RequestGuard Docs
API Reference Updated May 10, 2026

API Overview

RequestGuard fraud-risk decisioning API for signups, logins, checkout, and forms.

RequestGuard is one API for deciding what to do with risky traffic before it costs you money. Send the request context for a signup, login, checkout, form submission, or API event. Receive a decision your application can use immediately: allow, challenge, review, or block.

Base URL

https://api.requestguard.com/v1

Authentication

Send your API key as a bearer token:

curl "https://api.requestguard.com/v1/assess" \
  -H "Authorization: Bearer rg_sk_live_..." \
  -H "Content-Type: application/json" \
  --data '{"ip":"8.8.8.8","email":"user@example.com","event":"signup"}'

You can also use X-API-Key for platforms where bearer auth is hard to configure.

Fraud Decisioning

POST /assess
{
  "ip": "1.2.3.4",
  "email": "user@example.com",
  "domain": "example.com",
  "user_agent": "Mozilla/5.0 ...",
  "event": "signup",
  "user_id": "optional",
  "session_id": "optional",
  "phone": "optional",
  "billing_country": "US",
  "shipping_country": "US",
  "metadata": {
    "plan": "free",
    "source": "paid_ad"
  }
}
{
  "request_id": "req_123",
  "risk_score": 87,
  "risk_level": "high",
  "decision": "block",
  "confidence": 0.91,
  "recommended_action": "block_request",
  "summary": "Block signup request because email domain is associated with temporary inbox services.",
  "reasons": [
    {
      "code": "disposable_email",
      "severity": "high",
      "description": "Email domain is associated with temporary inbox services."
    }
  ],
  "matched_rules": [],
  "signals": {
    "ip": {},
    "email": {},
    "domain": {},
    "device": {},
    "behavior": {}
  }
}

Rules Engine

Rules let you put your business logic inside RequestGuard.

POST /rules
GET /rules
PATCH /rules/{id}
DELETE /rules/{id}
{
  "name": "Block disposable signups",
  "action": "block",
  "conditions": {
    "events": ["signup"],
    "disposable_email": true
  }
}

Supported conditions include events, IP allow/block lists, email domains, domains, countries, ASNs, hosting provider flag, disposable email flag, free email flag, role account flag, suspicious TLD, domain age threshold, and risk score threshold.

Investigation Logs

GET /events
GET /events?query=req_123
GET /events.csv
GET /analytics/summary

Use these endpoints to power dashboards, export investigations, and prove what the API is blocking.

Webhooks

POST /webhooks
GET /webhooks
PATCH /webhooks/{id}
DELETE /webhooks/{id}
{
  "name": "Security alerts",
  "url": "https://example.com/requestguard/webhook",
  "event_types": ["high_risk_assessment"]
}

High-risk assessments are delivered asynchronously and never block the customer-facing assessment response.

Intelligence Endpoints

EndpointPurpose
POST /assessMain fraud and abuse decision
GET /ip/{ip}/reputationIP reputation, ASN, hosting, proxy, Tor, bot likelihood
GET /ip/{ip}/geoIP country, timezone, source, and geolocation confidence when known
GET /domain/{domain}Domain age, TLD, threat, parking, and DNS posture signals
POST /email/checkDisposable, free provider, role account, domain age, and suggested action
GET /dns/lookup?domain=&type=DNS records through Cloudflare DoH

Errors

Errors return an error object directly:

{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Missing or invalid RequestGuard API key."
  }
}