API Documentation

Integrate Reput.io Whitelist Intelligence into your SOC

🚀 Quick Start

REST API to identify legitimate infrastructure (CDNs, cloud providers, corporate domains).

Avg Latency
<100ms
Sources
180+ trusted
Providers
50+ detected
Format
JSON REST

Authentication

All API requests require an API key in the X-Api-Key header:

X-Api-Key: rpt_your_api_key_here

Getting Your API Key

Your API key is automatically generated when you sign up and log in to the dashboard. You can find it on your Dashboard page. API keys never expire — no need to handle token refresh flows.

API Key Format
# API key format: rpt_ + 64 hex characters
# Example: rpt_a1b2c3d4e5f6...

# The key is shown once when generated.
# Store it securely — it cannot be retrieved later.
# You can rotate your key from the Dashboard at any time.

Code Examples

Python

import requests

API_KEY = "rpt_your_api_key_here"

result = requests.post("https://api.reput.io/lookup",
    headers={"X-Api-Key": API_KEY},
    json={"indicators": ["8.8.8.8", "google.com"]}
)
print(result.json())

curl

curl -X POST https://api.reput.io/lookup \
  -H "X-Api-Key: rpt_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{"indicators": ["8.8.8.8"]}'

API Key Security: Your API key does not expire. Keep it secret — treat it like a password. If compromised, rotate it immediately from the Dashboard.

Main Endpoint

POST/lookup

Query up to 100 indicators simultaneously (depending on plan).

Request:

POST https://api.reput.io/lookup
Content-Type: application/json
X-Api-Key: rpt_your_api_key_here

{
  "indicators": [
    "8.8.8.8",
    "google.com",
    "cloudflare.com"
  ]
}

Response:

{
  "results": [
    {
      "indicator": "104.16.132.229",
      "status": "enrichment",
      "type": "ip",
      "verdict": "likely_benign",
      "confidence_score": 85,
      "confidence_level": "high",
      "source_count": 2,
      "risk_level": "low",
      "risk_context": "CDN Security Provider",
      "risk_description": "Cloudflare CDN/WAF edge IP. This IP serves content for millions of websites through Cloudflare's anycast network.",
      "provider": {
        "name": "Cloudflare",
        "type": "cdn_security",
        "services": ["CDN", "WAF", "DDoS Protection", "DNS"]
      },
      "recommendation": {
        "action": "allow_with_logging",
        "false_positive_likelihood": "very_high",
        "investigation_hint": "Check HTTP Host header to identify actual site"
      },
      "categories": ["CDN", "Cloud Provider", "Corporate"],
      "reasons": ["IPv4 ranges used by Cloudflare infrastructure"]
    },
    {
      "indicator": "google.com",
      "status": "whitelisted",
      "type": "domain",
      "verdict": "likely_benign",
      "confidence_score": 95,
      "confidence_level": "very_high",
      "risk_level": "info",
      "risk_context": "FAANG Infrastructure",
      "provider": {
        "name": "Google",
        "type": "faang_infrastructure"
      },
      "recommendation": {
        "action": "allow",
        "false_positive_likelihood": "very_low"
      },
      "categories": ["FAANG", "Google", "Corporate"]
    }
  ]
}

Plan-Based Features

Response fields vary based on your subscription plan. Free plan includes whitelist intelligence only. Pro, Team, and Enterprise plans unlock enrichment data and advanced features.

Free Plan

Whitelist intelligence only

✓ Included:

  • • Whitelist status (status="whitelisted")
  • • Basic confidence level (high/medium/low)
  • • Short risk context labels
  • • Categories for whitelisted items
  • • Verified TLD detection

✗ Not included:

  • • Enrichment data (CDN, VPN, Cloud)
  • • VPN/Tor/Proxy detection flags
  • • Detailed risk descriptions
  • • Confidence scoring (0-100)
  • • Rationale field

Pro / Team / Enterprise

Full features unlocked

✓ Everything in Free, plus:

  • Enrichment data (status="enrichment")
  • Provider detection (50+ providers: Cloudflare, AWS, Google...)
  • Actionable verdict (likely_benign, investigate, malicious)
  • Smart recommendation (action + false_positive_likelihood)
  • VPN/Tor/Proxy flags (vpn_service, tor_node, etc.)
  • Detailed risk_description field
  • Full confidence_score (0-100)
  • Investigation hints for analyst guidance

Free Plan Enrichment Response: When a Free plan user queries an indicator that only exists in enrichment sources, the API returns status: "enrichment" withupgrade_required: true and a message prompting upgrade to Pro.

Response Fields

Core Fields (All Plans)

indicator

The indicator that was queried (IP, domain, hostname, or URL)

status

"whitelisted" - Safe to auto-allow (FAANG, banks, government, critical infrastructure)
"enrichment" - Context provided, analyst review recommended (CDNs, VPNs, cloud providers)
"unknown" - Not found in any source

type

ip | ipv6 | domain | hostname | url

confidence_score

0-100 based on source type, category trust tier, corroboration, verified TLD, and institutional recognition

confidence_level

very_low | low | medium | high | very_high

source_count

Number of different data sources that identified this indicator

risk_level

info | low | medium | high

risk_context

Short classification label (e.g., "CDN Security Provider", "Anonymity Network")

risk_description

Detailed explanation with specific context about why this indicator has its risk level.

New: Provider Detection & Verdicts (Pro+)

verdict

⭐ Instant Decision Support: Clear verdict for quick analyst decisions.
Values: likely_benign |investigate |suspicious |malicious

provider

⭐ Infrastructure Identification: Object identifying the provider (50+ supported).
Contains: name (e.g., "Cloudflare"),type (e.g., "cdn_security"),services (array of services offered)

recommendation

⭐ Actionable Guidance: What to do with this indicator.
Contains: action (allow | allow_with_logging | investigate | block),false_positive_likelihood (very_low to very_high),investigation_hint (guidance for analysts)

Optional Fields (When Available)

categories

Array of category strings: FAANG, CDN, Cloud Provider, Banking, Government, VPN Service, Tor Node, Dynamic DNS, URL Shortener, etc.

reasons

Array of human-readable strings explaining why this indicator was identified (e.g., "Known FAANG mega-corp infrastructure")

rationale

String or array explaining the source's rationale for whitelist/enrichment classification. Useful for understanding data provenance.

matched_via

How the match was found: "direct" | "derived_domain" | "hostname" | "domain" | "cidr"

matching_cidr

The CIDR block that matched (for IP addresses). Example: "8.8.8.0/24"

derived_domain

The registered domain extracted from a hostname. Example: "google.com" from "mail.google.com"

verified_tld

Object present for .gov, .edu, .mil domains and government TLDs worldwide. Contains: pattern, name,trust_level (absolute | very_high | high),authority

Trust Inheritance

Not all domains propagate trust to their subdomains. Our API uses category-based trust inheritance to prevent false negatives from abused services like Dynamic DNS or URL shorteners.

Full Inheritance (default)

Subdomains inherit trust from parent domain.
Example: mail.google.com inherits trust from google.com

No Inheritance (Dynamic DNS, Free Hosting)

Subdomains do NOT inherit trust. User-created subdomains are untrusted.
Example: malware.duckdns.org returns status: "unknown" with detailed risk context:

{
  "indicator": "malware.duckdns.org",
  "status": "unknown",
  "type": "hostname",
  "confidence_score": 10,
  "confidence_level": "very_low",
  "risk_level": "high",
  "risk_context": "Dynamic DNS Subdomain",
  "risk_description": "This is a user-created subdomain of duckdns.org, a Dynamic DNS provider. Dynamic DNS subdomains are commonly abused for C2 infrastructure, phishing, and malware distribution. The parent domain is legitimate, but subdomains are unverified and high-risk. Requires immediate investigation.",
  "trust_inheritance_blocked": true,
  "parent_domain_info": {
    "domain": "duckdns.org",
    "categories": ["Dynamic DNS"],
    "trust_inheritance": "none"
  }
}

Domain Only (URL Shorteners, Pastebins)

Domain is recognized, but URLs with paths are risky.
Example: https://bit.ly/abc123 shows moderate risk with path warning:

{
  "indicator": "https://bit.ly/abc123",
  "status": "enrichment",
  "type": "url",
  "confidence_score": 35,
  "confidence_level": "low",
  "risk_level": "medium",
  "risk_context": "URL Shortener Link",
  "risk_description": "This is a shortened URL from bit.ly. While the URL shortener service is legitimate, shortened links can redirect to malicious destinations including phishing pages, malware downloads, or credential harvesting sites. The final destination should be verified before allowing access.",
  "url_path_risky": true,
  "trust_inheritance": "domain_only",
  "extracted_hostname": "bit.ly",
  "extracted_domain": "bit.ly",
  "url_scheme": "https",
  "url_path": "/abc123",
  "categories": ["URL Shortener", "Link Service"]
}

Trust Inheritance Fields:

trust_inheritance_blocked

true when subdomain trust inheritance was blocked (e.g., Dynamic DNS subdomains)

parent_domain_info

Object with parent domain details when inheritance is blocked: {domain, categories, trust_inheritance}

url_path_risky

true for URLs where the domain is known but the path/redirect is potentially malicious

trust_inheritance

The inheritance type applied: "full", "domain_only", or "none"

URL Analysis

Submit full URLs for comprehensive analysis. The API extracts and analyzes all components.

URL Response Fields:

extracted_hostname

The hostname extracted from the URL (e.g., "www.example.com")

extracted_domain

The registered domain (e.g., "example.com")

url_scheme

Protocol used (http, https, ftp)

url_path

URL path component

url_query

Query string parameters (if present), without the '?' prefix

url_fragment

URL fragment/anchor (if present), without the '#' prefix. Example: "section" from "#section"

url_port

Port number (if present and non-standard). Example: 8080

// Example: Complete URL with all extracted components
{
  "indicator": "https://pastebin.com/raw/abc123def?format=json#section",
  "status": "enrichment",
  "type": "url",
  "confidence_score": 40,
  "confidence_level": "low",
  "risk_level": "medium",
  "risk_context": "Pastebin/Code Share URL",
  "risk_description": "This URL points to content on pastebin.com, a code/text sharing service. While the platform is legitimate, shared content can include malicious scripts, encoded payloads, or sensitive data exfiltration. Review the content carefully.",
  "url_path_risky": true,
  "trust_inheritance": "domain_only",
  "extracted_hostname": "pastebin.com",
  "extracted_domain": "pastebin.com",
  "url_scheme": "https",
  "url_path": "/raw/abc123def",
  "url_query": "format=json",
  "url_fragment": "section",
  "categories": ["Pastebin Service", "Code Sharing"],
  "matched_via": "hostname"
}

Informational Flags

When an indicator is categorized as a VPN, Tor node, proxy, or anonymity service, the API includes boolean flags to help you identify these services quickly. These are particularly useful for detecting data exfiltration, C2 traffic, or policy violations.

vpn_service

true when the indicator is identified as a VPN service endpoint. Useful for detecting VPN usage which may indicate data exfiltration or policy violations.

tor_node

true when the indicator is a Tor exit node or related to the Tor anonymity network. Tor traffic is commonly used for C2 communication and data exfiltration.

public_proxy

true when the indicator is a public or open proxy service. Public proxies can be used to bypass security controls or hide malicious traffic.

anonymity_service

true when the indicator is associated with general anonymity services. These services are designed to hide user identity and are high-risk for security operations.

// Example: VPN Service Detection
{
  "indicator": "198.51.100.5",
  "status": "enrichment",
  "type": "ip",
  "confidence_score": 75,
  "confidence_level": "high",
  "risk_level": "low",
  "risk_context": "VPN Service Infrastructure",
  "risk_description": "This IP belongs to NordVPN infrastructure. VPN services provide legitimate privacy but can also be used for data exfiltration, bypassing security controls, or hiding malicious activity. Review context and user behavior.",
  "categories": ["VPN Service", "Privacy Network"],
  "vpn_service": true,
  "matched_via": "cidr",
  "matching_cidr": "198.51.100.0/24"
}

// Example: Tor Exit Node Detection
{
  "indicator": "203.0.113.50",
  "status": "enrichment",
  "type": "ip",
  "confidence_score": 70,
  "confidence_level": "high",
  "risk_level": "medium",
  "risk_context": "Tor Exit Node",
  "risk_description": "This IP is identified as a Tor exit node. Tor is an anonymity network commonly used for legitimate privacy but also frequently abused for C2 communication, data exfiltration, and evading detection. Requires investigation.",
  "categories": ["Tor Node", "Privacy Network", "Anonymity Service"],
  "tor_node": true,
  "anonymity_service": true
}

Rate Limits

PlanDailyBurstIndicators
Free ($0)100/day20/min5/request
Pro ($79)20,000/day120/min20/request
Team ($249)100,000/day300/min50/request
Enterprise (Custom)Unlimited1,000/min100/request

Responses include headers: X-RateLimit-Limit-Daily, X-RateLimit-Remaining-Daily

Error Codes

400Bad Request - Invalid indicators or exceeds limit
401Unauthorized - Invalid or missing API key
429Too Many Requests - Rate limit exceeded (daily or burst)
500Internal Server Error