Lookup endpoint

The core /lookup endpoint — request, response, and every field it returns.

The Lookup endpoint takes a batch of indicators and returns a per-indicator classification with optional enrichment. It's the only endpoint you need to integrate Reput.io into a detection pipeline.

POST/lookupAPI key or JWT

Request

POST https://api.reput.io/lookup
Content-Type: application/json
X-Api-Key: rpt_your_api_key_here

{
  "indicators": [
    "8.8.8.8",
    "cloudflare.com",
    "https://bit.ly/xyz"
  ]
}

Parameters

Field	Type	Description
`indicators`	`string[]`	IPs, domains, hostnames, or URLs. Max per request depends on plan (see below).

Supported indicator types

Type	Examples
IPv4 / IPv6	`8.8.8.8`, `2001:4860:4860::8888`
Domain	`google.com`, `api.reput.io`
Hostname	`www.example.com`, `mail01.corp.acme.com`
URL	`https://bit.ly/xyz`, `http://example.com/path?q=1`

Indicator type is auto-detected — you don't tag them.

Batch size limits

Plan	Indicators per request
Free	10
Starter	10
Pro	50
Team	100
Enterprise	100

Response

{
  "results": [
    {
      "indicator": "cloudflare.com",
      "status": "whitelisted",
      "type": "domain",
      "confidence_score": 100,
      "confidence_level": "very_high",
      "source_count": 8,
      "risk_level": "info",
      "risk_context": "CDN Security",
      "risk_description": "Cloudflare is a major CDN and security provider …",
      "verdict": "likely_benign",
      "recommendation": {
        "action": "allow_with_logging",
        "false_positive_likelihood": "very_high",
        "investigation_hint": "Check the HTTP Host header or SNI to identify the actual website being accessed."
      },
      "provider": {
        "name": "Cloudflare",
        "type": "cdn_security",
        "services": ["CDN", "WAF", "DDoS Protection", "DNS", "Zero Trust"]
      },
      "categories": ["CDN", "Enterprise", "Security Service", "Top 50K"]
    }
  ]
}

Core fields (all plans)

Field	Values	Meaning
`indicator`	original string	Echoed back exactly as you sent it
`type`	`ip`, `domain`, `url`	Auto-detected
`status`	`whitelisted`, `enrichment`, `unknown`	Classification bucket
`verdict`	`benign`, `likely_benign`, `context_only`, `investigate`, `malicious`	Recommended interpretation
`confidence_level`	`very_low`, `low`, `medium`, `high`, `very_high`	How sure we are
`risk_level`	`info`, `low`, `medium`, `high`, `critical`	Ambient risk of letting this through
`risk_context`	short label	e.g. `"CDN"`, `"Public DNS"`, `"Dynamic DNS Subdomain"`
`source_count`	integer	How many independent feeds back this classification
`categories`	`string[]`	Tags like `"CDN"`, `"Fortune 500"`, `"Banking"`

Provider detection (Starter+)

When the indicator resolves to a known provider, you also get:

Field	Type	Example
`provider.name`	string	`"Cloudflare"`
`provider.type`	string	`"cdn_security"`, `"public_dns"`, `"cloud_provider"`
`provider.services`	`string[]`	`["CDN", "WAF", "DDoS Protection"]`
`recommendation.action`	`allow`, `allow_with_logging`, `investigate`, `block`	Operational recommendation
`recommendation.false_positive_likelihood`	`very_low` .. `very_high`	Chance this is a false positive in alerting

Investigation context (Pro+)

Pro, Team, and Enterprise additionally receive:

Field	Type	Meaning
`confidence_score`	0–100	Numeric score behind `confidence_level`
`risk_description`	string	Full paragraph explaining the risk context
`recommendation.investigation_hint`	string	Analyst guidance, e.g. `"Check the HTTP Host header"`
`rationale`	`string[]`	Why each matching source trusts this indicator
`matching_cidr`	string	For IPs, the CIDR block that matched
`vpn_service` / `tor_node` / `public_proxy` / `anonymity_service`	bool	Informational flags
`high_risk_parent`	string	Parent domain when the indicator is a risky subdomain

Geo enrichment

Every plan gets geo data on IPs, with level of detail increasing by tier:

Plan	Fields
Free	`geo.country_code`
Starter	`geo.country_code`, `geo.country`, `geo.asn`, `geo.asn_org`
Pro+	Everything above plus `geo.city`, `geo.region`, `geo.latitude`, `geo.longitude`

URL analysis

URLs are parsed and the response includes:

extracted_hostname, extracted_domain
url_scheme, url_port, url_path, url_query, url_fragment
url_path_risky: true when the destination is a known shortener / pastebin / file-share (see Trust inheritance)

Trust inheritance

By default a result for foo.bar.com inherits the trust of bar.com. We break that inheritance in three cases:

Dynamic DNS providers (duckdns.org, no-ip.com, …) — status stays whitelisted for the parent, but the subdomain is marked trust_inheritance_blocked and risk_level: high
URL shorteners (bit.ly, tinyurl, …) — domain is whitelisted, individual URLs are flagged url_path_risky
Free-hosting + pastebin + IPFS gateways — parent is recognized, subdomain / path is unverified

The response includes a parent_domain_info block explaining the block:

{
  "indicator": "evil.duckdns.org",
  "status": "whitelisted",
  "trust_inheritance_blocked": true,
  "parent_domain_info": {
    "domain": "duckdns.org",
    "categories": ["Dynamic DNS"]
  },
  "risk_level": "high",
  "risk_context": "Dynamic DNS Subdomain"
}

Rate limits

Every response includes headers:

X-RateLimit-Limit-Daily: 25000
X-RateLimit-Remaining-Daily: 24987
X-RateLimit-Limit-Burst: 120
X-RateLimit-Remaining-Burst: 118

See Rate limits for the full rules, including how limits are shared across a team.

Errors

See Error codes for the complete list. Common ones:

400 — invalid indicator or batch exceeds your plan
401 — invalid or missing API key
403 — feature not available on your plan (e.g. webhooks on Free/Starter)
429 — daily or burst limit exceeded

PreviousAuthentication Next Plan-based features