IP API

Residential proxies and other forms of anonymization services provide a challenge for fraud prevention and risk teams. The Synthient IP API provides detailed intelligence on IP addresses, including risk scoring, device insights, and network information to help identify and mitigate potential threats.

GET/api/v3/lookup/ip

Get IP Data

Parameters

Name
days
Type
number
Description
Optional. Limit the lookback window to the last N days. Affects the behavior, categories, enriched, and ip_risk fields. Defaults to 365 when not specified.

Response Fields

Querying ip information ip_address

Name
ip
Type
string
Description
The IP address queried in the request.
Name
network
Type
null | object
Description
The network information of the IP address.
Name
network.asn
Type
uint32
Description
The autonomous system number (ASN). Will be 0 if not reserved.
Name
network.isp
Type
string
Description
Internet service provider (ISP) name.
Name
network.org
Type
null | string
Description
Name of organization which owns the IP address.
Name
network.type
Type
string
Description
Type of network (e.g. RESIDENTIAL, DATACENTER).
Name
network.connection_type
Type
string
Description
Connection type description (for example, broadband, cellular).
Name
network.abuse_email
Type
null | string
Description
Email address for reporting abuse.
Name
network.abuse_phone
Type
null | string
Description
Phone number for reporting abuse.
Name
network.domain
Type
null | string
Description
Registered domain of the network owner.
Name
network.contact
Type
null | string
Description
General abuse contact information when available.
Name
location
Type
object
Description
Geographical information for the IP.
Name
location.geo_hash
Type
string
Description
Geohash for coarse location grouping.
Name
location.continent
Type
string
Description
Two-letter continent code.
Name
location.country
Type
string
Description
Two-letter ISO country code.
Name
location.state
Type
string
Description
Region or state code.
Name
location.region_name
Type
string
Description
Region or state name.
Name
location.region_id
Type
string
Description
Internal region identifier.
Name
location.county
Type
string
Description
County or district name.
Name
location.city
Type
string
Description
City name.
Name
location.postal_code
Type
null | string
Description
Postal or ZIP code when available.
Name
location.timezone
Type
string
Description
IANA time zone identifier.
Name
location.utc_offset
Type
int16
Description
Offset from UTC in minutes.
Name
location.geo_id
Type
uint32
Description
Internal geo identifier.
Name
location.latitude
Type
float64
Description
Latitude coordinate.
Name
location.longitude
Type
float64
Description
Longitude coordinate.
Name
ip_data
Type
object
Description
Enriched intelligence and risk signals about the IP.
Name
ip_data.device_count
Type
number
Description
Count of unique devices observed behind this IP.
Name
ip_data.devices
Type
array
Description
Details of devices seen using this IP address.
Name
ip_data.devices[].os
Type
string
Description
Operating system of the device (for example, ANDROID, IOS, WINDOWS).
Name
ip_data.devices[].version
Type
string
Description
OS version string when available.
Name
ip_data.behavior
Type
array<string>
Description
List of observed behaviors (e.g. TOR_USER, ACTIVE_CRAWLER).
Name
ip_data.categories
Type
array<string>
Description
Top-level categories associated with this IP (e.g. RESIDENTIAL_PROXY).
Name
ip_data.enriched
Type
array<object>
Description
Providers and signals observed for this IP.
Name
ip_data.enriched[].provider
Type
string
Description
Name of the enrichment provider.
Name
ip_data.enriched[].category
Type
null | string
Description
Category provided by the data source when available (for example, RESIDENTIAL_PROXY).
Name
ip_data.enriched[].type
Type
string
Description
Signal type returned by that provider.
Name
ip_data.enriched[].last_seen
Type
string
Description
Last date this signal was observed (YYYY-MM-DD).
Name
ip_data.ip_risk
Type
int
Description
Risk score from 0-100 indicating the likelihood this IP is being used for malicious activity.

GET/api/v3/lookup/ip/:ip_address

curl -G https://v3api.synthient.com/api/v3/lookup/ip/101.53.218.152 \
-H "Authorization: $API_KEY" \

Response

{
  "ip": "101.53.218.152",
  "network": {
      "asn": 55850,
      "isp": "TrustPower Ltd",
      "type": "RESIDENTIAL",
      "org": null,
      "abuse_email": null,
      "abuse_phone": null,
      "domain": null
  },
  "location": {
      "country": "NZ",
      "state": "CAN",
      "city": "New Brighton",
      "timezone": "Pacific/Auckland",
      "longitude": 172.341,
      "latitude": -43.532,
      "geo_hash": "rb6"
  },
  "ip_data": {
      "device_count": 0,
      "devices": [],
      "behavior": [
          "PROGRAMMATIC_TRAFFIC"
      ],
      "categories": [
          "RESIDENTIAL_PROXY"
      ],
      "enriched": [
          {
              "provider": "LUNAPROXY",
              "type": "RESIDENTIAL_PROXY",
              "last_seen": "2025-04-21"
          },
          {
              "provider": "PROXYCAKE_PRIVATE",
              "type": "RESIDENTIAL_PROXY",
              "last_seen": "2025-04-21"
          },
          {
              "provider": "BRIGHTDATA",
              "type": "RESIDENTIAL_PROXY",
              "last_seen": "2025-06-27"
          }
      ],
      "ip_risk": 96
  }
}

Devices

The device field indicates the type of device associated with the IP address. It is used to identify patterns of abuse or suspicious behavior.

Device data is aggregated from various 3rd party data sources and may not be available for all IP addresses.

Type
ANDROID
IOS
WINDOWS
MACOS
LINUX
CHROME_OS
SMART_TV
GAME_CONSOLE
OTHER

Enriched Types

Type	Description
FREE_VPN	Free VPN service detected
COMMERCIAL_VPN	Commercial VPN service detected
ENTERPRISE_VPN	Enterprise VPN service (for example, SonicWall)
MOBILE_PROXY	Proxy provided by a mobile carrier
BLOCKCHAIN_PROXY	Decentralized or blockchain-based proxy
RESIDENTIAL_PROXY	Proxy running on residential IP addresses
PUBLIC_PROXY	Open proxy accessible to anyone
DATACENTER_PROXY	Proxy hosted in a datacenter
TOR_NODE	Tor exit node
PRIVATE_RELAY	Anonymizing private relay (for example, iCloud Private Relay)

Network Types

Type	Description
MOBILE	Mobile-network (cellular)
SATELLITE	Satellite Internet
IN_FLIGHT_WIFI	In-flight airplane Wi-Fi
RESIDENTIAL	Residential broadband ISP
CORPORATE	Corporate/enterprise network
ACADEMIC	Academic/institutional network
DATACENTER	Datacenter infrastructure
GOVERNMENT	Government-owned network

Behavior

The behavior field is an array of strings that indicates the type of activity associated with the IP address within a 90 day window. It is used to identify patterns of abuse or suspicious behavior.

The behavior field should be treated as an array of strings. It is frequent to updates so treating it as an enum is not advised.

Behavior	Description
PROGRAMMATIC_TRAFFIC	Automated requests from common HTTP clients or libraries (for example, curl, requests).
ACTIVE_CRAWLER	High-volume automated requests consistent with crawling or scraping.
TORRENTING	Participation in peer-to-peer file sharing (for example, BitTorrent).
TOR_USER	Connections observed to Tor entry nodes, indicating Tor usage.
CREDENTIAL_STUFFING	Rapid or repeated failed login attempts suggesting credential stuffing.
COMPROMISED_DEVICE	Activity associated with devices compromised or infected with malware.
MALICIOUS_TRAFFIC	Traffic patterns indicative of abuse or malicious activity.

Response Codes

Status Code	Description
200 - Success	The request was completed successfully and the server returned the expected data.
400 - Bad Request	Invalid input parameters (for example, malformed IP address).
401 - Unauthorized	No API key was provided or the key is invalid; access to the resource is denied.
402 - Payment Required	You’ve run out of credits—please add funds or upgrade your plan to continue making requests.
500 - Internal Server Error	An unexpected error occurred on our side; reach out to support if the issue persists.