ifport.io

External port visibility for agents and servers.

ifport.io checks which TCP ports are publicly visible on the IP address that made the request.

Like "what is my IP", but for visible TCP ports.

Root endpoint is the product: request `https://ifport.io` and get your current exposure report.

Usage

curl https://ifport.io
curl "https://ifport.io/?format=json"
curl "https://ifport.io/?format=json&view=min"
curl "https://ifport.io/?format=markdown"
curl "https://ifport.io/?format=plain"
curl https://ifport.io/json
curl "https://ifport.io/json?view=min"
curl https://ifport.io/check
curl https://ifport.io/plain
curl "https://ifport.io/gate?policy=strict"
curl https://ifport.io/status
curl https://ifport.io/openapi.json
curl https://ifport.io/llms.txt
curl -sS -X POST https://ifport.io/mcp \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
curl -sS -X POST https://ifport.io/mcp \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"get_visible_ports","arguments":{"ports":[22,80,443]}}}'
curl "https://ifport.io/json?profile=default"
curl "https://ifport.io/json?profile=web"
curl "https://ifport.io/json?profile=top1000"

Advanced same-scope artifacts are available at /action-plan, /evidence, /one-shot, /mission, /automation-pack.tar.gz, and /network-path. See /openapi.json for the full surface.

Profiles

default: Request default. Compact request-source profile: 22, 80, 443, 3000, 8080, 8443.
web: 80, 443, 3000, 5000, 5173, 8000, 8080, 8443
databases: 3306, 5432, 6379, 9200, 27017
mail: 25, 465, 587, 993, 995
top1000: Explicit broad request-source scan covering 1000 curated TCP ports.

Speed

fast: Up to 8 custom ports, 400 ms per port, 8000 ms global timeout. Default for / and /plain, and for explicit top1000 scans.
balanced: Up to 25 custom ports, 650 ms per port, 20000 ms global timeout. Default for /check and /json compact profiles.
deep: Up to 50 custom ports, 1200 ms per port, 30000 ms global timeout.

Important

The result describes the public IP address that made the request. If the request is made through NAT, VPN, proxy, CI/CD, cloud runtime, or an LLM sandbox, the result may not describe your local machine.

The public MVP does not scan arbitrary target IPs or hostnames. Custom checks only change the port list for the request source IP.

Need one request with result + concept + operations + automation + support context? Use /mission.

The root endpoint is deterministic when format is set: /?format=json, /?format=markdown, and /?format=plain bypass browser/CLI heuristics and force the requested representation.

/json is the canonical machine response. Agents that only need the stable parse set should prefer /json?view=min or /?format=json&view=min.

Need immediate next steps? Use /action-plan to get prioritized hardening actions and command templates.

/action-plan also includes per-port operator runbooks plus ready automation kits for GitHub Actions, GitLab CI, and cron/bash gates. JSON is the default; use format=markdown or browser HTML for a shareable operator report.

/automation-pack packages those runbooks as ifport/port-runbooks.md together with gate scripts and scan evidence.

Every scan response includes drift analysis against the previous check for the same source/profile key.

Scan responses also include snapshot evidence fields; use /verify to validate fingerprint and signature integrity.

Scan responses include scan.scan_id and share.result_url. Use /result/<scan_id> to read the persisted result later as browser HTML, CLI Markdown, or JSON; it does not run a new scan or accept IP/host/target lookup. Use /result/<scan_id>.svg for an embeddable read-only result card in README files, tickets, chats, and deploy records. Use /result/<scan_id>/evidence for the read-only persisted evidence pack derived from stored scan data. JSON responses expose those URLs as share.result_card_svg_url and share.result_evidence_url, so agents can hand them to the user without constructing them manually. The persisted result also includes an operator card and value receipt for tickets, incidents, deploy notes, and sponsor context.

Need a no-scan deployment grade for operators or agents? Use /readiness.

Need an operator handbook that explains what to do after a result? Use /playbook.

Agent clients can use POST /mcp with MCP JSON-RPC methods initialize, tools/list, and tools/call.

Stable machine contract

The following fields are guaranteed stable in 0.x. Agents should treat this as the minimal safe parse set; additional response fields may be added and should be ignored when unknown.

schema_version
service
target.type
target.ip
results.open
results.closed
results.filtered_or_timeout
partial
policy.verdict = pass|warn|fail|not_evaluated
decision.status = allow|review|block
decision.reason_code

Human words such as safe can appear in HTML or Markdown copy. Agents should parse decision.status and policy.verdict.

Example JSON response

GET /json?view=min returns a request-source result like this. Run the command from the exact network path you want to validate.

{
  "schema_version": "1.0",
  "service": "ifport.io",
  "observed_source_ip": "203.0.113.42",
  "target": {
    "type": "request_source_ip",
    "ip": "203.0.113.42"
  },
  "scan": {
    "scan_id": "63ead4aa-ab2a-413f-890a-35a9e9fd890a",
    "started_at": "2026-06-02T19:20:34.671186493Z",
    "type": "tcp_syn_or_connect",
    "profile": "default",
    "speed": "balanced",
    "duration_ms": 326,
    "per_port_timeout_ms": 650,
    "global_timeout_ms": 20000,
    "ports_checked": [22, 80, 443, 3000, 8080, 8443]
  },
  "results": {
    "open": [],
    "closed": [],
    "filtered_or_timeout": [22, 80, 443, 3000, 8080, 8443],
    "errors": []
  },
  "partial": false,
  "cache": {
    "hit": false,
    "ttl_seconds": 30
  },
  "accuracy": {
    "representation": "direct_public_path",
    "confidence": "high",
    "observed_ip_scope": "public",
    "reasons": [
      "Observed source IP was taken from the request transport path."
    ],
    "next_steps": [
      "Keep this as baseline evidence and rerun after network, firewall, or deploy changes."
    ]
  },
  "policy": {
    "name": "strict",
    "verdict": "pass"
  },
  "decision": {
    "status": "allow",
    "reason_code": "policy_and_exposure_within_expected_bounds"
  }
}

Operational contract

Rate-limited responses use {"error":"rate_limited","retry_after_seconds":n} plus Retry-After, RateLimit-Policy, RateLimit-Limit, RateLimit-Remaining, and RateLimit-Reset.

Scan cache keys include observed source IP, profile or custom ports, speed, policy, intent, and expect_open. format and view only change rendering/projection.

Source attribution uses trusted edge headers only after edge sanitization; otherwise it falls back to the transport source. Use /network-path as the diagnostic source of truth.

Why people support IfPort

IfPort gives immediate, defensive signal with zero setup: a single request returns what the internet can reach on your current public path. Teams use it in incident response, deployment checks, CI guardrails, and agent workflows.

Donations keep the project independent and cover uptime, abuse-protection, monitoring, and maintenance.

/sponsor-kit gives copy-paste sponsor text, procurement notes, funding proof, and roadmap unlocks.

/funding.json and /funding.yml expose no-scan funding metadata for agents, README files, and support workflows.

/badge.svg gives an embeddable live support badge for README files and internal docs.

/playbook packages interpretation, CI gate wiring, evidence habits, and support rationale for operators.

/robots.txt, /sitemap.xml, and the structured metadata on this page make the free checker easier to discover and cite.