API Documentation

Query IP reputation scores and export threat feeds via a simple REST API. All responses are JSON unless otherwise noted.

https://threatintel.furkandanis.com/api/v1

🔑 Authentication

All API endpoints require a valid API key. Keys are provisioned from the admin dashboard and follow the format ti_<64hex>.

Pass your key using one of two methods (header is recommended):

Header (recommended)

X-API-Key: ti_your_api_key_here

Query parameter

?key=ti_your_api_key_here

Requests without a valid key return 401 Unauthorized.

⚡ Rate Limits

Each API key has a daily request quota (default: 100 requests/day, configurable by the admin). When the limit is exceeded, the API returns:

429 Too Many Requests
"error": "Daily API limit exceeded"

The daily counter resets at midnight UTC. Contact the admin to request a higher quota.

🛡 Threat Levels

IP reputation is expressed as a score from 0 to 100, mapped to four threat levels:

Clean

score < 25

Suspicious

25 – 59

Malicious

60 – 89

Critical

≥ 90

🔎 Endpoints

GET /api/v1/check

Look up the threat reputation of a single IP address. Returns a weighted score aggregated from up to 11 independent threat intelligence sources.

Parameter	Type	Description
iprequired	string	IPv4 or IPv6 address to check
keyoptional	string	API key (alternative to X-API-Key header)

Example request

curl "https://threatintel.furkandanis.com/api/v1/check?ip=8.8.8.8" \
  -H "X-API-Key: ti_your_key"

Example response

{
  "ok": true,
  "ip": "8.8.8.8",
  "score": 0,
  "threatLevel": 0,
  "threatLevelLabel": "CLEAN",
  "sources": ["abuseipdb", "greynoise", "virustotal"],
  "cached": false,
  "lastChecked": "2026-03-15T12:00:00.000Z",
  "hitCount": 1,
  "checkedAt": "2026-03-15T12:00:00.000Z"
}

GET /api/v1/feed/blocklist

Plain-text list of blocked IPs, one per line. Designed for direct ingestion by firewalls, iptables, or network appliances.

Parameter	Type	Description
thresholdoptional	integer	Minimum score to include (default: 60)
keyoptional	string	API key (alternative to header)

Example request

curl "https://threatintel.furkandanis.com/api/v1/feed/blocklist?threshold=60" \
  -H "X-API-Key: ti_your_key"

Example response

# Content-Type: text/plain
192.168.1.100
10.0.0.50
203.0.113.42

GET /api/v1/feed/csv

CSV export with headers. Suitable for spreadsheets, SIEM imports, and data analysis tools.

Parameter	Type	Description
thresholdoptional	integer	Minimum score to include (default: 60)
keyoptional	string	API key (alternative to header)

Example request

curl "https://threatintel.furkandanis.com/api/v1/feed/csv?threshold=60" \
  -H "X-API-Key: ti_your_key"

Example response

ip,score,threat_level,source,type,added_at,reason
192.168.1.100,85,MALICIOUS,multi,blocked,2026-03-15T10:30:00Z,high-risk
203.0.113.42,92,CRITICAL,multi,blocked,2026-03-15T11:00:00Z,botnet-c2

GET /api/v1/feed/json

Structured JSON feed with metadata and entries array. Best for programmatic consumption and API integrations.

Parameter	Type	Description
thresholdoptional	integer	Minimum score to include (default: 60)
keyoptional	string	API key (alternative to header)

Example request

curl "https://threatintel.furkandanis.com/api/v1/feed/json?threshold=60" \
  -H "X-API-Key: ti_your_key"

Example response

{
  "generated": "2026-03-15T12:00:00.000Z",
  "threshold": 60,
  "count": 2,
  "entries": [
    {
      "ip": "192.168.1.100",
      "score": 85,
      "threatLevel": "MALICIOUS",
      "source": "multi",
      "addedAt": "2026-03-15T10:30:00Z"
    }
  ]
}

GET /api/v1/badge

Returns an SVG shield badge showing the IP's threat level. No API key required. Useful for embedding in dashboards or README files.

Parameter	Type	Description
iprequired	string	IPv4 or IPv6 address to check

Example request

curl "https://threatintel.furkandanis.com/api/v1/badge?ip=8.8.8.8"

Response: image/svg+xml — cached for 5 minutes.

GET /api/v1/feed/cef

Common Event Format (CEF) export for SIEM integration. Returns recent threat events formatted as CEF lines.

Parameter	Type	Description
hoursoptional	integer	Time window in hours (1–168, default: 24)
limitoptional	integer	Max events to return (1–10000, default: 1000)
keyoptional	string	API key (alternative to header)

Example request

curl "https://threatintel.furkandanis.com/api/v1/feed/cef?hours=12&limit=500" \
  -H "X-API-Key: ti_your_key"

GET /api/v1/feed/syslog

Syslog format export for SIEM integration. Same parameters and authentication as the CEF endpoint.

Parameter	Type	Description
hoursoptional	integer	Time window in hours (1–168, default: 24)
limitoptional	integer	Max events to return (1–10000, default: 1000)
keyoptional	string	API key (alternative to header)

Example request

curl "https://threatintel.furkandanis.com/api/v1/feed/syslog?hours=24" \
  -H "X-API-Key: ti_your_key"

📈 Rate Limit Headers

All authenticated API responses include rate limit headers so clients can track their quota usage:

Header	Description
X-RateLimit-Limit	Daily request limit for your API key
X-RateLimit-Remaining	Requests remaining today
X-RateLimit-Reset	Seconds until limit resets (UTC midnight)

▶ Try It

Test the IP reputation endpoint directly from your browser. Enter your API key and an IP address below.

Learn more about how the threat intelligence pipeline works.

🔎 About Threat Intel