APIs Overview
CrowdSec exposes three ways to programmatically access its threat intelligence. They serve different use cases and scale requirements — pick the one that fits your workflow, or combine them.
Enrichment API
The standard HTTP/JSON API. Send a request, get a response — ideal for on-demand lookups, scripts, and real-time enrichment inside a SIEM, SOAR, or TIP.
- Best for: per-IP lookups, real-time enrichment pipelines, integrations with security platforms
- Rate limits: apply per API key (see your plan quota)
- Auth: API key via `x-api-key` header
- Formats: JSON
Offline Replicas
A full, periodically refreshed snapshot of the CrowdSec CTI database delivered as a downloadable file. No per-request latency, no rate limits — you run the data locally.
- Best for: high-volume enrichment, air-gapped environments, bulk ingestion into a data lake or TIP
- Rate limits: none (bulk download)
- Auth: dedicated API key (premium)
- Formats: `mmdb`, `parquet`, `json`
TAXII
A TAXII 2.1 / STIX 2.1 feed for continuous, incremental synchronization. Poll the feed periodically and pull only what changed since your last poll — native integration with any TAXII-compatible platform.
- Best for: TIPs and platforms that speak TAXII natively (OpenCTI, MISP, Anomali, …), continuous feed synchronization
- Rate limits: none beyond polling cadence
- Auth: dedicated API key (premium)
- Protocol: TAXII 2.1 over HTTPS, indicators as STIX 2.1 objects
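The incremental polling described above, as an added example (not CrowdSec's own code): it applies the TAXII 2.1 `added_after` filter, `more`/`next` pagination and the `X-TAXII-Date-Added-Last` header against an in-memory stand-in, since this page gives no feed URL. `fake_collection`, `poll_incremental` and the sample indicators are constructed for illustration.

```python
# Constructed sample data: (date_added, STIX 2.1 indicator) using documentation IPs.
SAMPLE = [
    ("2024-05-01T10:00:00.000000Z", {"type": "indicator",
     "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[ipv4-addr:value = '192.0.2.10']"}),
    ("2024-05-01T11:00:00.000000Z", {"type": "indicator",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"}),
    ("2024-05-01T12:00:00.000000Z", {"type": "indicator",
     "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern": "[ipv4-addr:value = '203.0.113.5']"}),
]

def fake_collection(records):
    """Hypothetical stand-in for GET <api-root>/collections/<id>/objects/."""
    def fetch(params):
        after = params.get("added_after", "")
        rows = sorted((r for r in records if r[0] > after), key=lambda r: r[0])
        start = int(params.get("next", 0))
        page = rows[start:start + params["limit"]]
        more = start + len(page) < len(rows)
        envelope = {"more": more, "objects": [obj for _, obj in page]}
        if more:
            envelope["next"] = str(start + len(page))
        headers = {"X-TAXII-Date-Added-Last": page[-1][0]} if page else {}
        return envelope, headers
    return fetch

def poll_incremental(fetch, added_after=None, limit=100):
    """Return (new_objects, checkpoint) for everything added after `added_after`."""
    objects, checkpoint, token = [], added_after, None
    while True:
        params = {"limit": limit}
        if added_after:
            params["added_after"] = added_after  # same filter on every page
        if token:
            params["next"] = token
        envelope, headers = fetch(params)
        objects.extend(envelope.get("objects", []))
        # Assumes fixed-width UTC timestamps, so string order equals time order.
        last = headers.get("X-TAXII-Date-Added-Last")
        if last and (checkpoint is None or last > checkpoint):
            checkpoint = last
        token = envelope.get("next")
        if not envelope.get("more") or not token:
            return objects, checkpoint
```

Persist the returned checkpoint only after the objects have been ingested successfully, so a failed run is retried from the previous position instead of skipping indicators.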
Which one to choose?
| | Enrichment API | Offline Replica | TAXII |
|---|---|---|---|
| High-volume / bulk enrichment | ⚠️ (per-IP requests) | ✅ | ✅ |
| Data access model | Call when you need it | Download periodically, query locally | Poll periodically, query locally |
| Format | json | json, mmdb, parquet | STIX |
| Incremental updates | ❌ | ❌ | ✅ |
| Available in self-service | ✅ | ❌ (contact sales) | ❌ (contact sales) |