aid: abuseipdb name: AbuseIPDB description: >- AbuseIPDB is a community-driven project to help system administrators, webmasters, and security analysts check the reputation of IP addresses and report malicious activity. The free APIv2 surface lets developers query a single IP, check a CIDR block, retrieve paginated reports, download a curated blacklist, submit single or bulk abuse reports, and clear their own past reports for an address. AbuseIPDB underpins fail2ban, UFW, Cloudflare WAF, Wazuh, Splunk SOAR, and dozens of other firewall and SIEM integrations across the security community. url: https://docs.abuseipdb.com/ humanURL: https://www.abuseipdb.com/ baseURL: https://api.abuseipdb.com/api/v2/ image: https://www.abuseipdb.com/img/abuseipdb-logo.svg specificationVersion: '0.20' type: Index access: 3rd-Party created: '2026-05-28' modified: '2026-05-30' x-source: public-apis/public-apis x-category: Anti-Malware x-tier: 3 x-tier-reason: bulk-registered-from-public-apis tags: - Anti Malware - Blacklist - Cyber Security - IP Reputation - Network Security - Public APIs - Threat Intelligence apis: - aid: abuseipdb:apiv2 name: AbuseIPDB APIv2 description: >- AbuseIPDB APIv2 is a REST API that exposes the AbuseIPDB community blacklist, IP report ingest, IP and CIDR reputation lookups, and self-service report cleanup. Authentication is via an API key delivered in a `Key:` HTTP header; responses are returned as JSON (or plaintext for the blacklist). The API is HTTPS only and enforces per-endpoint daily rate limits that scale by subscription tier. humanURL: https://docs.abuseipdb.com/ baseURL: https://api.abuseipdb.com/api/v2/ tags: - Blacklist - IP Reputation - REST - Threat Intelligence properties: - type: Documentation url: https://docs.abuseipdb.com/ - type: APIReference url: https://docs.abuseipdb.com/#check-endpoint name: CHECK Endpoint description: GET /check — look up the abuse data for a single IPv4 or IPv6 address, optionally with verbose recent reports. - type: APIReference url: https://docs.abuseipdb.com/#reports-endpoint name: REPORTS Endpoint description: GET /reports — retrieve a paginated list of recent reports for a given IP address. - type: APIReference url: https://docs.abuseipdb.com/#blacklist-endpoint name: BLACKLIST Endpoint description: GET /blacklist — download the AbuseIPDB blacklist, with optional confidence, country, IP version, and limit filters. - type: APIReference url: https://docs.abuseipdb.com/#report-endpoint name: REPORT Endpoint description: POST /report — submit an abuse report for a single IP address with category IDs, optional comment and timestamp. - type: APIReference url: https://docs.abuseipdb.com/#bulk-report-endpoint name: BULK-REPORT Endpoint description: POST /bulk-report — submit many IPs in a single CSV multipart upload. - type: APIReference url: https://docs.abuseipdb.com/#check-block-endpoint name: CHECK-BLOCK Endpoint description: GET /check-block — query abuse data for a CIDR network range (subscriber tiers can query larger ranges up to /16). - type: APIReference url: https://docs.abuseipdb.com/#clear-address-endpoint name: CLEAR-ADDRESS Endpoint description: DELETE /clear-address — remove your own past reports for a specific IP address. - type: Authentication url: https://docs.abuseipdb.com/#authentication description: API key authentication. Pass the key in the `Key:` HTTP header (recommended) or as a `?key=` query parameter. - type: RateLimits url: https://docs.abuseipdb.com/#rate-limit-headers description: Per-endpoint daily quotas scaled by plan. 429 responses include `Retry-After`, `X-RateLimit-Limit`, `X-RateLimit-Remaining`, and `X-RateLimit-Reset` headers. - type: Errors url: https://docs.abuseipdb.com/#error-handling description: JSON API compliant error structure with HTTP status code as the primary error indicator. - type: CodeExamples url: https://docs.abuseipdb.com/#api-clients description: Code samples in cURL, Python (requests), PHP (Guzzle), C# (RestSharp), and VBScript. - type: OpenAPI url: openapi/abuseipdb-apiv2-openapi.yml - type: JSONSchema url: json-schema/abuseipdb-check-response-schema.json - type: JSONSchema url: json-schema/abuseipdb-report-schema.json - type: JSONSchema url: json-schema/abuseipdb-blacklist-entry-schema.json - type: JSONStructure url: json-structure/abuseipdb-check-response-structure.json - type: JSONStructure url: json-structure/abuseipdb-report-structure.json - type: JSONStructure url: json-structure/abuseipdb-blacklist-entry-structure.json - type: JSONLD url: json-ld/abuseipdb-context.jsonld - type: Example url: examples/abuseipdb-check-example.json - type: Example url: examples/abuseipdb-report-example.json - type: Example url: examples/abuseipdb-blacklist-example.json - type: Example url: examples/abuseipdb-check-block-example.json - type: Example url: examples/abuseipdb-reports-example.json - type: Example url: examples/abuseipdb-bulk-report-example.json - type: NaftikoCapability url: capabilities/ip-reputation-lookup.yaml - type: NaftikoCapability url: capabilities/abuse-reporting.yaml - type: NaftikoCapability url: capabilities/blacklist-management.yaml common: - type: Website url: https://www.abuseipdb.com/ - type: Documentation url: https://docs.abuseipdb.com/ - type: SignUp url: https://www.abuseipdb.com/register - type: Login url: https://www.abuseipdb.com/login - type: DeveloperPortal url: https://www.abuseipdb.com/account/api name: API Key Dashboard description: Account-level UI for issuing, rotating, and revoking AbuseIPDB API keys. - type: Pricing url: https://www.abuseipdb.com/pricing description: >- Four tiers — Individual (free, 1,000 checks/day), Basic ($25/mo or $228/yr, 10,000 checks/day), Premium ($99/mo or $1,068/yr, 50,000 checks/day), and Enterprise (custom direct-data access). - type: Plans url: plans/abuseipdb-plans-pricing.yml - type: RateLimits url: rate-limits/abuseipdb-rate-limits.yml - type: SpectralRules url: rules/abuseipdb-rules.yml - type: Vocabulary url: vocabulary/abuseipdb-vocabulary.yml - type: FinOps url: finops/abuseipdb-finops.yml - type: Plans url: https://www.abuseipdb.com/account/plans name: Account Plans - type: Blog url: https://www.abuseipdb.com/blog - type: FAQ url: https://www.abuseipdb.com/faq.html - type: Support url: https://www.abuseipdb.com/contact - type: Contact url: https://www.abuseipdb.com/contact - type: TermsOfService url: https://www.abuseipdb.com/terms-of-service - type: PrivacyPolicy url: https://www.abuseipdb.com/privacy-policy - type: GitHubOrganization url: https://github.com/AbuseIPDB description: Official AbuseIPDB org. Hosts `laravel` (Laravel AbuseIPDB middleware package) and `ip-lib` (forked PHP IPv4/IPv6 range library). - type: SDK url: https://github.com/AbuseIPDB/laravel name: AbuseIPDB Laravel Package description: Official Laravel middleware that scores incoming requests against AbuseIPDB. - type: SDK url: https://github.com/nickurt/laravel-abuseipdb name: laravel-abuseipdb (community) description: Community Laravel 11.x/12.x/13.x plugin for AbuseIPDB. - type: SDK url: https://github.com/falegk/abuseipdb-rb name: abuseipdb-rb (Ruby gem) description: Community Ruby client gem for the AbuseIPDB API. - type: SDK url: https://github.com/meatyite/python-abuseipdb name: python-abuseipdb description: Object-oriented Python wrapper for AbuseIPDB v2 API. - type: SDK url: https://github.com/streanger/abuseipdb-wrapper name: abuseipdb-wrapper (Python) description: Python wrapper for the AbuseIPDB API. - type: CLI url: https://github.com/kristuff/abuseipdb-cli name: abuseipdb-cli description: CLI tool to check, report, and download the AbuseIPDB blacklist from the command line. - type: Integrations data: - name: Fail2Ban description: Pre-packaged AbuseIPDB action ships with fail2ban; reports banned offenders directly to AbuseIPDB. - name: UFW (Uncomplicated Firewall) description: Multiple community projects (sefinek/UFW-AbuseIPDB-Reporter, jseutens/ufw-abuseipdb) ingest UFW logs and report or ingest the AbuseIPDB blacklist. - name: Cloudflare WAF description: sefinek/Cloudflare-WAF-To-AbuseIPDB streams Cloudflare WAF events into AbuseIPDB reports. - name: Splunk SOAR description: Official splunk-soar-connectors/abuseipdb connector enriches Splunk SOAR playbooks with AbuseIPDB reputation. - name: Wazuh description: marciuscosta/abuseipdb-wazuh-integration wires AbuseIPDB enrichment into Wazuh with a local cache and multi-key support. - name: CrowdSec description: goremykin/crowdsec-abuseipdb-blocklist converts CrowdSec data into AbuseIPDB blocklists. - name: Endlessh description: elhenro/endlessh-auto-report-abuseipdb auto-reports SSH tarpit visitors to AbuseIPDB. - name: Nginx description: tmiland/abuseipdb-php-nginx-blacklist-create generates an Nginx-ready blocklist file from AbuseIPDB. - name: Zen Cart description: CcMarc/AbuseIPDB plugs AbuseIPDB into the Zen Cart e-commerce platform. - name: TheHive description: AbuseIPDB enrichment is used by SOAR/IR pipelines like malwarekid/SOAR-Flow alongside Wazuh and TheHive. - name: IPinfo description: AbuseIPDB sources its IP geolocation, ISP, usage type, and domain data from IPinfo. - type: Features data: - name: IP Reputation Lookups description: Query any IPv4 or IPv6 address for its abuse confidence score, total reports, distinct reporters, and country/ISP metadata. - name: Community-Sourced Blacklist description: Downloadable daily blacklist of high-confidence abusive IPs, with configurable confidence threshold, country filters, IP version, and result limit. - name: Abuse Reporting description: Submit single or bulk abuse reports tagged with one or more standard category IDs (e.g. SSH Brute-Force, DDoS, Web App Attack). - name: CIDR Block Checking description: Score whole subnets in one call via the CHECK-BLOCK endpoint, with subscriber tiers supporting up to /16 networks. - name: Categorised Abuse Taxonomy description: 23 standard report categories (DNS Compromise, Open Proxy, Brute-Force, Phishing, etc.) for consistent classification. - name: Self-Service Report Clearing description: Remove your own reports for a given IP via the CLEAR-ADDRESS endpoint if a report was made in error. - name: Standard Rate-Limit Headers description: Every response carries X-RateLimit-Limit / Remaining / Reset and Retry-After, simplifying back-off in clients. - name: Whitelist Awareness description: Responses include an `isWhitelisted` flag so consumers can avoid blocking known-good infrastructure. - type: UseCases data: - name: SSH / RDP Brute-Force Defence description: Auto-block and report SSH/RDP brute-force sources via fail2ban, UFW, or endlessh integrations. - name: WAF Augmentation description: Enrich Cloudflare / Nginx / custom WAF rulesets with the AbuseIPDB blacklist for IP-based pre-filtering. - name: SIEM / SOC Enrichment description: Add AbuseIPDB context to Splunk SOAR, Wazuh, and TheHive alerts for analyst triage. - name: Bot and Crawler Filtering description: Score request source IPs before serving e-commerce or login pages to block known-abusive infrastructure. - name: Threat Hunting and OSINT description: Combine AbuseIPDB with VirusTotal, Shodan, GreyNoise and similar feeds (e.g. malwoverview) during incident response. - name: Bulk Reporting from Edge Logs description: Convert nightly access logs into CSV bulk reports to feed the AbuseIPDB community blacklist. - type: Solutions data: - name: Individual (Free) description: 1,000 checks/day, 100 block checks, 5 blacklist downloads. Aimed at hobby admins and home labs. - name: Basic description: $25/mo. 10,000 checks/day, 1,000 block checks, 100 bulk reports, customisable blacklist up to 100,000 IPs. - name: Premium description: $99/mo. 50,000 checks/day, 5,000 block checks, 500 bulk reports, customisable blacklist up to 500,000 IPs. - name: Enterprise description: Custom-priced direct data access for ISPs and large security organisations. maintainers: - FN: Kin Lane email: kin@apievangelist.com