Score IP addresses for abusive behaviour, pull report histories, download blacklists, and submit abuse reports across 7 AbuseIPDB v2 endpoints authenticated by a Key header.
Get started with AbuseIPDB API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"check ip abuse score"
# → Jentic returns the GET /check tool with parameter schema, agent executes.
What an agent can do with AbuseIPDB API.
Score a single IP for abusive behaviour with a 0-100 confidence value via /check
Pull a paginated history of abuse reports for an IP via /reports
Download the blacklist of the most-reported IPs as JSON or plaintext via /blacklist
Submit an abuse report against an IP with a category and comment via /report
Use for: I want to check whether an IP has abuse reports, Get the abuse confidence score for a suspicious IP, Download the AbuseIPDB blacklist for our firewall, Submit an abuse report for an IP that brute-forced our SSH
Not supported: Does not handle malware sample analysis, URL reputation, or DNS data — use for IP abuse scoring, reporting, and blacklist retrieval only.
Jentic publishes the only available OpenAPI specification for AbuseIPDB API, keeping it validated and agent-ready. AbuseIPDB is a community-driven database of IP addresses reported for malicious behaviour including brute-force attacks, scanners, and spam. The v2 API exposes seven endpoints for scoring single IPs, querying CIDR blocks, downloading blacklists, submitting individual or bulk abuse reports, and clearing your own reports. Authentication is a Key header on every call, and responses include a 0-100 abuse confidence score that is widely used as input to firewall, SIEM, and authentication-risk pipelines.
Submit bulk abuse reports as a CSV upload via /bulk-report
Check an entire CIDR block for abuse reports via /check-block
Clear your own submitted reports for an IP via /clear-address
Patterns agents use AbuseIPDB API for, with concrete tasks.
★ Firewall blocklist refresh
A scheduled job calls GET /blacklist with a confidenceMinimum threshold to download the top reported IPs and pushes them into a perimeter firewall blocklist. Combine with a daily diff so old, decayed reports drop off and only currently active offenders are blocked.
GET /blacklist with confidenceMinimum=90&limit=10000, parse the JSON, and push each ipAddress into the firewall deny list
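The parse-and-diff step of this refresh, as an added example that is not Jentic's or AbuseIPDB's code. The response shape (a "data" list of objects with ipAddress and abuseConfidenceScore), the NEVER_BLOCK allowlist and all sample addresses are assumptions made for the illustration.

```python
import ipaddress
import json

# Assumption: ranges you must never block (own egress, monitoring, partners).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample of a GET /blacklist JSON body (documentation-range addresses).
SAMPLE_BODY = json.dumps({"data": [
    {"ipAddress": "203.0.113.7", "abuseConfidenceScore": 100},
    {"ipAddress": "198.51.100.23", "abuseConfidenceScore": 95},
    {"ipAddress": "192.0.2.10", "abuseConfidenceScore": 80},   # below the threshold
    {"ipAddress": "10.0.0.5", "abuseConfidenceScore": 100},    # inside NEVER_BLOCK
    {"ipAddress": "not-an-ip", "abuseConfidenceScore": 100},   # malformed entry
]})


def parse_blacklist(body, minimum=90, never_block=NEVER_BLOCK):
    """Return the set of addresses from a /blacklist body that are safe to deny."""
    wanted = set()
    for entry in json.loads(body).get("data", []):
        try:
            ip = ipaddress.ip_address(entry["ipAddress"])
            score = int(entry["abuseConfidenceScore"])
        except (KeyError, TypeError, ValueError):
            continue  # never pass unparsed strings to the firewall tooling
        if score >= minimum and not any(ip in net for net in never_block):
            wanted.add(str(ip))
    return wanted


def diff_blocklist(current, wanted):
    """Return (to_add, to_remove) so decayed entries drop off the deny list."""
    if not wanted:
        # An empty download is more likely an API or quota error than a clean internet.
        raise ValueError("empty blacklist; keeping current rules")
    return sorted(wanted - current), sorted(current - wanted)


if __name__ == "__main__":
    current = {"203.0.113.7", "203.0.113.99"}  # constructed: yesterday's deny list
    print(diff_blocklist(current, parse_blacklist(SAMPLE_BODY)))
```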
SSH brute-force reporting
A fail2ban-style job parses sshd auth logs, detects repeat offenders, and calls POST /report with categories=18,22 and a comment summarising the attempt. This contributes to the AbuseIPDB community feed and gets the IP scored for everyone else.
POST /report with ip=<offender>, categories='18,22', comment='SSH brute force on host X' for each detected offender
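The detection half of this job, as an added example that is not fail2ban's, Jentic's or AbuseIPDB's code. The log lines are constructed, the threshold of 3 failures and the host_label parameter are assumptions, and attempted usernames are deliberately left out of the comment because reports feed a community database.

```python
import ipaddress
import re
from collections import Counter

# The username is attacker-controlled text, so the greedy ".*" plus the "$" anchor
# make the capture bind to the final "from <addr> port <n>" that sshd itself wrote.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

# Constructed sample of sshd auth log lines (documentation-range addresses).
SAMPLE_LOG = """\
Jan 10 03:12:01 hostx sshd[811]: Failed password for root from 203.0.113.50 port 40122 ssh2
Jan 10 03:12:04 hostx sshd[811]: Failed password for invalid user admin from 203.0.113.50 port 40124 ssh2
Jan 10 03:12:09 hostx sshd[813]: Failed password for invalid user test from 203.0.113.50 port 40130 ssh2
Jan 10 03:15:40 hostx sshd[820]: Failed password for alice from 198.51.100.9 port 51812 ssh2
Jan 10 03:15:52 hostx sshd[820]: Accepted password for alice from 198.51.100.9 port 51812 ssh2
"""


def count_failures(log_text):
    """Count failed sshd password attempts per valid source address."""
    hits = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line.rstrip())
        if not match:
            continue
        try:
            hits[str(ipaddress.ip_address(match.group(1)))] += 1
        except ValueError:
            continue  # sshd logged something that is not an IP address
    return hits


def build_reports(log_text, threshold=3, host_label="host X"):
    """Return one POST /report form body per address at or above the threshold."""
    return [
        {"ip": ip, "categories": "18,22",
         "comment": f"SSH brute force on {host_label}: {count} failed logins"}
        for ip, count in sorted(count_failures(log_text).items())
        if count >= threshold
    ]


if __name__ == "__main__":
    print(build_reports(SAMPLE_LOG))
```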
Pre-login risk score
Before allowing a login from an unfamiliar IP, an authentication service calls GET /check with verbose=true and uses the abuseConfidenceScore alongside other signals to decide whether to challenge or block. Returns within a few hundred milliseconds and caches well.
GET /check with ipAddress=<login-ip>&verbose=true; if abuseConfidenceScore >= 75 then require MFA challenge
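One way to wire this check into a login path, as an added example that is not Jentic's or AbuseIPDB's code. The RiskGate class, the one-hour cache TTL, the 2-second timeout and the choice to challenge (rather than allow or block) when the lookup fails are assumptions of this sketch; the lookup function is injected so the decision logic runs offline.

```python
import json
import time
import urllib.parse
import urllib.request

CHECK_URL = "https://api.abuseipdb.com/api/v2/check"
MFA_THRESHOLD = 75  # the threshold used in the pattern above


def build_check_request(ip, api_key, max_age_days=90):
    """Build GET /check with the Key and Accept headers the API requires."""
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    return urllib.request.Request(
        f"{CHECK_URL}?{query}", headers={"Key": api_key, "Accept": "application/json"})


class RiskGate:
    """Cache /check decisions per IP and fail towards an MFA challenge."""

    def __init__(self, fetch, ttl=3600, clock=time.monotonic):
        self.fetch, self.ttl, self.clock = fetch, ttl, clock
        self.cache = {}  # ip -> (stored_at, decision)

    def decide(self, ip):
        now = self.clock()
        hit = self.cache.get(ip)
        if hit and now - hit[0] < self.ttl:
            return hit[1]
        try:
            score = int(json.loads(self.fetch(ip))["data"]["abuseConfidenceScore"])
        except (OSError, KeyError, TypeError, ValueError):
            # Timeout, quota error or unexpected body: challenge, and do not
            # cache, so one outage neither locks users out nor waves them through.
            return "challenge"
        decision = "challenge" if score >= MFA_THRESHOLD else "allow"
        self.cache[ip] = (now, decision)
        return decision


def live_fetch(ip, api_key):
    """Real lookup (needs network); bind api_key with functools.partial."""
    with urllib.request.urlopen(build_check_request(ip, api_key), timeout=2) as resp:
        return resp.read()
```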
AI agent IOC enrichment via Jentic
A SOC agent enriching IOCs from an EDR queue calls AbuseIPDB through Jentic to attach abuse score and report counts to each suspicious IP. The Key header is held by Jentic, so the agent never sees the raw credential.
For each IP from the EDR feed, GET /check with ipAddress=<ip>&maxAgeInDays=90 and append abuseConfidenceScore and totalReports to the IOC record
7 endpoints

| PATH | DESCRIPTION |
|---|---|
| /check | Get the abuse confidence score and report summary for an IP |
| /reports | Paginated abuse-report history for an IP |
| /blacklist | Download the most-reported IPs above a confidence threshold |
| /report | Submit an abuse report against an IP |
| /bulk-report | Submit bulk abuse reports via CSV |
| /check-block | Check a CIDR block for abuse reports |
| /clear-address | Clear your own reports for an IP |
Three things that make agents converge on Jentic-routed access.
Credential isolation
The AbuseIPDB Key is stored encrypted in the Jentic vault and injected as the Key header at execution time. Agents receive scoped access tokens — raw API keys never enter the agent's context.
Intent-based discovery
Agents search Jentic by intent (e.g. 'check ip abuse score', 'download ip blacklist') and Jentic returns the matching AbuseIPDB operation with its input schema, so the agent calls /check, /blacklist, or /report without reading docs.
Time to first call
Direct integration: 4-6 hours for auth, header handling, pagination on /reports, and CSV upload for /bulk-report. Through Jentic: under an hour — search, load, execute.
Alternatives and complements available in the Jentic catalogue.
MalwareBazaar
abuse.ch repository for malware sample lookup, retrieval, and submission
Use AbuseIPDB to score the IP a sample was downloaded from, then use MalwareBazaar to look up the hash hosted at that IP.
URLhaus
abuse.ch feed of malicious URLs used for malware distribution
Use URLhaus to identify malicious URLs and AbuseIPDB to score the IPs those URLs resolve to.
Shodan
Search engine for internet-exposed services and infrastructure
Use Shodan to inspect what services run on a suspect IP and AbuseIPDB to see whether it has abuse reports.
Specific to using AbuseIPDB API through Jentic.
Why is there no official OpenAPI spec for AbuseIPDB API?
AbuseIPDB documents the API in HTML at docs.abuseipdb.com but does not publish a structured OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call AbuseIPDB API via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the AbuseIPDB API use?
A Key header on every request, tied to a free or paid AbuseIPDB account. The Accept: application/json header is also required for JSON responses. Through Jentic the Key is stored encrypted in the vault and injected at execution time.
Can I report an abusive IP with this API?
Yes. POST /report accepts the IP, a comma-separated list of category IDs (e.g. 18,22 for SSH brute force), and an optional comment. Use POST /bulk-report with a CSV payload to submit many reports at once.
What are the rate limits for the AbuseIPDB API?
Free accounts get 1,000 checks and 100 reports per day; paid plans (Basic Subscriber, Premium) raise these to tens of thousands per day. Limits are not encoded in the spec — the response includes X-RateLimit headers showing remaining quota.
How do I score an IP through Jentic?
Search Jentic for 'check ip abuse score', load GET /check on api.abuseipdb.com/api/v2, then execute with ipAddress and maxAgeInDays. Install with pip install jentic and use await client.search, load, execute.
Is the AbuseIPDB API free?
Yes, with a 1,000 check/day free tier. Paid plans (Basic Subscriber, Premium) raise daily quotas, add the bulk-report endpoint at higher volume, and unlock larger blacklist downloads.