Back

API Reference

All endpoints accept and return JSON unless noted. No authentication required.

Rate limits (per IP)

IP checks        60 req / min

DNS queries      30 req / min

CDN detection   20 req / min

TLS scans        10 req / min

Screenshots       5 req / min

My IP

GET /ip/raw

Response — text/plain

203.0.113.42
GET /ip/json

Response — application/json

{"ip": "203.0.113.42",
 "city": "San Francisco",
 "region": "California",
 "country": "US",
 "org": "AS12345 Example ISP",
 "latitude": 37.7749,
 "longitude": -122.4194}

IP Lookup

Rate limited to 60 req / min.

POST /ip/check

Request — application/json

{"ip_address": "8.8.8.8"}

Response — application/json

{"isp": "Google LLC",
 "city": "Mountain View",
 "region": "California",
 "country": "US",
 "latitude": 37.4056,
 "longitude": -122.0775}

DNS Resolver

Rate limited to 30 req / min.

POST /app/dig

Request — application/x-www-form-urlencoded

domain=github.com&record_types=A&record_types=MX

Response — application/json

{"records": {
  "A": ["140.82.121.4"],
  "MX": ["10 aspmx.l.google.com."]}}

CDN Detection

Rate limited to 20 req / min.

POST /cdn/check

Request — application/json

{"domain": "example.com"}

Response — application/json

{"cdn_detected": true,
 "provider": "Cloudflare",
 "confidence": "high",
 "headers_found": ["cf-ray", "cf-cache-status"],
 "features": {
   "compression": "br",
   "http2": true,
   "http3": true,
   "hsts": true,
   "cache_status": "HIT",
   "waf_indicators": ["cf-ray"]},
 "status_code": 200,
 "final_url": "https://example.com/"}

TLS Scan

Rate limited to 10 req / min.

POST /tls/scan

Request — application/json

{"domain": "github.com", "port": 443}

Response — application/json

{"domain": "github.com", "port": 443,
 "tls_version": "TLSv1.3",
 "cipher": {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "bits": 128},
 "certificate": {
   "subject": {"commonName": "github.com"},
   "issuer": {"commonName": "DigiCert TLS Hybrid ECC SHA384 2020 CA1",
              "organizationName": "DigiCert Inc"},
   "sans": ["github.com", "www.github.com"],
   "not_before": "2024-03-07T00:00:00+00:00",
   "not_after": "2026-03-14T00:00:00+00:00",
   "days_remaining": 347,
   "expired": false,
   "fingerprint_sha256": "AA:BB:CC:...",
   "fingerprint_sha1": "11:22:33:..."},
 "pqc": {
   "pqc_supported": true,
   "pqc_group_id": "0x11ec",
   "pqc_mechanism": "X25519Kyber768",
   "pqc_via_hrr": true,
   "pqc_note": null}}

PQC is probed via a raw ClientHello advertising hybrid groups (X25519MLKEM768, X25519Kyber768, etc.) at highest priority. A HelloRetryRequest or direct ServerHello selecting a PQC group confirms support. If the server accepts the classical X25519 fallback, PQC is reported as not detected.

User Agent Parser

No rate limit for manual queries.

POST /ua/check

Request — application/json

{"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"}

Response — application/json

{"browser": {
  "family": "Chrome",
  "version": "124.0.0",
  "engine": "Blink",
  "client_type": "browser",
  "client_name": "Chrome",
  "client_version": "124.0.0"},
 "os": {
  "family": "Mac OS X",
  "version": "10.15.7",
  "arch": null},
 "device": {
  "type": "desktop",
  "type_ua": "desktop",
  "brand": null,
  "model": null},
 "capabilities": {
  "is_mobile": false,
  "is_tablet": false,
  "is_pc": true,
  "is_bot": false,
  "bot_name": null,
  "is_touch_capable": false,
  "is_email_client": false}}

Parsed using user-agents (ua-parser/uap-core) enriched with device-detector for brand/model, engine, bot identification, and client type classification. Send the raw User-Agent string from any HTTP request; omit the header to parse your own browser.

Screenshot

Rate limited to 5 req / min.

POST /screenshot/capture

Request — application/json

{"url": "example.com",
 "full_page": false,
 "describe": false}

Response — application/json

{"image_base64": "iVBORw0KGgo...",
 "description": null,
 "vision_provider": null,
 "vision_model": null}

CSP Checker

POST /csp/check

Request body

{"url": "https://example.com"}

Response

{
  "url": "https://example.com/",
  "status_code": 200,
  "has_csp": true,
  "has_csp_report_only": false,
  "raw": "default-src 'self'; script-src 'self' 'unsafe-inline'; ...",
  "directives": {
    "default-src": ["'self'"],
    "script-src":  ["'self'", "'unsafe-inline'"]
  },
  "findings": [
    {
      "severity": "high",
      "title": "unsafe-inline in script-src",
      "detail": "Inline <script> blocks and event handlers are permitted..."
    }
  ],
  "grade": { "letter": "C", "color": "warning", "label": "High-risk directives" }
}