API Overview
Base URL, authentication, errors, rate limits, and links to RequestGuard API resource docs.
Use the RequestGuard API for fraud decisioning, intelligence lookups, protected links, rules, webhooks, events, analytics, and public package vulnerability checks. This overview covers shared REST behavior. Resource-specific endpoints live in their own docs sections.
Base URL
https://api.requestguard.com/v1All endpoint paths in these docs are relative to /v1.
Authentication
Most endpoints require a RequestGuard API key:
curl "https://api.requestguard.com/v1/{resource}" \
-H "Authorization: Bearer rg_sk_live_..." \
-H "Content-Type: application/json" \
--data '{"example":true}'You can also send X-API-Key for platforms where bearer auth is hard to configure.
Some public endpoints have different authentication rules:
| Endpoint | Authentication |
|---|---|
POST /go/links | API key optional. Anonymous link creation is supported. Invalid keys are rejected. |
GET /vulnerabilities/npm/{package}/ | No API key required. |
See Authorization for header formats and endpoint-specific behavior.
Request and Response Conventions
JSON endpoints accept Content-Type: application/json and return JSON responses unless a resource documents a different media type, such as CSV exports.
Use ISO 8601 strings for timestamps, URL-encode path parameters, and include only fields supported by the target resource. Response objects can include nullable fields when upstream intelligence is unavailable or not applicable.
Errors
Errors return an error object directly:
{
"error": {
"code": "UNAUTHORIZED",
"message": "Missing or invalid RequestGuard API key."
}
}Common status conventions:
| Status | Meaning |
|---|---|
400 | Invalid or missing request input. |
401 | Required API key is missing or invalid. |
403 | The API key is valid but not allowed to perform the requested action. |
404 | Resource, package, domain, IP, or record was not found. |
409 | The request conflicts with an existing resource state. |
429 | Rate limit or quota exceeded. |
503 | Required upstream intelligence source is unavailable. |
Rate Limits
Rate limits are applied by endpoint and account plan. Public endpoints can have stricter anonymous limits. Authenticated requests are attributed to the API key’s account when a valid key is supplied.
When a limit is exceeded, the API returns 429 with an error code such as RATE_LIMITED or QUOTA_EXCEEDED.
Idempotency
GET requests are safe to retry. For create or update requests, retry only after checking the resource docs for reuse behavior or conflict handling.
Protected link creation can reuse active, non-expiring links with the same normalized destination and account scope. Other write endpoints may return 409 when the requested state conflicts with an existing resource.
Resource Docs
| Area | Docs |
|---|---|
| Authorization | Authentication, optional keys, and invalid-key behavior |
| Protected Links | Create go.requestguard.com links |
| Fraud Decisioning | Assess signups, logins, checkout, forms, and API events |
| Rules | Manage custom allow, review, challenge, and block rules |
| Events and Analytics | Search investigation events and summary metrics |
| Webhooks | Send high-risk assessment notifications |
| Email Check | Check disposable, free, role, and risky mailbox signals |
| Email Security | Inspect SPF, DKIM, and DMARC posture |
| Abuse Contacts | Find abuse reporting contacts |
| Blocklists | IP and domain blocklist behavior |
| npm Vulnerabilities | Public npm package vulnerability intelligence |
| IP Intelligence | IP reputation, geolocation, and RDAP endpoints |
| Domain Intelligence | Domain risk and RDAP endpoints |
| DNS | DNS lookup endpoint |
| Network Checks | ASN, host, online, and CIDR checks |
| Device and CAPTCHA Diagnostics | Fingerprint and CAPTCHA test endpoints |
OpenAPI
Use the machine-readable OpenAPI document when you need schemas, parameters, and the complete endpoint list:
https://requestguard.com/openapi/requestguard.v1.json