ShowMyIP REST API v1 - Developer Reference
Integrate IP geolocation, DNS lookups, ASN data, email health checks, and blacklist queries directly into your application. All endpoints return structured JSON and follow a consistent authentication and response envelope.
1. Overview & Base URL
The ShowMyIP REST API v1 provides programmatic access to network intelligence tools.
All endpoints are read-only (GET) and return application/json.
| Base URL | https://www.showmyip.com/api/v1/ |
|---|---|
| Protocol | HTTPS only. HTTP requests are redirected. |
| Format | JSON (Content-Type: application/json; charset=utf-8) |
| Methods | GET only. Any other method returns 405 Method Not Allowed. |
2. Authentication
Every request must carry a valid API token. The preferred method is a Bearer token
in the Authorization header:
Authorization: Bearer YOUR_API_KEYWhere you cannot set request headers (for example, a quick browser test), you may
instead pass the token as an ?api_key= query parameter:
GET /api/v1/ip/8.8.8.8?api_key=YOUR_API_KEYThe Authorization: Bearer header takes precedence over
the query parameter and should be preferred - query strings can be logged by
proxies and servers, exposing your key.
Tokens are issued per account and encode your access plan and rate-limit quota. Create and manage your own keys from the API keys dashboard (sign in required); the plaintext secret is shown once at creation and never again. For higher tiers or bespoke limits, contact us.
Token validation
- Tokens are compared against stored SHA-256 hashes with a constant-time comparison to prevent timing attacks.
- A missing, malformed, or unrecognised token returns
401 Unauthorizedimmediately (fail-closed). - An empty or unconfigured token store also returns
401for all requests.
Example
curl -s \
-H "Authorization: Bearer YOUR_API_KEY" \
"https://www.showmyip.com/api/v1/ip/8.8.8.8"Existing (environment) tokens are grandfathered
Tokens provisioned before self-serve plans (configured via the
SHOWMYIP_API_TOKENS environment table) are grandfathered:
they map to a legacy plan with access to every endpoint and
keep the rate limit defined in their own token metadata. Tier restrictions
below never down-grade an existing env token - your current integration
keeps working unchanged.
3. Plans & Pricing
API access is part of Deliverability
Guard, our domain & email-deliverability monitoring product. Each API key is
bound to a plan; the plan sets your requests-per-minute (RPM) ceiling and which
endpoints you may call. The compute-heavy email-health and
blacklist endpoints are included on the Scale plan.
All ~97 browser-based web tools on this site stay free and unlimited regardless
of plan.
| Plan | Price | Rate limit (RPM) | API endpoints | Monitoring included |
|---|---|---|---|---|
| Free | $0 | 60 | ip, dns, asnemail-health & blacklist return 402 |
1 domain, daily checks |
| Pro | $19/mo or $190/yr |
120 | ip, dns, asn |
5 domains, hourly checks, DMARC ingestion, 90-day history |
| Agency | $59/mo or $590/yr |
300 | ip, dns, asn |
25 domains, 15-min checks, branded client reports, 1-year history |
| Scale | $149/mo or $1,490/yr |
1,500 (capped to protect the shared resolver) | All 5 endpoints | 100 domains, 15-min checks, 2-year history |
| Legacy (grandfathered) | Grandfathered | Per token (default 6,000) | All endpoints | Existing arrangement |
Annual billing is roughly two months free versus paying monthly. Prices are in USD. Full plan details on the pricing page.
When you call an endpoint that your plan does not include, the API replies
402 Payment Required with a JSON body that names the endpoint and an
upgrade_url. Upgrade to unlock it:
{
"success": false,
"error": "This endpoint is not available on your plan. Upgrade to access it.",
"meta": {
"plan": "free",
"endpoint": "blacklist",
"upgrade_url": "https://www.showmyip.com/developers/#pricing"
}
}Pick a plan and we will issue your key. Billing is handled by our team while self-serve checkout is being finalised - no surprise charges, just tell us which tier you need.
Request an API key Get startedAnnual billing is roughly two months free. The Free plan needs no purchase - just create a key from the dashboard.
4. Rate Limits
Rate limits are enforced per token and vary by access tier. Every response includes the following headers so you can track consumption without polling:
| Header | Description |
|---|---|
X-RateLimit-Limit |
Maximum requests allowed in the current window for your token. |
X-RateLimit-Remaining |
Requests remaining in the current window. |
X-RateLimit-Reset |
Unix timestamp (UTC) when the window resets and the counter returns to full. |
When the limit is exceeded the API returns 429 Too Many Requests.
The X-RateLimit-Reset header tells you when you may retry.
HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 17484768005. Response Envelope
Every response - success or error - uses the same JSON wrapper:
{
"success": true,
"data": { /* endpoint-specific payload */ },
"meta": {
"api_version": "v1",
"timestamp": "2026-05-31T12:00:00+00:00"
}
}On error, success is false, data is absent,
and error is a single string message. The HTTP status code carries
the machine-readable error code - there is no nested code/message object:
{
"success": false,
"error": "Unauthorized. Provide a valid API token via \"Authorization: Bearer <token>\" or ?api_key=.",
"meta": {
"api_version": "v1",
"timestamp": "2026-05-31T12:00:00+00:00"
}
}| Field | Type | Always present | Description |
|---|---|---|---|
success |
bool |
Yes | true on success; false on any error. |
data |
object |
On success only | Endpoint-specific payload. See per-endpoint reference below. |
error |
string |
On failure only | A human-readable error message. The HTTP status code carries the error code; there is no nested object. |
meta |
object |
Yes | Always carries api_version ("v1") and timestamp (ISO-8601 UTC). The blacklist endpoint adds a cached (bool) flag; other routes may add their own per-route fields. |
6. Error Codes
| HTTP Status | When it occurs | Recommended action |
|---|---|---|
400 Bad Request |
The resource parameter fails validation (e.g. not a valid IP address, invalid ASN format). | Fix the query parameter before retrying. |
401 Unauthorized |
Bearer token is missing, malformed, or not recognised. Also returned when the token store is empty. | Check your Authorization header. Contact us if you believe your key is valid. |
402 Payment Required |
Your plan does not include the requested endpoint (the email-health and blacklist endpoints are paid). The body names the endpoint and an upgrade_url. |
Upgrade your plan, or call only the endpoints your plan allows. |
404 Not Found |
The path does not map to a known resource. Valid resources are ip, dns, asn, email-health, blacklist. |
Check the resource name and path. See the endpoint reference below. |
405 Method Not Allowed |
A non-GET method (POST, PUT, DELETE, etc.) was used. | Use GET for all API requests. |
429 Too Many Requests |
Per-token rate limit exceeded for the current window. | Wait until X-RateLimit-Reset and then retry. |
500 Internal Server Error |
Unexpected server-side failure. | Retry with exponential back-off. Report persistent failures to support. |
502 Bad Gateway |
An upstream lookup failed - geolocation, DNS, or ASN data could not be retrieved at this time. | Retry after a short delay. Persistent failures usually indicate an upstream provider outage. |
7. CORS
CORS is supported so browser-based clients can call endpoints directly (subject to
token validation). The Authorization header is permitted in
cross-origin requests, meaning Bearer-authenticated browser requests can work
without a server-side proxy. Exact header values are set by the API router and
may vary by tier.
Note: embedding your API key in client-side JavaScript exposes it to end users. For production use, proxy API requests through your own backend.
8. Endpoint Reference
/api/v1/ip/{ip}
Returns geolocation and network details for the given IPv4 or IPv6 address.
Path parameter
| Parameter | Type | Description |
|---|---|---|
ip |
string | A valid IPv4 or IPv6 address. Must pass format validation; returns 400 otherwise. |
Example request
curl -s \
-H "Authorization: Bearer YOUR_API_KEY" \
"https://www.showmyip.com/api/v1/ip/8.8.8.8"Example response
{
"success": true,
"data": {
"ip": "8.8.8.8",
"version": "IPv4",
"reverse_dns": "dns.google",
"geo": {
"continent": "North America",
"country": "United States",
"country_code": "US",
"region": "Virginia",
"city": "Ashburn",
"zip": "20149",
"latitude": 39.03,
"longitude": -77.5,
"timezone": "America/New_York"
},
"network": {
"isp": "Google LLC",
"org": "Google Public DNS",
"asn": "AS15169 Google LLC",
"as_name": "GOOGLE"
},
"privacy": {
"proxy": false,
"vpn": false,
"tor": false,
"hosting": true,
"mobile": false
}
},
"meta": {
"api_version": "v1",
"timestamp": "2026-05-31T12:00:00+00:00"
}
}/api/v1/dns/{domain}?type=A
Performs a DNS lookup for the specified domain and record type.
Path parameter
| Parameter | Type | Description |
|---|---|---|
domain |
string | A fully-qualified domain name (e.g. example.com). Validated server-side. |
Query parameter
| Parameter | Type | Default | Description |
|---|---|---|---|
type |
string | A |
DNS record type. Accepted values: A, AAAA, MX, NS, TXT, SOA, CNAME, CAA, SRV. |
Example request
curl -s \
-H "Authorization: Bearer YOUR_API_KEY" \
"https://www.showmyip.com/api/v1/dns/example.com?type=MX"Example response
{
"success": true,
"data": {
"domain": "example.com",
"type": "MX",
"records": [
{ "name": "example.com", "ttl": 3600, "type": "MX", "value": "10 mail.example.com." }
],
"raw": [
"example.com.\t3600\tIN\tMX\t10 mail.example.com."
]
},
"meta": {
"api_version": "v1",
"timestamp": "2026-05-31T12:00:00+00:00"
}
}Each parsed record carries name, ttl (seconds),
type, and value (the right-hand side of the answer line, verbatim).
The raw array preserves the resolver’s unparsed answer lines for transparency.
/api/v1/asn/{n}
Returns registration and routing details for the given Autonomous System Number.
Path parameter
| Parameter | Type | Description |
|---|---|---|
n |
integer | A positive integer ASN (e.g. 15169). An optional AS prefix is accepted and stripped. |
Example request
curl -s \
-H "Authorization: Bearer YOUR_API_KEY" \
"https://www.showmyip.com/api/v1/asn/15169"Example response
{
"success": true,
"data": {
"asn": 15169,
"asn_label": "AS15169",
"organization": "Google LLC",
"country": "US"
},
"meta": {
"api_version": "v1",
"timestamp": "2026-05-31T12:00:00+00:00"
}
}organization and country are parsed from
the registry’s WHOIS response and may be null when the registry does not
publish them.
/api/v1/email-health/{domain}
Runs a composite email-deliverability scorecard for the domain, checking MX records,
SPF, DKIM (common selectors), DMARC policy, and DNS-based blocklist (RBL) status.
Uses the EmailHealthChecker backend which performs all lookups via
PHP’s DNS resolver - no user input is shelled out.
Path parameter
| Parameter | Type | Description |
|---|---|---|
domain |
string | The domain whose email configuration should be evaluated (e.g. example.com). |
Example request
curl -s \
-H "Authorization: Bearer YOUR_API_KEY" \
"https://www.showmyip.com/api/v1/email-health/example.com"Example response
{
"success": true,
"data": {
"domain": "example.com",
"checked_at": "2026-05-31 12:00:00 UTC",
"overall_score": 83,
"grade": "B",
"summary": "Score 83/100 - needs attention: DKIM, DMARC.",
"checks": {
"mx": { "label": "MX Records", "status": "pass", "score": 100, "finding": "2 MX records published.", "details": [ "priority 10 -> mail.example.com" ], "fix": null },
"spf": { "label": "SPF", "status": "warn", "score": 80, "finding": "SPF uses soft fail (~all). Unauthorised mail is accepted but marked.", "details": [ "Record: v=spf1 include:_spf.example.com ~all" ], "fix": "Tighten \"~all\" to \"-all\" once every legitimate sender is listed." },
"dkim": { "label": "DKIM", "status": "warn", "score": 30, "finding": "No DKIM key found under common selectors. (DKIM selectors cannot be enumerated from DNS.)", "details": [ "Probed selectors: google, selector1, ..." ], "fix": "Enable DKIM signing and publish the public key under ._domainkey.example.com." },
"dmarc": { "label": "DMARC", "status": "warn", "score": 80, "finding": "DMARC at p=quarantine - failing mail is junked, not rejected.", "details": [ "Record: v=DMARC1; p=quarantine; rua=mailto:[email protected]" ], "fix": "Move to p=reject for full protection once quarantine runs cleanly." },
"blacklist": { "label": "Blacklist (Primary MX IP)", "status": "pass", "score": 100, "finding": "Primary MX IP is clean on the blocklists checked.", "details": [ "Tested IP: 93.184.216.34 (primary MX mail.example.com)." ], "fix": null }
}
},
"meta": {
"api_version": "v1",
"timestamp": "2026-05-31T12:00:00+00:00"
}
} Each check carries label, status
(pass, warn, fail, or info), a
score (0–100 for that individual check), a finding,
a details array, and a fix (a remediation string, or
null when the check passes). The five checks are
mx, spf, dkim, dmarc, and
blacklist. The top-level overall_score is a weighted roll-up
of the individual check scores.
/api/v1/blacklist/{ip}
Checks whether the given IP address appears on DNS-based blocklists (DNSBLs/RBLs). The set of lists checked is determined server-side.
Path parameter
| Parameter | Type | Description |
|---|---|---|
ip |
string | A valid IPv4 address. Must pass format validation; returns 400 otherwise. |
Example request
curl -s \
-H "Authorization: Bearer YOUR_API_KEY" \
"https://www.showmyip.com/api/v1/blacklist/8.8.8.8"Example response
{
"success": true,
"data": {
"ip": "8.8.8.8",
"listed": false,
"listed_count": 0,
"checked_count": 6,
"lists_checked": [ "Spamhaus ZEN", "SpamCop", "Barracuda", "UCEPROTECT L1" ],
"could_not_check": [],
"could_not_check_count": 0,
"grade": "A+",
"score": 100,
"verdict": "clean",
"listings": []
},
"meta": {
"api_version": "v1",
"timestamp": "2026-05-31T12:00:00+00:00",
"cached": false
}
}| Field | Type | Description |
|---|---|---|
listed | bool | true when the IP is listed on at least one blocklist (i.e. verdict is "listed"). |
listed_count | int | Number of blocklists that returned a listing. |
checked_count | int | Number of lists that returned a definitive verdict (listed or clean). |
lists_checked | array<string> | Human-readable names of the lists that gave a definitive verdict. |
could_not_check | array<string> | Names of lists that refused, timed out, or returned an error band this run (excluded from the grade). |
could_not_check_count | int | Count of lists in could_not_check. |
grade | string | Weighted reputation grade: A+ through F, or N/A when nothing could be checked. |
score | int | Reputation score, 0–100. |
verdict | string | One of clean, listed, or unknown. |
listings | array<object> | One entry per list that returned a listing, each with zone, name, codes (the A-records returned), and delist (the official delisting URL, or null). |
The meta.cached flag indicates whether this report
was served from the per-target cache (the blacklist endpoint is the only route
that adds cached to meta).
Ready to integrate?
Sign in and create your API key in seconds from the keys dashboard. Need a higher tier or custom limits? Get in touch.
Create an API Key Contact SalesHow this tool works: This tool runs in your browser and on our server in real time. Depending on the tool, results are computed directly from the input you provide or retrieved from live, authoritative data sources at the moment you run a lookup. We do not sell your data, and your lookups are kept private — any history shown here is stored only on your device.