IQLink REST API

Manage DNS, CDN proxy, email forwarding, WAF, analytics and more.

Base URL

https://api.iqlink.pl

Rate Limits

120 requests per minute per IP. Responses include standard rate limit headers.

Content Type

All requests and responses use application/json.

Authentication

The API uses JWT Bearer tokens from Supabase Auth. Include the token in the Authorization header:

Authorization: Bearer <access_token>

Login via OTP (for CLI / API clients)

POST /v1/cli/login Public

Send a 6-digit OTP code to the given email address.

{
  "email": "user@example.com"
}

POST /v1/cli/verify Public

Verify OTP code and receive access + refresh tokens.

// Request
{
  "email": "user@example.com",
  "token": "123456"
}

// Response
{
  "access_token": "eyJ...",
  "refresh_token": "abc...",
  "user": { "id": "uuid", "email": "user@example.com" }
}

Token Refresh

POST /auth/v1/token?grant_type=refresh_token Public

Refresh an expired access token.

{
  "refresh_token": "abc..."
}

CLI Tool

IQLink provides a command-line tool for managing your domains from the terminal.

Install

# Linux (amd64)
curl -Lo iqlink https://docs.iqlink.pl/dl/iqlink-linux-amd64
chmod +x iqlink && sudo mv iqlink /usr/local/bin/

# Linux (arm64)
curl -Lo iqlink https://docs.iqlink.pl/dl/iqlink-linux-arm64
chmod +x iqlink && sudo mv iqlink /usr/local/bin/

# macOS (Apple Silicon)
curl -Lo iqlink https://docs.iqlink.pl/dl/iqlink-darwin-arm64
chmod +x iqlink && sudo mv iqlink /usr/local/bin/

# macOS (Intel)
curl -Lo iqlink https://docs.iqlink.pl/dl/iqlink-darwin-amd64
chmod +x iqlink && sudo mv iqlink /usr/local/bin/

Quick Start

# Login
iqlink login user@example.com

# List domains
iqlink zones

# List DNS records
iqlink dns example.com

# Add A record with proxy
iqlink dns add example.com A www 1.2.3.4 --proxy

# Toggle proxy on/off
iqlink proxy on example.com <record-id>

# Check security score
iqlink security example.com

# View analytics
iqlink analytics example.com --period 7d

All Commands

Command	Description
`login [email]`	Login via OTP code
`logout`	Clear stored credentials
`whoami`	Show account info & usage
`zones`	List domains
`zones add <domain>`	Add a domain
`zones delete <domain>`	Remove a domain
`zones check <domain>`	Check NS delegation
`dns <domain>`	List DNS records
`dns add ...`	Add DNS record
`dns update ...`	Update DNS record
`dns delete ...`	Delete DNS record
`dns export <domain>`	Export BIND zone file
`dns template <domain> <id>`	Apply DNS template
`proxy on\|off <domain> <id>`	Toggle per-record proxy
`email <domain>`	List email forwards
`email add ...`	Add email forward
`email delete ...`	Delete email forward
`waf <domain>`	Show WAF status
`waf enable\|disable <domain>`	Toggle WAF
`cache purge <domain>`	Purge cache
`analytics <domain>`	Show analytics
`security <domain>`	Run security check
`dnssec <domain>`	DNSSEC status
`dnssec enable\|disable`	Toggle DNSSEC

Errors

Errors return JSON with an error field:

{
  "error": "domain not found"
}

Code	Meaning
`400`	Bad request — invalid input
`401`	Unauthorized — missing or invalid token
`403`	Forbidden — insufficient permissions or plan limit
`404`	Not found
`409`	Conflict — e.g. proxy ↔ site mutual exclusivity
`429`	Rate limited
`500`	Internal server error

Zones (Domains)

GET /v1/zones JWT

List all domains for the authenticated account.

// Response
[
  {
    "id": "bd2b5609-...",
    "domain": "example.com",
    "status": "active",
    "ns_verified": true,
    "created_at": "2026-03-01T12:00:00Z"
  }
]

POST /v1/zones JWT

Add a domain. Auto-creates SOA + NS records in PowerDNS.

{ "domain": "example.com" }

DELETE /v1/zones/{id} JWT

Delete a domain and all its DNS records.

POST /v1/zones/{id}/check-nameservers JWT

Verify NS delegation via TLD query. Returns delegation status.

// Response
{
  "tld_delegated": true,
  "authoritative": true,
  "expected_ns": ["ns1.iqlink.pl", "ns2.iqlink.pl"],
  "found_ns": ["ns1.iqlink.pl", "ns2.iqlink.pl"]
}

DNS Records

GET /v1/zones/{id}/records JWT

List all DNS records for a zone. Proxied records show virtual (original) content.

// Response
[
  {
    "id": "base64-encoded-id",
    "type": "A",
    "name": "example.com",
    "content": "1.2.3.4",
    "ttl": 300,
    "proxied": true,
    "proxiable": true,
    "port": 443
  }
]

POST /v1/zones/{id}/records JWT

Create a DNS record. Supports A, AAAA, CNAME, MX, TXT, SRV, CAA, NS.

{
  "type": "A",
  "name": "www",
  "content": "1.2.3.4",
  "ttl": 300,
  "proxied": false
}

Field	Type	Required	Notes
`type`	string	Yes	A, AAAA, CNAME, MX, TXT, SRV, CAA, NS
`name`	string	Yes	Subdomain or @ for apex
`content`	string	Yes	Record value
`ttl`	int	No	Default: 300
`priority`	int	No	For MX/SRV records
`proxied`	bool	No	Enable CDN proxy (A/AAAA/CNAME only)

PUT /v1/zones/{id}/records/{rid} JWT

Update a DNS record.

DELETE /v1/zones/{id}/records/{rid} JWT

Delete a DNS record.

GET /v1/zones/{id}/records/export JWT

Export zone as BIND zone file (text/plain).

POST /v1/zones/{id}/records/template JWT

Apply a DNS template (e.g. Google Workspace, Microsoft 365).

{ "template_id": "google-workspace" }

GET /v1/templates JWT

List available DNS templates.

Proxy (CDN)

Per-record proxy toggle (Cloudflare-style orange cloud). When enabled, traffic flows through IQLink edge nodes with TLS termination, caching, WAF, and DDoS protection.

PATCH /v1/zones/{id}/records/{rid}/proxy JWT

Toggle proxy on/off for a DNS record (A, AAAA, CNAME only).

{ "proxied": true }

When proxy is enabled, the DNS record is replaced with a LUA A record that health-checks edge nodes and routes traffic through them. The original record content is preserved and used as the backend target.

GET /v1/zones/{id}/proxy JWT

Get proxy settings (SSL mode, cache config).

PUT /v1/zones/{id}/proxy JWT

Update proxy settings.

{
  "ssl_mode": "full",       // flexible | full | strict
  "cache_enabled": true,
  "cache_ttl": 3600,
  "region": "pl"            // pl | eu | global
}

Email Forwarding

Forward emails to external addresses. Auto-creates MX, SPF, DMARC records. DKIM-signed via iqlink.pl.

GET /v1/zones/{id}/email JWT

List email forwards, DNS readiness, and usage limits.

// Response
{
  "forwards": [
    {
      "id": "uuid",
      "alias": "contact",
      "destinations": ["user@gmail.com"],
      "enabled": true,
      "is_catchall": false
    }
  ],
  "dns_ready": true,
  "limit": 5,
  "count": 1
}

POST /v1/zones/{id}/email JWT

Create an email forward. First forward auto-creates MX/SPF/DMARC records.

{
  "alias": "contact",
  "destinations": ["user@gmail.com", "backup@example.com"]
}

PUT /v1/zones/{id}/email/{fid} JWT

Update a forward (destinations, enabled).

DELETE /v1/zones/{id}/email/{fid} JWT

Delete a forward. Last forward auto-removes DNS records.

WAF / Firewall

Per-zone Web Application Firewall powered by Coraza + OWASP CRS 4.15.0.

GET /v1/zones/{id}/firewall JWT

Get WAF configuration.

PUT /v1/zones/{id}/firewall JWT

Update WAF configuration. Triggers config sync to edge nodes.

{
  "mode": "block",            // off | monitor | block
  "paranoia_level": 1,        // 1-4
  "rate_limit": 100,          // requests per second
  "block_ai_bots": false,
  "browser_check": false,
  "hotlink_protection": false,
  "wordpress_hardening": false
}

Free plan: paranoia 1, rate limit 100/s fixed. Pro: all features except custom rules. Business: full access.

DELETE /v1/zones/{id}/firewall JWT

Disable WAF.

GET /v1/zones/{id}/firewall/events JWT

Paginated WAF events (blocked requests).

GET /v1/zones/{id}/firewall/stats JWT

WAF statistics (top rules, IPs, URIs, 24h).

Cache

POST /v1/zones/{id}/cache/purge JWT

Purge cached content.

// Purge everything
{ "purge_everything": true }

// Purge specific URLs
{ "files": ["https://example.com/style.css"] }

Analytics

GET /v1/zones/{id}/analytics?period=24h JWT

Per-zone traffic analytics. Period: 1h, 6h, 24h, 7d, 30d, 365d.

// Response
{
  "summary": {
    "total_requests": 12451,
    "total_bytes": 1288490188,
    "cache_hit_rate": 78.5,
    "unique_ips": 3201
  },
  "status_codes": { "2": 11118, "3": 1021, "4": 262, "5": 50 },
  "timeseries": [ ... ]
}

Free: max 24h. Pro: max 30d + hostname breakdown. Business: max 365d + hostname breakdown.

Security Check

GET /v1/zones/{id}/security-check JWT

Run a 10-point domain security audit. Checks DNS, SSL, Email, Reputation.

// Response
{
  "score": 8,
  "total": 10,
  "checks": [
    {
      "category": "DNS",
      "name": "NS delegation",
      "status": "pass",
      "detail": "Using IQLink nameservers"
    },
    {
      "category": "SSL",
      "name": "TLS version",
      "status": "pass",
      "detail": "TLS 1.3"
    },
    {
      "category": "DNS",
      "name": "DNSSEC",
      "status": "fail",
      "detail": "Not enabled",
      "fix": "iqlink dnssec enable example.com"
    }
  ]
}

DNSSEC

GET /v1/zones/{id}/dnssec JWT

Get DNSSEC status and DS records.

POST /v1/zones/{id}/dnssec JWT

Enable DNSSEC (Pro/Business only). Returns DS records to add at registrar.

DELETE /v1/zones/{id}/dnssec JWT

Disable DNSSEC. Remove DS records at registrar first to avoid BOGUS responses.

Health Status

GET /v1/health-status JWT

Edge node health status and traffic stats.

GET /v1/regions Public

List available routing regions (pl, eu, global).

Plans & Billing

Plans

Feature	Free	Pro (49 PLN/mo)	Business (199 PLN/mo)
Zones	5	50	200
Email forwards	5	50	9,999
Proxy records	2	20	100
Analytics	24h	30d	365d
WAF paranoia	1 (fixed)	1-4	1-4
Custom WAF rules	—	—	Yes
DNSSEC	—	Yes	Yes

GET /v1/billing/info JWT

Get current plan, usage, and limits.

POST /v1/billing/checkout JWT

Create a Stripe Checkout session for plan upgrade.

{ "plan": "pro" }  // pro | business

POST /v1/billing/portal JWT

Create a Stripe Billing Portal session for managing subscription.

GET /v1/billing/invoices JWT

List invoices.

IQLink API v1.2.0 · iqlink.pl · support@iqlink.pl