Skip to content

Developer API · v1 stable

SipRadar REST API

Bearer-token auth, predictable JSON, generous rate limits, and 99.95% uptime SLA on paid tiers. Wire IP reputation, live threat feeds, and PBX audits into your stack this afternoon.

Quick start

Authenticate and make your first request

All API requests require a Bearer token. Generate keys from your dashboard after signing up. Base URL is stable across all v1 endpoints.

Base URL

https://api.sipradar.net

Authentication

Authorization: Bearer sk_live_...
Content-Type: application/json

First request

$ curl -H "Authorization: Bearer sk_live_..." \
     https://api.sipradar.net/v1/ip/185.243.115.84

Endpoints

API reference

Five stable v1 endpoints. OpenAPI 3.1 schema available in your dashboard.

GET/v1/ip/{addr}

IP reputation lookup

Returns honeypot reputation, threat score, attack pattern, geo, and ASN for a single IPv4 address.

Parameters

NameInTypeDescription
addr *pathstringIPv4 address to look up.

Request

curl -H "Authorization: Bearer sk_live_..." \
     https://api.sipradar.net/v1/ip/185.243.115.84

Response

{
  "ip": "185.243.115.84",
  "malicious": true,
  "score": 98,
  "first_seen": "2026-05-02T11:14:07Z",
  "last_seen": "2026-07-15T09:42:11Z",
  "hits": 4127,
  "pattern": "sip-register-bruteforce",
  "asn": "AS49505",
  "country": "RU"
}
GET/v1/threats

Live threat event stream

Rolling stream of honeypot events. Filter by port, country, and minimum threat score. Supports long-poll and WebSocket on Active Defense+.

Parameters

NameInTypeDescription
limitqueryintegerMax events to return (default 50, max 500).
min_scorequeryintegerMinimum threat score 0–100.
portqueryintegerFilter by SIP port (5060, 5061, etc.).
countryquerystringISO 3166-1 alpha-2 country code.

Request

curl -H "Authorization: Bearer sk_live_..." \
     "https://api.sipradar.net/v1/threats?limit=50&min_score=60"

Response

{
  "events": [
    {
      "ip": "185.243.115.84",
      "port": 5060,
      "country": "RU",
      "user_agent": "SIPVicious",
      "score": 98,
      "pattern": "sip-register-bruteforce",
      "ts": "2026-07-15T09:42:11Z"
    }
  ],
  "meta": { "buffer": 60, "streaming": true }
}
POST/v1/scan

PBX security audit

Kick off an on-demand PBX audit against a public SIP endpoint. Returns a job ID and optional webhook callback.

Parameters

NameInTypeDescription
target *bodystringHostname or IP of the SIP endpoint.
platform *bodystringasterisk | kamailio | 3cx | freeswitch | opensips | freepbx
webhook_urlbodystringHTTPS URL for scan.completed webhook.

Request

curl -X POST https://api.sipradar.net/v1/scan \
  -H "Authorization: Bearer sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{"target":"pbx.example.com","platform":"asterisk"}'

Response

{
  "job_id": "scan_7f3a9c2e",
  "status": "queued",
  "target": "pbx.example.com",
  "platform": "asterisk",
  "eta_seconds": 45
}
GET/v1/blacklist.txt

Plain-text SIP blacklist

Plain-text list of malicious IPs for Fail2Ban, iptables, or nftables. Refreshes every 60 seconds. One IP per line.

Request

curl -H "Authorization: Bearer sk_live_..." \
     https://api.sipradar.net/v1/blacklist.txt

Response

185.243.115.84
77.83.36.219
5.188.86.174
222.186.42.155
POST/v1/report

Submit suspicious activity

Submit a suspicious IP or raw SIP payload to the honeypot network for analysis and reputation scoring.

Parameters

NameInTypeDescription
ip *bodystringSource IP address.
payloadbodystringRaw SIP message (base64-encoded).
notesbodystringOptional context for analysts.

Request

curl -X POST https://api.sipradar.net/v1/report \
  -H "Authorization: Bearer sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{"ip":"203.0.113.42","notes":"REGISTER flood on port 5060"}'

Response

{
  "report_id": "rpt_a8f2c1d0",
  "status": "queued",
  "queued_at": "2026-07-15T10:22:00Z"
}

Rate limits

Per-plan request limits

Rate limits apply per API key. Webhook and WebSocket streaming are available on Active Defense and Enterprise.

PlanRequests / minWebSocketBulk lookup
Community100 / monthn/a1 IP per request
Single PBXReal-timen/a1 IP per request
Active DefenseUnlimitedYesBatch supported
EnterpriseUnlimited (dedicated pool)YesCustom batch size

Webhooks

Event-driven integrations

Configure webhook URLs in your dashboard. All payloads are signed with HMAC-SHA256 using your webhook secret.

scan.completed

Fired when a PBX audit job finishes. Payload includes full remediation report.

{
  "event": "scan.completed",
  "job_id": "scan_7f3a9c2e",
  "target": "pbx.example.com",
  "critical_findings": 2,
  "report_url": "https://api.sipradar.net/v1/scan/scan_7f3a9c2e/report"
}
scan.failed

Fired when a PBX audit cannot complete (timeout, ownership verification failed).

{
  "event": "scan.failed",
  "job_id": "scan_7f3a9c2e",
  "target": "pbx.example.com",
  "reason": "ownership_verification_failed"
}
threat.high_score

Fired when a new honeypot event exceeds your configured score threshold.

{
  "event": "threat.high_score",
  "ip": "185.243.115.84",
  "score": 98,
  "pattern": "sip-register-bruteforce",
  "ts": "2026-07-15T09:42:11Z"
}

SDKs

Official client libraries

Native SDKs for PHP, Python, and Node.js. OpenAPI 3.1 schema and Postman collection available in the dashboard.

PHP

composer require sipradar/sdk

<?php
use SipRadar\Client;

$client = new Client('sk_live_...');
$result = $client->ip()->lookup('185.243.115.84');
echo $result->score; // 98

Python

pip install sipradar

from sipradar import SipRadar

client = SipRadar(api_key="sk_live_...")
result = client.ip.lookup("185.243.115.84")
print(result.score)  # 98

Node.js

npm install @sipradar/sdk

import { SipRadar } from '@sipradar/sdk';

const client = new SipRadar({ apiKey: 'sk_live_...' });
const result = await client.ip.lookup('185.243.115.84');
console.log(result.score); // 98

Errors

HTTP status codes

All errors return JSON with an error object containing code, message, and request_id.

  • 401Unauthorized

    Missing or invalid Bearer token.

  • 403Forbidden

    Valid token but insufficient plan permissions for this endpoint.

  • 404Not Found

    Resource does not exist (e.g. unknown IP with no reputation data).

  • 429Too Many Requests

    Rate limit exceeded. Retry-After header indicates wait time in seconds.

  • 500Internal Server Error

    Unexpected server error. Contact support with the X-Request-Id header.

Get started

Generate your API key and start integrating.

Community tier includes 1 PBX scan/month, 100 API lookups, and a 48-hour delayed threat feed, free forever.