API Reference
Updated May 18, 2026
Authorization
RequestGuard API key formats, optional authentication, and invalid-key behavior.
Most RequestGuard API endpoints require an API key. Send the key as a bearer token:
curl "https://api.requestguard.com/v1/assess" \
-H "Authorization: Bearer rg_sk_live_..." \
-H "Content-Type: application/json" \
--data '{"ip":"8.8.8.8","email":"user@example.com","event":"signup"}'You can also send the same key with X-API-Key:
curl "https://api.requestguard.com/v1/events" \
-H "X-API-Key: rg_sk_live_..."Optional Authentication
POST /go/links supports anonymous creation. A valid RequestGuard API key is optional and only needed when users want account-scoped tracking, link reuse, or quota attribution.
If an API key is supplied to POST /go/links, it must be valid. Invalid keys are rejected instead of falling back to anonymous behavior.
GET /vulnerabilities/npm/{package}/ is public and does not require an API key.
Required Authentication
These API areas require a valid key:
| Area | Endpoints |
|---|---|
| Fraud decisioning | POST /assess |
| Rules | POST /rules, GET /rules, PATCH /rules/{id}, DELETE /rules/{id} |
| Events and analytics | GET /events, GET /events.csv, GET /analytics/summary |
| Webhooks | POST /webhooks, GET /webhooks, PATCH /webhooks/{id}, DELETE /webhooks/{id} |
| Account-scoped intelligence | IP, domain, DNS, WHOIS, email, abuse, and blocklist endpoints unless documented otherwise |
Error Response
{
"error": {
"code": "UNAUTHORIZED",
"message": "Missing or invalid RequestGuard API key."
}
}Use separate live and test keys if your account provides both. Do not expose secret keys in browser code.