API Documentation

Quick Start

Get started with the Reputatic API in minutes

1. Create an API Key

Generate an API key from your Settings → API Keys page.

2. Make Your First Request

curl -X GET "https://app.reputatic.com/api/v1/subnets" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

3. Handle the Response

{
  "data": [
    {
      "id": 1,
      "cidr": "192.168.1.0/24",
      "reputation_score": 85,
      "last_scan_at": "2025-10-17T12:00:00.000000Z",
      "is_blacklisted": false
    }
  ]
}

Authentication

Secure your API requests with Bearer token authentication

All API requests must include your API key in the Authorization header:

Authorization: Bearer YOUR_API_KEY

Keep your API key secure

Never expose your API key in client-side code or public repositories. Treat it like a password.

API Endpoints

Complete reference for all available endpoints

GET /api/v1/subnets

Retrieve a paginated list of all your monitored subnets.

Example

curl -X GET "https://app.reputatic.com/api/v1/subnets" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

GET /api/v1/subnets/{id}

Get detailed information about a specific subnet.

Example

curl -X GET "https://app.reputatic.com/api/v1/subnets/1" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

GET /api/v1/subnets/{id}/reputation

Get reputation score and blacklist status for a subnet.

Example

curl -X GET "https://app.reputatic.com/api/v1/subnets/1/reputation" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

GET /api/v1/incidents

Retrieve all incidents related to your subnets.

Example

curl -X GET "https://app.reputatic.com/api/v1/incidents" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

POST /api/v1/incidents/{id}/resolve

Mark an incident as resolved.

Example

curl -X POST "https://app.reputatic.com/api/v1/incidents/1/resolve" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

Real-time Event Notifications

Webhooks allow you to receive HTTP POST notifications when specific events occur in your account. Set them up in Settings → Webhooks.

Available Events

Blacklist Events

blacklist.hit blacklist.removed

Reputation Events

reputation.drop reputation.improved

Scan Events

scan.started scan.completed scan.failed

Resource Events

subnet.created subnet.deleted asn.created asn.synced

Webhook Payload Structure

All webhook events follow this structure:

{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "type": "blacklist.hit",
  "created_at": "2025-10-20T12:00:00Z",
  "data": {
    "subnet": {
      "id": 42,
      "cidr": "192.168.1.0/24",
      "reputation_score": 65
    },
    "blacklist": {
      "name": "bl.spamcop.net",
      "ip": "192.168.1.100",
      "detected_at": "2025-10-20T12:00:00Z"
    }
  },
  "account": {
    "id": 1,
    "email": "[email protected]"
  }
}

Request Headers

Every webhook request includes these headers:

Content-Type: application/json
User-Agent: Reputatic-Webhooks/1.0
X-Reputatic-Event: blacklist.hit
X-Reputatic-Signature: <hmac_sha256_signature>
X-Reputatic-Delivery: 12345
X-Reputatic-Timestamp: 1697811600

Signature Verification

Verify webhook authenticity using HMAC SHA-256 signatures:

PHP

<?php
$payload = file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_REPUTATIC_SIGNATURE'];
$secret = 'whsec_your_secret_here';

$expected = hash_hmac('sha256', $payload, $secret);
if (hash_equals($expected, $signature)) {
    // Signature valid
    $data = json_decode($payload, true);
    // Process webhook...
    http_response_code(200);
} else {
    http_response_code(401);
}

Node.js

const crypto = require('crypto');

app.post('/webhooks', express.raw({type: 'application/json'}), (req, res) => {
  const signature = req.headers['x-reputatic-signature'];
  const secret = 'whsec_your_secret_here';
  
  const expected = crypto
    .createHmac('sha256', secret)
    .update(req.body)
    .digest('hex');
  
  if (crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signature))) {
    const event = JSON.parse(req.body.toString());
    // Process webhook...
    res.status(200).send('OK');
  } else {
    res.status(401).send('Invalid signature');
  }
});

Python

import hmac
import hashlib

@app.route('/webhooks', methods=['POST'])
def handle_webhook():
    payload = request.data
    signature = request.headers.get('X-Reputatic-Signature')
    secret = 'whsec_your_secret_here'
    
    expected = hmac.new(
        secret.encode(),
        payload,
        hashlib.sha256
    ).hexdigest()
    
    if hmac.compare_digest(expected, signature):
        event = request.json
        # Process webhook...
        return 'OK', 200
    else:
        return 'Invalid signature', 401

Retry Logic

If your endpoint fails or returns a non-2xx status, Reputatic automatically retries:

Attempt 1: Immediate

Attempt 2: After 2 minutes

Attempt 3: After 4 minutes

Attempt 4: After 8 minutes

💡 Endpoints are auto-disabled after 10 consecutive failures

Best Practices

Always verify the signature before processing
Return 200 status code quickly (process async)
Use HTTPS endpoints in production
Handle idempotency with the event ID
Log all webhook deliveries for debugging

Rate Limiting

API requests are rate-limited by plan:

Plan	API Requests/Min	Webhooks
Free	60	1
Pro	600	5
Business	1,500	Unlimited

Rate Limit Headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset

Quick Start

1. Create an API Key

2. Make Your First Request

3. Handle the Response

Authentication

API Endpoints

Example

Example

Example

Example

Example

Available Events

Blacklist Events

Reputation Events

Scan Events

Resource Events

Webhook Payload Structure

Request Headers

Signature Verification

PHP

Node.js

Python

Retry Logic

Best Practices

Rate Limiting

Need Help?