Threat Feeds
LimesIndex publishes curated threat feeds as daily snapshots in multiple formats. Each feed is regenerated by a CronJob worker and served as an immutable file with a SHA-256 checksum, so you can diff it against your previous pull or pin a specific snapshot.
List feeds
GET /v1/feeds
Returns the catalog of feeds available to the calling key's tier.
Response (200)
{
  "feeds": [
    {
      "name": "tor_exits",
      "title": "Tor exit nodes",
      "description": "Public Tor exit relay IPs, refreshed every 6 hours.",
      "tier": "free",
      "license": "CC-BY-4.0",
      "entitled": true,
      "row_count": 1042,
      "generated_at": "2026-04-20T03:00:00Z",
      "sha256": "0f6b…",
      "formats": ["csv", "json", "plain", "bind", "nginx", "caddy", "iptables", "cloudflare"],
      "download_url": {
        "csv": "/v1/feeds/tor_exits/download/csv",
        "json": "/v1/feeds/tor_exits/download/json"
      }
    }
  ],
  "user_tier": "free"
}
Feeds shipped today
| Name | Tier | What's in it |
|---|---|---|
| tor_exits | free | Tor exit relay IPs |
| ai_crawlers | free | AI training crawler IPs (GPTBot, ClaudeBot, PerplexityBot, etc.); supports ?brand= filter |
| vpn_proxy | free | Consumer VPN / proxy egress IPs |
| datacenter_ranges | free | Known datacenter network blocks |
| trap_confirmed | premium | IPs confirmed via LimesIndex pristine email traps |
| asn_wide_blocked | premium | Prefixes on Spamhaus DROP/EDROP + ASNs on UCEprotect Level 3 |
Get manifest
GET /v1/feeds/{feed}/manifest
The manifest returns the SHA-256, row count, and generation timestamp for the current snapshot — call this before downloading to detect whether the feed has changed since your last pull.
Download
GET /v1/feeds/{feed}/download/{format}
Streams the feed in the requested format. 8 formats are available:
| Format | Use |
|---|---|
| csv | Spreadsheet / scripting |
| json | Application integration |
| plain | Bare IP-per-line for ipset restore, grep, etc. |
| bind | BIND-compatible RPZ / RBL zone snippet |
| nginx | deny <cidr>; directive block |
| caddy | @blocked remote_ip … matcher + respond 403 |
| iptables | Shell script with iptables + ip6tables rules |
| cloudflare | ip.src in {…} Cloudflare Firewall Rules expression |
ai_crawlers ?brand= filter
ai_crawlers supports an optional ?brand= query parameter (case-insensitive) to narrow the feed to a specific crawler operator. Non-matching rows are dropped before encoding, and the response includes an X-Feed-Brand header.
curl -H "X-API-Key: $KEY" \
  "https://api.limesindex.com/v1/feeds/ai_crawlers/download/nginx?brand=perplexity"
Tier gating
Premium feeds return 403 FORBIDDEN for free-tier keys. The list response includes entitled: false on premium feeds so UIs can show an upgrade CTA without a second round-trip.
Examples
# Pull the manifest first to detect churn
curl -H "X-API-Key: $KEY" \
  "https://api.limesindex.com/v1/feeds/tor_exits/manifest"

# Download CSV
curl -H "X-API-Key: $KEY" -o tor_exits.csv \
  "https://api.limesindex.com/v1/feeds/tor_exits/download/csv"

# Drop straight into nginx — adds a deny block at the top of your conf
curl -H "X-API-Key: $KEY" \
  "https://api.limesindex.com/v1/feeds/datacenter_ranges/download/nginx" \
  > /etc/nginx/conf.d/datacenter-deny.conf
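
A direct redirect into conf.d installs whatever the API returns, including an error body. The script below is an added example, not LimesIndex's own code: it uses the manifest for change detection, then validates the download and installs it atomically. It assumes the manifest is JSON with a `sha256` field (as in the list response) and that the nginx format holds only comments and `deny <cidr>;` lines; the function names and the `.sha256` state file are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: manifest JSON carries a "sha256" field (as the
# /v1/feeds listing does); nginx format = comments and "deny <cidr>;" lines.

# Print the full 64-hex-digit SHA-256 found in manifest JSON on stdin, or nothing.
manifest_sha256() {
  tr -d '\n' |
    sed -n 's/.*"sha256"[[:space:]]*:[[:space:]]*"\([0-9a-fA-F]\{64\}\)".*/\1/p'
}

# 0 = snapshot changed since last pull, 1 = unchanged, 2 = manifest unusable.
feed_changed() {  # $1 = new sha256, $2 = state file holding the previous one
  [ -n "$1" ] || return 2
  [ ! -f "$2" ] || [ "$(cat "$2")" != "$1" ]
}

# Reject anything that is not purely deny directives, so an error body or a
# truncated/HTML response never becomes live nginx configuration.
valid_nginx_deny() {  # $1 = downloaded file
  grep -Eq '^[[:space:]]*deny[[:space:]]' "$1" || return 1
  ! grep -Evq '^[[:space:]]*(#.*|deny[[:space:]]+[0-9A-Fa-f:.]+(/[0-9]{1,3})?;)?[[:space:]]*$' "$1"
}

# Fetch manifest, skip if unchanged, download to a temp file, validate, then
# rename into place (atomic on the same filesystem) and record the new hash.
update_feed() {  # $1 = feed name, $2 = destination .conf path; needs $KEY
  base="https://api.limesindex.com/v1/feeds/$1"
  new=$(curl -fsS -H "X-API-Key: $KEY" "$base/manifest" | manifest_sha256)
  feed_changed "$new" "$2.sha256" || { [ $? -eq 1 ] && return 0; return 1; }
  tmp=$(mktemp "$2.XXXXXX") || return 1
  if curl -fsS -H "X-API-Key: $KEY" -o "$tmp" "$base/download/nginx" &&
     valid_nginx_deny "$tmp"; then
    mv "$tmp" "$2" && printf '%s\n' "$new" > "$2.sha256"
  else
    rm -f "$tmp"; return 1
  fi
}

# Usage (then test and reload):
#   update_feed datacenter_ranges /etc/nginx/conf.d/datacenter-deny.conf \
#     && nginx -t && nginx -s reload
```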
Related
- Blocklist — query individual IPs against the aggregated blocklist
- Using the DNSBL — query the bl.limesindex.com DNS zone from mail servers