API Reference

Base URL https://api.netbait.org

The Netbait API returns an abuse score for any IPv4 address. A single number between 0 and 1 that measures how malicious that address is, computed in real time from our continuously updated dataset.

Public lookups require no authentication and are available at 10 requests per second per client IP. Authenticated requests use a token for higher rate limits.

Get a token

Tokens are issued on request. Send an email to [email protected] with the following information:

FieldDescription
Rate per secondHow many requests per second you need
Use caseWhat you are building and why you need the higher limit

Requests without both pieces of information will not be processed.

No token is required to use Netbait. Public lookups work out of the box at 10 requests per second. A token is only needed if that limit is not enough for your use case.

Authentication

Pass your token in the Authorization header on every request that requires it.

Authorization: Bearer nb_live_...

The score endpoint is accessible without a token for public use. A token unlocks higher rate limits.

Never expose a token in browser-side JavaScript. If you are querying the API from a frontend, route requests through your own backend.

Rate limiting

Unauthenticated requests are limited to 10 per second per client IP. Authenticated tokens carry their own configured limit. Counters are per-second only. There are no per-minute or daily quotas.

Every authenticated response includes the following headers:

HeaderDescription
RateLimit-LimitMaximum requests per second for this token
RateLimit-RemainingRequests remaining in the current window
RateLimit-ResetUnix timestamp when the counter resets

When the limit is exceeded, the server returns HTTP 429 with a Retry-After header indicating how many seconds to wait.

Score an IP address

Returns the abuse score for a single IPv4 address.

GET /v1/score/{ip}

No authentication required. A token increases your rate limit.

Example

curl https://api.netbait.org/v1/score/8.8.8.8
Response
0.0412

The response body is the raw score as a plain decimal number. No JSON envelope, no metadata. Designed to be dropped directly into a comparison without parsing.

Score values

The score measures the severity of an address's threat level, not a probability. A low score does not mean the address is safe by intent: a 0.20 may be a compromised machine whose owner has no idea it is generating malicious traffic. A 0.99 is a confirmed, deliberate bad actor. The thresholds below reflect how we use the score on our own routers, but you are free to set your own.

RangeMeaningRecommended action
0.00 to 0.30Low threat level. May include compromised machines with limited known activity.Allow
0.30 to 0.65Moderate threat. Associated with scanning, noise or grey-area operations.Review or throttle
0.65 to 1.00High threat. Confirmed malicious activity, deliberate and sustained.Block

Our own network blocks anything above 0.30. At that threshold, 80% of inbound traffic is eliminated before touching any service.

Errors

StatusMeaning
400The address provided is not a valid IPv4 address
401Missing or invalid token
429Rate limit exceeded. Check Retry-After
500Internal error on our side

Integration pattern

Do not block incoming traffic while waiting for the API response. Query asynchronously and correlate the result after the fact. This keeps your application fast regardless of network conditions and avoids adding latency to every connection.

A practical approach: let the request through, fire the score lookup in a background thread or job, then act on the result. For most use cases (rate limiting, signup protection, logging), a few hundred milliseconds of delay between the connection and the decision has no practical impact. For hard blocking at the network edge, a local cache (see below) removes the need to wait at all.

Local cache

Querying the API on every single connection is rarely necessary and will consume your rate limit quickly. A local lookup table with expiring entries solves both problems at once.

The recommended approach is to maintain two separate lists:

ListTTLRationale
Allowed6 hoursLegitimate IPs change rarely. Six hours avoids repeat queries without keeping stale entries too long.
Blocked24 hoursHostile addresses stay hostile. A longer TTL means a repeat offender never burns your rate limit a second time that day.

On each incoming connection, check your local table first. If the IP is there and the entry has not expired, apply the cached decision immediately without touching the API. If it is not in the table, query the API, store the result with the appropriate TTL, and apply the decision.

This pattern keeps your tables small enough to stay in memory, protects your rate limit from being exhausted by a single persistent attacker, and adds zero latency on repeat visits.