API overview.
The Liberty91 API gives you programmatic access to the same threat intelligence you see in the platform: IOCs, events, your threat library, reports, alerts, and your customer organizations. It is a straightforward REST API that returns JSON, so you can wire Liberty91 into your SOAR playbooks, TIP, SIEM enrichment, or your own scripts without learning anything exotic.
Base URL
All endpoints live under a single versioned base:
https://api.liberty91.com/api/v1/
HTTPS only. The API is designed for server-to-server use, so your key should live in a backend service or script, never in a browser.
Your first request
Create an API key in the platform (see Authentication and API keys), then look up an indicator:
curl "https://api.liberty91.com/api/v1/iocs/lookup/?value=45.155.205.233" \
-H "X-API-Key: l91_live_xxxxxxxxxxxxxxxxxxxxxxxx"{
"value": "45.155.205.233",
"found": true,
"results": [
{
"id": "0b6f2c1e-8a4d-4f0b-9c9e-6f1d2a3b4c5d",
"value": "45.155.205.233",
"kind": "ip",
"tlp": "TLP:AMBER",
"verdict": "MALICIOUS",
"confidence": 85,
"whitelisted": false,
"first_seen": "2026-05-14T09:12:00Z",
"last_seen": "2026-07-01T16:40:00Z"
}
]
}Every response also carries X-RateLimit-* and X-Credits-* headers, so your
integration always knows where it stands. See
Rate limits and credits.
What is available
| Area | What you can do | Docs |
|---|---|---|
| IOCs | Exact lookup, filtered lists, CSV and STIX 2.1 export | IOCs |
| Events | List and read enriched events, ingest your own | Events |
| Threat library | Threat actors, malware, vulnerabilities, clusters | Threat library |
| Reports | List, generate, poll, and download intelligence reports | Reports |
| Alerts | Read alert rules and the events they matched | Alerts |
| Organizations | Assets, suppliers, document upload and extraction | Organizations |
Design principles
A few things hold across the whole surface:
- One key, one account. A key belongs to a single billing account and can only ever see that account's data. There is no way to reach across tenants.
- Scoped access. Keys carry read and write scopes, so a lookup integration never needs permission to ingest or generate anything.
- Cursor pagination everywhere. List endpoints return a
nextlink; follow it until it is null. See Pagination and errors. - Async where the work is heavy. Ingesting an event, generating a report, and
extracting entities from a document all return
202 Acceptedimmediately, and you poll a status field to completion. - Additive versioning. Within v1 the contract only grows. Fields are added, never renamed or removed, so integrations do not break under you.
Machine-readable reference
If you prefer generated docs or want to feed a client generator, the OpenAPI 3.0 schema and an interactive reference are published alongside the API:
- Interactive docs: https://api.liberty91.com/api/v1/docs/
- Raw OpenAPI schema: https://api.liberty91.com/api/v1/schema/
Both are unauthenticated and cost no credits.
Frequently asked questions
What can I do with the Liberty91 API?
Everything your threat intelligence workflow needs programmatically: look up and export IOCs, list and ingest events, browse your threat library, generate and download reports, read alert rules and their matches, and manage organization assets, suppliers, and documents.
Is the Liberty91 API REST or GraphQL?
REST. All endpoints live under https://api.liberty91.com/api/v1/ and return JSON, with
cursor pagination on list endpoints.
Does the API cost extra?
API usage is metered against your account's monthly credit pool. Most read requests cost a single credit, and failed requests are never charged. The full cost table is on the rate limits and credits page.