Subscribe to receive notifications of new posts:

Using the CloudFlare API to pull visitor IPs


3 min read

Note: This API feature no longer works. Please contact support if you have a question about current functions available via the CloudFlare API.

CloudFlare Recent IPs API blog

Many of our customers love CloudFlare's statistics report because the information available differs from other services providing analytics.

One frequent request is that customers would like to be able to look at the individual IP hits coming to their site. This information can be useful if you see a sudden increase in traffic and want more insight into the origin. Ian Pye, CloudFlare's API and reporting guru, created a solution in the CloudFlare API.

How to use the API function to view recent visitor IPs within the past 48 hours:

  1. Open Firefox and install the Firefox JSONview addon. We recommend doing the API call in Firefox with the JSONview addon since the data output is easy to read.
  2. Get your API key from your CloudFlare account.
  3. Get your zone id by clicking on the 'Reports and Stats' option for the domain you want to pull data for. The zone ID is at the end of the url on that page (zid=xxxx).
  4. The API values from the Client Interface API are as follows:
    [a] = zone_ips
    [tkn] = Your API Key
    [email] = [email protected] (use the one associated with your CloudFlare account)
    [zid] = ID of the zone you would like to check.
    [hours] = Number of hours to go back. Default is 24, max is 48.
    [class] = (Optional) Restrict the result set to a given class. Currently r|s|t, for regular, crawler, threat respectively. If you omit this token you will see the results for all visitors.
    [geo] = (Optional) Include to add longitude and latitude information to the response. 0,0 means no data.

The URL is:

​5. So, you are now ready to run the query. Open your Firefox browser, and run the following function, but insert the data from steps 1 through 3 for your particular site:[email protected]&zid=1228&hours=36&geo

The variables listed in blue are the ones that you should customize for your particular site.

​6. The data output will list the IPs in order from the most number of hits in the selected time period to the least. You will also be able to see the visitor classified by type.

One thing to note is that for Free accounts, you will only be able to see data older than 24 hours. For Pro accounts, you can see data in the
last 24 hours as well.

In terms of what you can do with the data, if you see a lot of requests coming a certain IP in a short period of time, you may determine it is an attack. In that case, you should add it to your Block List in your CloudFlare Threat Control panel. By adding the IP to the Block List, the visitor will be stopped from accessing your server reducing your server load.

Have any suggestions for improving the API? Have something cool that you've done with the CloudFlare API that you would like to share with the rest of the community? We'd love to hear about it. Share it with us.

We protect entire corporate networks, help customers build Internet-scale applications efficiently, accelerate any website or Internet application, ward off DDoS attacks, keep hackers at bay, and can help you on your journey to Zero Trust.

Visit from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.

Follow on X


Related posts