve full details for a specific RRP event record.
HTTP Request
GET https://api.fraudguard.io/api/rrp/events/<id>
Replace <id> with the event ID returned from the RRP Ping response.
Authentication
Basic Authentication required.
Response Example
{
"id": "102",
"customer_id": "cust_AbC123xYz",
"client_id": "fgc_1234567890123456789012345678901234567890",
"page_load_id": "pl_987654321098765432109876543210987654321_1771480000000",
"fingerprint_hash": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"first_seen_at": "2026-02-19 11:55:00",
"last_seen_at": "2026-02-19 11:57:30",
"distinct_ip_count_window": "4",
"time_window_seconds": "120",
"ip_list_json": "[\"203.0.113.10\", \"198.51.100.22\", \"192.0.2.44\", \"198.51.100.55\"]",
"reasons_json": "[\"rrp_3plus_ips_window\", \"rrp_4plus_ips_window\", \"fingerprint_stable\"]",
"confidence": "97",
"blacklist_action": "none",
"blacklist_ip_added": null,
"created_at": "2026-02-19 11:55:00",
"updated_at": "2026-02-19 11:57:30"
}
The /api/rrp/events/<id> endpoint returns the full stored event record, including the account identifier, observed IP list, detection reasons, fingerprint hash, and highest stored confidence score. It returns 400 for an invalid ID and 404 when the event does not exist for the authenticated account.
ip_list_json and reasons_json are JSON-encoded strings, so parse each value once more after decoding the top-level response. Treat event details as sensitive security telemetry and restrict access to authorized backend and investigation workflows.
Detection Logic Overview
An RRP event is confirmed when:
- At least three distinct source IP addresses are observed for the same client and page load.
- Every observation in the current 120-second window has the same submitted fingerprint hash.
With a stable fingerprint, confidence is 90 for three distinct IPs, 97 for four, and 100 for five or more. If the fingerprint changes, rotation_detected is false even when three or more IPs are present.
Customers may optionally enable account-specific enforcement policies that add high-confidence RRP IP addresses to their FraudGuard custom blacklist. To discuss automated enforcement, email hello@fraudguard.io.
Attack Stream
Attack Stream provides live access to raw FraudGuard honeypot telemetry. It is powered by the ACE v2 engine, but delivers live-forward events instead of a single-IP verdict; optional enrich=ace responses add ACE decision context to each attacker. That shared engine is why Attack Stream appears in the ACE v2 IP Intelligence documentation group.
It is designed for SIEM, SOAR, threat hunting, blocking, enrichment, alerting, and customer-owned detection pipelines that need to consume attacker activity as FraudGuard observes it.
Attack Stream v1 is a live-forward pull API. The first request returns the latest events and a cursor; subsequent requests use that cursor to receive newer events. Historical backfill is not included.
Attack Stream Delivery Model
| Delivery | Status | Description |
|---|---|---|
| Pull API | Available | Poll api.fraudguard.io for live events using cursor-based pagination. |
Read Attack Stream Events
Use this endpoint for the initial read and every cursor-based follow-up request.
Attack Stream HTTP Request
GET https://api.fraudguard.io/attackstream/v1/events
Attack Stream Authentication
Basic Authentication is required for every request.
curl -u "username:password" \
"https://api.fraudguard.io/attackstream/v1/events?limit=10"
require 'json'
require 'net/http'
uri = URI('https://api.fraudguard.io/attackstream/v1/events?limit=10')
request = Net::HTTP::Get.new(uri)
request.basic_auth('username', 'password')
response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
http.request(request)
end
puts response.body
import requests
from requests.auth import HTTPBasicAuth
response = requests.get(
'https://api.fraudguard.io/attackstream/v1/events',
params={'limit': 10},
auth=HTTPBasicAuth('username', 'password'),
timeout=30
)
print(response.text)
const response = await fetch('https://api.fraudguard.io/attackstream/v1/events?limit=10', {
method: 'GET',
headers: {
'Authorization': 'Basic ' + Buffer.from('username:password').toString('base64'),
'Accept': 'application/json'
}
});
console.log(await response.json());
<?php
$ch = curl_init('https://api.fraudguard.io/attackstream/v1/events?limit=10');
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
CURLOPT_USERPWD => 'username:password',
CURLOPT_HTTPHEADER => ['Accept: application/json'],
]);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
$user = 'username'
$pass = 'password'
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
Authorization = $basicAuthValue
Accept = 'application/json'
}
Invoke-WebRequest `
-Uri 'https://api.fraudguard.io/attackstream/v1/events?limit=10' `
-Headers $Headers `
-Method Get
Attack Stream Polling Flow
- Make a first request without a cursor.
- Process the returned
eventsin array order. - Store the returned
next_cursor. - Poll again with
cursor=<next_cursor>. - Repeat forever, waiting at least
poll_after_secondsbefore the next request.
First request:
curl -u "username:password" \
"https://api.fraudguard.io/attackstream/v1/events?limit=100"
Follow-up request:
curl -u "username:password" \
"https://api.fraudguard.io/attackstream/v1/events?limit=100&cursor=eyJ2IjoxLCJsYXN0X2lkIjoxMjM0NTY3ODkwLCJpc3N1ZWRfYXQiOjE3ODM1MzkxNjN9.example"
Important cursor behavior:
- Cursors are opaque. Do not parse, edit, or generate them client-side.
- Store the full
next_cursorvalue exactly as returned. - A cursor represents the stream position after the last event returned.
- A request with a cursor returns events newer than that cursor.
- When
countis0, keep the returned cursor and poll again afterpoll_after_seconds. - If a cursor is malformed, corrupted in customer-side storage, or fails signature validation, the API returns
400 invalid_cursor.
Attack Stream Query Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| limit | integer | 100 |
Number of events to return. Must be between 1 and 100. |
| cursor | string | none | Opaque cursor returned by the previous response. |
| format | string | json |
Response format. Use json for the normal envelope or jsonl for newline-delimited event objects. |
| enrich | string | none |
Use ace to include FraudGuard ACE context for each attacker IP when available. |
Unsupported query parameters return 400 unsupported_parameter.
Attack Stream Response Order
Events are returned oldest-to-newest inside each response. Process events in array order.
The stream_sequence field is a monotonically increasing stream position for Attack Stream. It is useful for deduplication, logging, and debugging, but customers should use next_cursor rather than building their own sequence query.
Attack Stream JSON Response
Example response:
{
"success": true,
"api": "FraudGuard Attack Stream",
"api_version": "1.0.0",
"delivery": "pull",
"count": 2,
"limit": 2,
"next_cursor": "eyJ2IjoxLCJsYXN0X2lkIjo1MDYxNzcxMzEsImlzc3VlZF9hdCI6MTc4MzUzOTE2M30.example",
"poll_after_seconds": 5,
"rate_limit": {
"requests_per_minute": 60,
"requests_per_day": 50000,
"request_minute_remaining": 59,
"request_day_remaining": 49994,
"events_per_day": 1000000,
"event_day_remaining": 999688
},
"events": [
{
"schema": "fraudguard.attackstream.event.v1",
"event_id": "74b960fc-c49d-4c81-9248-a725209c7ef3",
"stream_sequence": 506162682,
"observed_at": "2026-07-08T17:29:24+00:00",
"received_at": "2026-07-08T17:29:41+00:00",
"attacker": {
"ip": "45.112.149.170",
"port": 40918
},
"target": {
"port": 11434,
"protocol": "http",
"service": "ollama"
},
"event": {
"type": "ai_model_enumeration"
},
"http": {
"method": "GET",
"path": "/api/tags",
"user_agent": "Go-http-client/1.1"
}
},
{
"schema": "fraudguard.attackstream.event.v1",
"event_id": "89942c3b-0f2e-4442-8441-6854c57dd17b",
"stream_sequence": 506177131,
"observed_at": "2026-07-08T17:33:58+00:00",
"received_at": "2026-07-08T17:34:19+00:00",
"attacker": {
"ip": "45.112.149.170",
"port": 60878
},
"target": {
"port": 11434,
"protocol": "http",
"service": "ollama"
},
"event": {
"type": "ai_model_enumeration"
},
"http": {
"method": "GET",
"path": "/api/tags",
"user_agent": "Go-http-client/1.1"
}
}
],
"generated_at": "2026-07-08T19:32:43+00:00"
}
Attack Stream Top-Level Fields
| Field | Type | Description |
|---|---|---|
| success | boolean | true for successful JSON envelope responses. |
| api | string | API product name. |
| api_version | string | Attack Stream API version. |
| delivery | string | Delivery mode. Current value is pull. |
| count | integer | Number of events returned in this response. |
| limit | integer | Requested page size after validation. |
| next_cursor | string/null | Opaque cursor for the next polling request. |
| poll_after_seconds | integer | Minimum suggested wait before the next poll. |
| rate_limit | object | Current request and delivered-event rate limit state. |
| events | array | Attack Stream event objects. |
| generated_at | string | API response generation timestamp in ISO 8601 format. |
poll_after_seconds is never lower than 2 seconds in Attack Stream v1. Clients that are caught up should normally receive a longer wait time, such as 5 seconds.
rate_limit
| Field | Type | Description |
|---|---|---|
| requests_per_minute | integer | Request limit per minute. |
| requests_per_day | integer | Request limit per day. |
| request_minute_remaining | integer | Remaining requests in the current minute window. |
| request_day_remaining | integer | Remaining requests in the current day window. |
| events_per_day | integer | Delivered-event limit per day. |
| event_day_remaining | integer | Remaining delivered events in the current day window. |
Attack Stream Event Fields
| Field | Type | Description |
|---|---|---|
| schema | string | Event schema identifier. Current value is fraudguard.attackstream.event.v1. |
| event_id | string | Unique event identifier. |
| stream_sequence | integer | Monotonically increasing stream sequence. |
| observed_at | string/null | Timestamp from the honeypot event observation. |
| received_at | string/null | Timestamp when FraudGuard received/stored the event. |
| attacker | object | Source IP and source port observed by the honeypot. |
| target | object | Target service, protocol, and target port. |
| event | object | Event metadata, including the public event type. |
| http | object | HTTP request fields when applicable. |
| ace | object | Present only when enrich=ace is requested and ACE data exists for the attacker IP. |
attacker
| Field | Type | Description |
|---|---|---|
| ip | string/null | Source IP address observed by FraudGuard honeypots. |
| port | integer/null | Source port observed by the honeypot. |
target
| Field | Type | Description |
|---|---|---|
| port | integer/null | Target port associated with the observed service. |
| protocol | string/null | Observed protocol. |
| service | string/null | Observed or inferred honeypot service. |
event
| Field | Type | Description |
|---|---|---|
| type | string/null | Public event type, such as ai_model_enumeration, smb_negotiation_probe, sip_register_attempt, ssh_login_attempt, or waf_attack. |
Event type values are intentionally extensible. FraudGuard may add new honeypot detections, services, protocols, and event types over time. Integrations should parse known values but tolerate new strings.
http
| Field | Type | Description |
|---|---|---|
| method | string/null | HTTP method for HTTP-based attacks, such as GET, POST, or HEAD. |
| path | string/null | HTTP request path observed by the honeypot. |
| user_agent | string/null | HTTP user agent observed by the honeypot. |
For non-HTTP events, these fields may be null.
Attack Stream ACE Enrichment
Add enrich=ace to include FraudGuard ACE context for each attacker IP when available.
curl -u "username:password" \
"https://api.fraudguard.io/attackstream/v1/events?limit=10&enrich=ace"
When ACE enrichment exists for an attacker IP, the event includes:
{
"ace": {
"risk": 5,
"action": "block",
"confidence": 88,
"classification": "scanner_tracker",
"trend": "rising",
"events_24h": 123,
"events_7d": 940,
"events_30d": 4120,
"first_seen": "2026-06-12T14:22:10+00:00",
"last_seen": "2026-07-08T17:34:19+00:00"
}
}
ACE enrichment does not change which Attack Stream events are returned. It adds FraudGuard's current risk, recommended action, confidence, classification, trend, recent event counts, and first/last seen context for the source IP.
| Field | Type | Description |
|---|---|---|
| risk | integer | ACE risk level from 1 (lowest) to 5 (highest). |
| action | string | allow for risk 1-2, challenge for 3-4, or block for 5. |
| confidence | integer | Confidence from 0 to 99. |
| classification | string/null | clean or a tracker classification such as scanner_tracker, botnet_tracker, or honeypot_tracker. |
| trend | string/null | rising, cooling, or stable. |
| events_24h, events_7d, events_30d | integer | Observed event counts for each window. |
| first_seen, last_seen | string/null | ISO 8601 timestamps when available. |
Attack Stream JSONL Format
Use format=jsonl for newline-delimited JSON.
curl -u "username:password" \
"https://api.fraudguard.io/attackstream/v1/events?limit=100&format=jsonl"
JSONL responses use application/x-ndjson and emit one Attack Stream event object per line. The normal JSON envelope is not included. Cursor, count, and rate-limit metadata are returned in response headers.
Attack Stream Response Headers
| Header | Description |
|---|---|
| X-AttackStream-Limit | Validated request limit. |
| X-AttackStream-Count | Number of events returned. |
| X-AttackStream-Next-Cursor | Cursor for the next polling request. |
| X-AttackStream-Poll-After-Seconds | Minimum suggested wait before polling again. |
| X-AttackStream-Min-Poll-Seconds | Minimum enforced poll interval per customer. |
| X-RateLimit-Requests-Minute-Limit | Request limit per minute. |
| X-RateLimit-Requests-Minute-Remaining | Remaining requests in the current minute window. |
| X-RateLimit-Requests-Day-Limit | Request limit per day. |
| X-RateLimit-Requests-Day-Remaining | Remaining requests in the current day window. |
| X-RateLimit-Events-Day-Limit | Delivered-event limit per day. |
| X-RateLimit-Events-Day-Remaining | Remaining delivered events in the current day window. |
| Retry-After | Returned on 429 rate limit responses. |
Attack Stream Rate Limits
Attack Stream uses separate request and delivered-event limits.
| Limit | Value | Notes |
|---|---|---|
| Maximum page size | 100 events |
Larger limit values return 400 invalid_limit. |
| Minimum poll interval | 2 seconds |
Enforced per API customer. More than one accepted request inside the interval returns 429 rate_limit_exceeded. |
| Requests per minute | 60 |
Enforced per API customer. |
| Requests per day | 50,000 |
Enforced per API customer. |
| Delivered events per day | 1,000,000 |
Counts events returned to the customer. |
Every request, including requests rejected for polling too quickly, counts against the request rate limits. Only events delivered in a response count against the delivered-event limit.
Clients should respect poll_after_seconds and the X-AttackStream-Poll-After-Seconds header. Parallel pollers or polling faster than the advertised cadence can cause 429 rate_limit_exceeded responses. Attack Stream v1 will not ask clients to poll faster than once every 2 seconds; polling every 2 seconds for a full day is 43,200 requests, below the documented 50,000 request/day limit.
Attack Stream Errors
| Status | Code | Description |
|---|---|---|
| 400 | invalid_limit | limit is outside the allowed 1..100 range. |
| 400 | invalid_cursor | Cursor is malformed or fails signature validation. |
| 400 | invalid_format | format is not json or jsonl. |
| 400 | invalid_enrich | enrich is not none or ace. |
| 400 | unsupported_parameter | A query parameter other than limit, cursor, format, or enrich was submitted. |
| 400 | invalid_parameter | A supported query parameter was submitted more than once or as a non-scalar value. |
| 401 | Bad Authentication | Missing or invalid Basic Authentication credentials. |
| 429 | rate_limit_exceeded | Request rate limit or minimum poll interval exceeded. |
| 429 | event_limit_exceeded | Delivered-event limit exceeded. |
| 429 | Enterprise plan required | The credentials are valid but are not authorized for Enterprise-only Attack Stream access. |
| 503 | rate_limit_unavailable | Rate limiting could not be enforced, so the API failed closed. |
| 500 | attackstream_error | Temporary Attack Stream service error. |
JSON-formatted errors use this shape:
{
"success": false,
"error": {
"code": "invalid_limit",
"message": "The limit parameter must be between 1 and 100.",
"details": []
},
"generated_at": "2026-07-08T19:32:43+00:00"
}
Authentication and plan-gating errors may be returned as plain text by shared FraudGuard authentication middleware.
Attack Stream Integration Guidance
- Store cursors durably after successful event processing.
- Process events in response order.
- Deduplicate with
event_idorstream_sequenceif your collector retries a request. - Respect
poll_after_seconds. - Use
format=jsonlfor streaming collectors and line-oriented ingestion. - Use
enrich=acewhen your pipeline needs FraudGuard risk/action context in the same event. - Keep parsers tolerant of new services, protocols, event types, and ACE classifications.
- Treat Attack Stream v1 as live-forward rather than historical backfill.
Errors
FraudGuard uses standard HTTP status codes. Always branch on the status code before parsing a success response; individual products may also return a machine-readable error code and message.
| Error Code | Meaning |
|---|---|
| 200 | OK — request completed successfully. |
| 201 | Created — a resource was created successfully. |
| 204 | No Content — request completed successfully with no response body. |
| 400 | Bad Request — malformed input or an unsupported parameter. |
| 401 | Unauthorized — credentials are missing or invalid. |
| 403 | Forbidden — credentials are valid, but the account cannot access this resource. |
| 404 | Not Found — the resource does not exist or is outside the account’s scope. |
| 409 | Conflict — the request conflicts with an existing resource. |
| 422 | Unprocessable Entity — the request is valid JSON but fails field validation. |
| 429 | Too Many Requests — a rate limit was reached, or a product uses 429 for an account-access gate. Inspect the response before retrying and honor Retry-After when present. |
| 500 | Internal Server Error — an unexpected server error occurred. Retry a safe request with backoff. |
| 503 | Service Unavailable — the service is temporarily unavailable. Retry a safe request with backoff. |
Do not retry 400, 401, 403, 404, 409, or 422 without changing the request or account state. Retry a 429 only when the response identifies a temporary rate limit; a plan or access-gate response will not recover through backoff. For retryable 429, 500, and 503 responses, use exponential backoff with jitter and a maximum retry count. Never log credentials or the Authorization header.