Skip to content
Solution

Security

The actual posture, listed.

You authenticate with an API key over TLS. We store that key hashed, lock out brute-force attempts, let you revoke per key, and rate-limit at every layer. Here is each control and what it does.

TLS for all API traffic

Every request to api.geoiphub.com is served over HTTPS with modern TLS. There is no plaintext endpoint, so keys and queried IPs never cross the wire unencrypted.

API keys stored hashed

Keys carry a geoip_ prefix for easy identification in code and secret scanners, and are stored bcrypt-hashed. We cannot read your key back after creation; if it leaks, you rotate it, not us.

Brute-force lockout

Repeated failed key attempts trigger a temporary block on the source IP. Guessing keys against the API gets an attacker locked out, not closer.

Per-key revocation

Revoke any key instantly from the dashboard. Revocation takes effect immediately; remaining keys on the account are unaffected.

Rate limiting at multiple layers

Quotas are enforced per key, per account, and at the edge. Abuse of one layer is caught by the next, protecting the service for everyone on it.

Least-privilege internals

Internal services authenticate to each other and hold only the permissions they need. The lookup path cannot touch billing; the dashboard cannot touch the scanning pipeline.

Responsible disclosure

Found a vulnerability? Email app@geoiphub.com with reproduction steps. We read every report and reply to legitimate findings.