API Documentation

This API documentation website is a platform that provides developers with information on how to use and interact with an application programming interface (API) of OneFirewall Platform. It includes details on the API endpoints, parameters, responses, and authentication, as well as examples and code snippets to help developers integrate the API into their applications. The website is designed to be user-friendly, intuitive, and easy to navigate, allowing developers to quickly find the information they need to start using the API.

However, we are looking always for feedback, please contact us on support[at]onefirewall.com for any suggestion.

OneFirewall API Arch

OneFirewall Coins

OneFirewall (OFA) Coins serve as a form of currency within the OneFirewall Alliance ecosystem, specifically designed to facilitate transactions and access to API Services. These Coins act as credits that members must possess in order to make requests against the APIs offered by OneFirewall. Here’s an overview of how OFA Coins are used: Coin Acquisition: Users need to obtain OFA Coins in order to utilize the API Services. These Coins can be acquired through various means, such as purchasing them directly from OneFirewall or earning them through participation in the OneFirewall Alliance community.


To use these APIs you will need to have authorized access to the OneFirewall platform. If you don’t already have, create and account and login into the application OneFirewall Alliance Platform Generate a API Token Once you have access to the OneFirewall Platform, you have to navigate under the profile page, where you can click and generate an API JWT Token that you have to store and use it for the requests to the set of APIs as presented in this documentation.

IP addresses

The IPv4 feeds is a set of end-points (API for simplicity) that provide access to Threat Inteligence information in connection to actors targeted by their IPv4. GET latest IPv4 Feeds You can call the API /api/v1/ips in order to receive an array of the latest IPv4 feeds collected at the OneFirewall Data lake. HTTP Request GET /api/v1/ips?page_size=512&ts=1684084988&full=yes HTTP/1.1 Host: app.onefirewall.com Authorization: Bearer PLACE_YOUR_OWN_TOKEN_HERE Input Variable Possible Values Notes page_size 1 to 1000 (Integer) The maximum size of the array to retreive (Optional) ts Timestamp from when to retreive data (Integer) (Optional) full yes or no (String) full=yes provide more information (Optional) Output The possible HTTP Code responses are:

IP addresses [FLAT]

If you need a simple list (example CSV) to retreive all the IPv4 feeds based on their score, you can use the below API GET Flat list of IPv4 You can call the API /api/v1/flat/:min_score in order to receive a plain text list (CSV) of IPv4 based on Min Score. HTTP Request GET /api/v1/flat/<min_score>?list=NO HTTP/1.1 Host: app.onefirewall.com Authorization: Bearer PLACE_YOUR_OWN_TOKEN_HERE Input Variable Possible Values Notes min_score 1 to 1000 (Integer) Minimum WCF Crime Score Feeds list YES or NO (String) NO=the output is CSV, YES=the output is a list of IPs separated by ‘,’ Output The possible HTTP Code responses are:

IP Info

Instantly Retrieve Accurate Geographical Information for any IPv4 Address. Enhance cybersecurity, target content, and manage access with our GeoIP Lookup of OneFirewall GET feeds for specific IPv4 You can call the API /api/v1/info/<IPv4> in order to receive GeoIP information for the IPv4. This API is useful when you want to verify public data in regards to the GeoIP of any IPv4. HTTP Request GET /api/v1/info/<IPv4> HTTP/1.1 Host: app.onefirewall.com Authorization: Bearer PLACE_YOUR_OWN_TOKEN_HERE Input Variable Possible Values Notes IPv4 IPv4 (String) A single IP Output The output of a JSON

IP addresses [IPv4]

This API is similar with the IP addresses [FLAT] however have some advantages and disadvantages in respect: Advantages Real time calculation of the OneFirewall Crime Score Equipped with the new (v3.2) Scoring algorithm Can be integrated into directly Fortigate, Checkpoint, etc.. Disadvantages Use pagination (therefore you have to call multiple times the IP if the list is bigger than 10000) Is relativly 6x slower than IP addresses [FLAT] GET Flat list of IPv4 You can call the API /api/v1/ipv4/:min_score?


Malicious URL Data API Usage Guide The proposed API service serves as a pivotal tool in combatting online threats by allowing users and applications to report and retrieve URLs associated with malicious activities, including phishing and malware distribution. This service empowers users to contribute to a collective defense against cyber threats by submitting suspicious URLs with corresponding details. By centralizing and categorizing this information, the service provides valuable insights into emerging threats and patterns, enabling users to proactively protect themselves and their systems.


Malicious Domains Data API Usage Guide The API service acts as a centralized hub, gathering and curating data from various sources, including security researchers, threat intelligence feeds, and community contributions in relation to any qualified domain name (FQDN) marked as serving malicious content. GET - Check single Domain name Retrieve metadata for over a million known malicious domains. Gain knowledge about specific threat actors. Integrate automated prevention measures into your security systems.


Malicious File Data API Usage Guide OneFirewall Alliance provides a robust File Indicator of Compromise (IoC) framework to enhance cybersecurity practices and bolster threat detection capabilities. With their extensive threat intelligence and Data Lake of malicious files, OneFirewall offers a comprehensive set of file IoCs that enable proactive identification and prevention of known threats. The File IoC framework from OneFirewall encompasses a range of metadata indicators associated with malicious files. These indicators typically include MD5, SHA1, and SHA256 hashes, which serve as unique identifiers for each file.


STIX2 (Structured Threat Information eXpression version 2) is a standardized language for representing cyber threat intelligence (CTI) that enables the sharing of threat intelligence across organizations and security tools. It is important to Threat Intel because it allows security professionals to more easily and effectively analyze and respond to cyber threats, improving their overall threat intelligence capabilities. At OneFirewall, our mission is to deliver a trustworthy and effective cybersecurity platform that safeguards against cyber attacks.