Single IP lookup
Provides a single endpoint for retrieving detailed information about an IPv4 or IPv6 address. The default response returns essential metadata, such as geolocation, organization, and basic security indicators. Additional data, including abuse contacts, reverse DNS hostnames, and open-port details, is included when the optional ?mode=full query parameter is present.
Request parameters
{host}: Represents the IPv4 or IPv6 address for which information is requested.?mode=fullreturns an extended set of data in the response, including additional fields. If this parameter is omitted, a default set of information is returned.
Example Response
Response keys
The table below describes each field returned by the IP lookup endpoint. These fields cover geolocation details, associated host and ASN information, network contact data, and various security indicators that help assess the IP’s reputation.
| Field | Description |
|---|---|
| success | Boolean flag that shows whether the lookup completed without error. |
| meta | Reserved container for pagination, rate-limit, or other response metadata; empty for single-IP requests. |
| payload | Root object that holds the IP-specific data returned by the service. |
| asn | Autonomous System Number to which the queried IP is announced. |
| contacts | List of abuse-contact e-mail addresses associated with the ASN or subnet. Requires ?mode=full |
| hostnames | Reverse-DNS hostnames currently resolving to the IP address. Requires ?mode=full |
| ip | The IPv4 or IPv6 address that was queried, in canonical form. |
| ip_type | Address family of the queried IP; either ipv4 or ipv6. |
| location | Geolocation object that provides country, region, city, and timezone information. |
| city | City name inferred for the IP; null when unavailable. |
| continent_name | Name of the continent where the IP is registered. |
| coordinates | Comma-separated latitude and longitude (“lat,lon”). |
| country_code | ISO 3166-1 alpha-2 country code. |
| country_name | Full country name corresponding to country_code. |
| currency | ISO 4217 currency code used in the country. |
| is_eu | Indicates whether the country is a member of the European Union. |
| latitude | Decimal latitude; rounded to at most four fractional digits. |
| longitude | Decimal longitude; rounded to at most four fractional digits. |
| phone_code | International dialing code prefixed with “+”. |
| postal_code | Postal or ZIP code for the location; null when unavailable. |
| region_code | ISO 3166-2 region or state code; null when unavailable. |
| region_name | Human-readable name of the region or state; null when unavailable. |
| time_zone | IANA timezone identifier for the location. |
| organisation | Readable name of the organisation that owns the ASN or subnet. |
| probe | Object containing results of active scanning (open ports and detected services). Requires ?mode=full |
| ports | Map in which protocol names (tcp, udp) group service detections by port number. Requires ?mode=full |
| tcp | Sub-map under ports; keys are TCP port numbers, values are identified services. Requires ?mode=full |
| udp | Sub-map under ports; keys are UDP port numbers, values are identified services. Requires ?mode=full |
| security | Object containing reputation and risk indicators for the IP address. |
| is_datacenter | true when the IP belongs to a known hosting, cloud, or data-centre range. |
| is_known_abuser | true when the IP or subnet has a history of abuse reports. |
| is_proxy | true when the IP operates as an open or commercial proxy. |
| is_threat | true when recent malicious activity has been observed from the address. |
| is_threat_or_known_abuser | Logical OR of is_threat and is_known_abuser; simplifies rule checks. |
| is_tor | true when the IP is a Tor exit node. |
| is_tor_or_proxy | Logical OR of is_tor and is_proxy. |
| subnet | CIDR block that contains the queried IP (for example, 8.8.8.0/24). |
Batch IP lookup
Information for up to 50 IP addresses can be retrieved in a single request using the Batch IP lookup method via POST. The response includes data similar to the Single IP lookup, such as ASN, location, security details, and other available keys. Additional information is provided when ?mode=full is appended to the request URL.