Developer Documentation

API Documentation

Integrate enterprise-grade IP intelligence into your applications with our powerful REST API.

Quick Start

1. Get API Key: Generate your API key from the dashboard
2. Make Request: Send HTTP requests to our endpoints
3. Get Results: Receive JSON response with threat data

Authentication

All API requests require authentication using your API key. Include it in the request header:

X-API-KEY: YOUR_API_KEY

Security Note: Never expose your API key in client-side code or public repositories. Keep it secure on your server.

Base URL

https://affguard.ai/api/v1

API Endpoints

IP Lookup GET

Analyze an IP address for VPN, proxy, Tor, and datacenter detection.

Response latency tiers:

- Cache HIT response (< 20ms): Known IP, instant return
- DB lookup response (50–120ms): IP in database, not yet cached
- AI Engine, if enabled (800ms–1.5s): Live heuristic scan on new IP

Latency tiers explained

Cache HIT (<20ms) applies to previously-seen IPs served from Redis. DB lookup (50–120ms) runs a range query against the intelligence database. AI Engine adds ~800ms–1.5s only when enabled on your key and the IP is brand new to our system.

Endpoint

GET /api/v1/ip/lookup?ip={ip}

Parameters

Parameter  Type    Required  Description
ip         string  Yes       IPv4 or IPv6 address to analyze

Example Request

curl -X GET "https://affguard.ai/api/v1/ip/lookup?ip=8.8.8.8" \
     -H "X-API-KEY: YOUR_API_KEY"
Example Response
{
    "ip": "8.8.8.8",
    "country": "US",
    "is_vpn": "no",
    "is_proxy": "no",
    "is_tor": "no",
    "is_bot": "no",
    "is_hosting": "yes",
    "is_blacklist": "no",
    "is_residential": "no",
    "risk_score": 40,
    "fraud_score": 30,
    "confidence": 80,
    "threat_categories": ["datacenter_hosting"],
    "subnet_risk": 12.50,
    "is_abusive": "no",
    "abuse_reports": 0,
    "is_market_research_flagged": "no",
    "market_research_reports": 0
}
Response Field Dictionary

Field                       Format                Description
ip                          string                The IP address queried in the request.
country                     string                Two-letter ISO 3166-1 country code (e.g., "US", "GB").
is_vpn                      yes/no                Returns "yes" if identified as a Virtual Private Network.
is_proxy                    yes/no                Returns "yes" if identified as a non-anonymous or commercial proxy.
is_tor                      yes/no                Returns "yes" if identified as an active Tor Exit Node.
is_bot                      yes/no                Returns "yes" if the IP belongs to a known crawler or bot.
is_hosting                  yes/no                Returns "yes" if the IP is from a cloud provider or data center.
is_blacklist                yes/no                Returns "yes" if the IP is found on global threat/spam blacklists.
risk_score                  int (0–100)           Technical risk score based on the connection nature.
fraud_score                 int (0–100)           Behavioral risk score based on historical abuse.
confidence                  int (0–100) | null    Data confidence score. Higher values indicate more trusted provider sources. Returns null when no provider data is available.
threat_categories           array                 Classified threat labels for this IP, ordered by severity. Possible values: tor_exit_node, vpn, proxy, datacenter_hosting, bot, blacklisted, cpa_fraud, survey_fraud, geo_asn_mismatch, dns_inconsistency, contaminated_subnet, residential. Returns an empty array when no threats are detected.
subnet_risk                 float (0–100) | null  Percentage of flagged IPs within the same /24 subnet. Higher values indicate a contaminated network neighbourhood. Returns null for IPv6 addresses.
is_residential              yes/no                Returns "yes" if identified as a residential proxy or ISP connection. Residential IPs receive a lower risk score.
is_abusive                  yes/no                Returns "yes" if flagged for advertising/CPA fraud behavior.
abuse_reports               int                   Number of unique CPA fraud reports associated with this IP.
is_market_research_flagged  yes/no                Returns "yes" if flagged for survey/panel market research fraud (fake traffic, incentivized clicks).
market_research_reports     int                   Number of unique market research fraud reports associated with this IP.

GPT & Offerwall Integration

When a user attempts to open an offer from your Ad Network or Offerwall partners, check their IP first. If the risk_score is above 40, we recommend blocking the redirect to protect your advertiser reputation.

// Example Logic
// $data is the decoded JSON response from the IP lookup endpoint
if ($data['risk_score'] > 40) {
    die("VPN/Proxy detected. Please disable it to continue to offers.");
}

Threat Categories

The threat_categories field returns a structured array of detected threat types, ordered by severity. Use these labels to build routing rules, auto-block policies, or dashboard visualizations.

Category             Trigger                           Description
tor_exit_node        is_tor = yes                      Active Tor exit node, anonymized traffic
vpn                  is_vpn = yes                      Commercial or personal VPN service
proxy                is_proxy = yes                    HTTP/SOCKS proxy detected
datacenter_hosting   is_hosting = yes                  Cloud provider or data center IP
bot                  is_bot = yes                      Known crawler or automated bot
blacklisted          is_blacklist = yes                Found on global threat or spam blacklists
cpa_fraud            is_abusive = yes                  Flagged for CPA or advertising fraud
survey_fraud         is_market_research_flagged = yes  Flagged for survey or panel fraud
geo_asn_mismatch     Network anomaly detected          IP geolocation does not match ASN registration country
dns_inconsistency    Network anomaly detected          PTR hostname does not resolve back to the original IP
contaminated_subnet  subnet_risk ≥ 20%                 High concentration of flagged IPs in the /24 network block
residential          is_residential = yes, no threats  Clean residential ISP connection (informational only)

Tip: An IP can have multiple categories at once (e.g., ["vpn", "blacklisted", "cpa_fraud"]). An empty array [] means no threat signals were detected.

Understanding Scores

Our IP Intelligence system provides multiple scoring dimensions to help you make informed security decisions.

Risk Score

Technical threat level based on VPN, Proxy, Tor, and hosting indicators. Range: 0-100.

Fraud Score

Behavioral risk combining historical abuse, provider data, and recency. Range: 0-100.

Confidence

How much we trust the data, based on provider quality. Range: 0-100 or null.

Subnet Risk

Percentage of flagged IPs in the same /24 network block. Range: 0-100.

Score Interpretation Guide

Range   Level     Recommended Action
0–25    Low       Safe for most transactions. High confidence in residential origin.
26–55   Medium    Moderate risk. Recommended: Extra verification (e.g., OTP or Email confirmation).
56–85   High      Significant risk. High probability of VPN/Proxy abuse. Recommended: Manual review.
86–100  Critical  Extreme fraud risk. Blacklisted or multi-flagged IP. Recommended: Immediate rejection.
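
An added example (not AffGuard's own code) that turns one lookup response into a decision, using the Score Interpretation Guide bands and the offerwall threshold of 40 described above. The function names, the action labels, and the rules that the higher of the two scores picks the band and that a null confidence or a subnet_risk of 20 or more downgrades an "allow" are assumptions of this example.

```python
# Added example: policy layer over one parsed IP-lookup response.
# Field names and score bands are from the documentation; function names,
# action labels and the tie-break rules are assumptions of this example.
BANDS = [(25, "low"), (55, "medium"), (85, "high"), (100, "critical")]
ACTIONS = {"low": "allow", "medium": "verify", "high": "review", "critical": "reject"}
FLAGS = ("is_vpn", "is_proxy", "is_tor", "is_bot", "is_hosting",
         "is_blacklist", "is_abusive", "is_market_research_flagged")


def flag(data, field):
    # Flags are the strings "yes"/"no"; bool("no") is True, so compare explicitly.
    return data.get(field) == "yes"


def band(score):
    # Map a 0-100 score onto the Score Interpretation Guide levels.
    if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score!r}")
    return next(level for upper, level in BANDS if score <= upper)


def decide(data, offer_threshold=40):
    # Assumption: the higher of risk_score and fraud_score selects the band.
    level = band(max(data["risk_score"], data["fraud_score"]))
    action = ACTIONS[level]
    reasons = [f for f in FLAGS if flag(data, f)]
    # confidence is null when no provider data exists: never auto-allow on that.
    if action == "allow" and data.get("confidence") is None:
        action, reasons = "verify", reasons + ["no_provider_data"]
    # subnet_risk is null for IPv6; compare only when a number is present.
    subnet = data.get("subnet_risk")
    if action == "allow" and subnet is not None and subnet >= 20:
        action, reasons = "verify", reasons + ["contaminated_subnet"]
    return {"level": level, "action": action, "reasons": reasons,
            "block_offer": data["risk_score"] > offer_threshold}


# The documentation's example response (trimmed) and a constructed IPv6 case.
DOC_SAMPLE = {"ip": "8.8.8.8", "is_vpn": "no", "is_hosting": "yes", "risk_score": 40,
              "fraud_score": 30, "confidence": 80, "subnet_risk": 12.50}
IPV6_SAMPLE = {"ip": "2001:db8::1", "is_vpn": "no", "is_hosting": "no", "risk_score": 10,
               "fraud_score": 5, "confidence": None, "subnet_risk": None}

if __name__ == "__main__":
    for sample in (DOC_SAMPLE, IPV6_SAMPLE):
        print(sample["ip"], decide(sample))
```

The documented example response scores exactly 40, so it lands in the Medium band but is not blocked by the offerwall rule, which triggers only above 40.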

Response Codes

Code  Status             Description
200   OK                 Request successful
400   Bad Request        Invalid IP address or parameters
401   Unauthorized       Invalid or missing API key
402   Payment Required   Insufficient balance
429   Too Many Requests  Rate limit exceeded
500   Server Error       Internal server error

Rate Limits

Rate limits vary by plan tier:

Free: 10/min
Starter: 60/min
Pro: 300/min
Enterprise: 1000/min

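Code Examples

PHP

<?php
$apiKey = 'YOUR_API_KEY';
$ip = '8.8.8.8';

$ch = curl_init();
// Documented endpoint: GET /api/v1/ip/lookup?ip={ip}
curl_setopt($ch, CURLOPT_URL, "https://affguard.ai/api/v1/ip/lookup?ip=" . urlencode($ip));
// Authenticate with the X-API-KEY request header
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "X-API-KEY: $apiKey"
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Stop on transport errors, non-200 responses, or a body that is not JSON
$data = json_decode((string) $response, true);
if ($status !== 200 || !is_array($data)) {
    die("Lookup failed (HTTP $status)");
}

echo "Risk Score: " . $data['risk_score'];
?>

Python

import requests

api_key = 'YOUR_API_KEY'
ip = '8.8.8.8'

# Documented endpoint and X-API-KEY request header
headers = {'X-API-KEY': api_key}
response = requests.get('https://affguard.ai/api/v1/ip/lookup',
                        params={'ip': ip}, headers=headers, timeout=5)
response.raise_for_status()  # 400/401/402/429/500 raise an exception here

data = response.json()
print(f"Risk Score: {data['risk_score']}")

JavaScript

const apiKey = 'YOUR_API_KEY';
const ip = '8.8.8.8';

// Run this server-side only: the API key must not reach client-side code
fetch(`https://affguard.ai/api/v1/ip/lookup?ip=${encodeURIComponent(ip)}`, {
    headers: {
        'X-API-KEY': apiKey
    }
})
.then(response => {
    if (!response.ok) throw new Error(`Lookup failed: HTTP ${response.status}`);
    return response.json();
})
.then(data => {
    console.log('Risk Score:', data.risk_score);
});

cURL

curl -X GET "https://affguard.ai/api/v1/ip/lookup?ip=8.8.8.8" \
     -H "X-API-KEY: YOUR_API_KEY"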