IP Risk API
Validate IP addresses and assess risk factors including fraud detection, network information, and anonymity indicators
The Beltic IP Risk API provides comprehensive IP address validation and risk assessment to help identify fraudulent users, proxy connections, VPNs, Tor networks, and other suspicious network activity. Our API analyzes IP addresses for fraud indicators, geographic location, network type, and anonymity services to help protect your platform from malicious users.
What is IP Risk Analysis?
IP risk analysis evaluates the reputation and characteristics of IP addresses to identify potential threats. Our system analyzes network information, geographic data, anonymity indicators, and historical abuse patterns to provide comprehensive risk scoring for any IP address.
How Does IP Risk Analysis Work?
Our IP risk analysis technology performs comprehensive checks that examine IP addresses from multiple angles. It features advanced network verification checks for issues like proxy detection, VPN identification, Tor network analysis, bot detection, and geographic risk assessment.
IP Risk Analysis API Use Cases
Fraud Prevention: Identify high-risk IP addresses associated with fraudulent activity, chargebacks, and malicious behavior to prevent financial losses.
Proxy & VPN Detection: Detect users hiding behind proxy servers, VPNs, and Tor networks to identify potential fraudsters and anonymous users.
Bot Traffic Filtering: Filter out automated bot traffic and crawlers to ensure only legitimate human users access your platform.
Geographic Risk Assessment: Analyze geographic location data to identify high-risk countries and regions for enhanced security.
Account Takeover Prevention: Detect IP addresses associated with credential stuffing attacks and account takeover attempts.
Endpoint
POST https://api.beltic.com/v1/ips/risk
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| ip_address | string | Yes | The IP address to validate (e.g., "1.1.1.1") |
Authentication
Include your API key in the request header:
X-Api-Key: your_api_key_here
Example Request
curl --location 'https://api.beltic.com/v1/ips/risk' \
--header 'X-Api-Key: ApiKey' \
--header 'Content-Type: application/json' \
--data '{
"ip_address": "1.1.1.1"
}'
Example Response
{
"risk": {
"fraud_score": 0,
"recent_abuse": false
},
"network": {
"isp": "Cloudflare",
"asn": 13335,
"organization": "Cloudflare",
"host": "one.one.one.one",
"timezone": "America/Denver",
"mobile": false
},
"anonymity": {
"proxy": false,
"vpn": false,
"tor": false,
"active_vpn": false,
"active_tor": false
},
"bot": {
"is_crawler": false,
"bot_status": false
},
"address": {
"formatted_address": "Denver, Colorado, US",
"country": "US",
"city": "Denver",
"state_or_province": "Colorado",
"postal_code": null,
"latitude": -33.86000061,
"longitude": 151.21000671
}
}
Response Field Definitions
The Beltic IP Risk API returns comprehensive data with each lookup to help your development team make informed decisions in your business logic. The "Fraud Score" provides valuable insights to identify high-risk IP addresses and network characteristics.
Fraud Score Risk Assessment
| Fraud Score | Risk Level | Description |
|---|---|---|
| ≥75 | Suspicious | Has had previous reputation issues or is using a low risk proxy/VPN |
| ≥85 | High Risk | Has suspicious behavior signals |
| ≥90 | Frequent Abusive Behavior | Has demonstrated frequent abusive behavior over the past 24-72 hours |
Consider results as high risk when:
fraud_score is at least 90
Analyzing the overall Fraud Score is usually the best way to determine the user's overall risk. Fraud Scores >= 75 are suspicious and likely to be a proxy, VPN, or TOR connection, but not necessarily a fraudulent user. This could indicate that users are protecting their privacy online by browsing anonymously with a proxy connection or VPN service. Fraud Scores >= 90 are high-risk users likely to engage in malicious behavior. Scores in this threshold indicate recent or excessive abuse and fit the profile of a typical risky user.
We recommend also using additional risk data points such as bot_status, frequent_abuser, high_risk_attacks, recent_abuse, and abuse_velocity in your decision-making for further granularity. The connection_type, shared_connection, and dynamic_connection variables also play an important role in determining the best business logic for your audience.
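One way to apply the thresholds above in code (an added example, not Beltic's own code): it validates the address locally before the request is built, then maps a response to an action using the score tiers from the table and only the fields shown in the example response. The action names (`allow`, `challenge`, `block`, `review`), the rule that a score of 85 or more needs corroboration to block, and the sample inputs are assumptions of this example.

```python
import ipaddress
import json

# Tiers from the page's Fraud Score table.
SUSPICIOUS, HIGH_RISK, ABUSIVE = 75, 85, 90

def request_body(ip):
    """Validate locally (the API answers 400 on bad input) and build the JSON body."""
    return json.dumps({"ip_address": str(ipaddress.ip_address(ip))})

def decide(resp):
    """Return (action, reasons). Action names are this example's own, not API values."""
    if not isinstance(resp, dict) or "error" in resp:
        return "review", ["lookup_failed"]      # never treat a failed lookup as clean
    risk, anon, bot = (resp.get(k) or {} for k in ("risk", "anonymity", "bot"))
    score = risk.get("fraud_score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "review", ["no_fraud_score"]
    reasons = [name for name, hit in (
        ("recent_abuse", risk.get("recent_abuse")),
        ("bot_status", bot.get("bot_status")),
        ("active_tor", anon.get("active_tor")),
        ("active_vpn", anon.get("active_vpn")),
    ) if hit is True]
    corroborated = "recent_abuse" in reasons or "bot_status" in reasons
    if score >= ABUSIVE or (score >= HIGH_RISK and corroborated):
        return "block", [f"fraud_score={score}"] + reasons
    # A VPN or proxy alone is not fraud, so this tier steps up instead of blocking.
    if score >= SUSPICIOUS or corroborated or "active_tor" in reasons:
        return "challenge", [f"fraud_score={score}"] + reasons
    return "allow", reasons

# Constructed inputs: the page's example response (trimmed) and variations on it.
CLEAN = {"risk": {"fraud_score": 0, "recent_abuse": False},
         "anonymity": {"proxy": False, "vpn": False, "tor": False,
                       "active_vpn": False, "active_tor": False},
         "bot": {"is_crawler": False, "bot_status": False}}
VPN_USER = {"risk": {"fraud_score": 78, "recent_abuse": False},
            "anonymity": {"proxy": True, "vpn": True, "active_vpn": True}}
ABUSER = {"risk": {"fraud_score": 86, "recent_abuse": True},
          "bot": {"bot_status": True}}
UNAUTHORIZED = {"error": "Unauthorized", "message": "Invalid or missing API key"}

if __name__ == "__main__":
    for name, r in [("clean", CLEAN), ("vpn", VPN_USER),
                    ("abuser", ABUSER), ("401", UNAUTHORIZED)]:
        print(name, decide(r))
```

Returning `review` for error bodies and missing scores keeps an expired API key or an outage from silently turning every lookup into an `allow`.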
Complete Field Reference
The API response is organized into the following main objects:
Risk Object
| Field | Data Types | Explanation |
|---|---|---|
| fraud_score | float | The overall fraud score of the user based on the IP, user agent, language, and any other optionally passed variables. Fraud Scores >= 75 are suspicious, but not necessarily fraudulent. We recommend flagging or blocking traffic with Fraud Scores >= 90, but you may find it beneficial to use a higher or lower threshold. |
| recent_abuse | boolean | This value will indicate if there has been any recently verified abuse across our network for this IP address. Abuse could be a confirmed chargeback, account takeover attack, compromised device, fake application or registration, digital impersonation (stolen user data), bot attack, or similar malicious behavior within the past few days. |
Network Object
| Field | Data Types | Explanation |
|---|---|---|
| isp | string | ISP if one is known. Otherwise null. |
| organization | string | Organization if one is known. Can be parent company or sub company of the listed ISP. Otherwise null. |
| asn | integer | Autonomous System Number if one is known. Null if nonexistent. |
| host | string | Hostname of the IP address if one is available. |
| timezone | string | Timezone of IP address if available or null if unknown. |
| mobile | boolean | Is this user agent a mobile browser? (will always be false if the user agent is not passed in the API request) |
Anonymity Object
| Field | Data Types | Explanation |
|---|---|---|
| proxy | boolean | Is this IP address suspected to be a proxy? (SOCKS, Elite, Anonymous, VPN, Tor, etc.) |
| vpn | boolean | Is this IP suspected of being a VPN connection? This can include data center ranges which can become active VPNs at any time. The "proxy" status will always be true when this value is true. |
| tor | boolean | Is this IP suspected of being a TOR connection? This can include previously active TOR nodes and exits which can become active TOR exits at any time. The "proxy" status will always be true when this value is true. |
| active_vpn | boolean | Identifies active VPN connections used by popular VPN services and private VPN servers. |
| active_tor | boolean | Identifies active TOR exits on the TOR network. |
Bot Object
| Field | Data Types | Explanation |
|---|---|---|
| is_crawler | boolean | Is this IP associated with being a confirmed crawler from any of the following search engines, based on hostname or IP address verification: Baidu, Google, Bing, Yahoo, Yandex, Sogou, Exabot, DuckDuckGo, Facebook, Twitter, Pinterest, Naver, UptimeRobot, AppleBot, ArchiveBot, CoccocBot, YisouBot, PetalBot, ByteDance, and MailRU. |
| bot_status | boolean | Indicates if bots or non-human traffic has recently used this IP address to engage in automated fraudulent behavior. Provides stronger confidence that the IP address is suspicious. |
Address Object
| Field | Data Types | Explanation |
|---|---|---|
| formatted_address | string | Complete formatted address string |
| country | string | The two-character country code for this IP address |
| city | string | City of IP address if available or null if unknown |
| state_or_province | string | Region (state) of IP address if available or null if unknown |
| postal_code | string | Postal code of IP address if available or null if unknown |
| latitude | float | Latitude of IP address if available or null if unknown |
| longitude | float | Longitude of IP address if available or null if unknown |
Error Responses
400 Bad Request
{
"error": "Invalid IP address format",
"message": "IP address must be in valid IPv4 or IPv6 format"
}
401 Unauthorized
{
"error": "Unauthorized",
"message": "Invalid or missing API key"
}