API Documentation
Updated: May 6, 2025
Making requests
GET https://api.iocscout.com/v1?apiKey=YOUR_API_KEY&ip=101.132.168.206
Input parameters
| Name | Type | Description |
|---|---|---|
| apiKey Required | String | Your personal API key. |
| ip Required | String | IPv4 or IPv6 address to look up. |
| realTimeData | Integer | Retrieve real-time data instead of potentially cached data. These requests take longer to process. Acceptable values: 0 or 1. Default: 0. |
Request limits
The request rate limits vary. The free plan allows for a maximum of 5 requests per day. The professional plan allows for a maximum of 50 requests per day. If you exceed these limits, the API will return a 429 HTTP error code.
Authentication
To authenticate with the API, include your personal API key in the request using the required apiKey query parameter.
Response format
- Name
detection- Type
- object
- Description
IP address threat activity detection timestamps, both are
nullunless thestatusfield value isthreat.- Name
first- Type
- nullable
- timestamp
- Description
First occurrence timestamp.
- Name
last- Type
- nullable
- timestamp
- Description
Last occurrence timestamp.
- Name
status- Type
- string
- Description
Detected threat type.
safe– recognized legitimate scanner/crawler, more details in theknown.scannerobjectsuspicious– further investigation requiredthreat– should be regarded as malicious, consider restricting accessunknown– no activity detected, manual inspection advised
- Name
threat- Type
- object
- Description
Threat classification details.
- Name
score- Type
- integer
- Description
IoC threat level,
0(not a threat) to100(threat with high confidence). Non-zero only forthreatorsuspiciousstatusfield values.
- Name
class- Type
- nullable
- string[]
- Description
IoC threat types,
nullunless thestatusfield value isthreat.attack– malicious activity detectedc2– known command & control servermalware– malicious software distributionphishing– phishing activityspam– unsolicited bulk messagingsuspicious– suspicious activity, e.g. web scraping
- Name
known- Type
- object
- Description
- Name
service- Type
- object
- Description
Recognized services not performing infrastructure scans, e.g. GitHub.
- Name
name- Type
- string
- Description
Service name.
- Name
description- Type
- string
- Description
Service description.
- Name
info- Type
- string[]
- Description
Additional information.
- Name
scanner- Type
- object[]
- Description
Legitimate infrastructure scanning services, e.g. Googlebot. Omitted unless the
statusfield value isbenign.- Name
name- Type
- string
- Description
Service name.
- Name
description- Type
- string
- Description
Service description.
- Name
info- Type
- string[]
- Description
Additional information.
- Name
location- Type
- object
- Description
IP geolocation data.
- Name
country- Type
- string
- Description
Country name.
- Name
region- Type
- string
- Description
Region name.
- Name
city- Type
- string
- Description
City name.
- Name
net- Type
- object
- Description
Network details.
- Name
vpn- Type
- object
- Description
Details on the public VPN service the IP belongs to, if applicable.
- Name
detected- Type
- boolean
- Description
Truefor addresses belonging to a VPN pool.
- Name
name- Type
- string
- Description
Service provider.
- Name
tor- Type
- boolean
- Description
Truefor TOR exit nodes.
- Name
ptr- Type
- object
- Description
PTR DNS record data.
- Name
value- Type
- nullable
- string
- Description
Record value,
nullif absent.
- Name
iprev- Type
- boolean
- Description
Trueif forward and reverse DNS entries match.
- Name
as- Type
- object
- Description
Autonomous system details, if available.
- Name
number- Type
- integer
- Description
Autonomous system number.
- Name
name- Type
- string
- Description
Autonomous system name.
- Name
url- Type
- string
- Description
Autonomous system web page.
- Name
route- Type
- object
- Description
Network registration data.
- Name
score- Type
- integer
- Description
IP range threat level, from
0(no threat) to100(all addresses to be considered malicious).
- Name
source- Type
- string
- Description
Organization managing the address range.
- Name
netname- Type
- string
- Description
IP range name.
- Name
update- Type
- string
- Description
Last registry range modification in the ISO 8601 format.
- Name
inetnum- Type
- string
- Description
First and last addresses.
- Name
org- Type
- object
- Description
Registering organization details, if available.
- Name
id- Type
- string
- Description
Organization ID.
- Name
name- Type
- string
- Description
Organization name.
- Name
email- Type
- string
- Description
Contact email.
- Name
phone- Type
- string
- Description
Contact phone.
- Name
address- Type
- string[]
- Description
Organization address.
- Name
contact- Type
- object
- Description
Contact information, if any.
- Name
admin- Type
- object
- Description
Administrative contact.
- Name
id- Type
- string
- Description
Contact ID.
- Name
name- Type
- string
- Description
Contact name.
- Name
email- Type
- string
- Description
Contact email.
- Name
phone- Type
- string
- Description
Contact phone number.
- Name
address- Type
- string[]
- Description
Contact address.
- Name
tech- Type
- object
- Description
Technical contact.
- Name
abuse- Type
- object
- Description
Abuse contact.
{
"detection": {
"first": 1643720870,
"last": 1738415270
},
"status": "threat",
"threat": {
"score": 75,
"class": [
"malware",
"phishing"
]
},
"known": {
"service": [
{
"name": "Example",
"description": "Example",
"info": [
"https://example.com"
]
}
],
"scanner": [
{
"name": "Example",
"description": "Example web service scanner",
"info": [
"https://example.net"
]
}
]
},
"location": {
"country": "United States of America",
"region": "California",
"city": "Los Angeles"
},
"net": {
"vpn": {
"detected": true,
"name": "Example VPN provider"
},
"tor": false,
"ptr": {
"value": "test.example.org.",
"iprev": true
},
"as": {
"number": 64496,
"name": "Reserved",
"url": "https://www.iana.org"
},
"route": {
"score": 31,
"source": "arin",
"netname": "TEST-NET-1",
"update": "2024-05-23T10:19:53-04:00",
"inetnum": "192.0.2.0 - 192.0.2.255",
"org": {
"id": "IANA",
"name": "Internet Assigned Numbers Authority",
"email": "",
"phone": "",
"address": [
"12025 Waterfront Drive",
"Suite 300",
"Los Angeles",
"CA",
"90292",
"United States"
]
},
"contact": {
"admin": {
"id": "IANA-IP-ARIN",
"name": "ICANN",
"email": "abuse@iana.org",
"phone": "+1-310-301-5820",
"address": [
"12025 Waterfront Drive",
"Suite 300",
"Los Angeles",
"CA",
"90292",
"United States"
]
},
"tech": {
"id": "IANA-IP-ARIN",
"name": "ICANN",
"email": "abuse@iana.org",
"phone": "+1-310-301-5820",
"address": [
"12025 Waterfront Drive",
"Suite 300",
"Los Angeles",
"CA",
"90292",
"United States"
]
},
"abuse": {
"id": "IANA-IP-ARIN",
"name": "ICANN",
"email": "abuse@iana.org",
"phone": "+1-310-301-5820",
"address": [
"12025 Waterfront Drive",
"Suite 300",
"Los Angeles",
"CA",
"90292",
"United States"
]
}
}
}
}
}Error codes
You can determine if your request was successful by checking the status code in the API response. Since 99% of reported errors are user errors, please review your code thoroughly before reaching out to support.
| 2xx | Successful response. |
| 400 | Invalid input parameters. |
| 401 | Unauthorized. Verify your API key or check your subscription limits. |
| 429 | Too many requests. Try your call again later. |
| 500 | Server error. Please try your call again later or contact support." |