API Documentation

REST API for IP reputation lookup, threat intelligence, blocklist generation, and community threat reporting. Powered by a global honeypot network. See pricing & quotas or read the FAQ.

Base URL

https://api.sikkerapi.com

Authentication

Authorization: Bearer sk_...

Response Format

application/json

Version

Endpoints

Five API endpoints covering IP reputation lookup, blocklist generation, individual and bulk threat reporting, and a STIX 2.1 / TAXII 2.1 feed for SIEM integration. Each endpoint has its own daily quota tracked independently.

GET/v1/key/check/{ip}

IP Check

Look up reputation for any IPv4 or IPv6 address. Returns confidence level, attack timeline, behavioral labels, geolocation, and community reports.

GET/v1/key/blacklist

Blacklist

Generate blocklists of observed IPs filtered by country, ASN, protocol, and severity. Export as JSON or plaintext for iptables, CSF, Fail2Ban, or any firewall.

POST/v1/key/report

Report IP

Submit a report for a suspicious IP with one of 16 attack categories. Reports contribute to community threat intelligence and confidence scoring.

POST/v1/key/bulk-report

Bulk Report

Submit up to 10,000 reports in a single request via JSON array or CSV file upload. Per-row error handling with partial success support.

GET/taxii2/collections/{id}/objects/

TAXII 2.1 Feed

STIX 2.1 threat intelligence feed over TAXII 2.1. Every observed IP is published as a STIX Indicator with confidence scores, behavioral labels, and MITRE ATT&CK references. Connect Splunk, Microsoft Sentinel, Elastic Security, or QRadar.

Authentication

All API requests require a valid API key passed in the Authorization header as a Bearer token. Keys are prefixed with sk_ followed by the tier name. Generate one from the dashboard.

Authorization header

Authorization: Bearer sk_free_a1b2c3d4e5f6...

API key prefixes by tier

sk_free_Free tier — no credit card required. Create free key

sk_tier_*_Paid tiers — higher quotas. See pricing for details.

Rate Limits & Quotas

Each endpoint has its own daily quota tracked independently per API key. Quotas are tier-based and reset at midnight UTC. Rate limit headers are included on every response.

Response headers

X-Daily-LimitYour daily lookup quota for the endpoint.

X-Daily-UsedUnits consumed today.

X-Daily-RemainingUnits remaining in today's quota.

Retry-AfterSeconds until quota resets (429 only). Resets at midnight UTC.

Endpoint-specific headers

IP CheckX-Daily-Limit / X-Daily-Remaining — per lookup. Details

BlacklistX-Blacklist-Limit / X-Blacklist-Remaining — per IP returned. Details

ReportX-Report-Limit / X-Report-Remaining — per report. Details

TAXII FeedX-TAXII-Limit / X-TAXII-Remaining — per indicator. Details

Error Codes

Errors return a JSON object with an error field. TAXII endpoints return errors as TAXII error messages.

Common error codes across all endpoints

400Invalid request — bad IP, parameter, or body format.check payload

401Missing or invalid API key.check header

403API key disabled or expired.regenerate

404Resource not found (IP Check returns this for unknown IPs).IP has no activity

429Daily quota exhausted.upgrade or resets at midnight UTC

503Service temporarily unavailable.retry later

401 — Example error response

{ "error": "Valid API key required. Use Authorization: Bearer sk_..." }

Scoring & Methodology

How threat data is collected, scored, and retained. Understanding the confidence level algorithm helps you set appropriate thresholds for blocking and alerting.

Reference documentation

Confidence LevelHow IP reputation scores (0–100) are calculated from sensor observations, behavioral analysis, and community reports.

Data RetentionHow long threat intelligence data is stored, when scores decay, and when records are purged.

Integrations

Integrate SikkerAPI with your security infrastructure to automatically report and block suspicious IPs. See how it works for the full data flow from honeypots to your firewall.

Firewall & server integrations

SikkerGuardDocker container that automatically blocks known malicious IPs using iptables and ipset. Zero-config firewall protection. Install guide

Fail2BanAutomatically report banned IPs from Fail2Ban jails to the community threat database.

CSF FirewallPre-emptive IP blocking and automatic attack reporting with ConfigServer Firewall.

iptables / ipsetImport blocklists directly into iptables or ipset for kernel-level IP blocking.

NginxBlock or rate-limit suspicious IPs at the reverse proxy layer using deny directives.

sikker-cliCommand-line tool for IP lookups, blocklist downloads, and reporting from your terminal.

Dashboard Features

Manage your API keys, configure alerts, and export blocklists from the SikkerAPI dashboard. No code required for these features.

Alerting & monitoring

IP AlertsGet notified when a specific IP is seen by the honeypot network.

Range AlertsMonitor CIDR ranges for new attacker activity. Ideal for watching your own IP space.

Username AlertsGet notified when a username is used in credential-based attacks across the honeypot network.

Email AlertsConfigure email notification preferences and delivery settings for all alert types.

Data export

Blacklist ExportFilter and download blocklists directly from the dashboard. No API required.

Get started — Create a free API key for 1,000 daily lookups, 1,000 reports, 5,000 blacklist IPs, and 1,000 TAXII indicators. No credit card required. Create free API key →

API Documentation

REST API for IP reputation lookup, threat intelligence, blocklist generation, and community threat reporting. Powered by a global honeypot network. See pricing & quotas or read the FAQ.

Base URL

https://api.sikkerapi.com

Authentication

Authorization: Bearer sk_...

Response Format

application/json

Version

Endpoints

GET/v1/key/check/{ip}

IP Check

Look up reputation for any IPv4 or IPv6 address. Returns confidence level, attack timeline, behavioral labels, geolocation, and community reports.

GET/v1/key/blacklist

Blacklist

Generate blocklists of observed IPs filtered by country, ASN, protocol, and severity. Export as JSON or plaintext for iptables, CSF, Fail2Ban, or any firewall.

POST/v1/key/report

Report IP

Submit a report for a suspicious IP with one of 16 attack categories. Reports contribute to community threat intelligence and confidence scoring.

POST/v1/key/bulk-report

Bulk Report

Submit up to 10,000 reports in a single request via JSON array or CSV file upload. Per-row error handling with partial success support.

GET/taxii2/collections/{id}/objects/

TAXII 2.1 Feed

Authentication

All API requests require a valid API key passed in the Authorization header as a Bearer token. Keys are prefixed with sk_ followed by the tier name. Generate one from the dashboard.

Authorization header

Authorization: Bearer sk_free_a1b2c3d4e5f6...

API key prefixes by tier

sk_free_Free tier — no credit card required. Create free key

sk_tier_*_Paid tiers — higher quotas. See pricing for details.

Rate Limits & Quotas

Each endpoint has its own daily quota tracked independently per API key. Quotas are tier-based and reset at midnight UTC. Rate limit headers are included on every response.

Response headers

X-Daily-LimitYour daily lookup quota for the endpoint.

X-Daily-UsedUnits consumed today.

X-Daily-RemainingUnits remaining in today's quota.

Retry-AfterSeconds until quota resets (429 only). Resets at midnight UTC.

Endpoint-specific headers

IP CheckX-Daily-Limit / X-Daily-Remaining — per lookup. Details

BlacklistX-Blacklist-Limit / X-Blacklist-Remaining — per IP returned. Details

ReportX-Report-Limit / X-Report-Remaining — per report. Details

TAXII FeedX-TAXII-Limit / X-TAXII-Remaining — per indicator. Details

Error Codes

Errors return a JSON object with an error field. TAXII endpoints return errors as TAXII error messages.

Common error codes across all endpoints

400Invalid request — bad IP, parameter, or body format.check payload

401Missing or invalid API key.check header

403API key disabled or expired.regenerate

404Resource not found (IP Check returns this for unknown IPs).IP has no activity

429Daily quota exhausted.upgrade or resets at midnight UTC

503Service temporarily unavailable.retry later

401 — Example error response

{ "error": "Valid API key required. Use Authorization: Bearer sk_..." }

Scoring & Methodology

How threat data is collected, scored, and retained. Understanding the confidence level algorithm helps you set appropriate thresholds for blocking and alerting.

Reference documentation

Confidence LevelHow IP reputation scores (0–100) are calculated from sensor observations, behavioral analysis, and community reports.

Data RetentionHow long threat intelligence data is stored, when scores decay, and when records are purged.

Integrations

Integrate SikkerAPI with your security infrastructure to automatically report and block suspicious IPs. See how it works for the full data flow from honeypots to your firewall.

Firewall & server integrations

SikkerGuardDocker container that automatically blocks known malicious IPs using iptables and ipset. Zero-config firewall protection. Install guide

Fail2BanAutomatically report banned IPs from Fail2Ban jails to the community threat database.

CSF FirewallPre-emptive IP blocking and automatic attack reporting with ConfigServer Firewall.

iptables / ipsetImport blocklists directly into iptables or ipset for kernel-level IP blocking.

NginxBlock or rate-limit suspicious IPs at the reverse proxy layer using deny directives.

sikker-cliCommand-line tool for IP lookups, blocklist downloads, and reporting from your terminal.

Dashboard Features

Manage your API keys, configure alerts, and export blocklists from the SikkerAPI dashboard. No code required for these features.

Alerting & monitoring

IP AlertsGet notified when a specific IP is seen by the honeypot network.

Range AlertsMonitor CIDR ranges for new attacker activity. Ideal for watching your own IP space.

Username AlertsGet notified when a username is used in credential-based attacks across the honeypot network.

Email AlertsConfigure email notification preferences and delivery settings for all alert types.

Data export

Blacklist ExportFilter and download blocklists directly from the dashboard. No API required.

Get started — Create a free API key for 1,000 daily lookups, 1,000 reports, 5,000 blacklist IPs, and 1,000 TAXII indicators. No credit card required. Create free API key →