Security
The actual posture, listed.
You authenticate with an API key over TLS. We store that key hashed, lock out brute-force attempts, let you revoke per key, and rate-limit at every layer. Here is each control and what it does.
TLS for all API traffic
Every request to api.geoiphub.com is served over HTTPS with modern TLS. There is no plaintext endpoint, so keys and queried IPs never cross the wire unencrypted.
API keys stored hashed
Keys carry a geoip_ prefix for easy identification in code and secret scanners, and are stored bcrypt-hashed. We cannot read your key back after creation; if it leaks, you rotate it, not us.
Brute-force lockout
Repeated failed key attempts trigger a temporary block on the source IP. Guessing keys against the API gets an attacker locked out, not closer.
Per-key revocation
Revoke any key instantly from the dashboard. Revocation takes effect immediately; remaining keys on the account are unaffected.
Rate limiting at multiple layers
Quotas are enforced per key, per account, and at the edge. Abuse of one layer is caught by the next, protecting the service for everyone on it.
Least-privilege internals
Internal services authenticate to each other and hold only the permissions they need. The lookup path cannot touch billing; the dashboard cannot touch the scanning pipeline.
Responsible disclosure
Found a vulnerability? Email app@geoiphub.com with reproduction steps. We read every report and reply to legitimate findings.