Loading
Generate a blacklist of observed IP addresses. Returns IPs ordered by confidence level (highest first), with extensive filtering options for country, ASN, protocol, and severity.
Use the plaintext=true parameter to get a newline-separated list suitable for direct import into firewalls and blocklists.
curl "https://api.sikkerapi.com/v1/key/blacklist?scoreMinimum=70" \
-H "Authorization: Bearer sk_free_..."curl "https://api.sikkerapi.com/v1/key/blacklist?plaintext=true&scoreMinimum=70" \
-H "Authorization: Bearer sk_free_..." \
> blocklist.txtAll parameters are optional. The default returns up to your tier's limit of IPs with score ≥ 50.
| Parameter | Type | Description |
|---|---|---|
| scoreMinimum | integer | Minimum confidence level (1-100). Default: 50. |
| limit | integer | Maximum IPs to return. Capped by your tier's blacklist limit. |
| plaintext | boolean | If true, returns newline-separated IPs only (no JSON). |
| ignoreWhitelist | boolean | If true, uses raw confidence levels without whitelist discounting. Known-benign scanners (Googlebot, Censys, etc.) will appear at their undiscounted scores. Default: false. |
| Parameter | Type | Description |
|---|---|---|
| onlyCountries | string | Comma-separated ISO country codes to include (e.g. CN,RU,IR). |
| exceptCountries | string | Comma-separated ISO country codes to exclude (e.g. US,GB,DE). |
| onlyAsn | string | Comma-separated ASNs to include (e.g. AS12345,AS67890). |
| exceptAsn | string | Comma-separated ASNs to exclude. |
| Parameter | Type | Description |
|---|---|---|
| ipVersion | string | 4, 6, or mixed (default). |
| protocols | string | Comma-separated protocols (e.g. ssh,http,ftp). Only IPs with activity on these protocols. |
| minSeverity | string | Minimum behavior severity: very_high, high, medium, or low. |
# High-confidence SSH IPs only
curl "https://api.sikkerapi.com/v1/key/blacklist?scoreMinimum=80&protocols=ssh&minSeverity=high" \
-H "Authorization: Bearer sk_..."
# Exclude US IPs
curl "https://api.sikkerapi.com/v1/key/blacklist?exceptCountries=US,CA" \
-H "Authorization: Bearer sk_..."
# IPv4 only, very high severity
curl "https://api.sikkerapi.com/v1/key/blacklist?ipVersion=4&minSeverity=very_high" \
-H "Authorization: Bearer sk_..."By default, returns a JSON object with metadata and an array of blacklist entries.
| Field | Type | Description |
|---|---|---|
| generatedAt | long | Timestamp when the list was generated (epoch ms). |
| scoreMinimum | integer | The minimum score filter applied. |
| limit | integer | The effective limit used. |
| count | integer | Number of IPs returned. |
| Field | Type | Description |
|---|---|---|
| ip | string | The IP address. |
| confidenceLevel | integer | Confidence level (0-100). Includes whitelist discounting by default. |
| lastSeen | long? | Most recent activity (epoch ms). |
| sessions | integer | Total honeypot sessions. |
| protocols | array | List of protocols with activity. |
| countryCode | string? | ISO country code. |
| asn | string? | Autonomous System Number. |
| asnOrg | string? | ASN organization name. |
When plaintext=true, returns a newline-separated list of IP addresses with Content-Type: text/plain. Ideal for direct import into firewalls, fail2ban, or other security tools.
{
"meta": {
"generatedAt": 1706108532000,
"scoreMinimum": 70,
"limit": 10000,
"count": 3
},
"data": [
{
"ip": "203.0.113.42",
"confidenceLevel": 95,
"lastSeen": 1706108532000,
"sessions": 128,
"protocols": ["ssh", "http"],
"countryCode": "CN",
"asn": "AS12345",
"asnOrg": "Example Network"
},
{
"ip": "198.51.100.17",
"confidenceLevel": 82,
"lastSeen": 1706100000000,
"sessions": 45,
"protocols": ["ssh"],
"countryCode": "RU",
"asn": "AS67890",
"asnOrg": "Another ISP"
}
]
}203.0.113.42 198.51.100.17 192.0.2.99 ...
Use plaintext=true to get a firewall-ready list. Refresh daily or on-demand to keep your blocklist current.
Higher scoreMinimum values reduce false positives but may miss some threats:
| Score | Use Case |
|---|---|
| 90+ | Very high confidence. Suitable for hard-blocking in most environments. Always review your logs periodically for false positives. |
| 70-89 | High confidence. Good default for most setups. Review your logs periodically for false positives. |
| 50-69 | Moderate confidence. Consider rate limiting or challenging instead of hard-blocking. |
Each IP returned counts against your daily blacklist quota (separate from your lookup quota). For example, pulling 5,000 IPs uses 5,000 of your blacklist quota. Daily refreshes stay well within limits for all tiers. Check response headers X-Blacklist-Limit, X-Blacklist-Used, and X-Blacklist-Remaining to monitor usage.
Ready-made guides for popular tools: iptables / ipset, Nginx, CSF Firewall, Fail2Ban.
Get started — Generate blocklists for your firewall with a free API key. Free tier includes up to 5,000 IPs per blacklist request. Create free API key →