Full API access is available on Pro and Enterprise plans. Authenticate with your API key in the Authorization header.
All API requests require your API key in the Authorization header:
API keys are managed from the API keys tab in your dashboard. You can create multiple keys, label them by use case, and revoke them individually. Revocation is immediate.
The guard endpoint is the core decision API called by the PHP client. It validates the session and returns an allow/block decision. Available on all plans.
/api/check
Evaluate a session and return an allow/block decision.
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | required | Your GhostGuard API key |
| sid | string | required | Session ID from the GhostGuard session cookie |
| ip | string | optional | Visitor IP address for ban-list check |
| ua | string | optional | Visitor user-agent string |
| host | string | optional | Customer domain for domain validation |
| url | string | optional | Current page URL for logging |
/api/stats
Returns today's session counts, bot counts, mail stats, and monthly usage.
/api/feed
Returns recent sessions for your account. Poll every 5 seconds for a live feed.
| Parameter | Default | Description |
|---|---|---|
| limit | 60 | Number of sessions to return (max 100) |
/api/domains
List all registered domains with monthly session and bot counts.
/api/domain/add
Register a new domain. Body: {"domain": "example.com"}
/api/domain/toggle
Enable or disable a domain. Body: {"id": 123}
/api/domain/delete
Permanently delete a domain and all associated sessions. Body: {"id": 123}
/api/bans
List all bans for your account. Filter by type with ?type=ip|session|email
/api/ban
Add a manual ban. Body: {"type": "ip", "value": "1.2.3.4", "reason": "Manual ban"}
/api/unban
Remove a ban by ID. Body: {"id": 456}
/api/keys
List all API keys for your account, including last-used timestamps.
/api/key/create
Create a new API key. Body: {"label": "Production"}
/api/key/revoke
Revoke a key immediately. Body: {"id": 789}
| HTTP status | Meaning |
|---|---|
| 400 | Bad request — missing or invalid parameters |
| 401 | Unauthorized — missing or invalid API key |
| 403 | Forbidden — API key valid but domain not registered or account suspended |
| 429 | Rate limited — monthly session quota exceeded for your plan |
| 500 | Server error — GhostGuard internal error, fail-open applies |