API Documentation

Integrate threat intelligence lookups into your security workflows.

GET /api/lookup

Automatically detects the caller's IP address from the CF-Connecting-IP header and returns threat intelligence data.

Response

{
  "ip": "203.0.113.45",
  "subnet": "203.0.113.0/24",
  "timestamp": "2024-01-15T10:30:00.000Z",
  "cloudflare": {
    "asn": 13335,
    "asOrganization": "Cloudflare, Inc.",
    "country": "US",
    "city": "San Francisco",
    "region": "California",
    "colo": "SJC",
    "timezone": "America/Los_Angeles",
    "latitude": "37.7749",
    "longitude": "-122.4194"
  },
  "threatIntel": {
    "riskScore": 25,
    "threatTypes": ["None Detected"],
    "lastSeen": "2024-01-10T00:00:00.000Z",
    "firstSeen": "2023-06-15T00:00:00.000Z",
    "isTor": false,
    "isProxy": false,
    "isVpn": false,
    "isBot": false,
    "isKnownAttacker": false
  },
  "enrichment": null
}
          
POST /api/lookup

Look up threat intelligence for a specific IP address.

Request Body

{
  "ip": "192.168.1.100"
}
          

Example cURL

curl -X POST https://your-domain.pages.dev/api/lookup \
  -H "Content-Type: application/json" \
  -d '{"ip": "192.168.1.100"}'
          

KV Enrichment Schema

Subnet enrichment data is stored in Cloudflare KV with the subnet as the key (e.g., 192.168.1.0/24).

JSON Schema

{
  "isp": "Example ISP Inc.",
  "regionPolicy": "GDPR Compliant",
  "riskScore": 15,
  "notes": "Corporate network range",
  "tags": ["enterprise", "trusted", "internal"]
}
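
One way to check an enrichment record and derive its KV key before writing it, as an added example (not this project's own code). It assumes IPv4 input, a /24 key as in the samples on this page, and that all five schema fields are required; subnetKey, validateEnrichment and buildKvEntry are hypothetical names.

```javascript
// Assumption: IPv4 only; the KV key is the /24 containing the address,
// matching the "subnet" field in the sample response on this page.
function subnetKey(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  for (const p of parts) {
    // Reject empty, non-digit, leading-zero and out-of-range octets.
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
  }
  return `${parts[0]}.${parts[1]}.${parts[2]}.0/24`;
}

// Field names and types come from the schema sample above. Assumption:
// all five fields are required and no others are allowed.
const ENRICHMENT_FIELDS = new Map([
  ["isp", "string"], ["regionPolicy", "string"], ["riskScore", "number"],
  ["notes", "string"], ["tags", "array"],
]);

// Returns a list of problems; an empty list means the record is well-formed.
function validateEnrichment(record) {
  if (record === null || typeof record !== "object" || Array.isArray(record)) {
    return ["record must be a JSON object"];
  }
  const errors = [];
  for (const [field, type] of ENRICHMENT_FIELDS) {
    const value = record[field];
    if (type === "array") {
      const ok = Array.isArray(value) && value.every((t) => typeof t === "string");
      if (!ok) errors.push(`${field}: expected array of strings`);
    } else if (typeof value !== type || (type === "number" && !Number.isFinite(value))) {
      errors.push(`${field}: expected ${type}`);
    }
  }
  for (const field of Object.keys(record)) {
    if (!ENRICHMENT_FIELDS.has(field)) errors.push(`${field}: unexpected field`);
  }
  return errors;
}

// Builds the { key, value } pair to store in KV; throws on bad input.
function buildKvEntry(ip, record) {
  const key = subnetKey(ip);
  if (key === null) throw new Error("Invalid IP address provided");
  const errors = validateEnrichment(record);
  if (errors.length > 0) throw new Error(errors.join("; "));
  return { key, value: JSON.stringify(record) };
}
```

Rejecting malformed records before they reach KV keeps a mistyped riskScore or an unexpected field from flowing into the enrichment object that lookups return.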
          

Error Responses

400 Bad Request
{"error": "Invalid IP address provided"}
              
500 Internal Server Error
{"error": "Internal server error"}