Developer guides and integration examples
Practical walkthroughs showing how to wire botoi endpoints into your stack. Working code, no filler.
66% of firms had an AI agent incident: 4 API checks to add this week
The CSA April 2026 survey found two-thirds of organizations had a cybersecurity incident tied to unchecked AI agents. Four endpoint checks, drop-in code, and a scoring rubric you can ship today.
Detect AI scrapers with TLS fingerprints, not user agents
GPTBot, ClaudeBot, and PerplexityBot now spoof Chrome user agents on 30%+ of requests. JA4 TLS fingerprinting catches them at the handshake, before your origin even parses the headers.
Gemini 3.1 Deep Research now speaks MCP: connect 49 tools in 5 minutes
Google shipped MCP support in Deep Research Max in April 2026. Point it at the botoi MCP server and Gemini gets DNS, WHOIS, breach, and TLS lookups for any research task. Five-minute setup.
Cloudflare Code Mode MCP: stop paying 1M tokens to describe your tools
Cloudflare cut MCP tool definitions from 1.17M tokens to 1K by letting agents write code against a typed API surface. Here is how the pattern works and when to use it.
LiteLLM got backdoored: audit your AI toolchain this week
TeamPCP shipped credential-stealing malware inside a LiteLLM release and drained AWS, GCP, and SSH keys from dev machines. Five checks to run before your next pip install.
Shadow MCP: the enterprise problem nobody budgeted for
Employees are plugging unauthorized MCP servers into Claude and Cursor. One gateway rule, one inventory query, and one policy template to get ahead of it.
Free weather API with air quality in one call
One API key, two endpoints, and a 40-line Node.js function that returns current temperature and PM2.5 for any city. No product-tier upgrade.
Check breached emails at signup without running HaveIBeenPwned yourself
Catch compromised credentials before you store them. A single API call, a Next.js route handler, and a React Hook Form validator that adds 40ms to signup latency.
Claude Skills vs MCP tools: pick the right extension point
Claude Skills load instructions into context. MCP tools execute remote actions. Seven criteria to pick the right one, with code for both paths.
Redact PII from AI agent logs before it hits your database
Your agent logs every prompt and tool call. One missed SSN in a transcript turns into a GDPR disclosure. A three-line middleware fixes it before the row is written.
Stop signup fraud with 3 API checks, no captcha required
Captchas hurt conversion and bots solve them anyway. Score each signup with VPN, disposable email, and IP blocklist checks in under 120ms, and only challenge the top 5%.
Claude Code reverse-engineered: 6 lessons for your AI agent
Researchers unminified Claude Code's CLI bundle and published its system prompt, tool schemas, and agent loop. Six lessons for anyone shipping an AI agent to real users.
MCP OAuth 2.1 with PKCE: secure your agent server in 7 steps
The 2026-03-15 MCP spec makes OAuth 2.1 + PKCE the authorization standard for agent servers. Seven steps to ship: PRM metadata, dynamic client registration, scope design, and token validation with code.
MCP SSE deprecated: migrate to Streamable HTTP before your server breaks
MCP SSE transport hit end-of-life on April 1, 2026. Migrate to Streamable HTTP with a stateless handler, fresh-instance-per-request, and a session resume path; code for Node, Python, and Cloudflare Workers.
AP2 agent payments protocol: a developer guide with 60+ partners
Google shipped AP2 with Mastercard, PayPal, Coinbase, and 57 more. Six concepts developers need to wire agent-led payments, plus the x402 crypto extension and Mandate flow with code.
Axios got backdoored: 5 npm packages to replace with HTTP APIs
A North Korea-linked actor shipped a RAT inside axios 1.14.1 to 70M weekly installers. Five single-purpose npm packages you can delete today and replace with HTTP API calls.
Your AI agent burns 21,000 tokens to fix a typo: 6 cost patterns
One documented Claude Code session used 21,000 input tokens to fix a single character. Six patterns that cut token bills by 60 to 80%, with code and real numbers.
MCP joined the Linux Foundation: 5 enterprise readiness upgrades
MCP moved under the Agentic AI Foundation with 97M monthly SDK downloads. Five upgrades your MCP server needs before enterprise procurement signs off, with code.
NumVerify alternative: phone validation plus 150 endpoints
NumVerify charges $14.99/month for phone validation alone. Botoi validates phones from 30+ countries and includes 150+ developer endpoints starting free.
ipstack alternative: IP geolocation plus 150 endpoints
ipstack charges $9.99/month for IP geolocation alone. Botoi bundles city-level IP lookup, VPN detection, and 150+ developer endpoints starting free.
API observability when AI agents are your heaviest callers
Gartner says 30% of new API traffic comes from LLMs. Five observability patterns to detect agent callers, trace tool-use chains, and set rate limits that fit bursty workloads.
Postman killed free teams: 5 ways to test APIs without paying
Postman now charges $19/user/month for team features. Five free alternatives for API testing: curl, Hoppscotch, Bruno, interactive playgrounds, and AI assistants with MCP.
10,000 MCP servers exist: here is what separates the good ones
The MCP ecosystem crossed 10,000 servers in April 2026. Seven practices that separate useful MCP servers from abandoned ones, with examples from a 49-tool production server.
Claude Managed Agents: connect 49 MCP tools in one config
Claude Managed Agents launched April 8, 2026. Wire botoi MCP server into a managed agent and give Claude 49 developer tools with one config block.
Claude Advisor Tool: pair a fast executor with a smarter planner
The Advisor Tool lets Sonnet call Opus mid-generation for strategic guidance. One API request, two models, near-Opus quality at Sonnet cost.
AI agents are calling your API: 5 auth mistakes that create backdoors
80% of teams run AI agents in production but only 22% treat them as independent identities. Five auth mistakes that turn your API into an open door.
OWASP Top 10 for agentic apps: what API developers need to change
The OWASP agentic apps top 10 lists risks your existing API security misses. Five fixes API developers can ship this week, with code.
Secure your MCP server: an 8-point developer checklist
43 agent frameworks shipped with embedded vulnerabilities in 2026. Eight checks to lock down your MCP server before an AI agent finds the gaps.
Claude Mythos found 500+ zero-days: automate your security checks
Anthropic's Claude Mythos uncovered 500+ vulnerabilities in battle-hardened codebases. Here are 6 API-driven security checks you can automate today without waiting for access.
API rate limiting: 4 algorithms every developer should know
Fixed window, sliding window, token bucket, and leaky bucket explained with diagrams, X-RateLimit headers, and Node.js retry logic you can copy-paste.
How to use the Botoi TypeScript SDK with 5 real examples
Install @botoi/sdk, call 150+ endpoints with full type safety, auto-retry, and zero dependencies. Five copy-paste examples included.
API key vs JWT vs OAuth2: pick the right auth for your API
Compare API keys, JWTs, and OAuth2 across 7 criteria. Learn which fits server-to-server calls, user sessions, and third-party access with working curl examples.
MCP vs A2A: picking the right AI agent protocol
MCP connects AI models to tools. A2A connects AI agents to each other. Compare architecture, auth, message format, and adoption to pick the right protocol.
OpenAPI to MCP server: 150 endpoints, 49 AI tools
How we converted an OpenAPI spec into a curated MCP server with 49 tools. Schema conversion, tool descriptions, annotations, and stateless HTTP transport.
Add llms.txt to your API for AI discoverability
llms.txt tells LLMs what your API does in 6x fewer tokens than HTML. Step-by-step tutorial with spec format, two-tier approach, and a real-world example.
REST vs GraphQL vs gRPC: a decision framework for 2026
A concrete framework for choosing REST, GraphQL, or gRPC in 2026. Comparison table, code examples, and the criteria that matter for each.
Webhook security: HMAC signatures, idempotency, and replay protection
Three code patterns stop spoofed payloads, duplicate deliveries, and replayed webhook requests. Node.js examples with HMAC-SHA256 and timestamp checks.
OWASP API Security Top 10: checklist with fixes
Walk through all 10 OWASP API Security risks (2023 edition) with real attack scenarios, concrete fixes, and a copy-paste checklist for your security review.
Build an AI ops agent: SSL, DNS, and uptime via MCP
Wire 4 MCP tools into Claude Code or Cursor to monitor SSL expiry, DNS changes, uptime, and accessibility from natural-language prompts.
How to price your API: 5 models that work in 2026
Five API pricing models with real numbers, Stripe billing code, and a decision flowchart. Includes botoi's own free-tier-to-$199/mo case study.
How to add developer tools to Claude with MCP
Connect Claude Desktop, Claude Code, or Cursor to 49 developer tools in under 2 minutes. DNS lookups, JWT signing, email validation, and more via one MCP server.
Validate emails from Claude with the botoi MCP server
Connect Claude Desktop or Claude Code to 49 developer tools via MCP. Validate emails, check MX records, and flag disposable addresses without leaving your editor.
How to detect VPN users in your app with one API call
Add VPN, proxy, and Tor detection to signup, checkout, and login flows. Express middleware, Next.js integration, and risk scoring examples with working code.
How to validate emails in Node.js without installing a package
Three API calls check syntax, MX records, and disposable domains. No npm install, no regex file, no SMTP timeout. Works from fetch in any Node.js version.
How to add IP geolocation to your SaaS in 20 minutes
Four SaaS features that need IP geolocation: currency defaults, GDPR banners, fraud detection, and analytics dashboards. Working code for each, no Google Maps required.
APIVerve alternative: REST endpoints, no credit math
APIVerve uses credits that vary by endpoint. Botoi charges flat per-request across 150+ REST endpoints with a free tier, no GraphQL, no credit math.
Give your AI agent 150+ tools in 30 seconds
One JSON config connects Claude, Cursor, or VS Code to 49 MCP tools and 150+ API endpoints. DNS, email validation, JWT, hashing, QR codes, and more.
10 MCP servers every developer should know in 2026
A curated list of 10 MCP servers for AI coding assistants. Covers Botoi, GitHub, Filesystem, Postgres, Playwright, Sentry, Slack, Linear, Stripe, and SQLite with setup configs.
How to give AI agents real-world tools with a single API
Connect AI agents to 150+ developer tools via REST API or MCP. Claude tool use, OpenAI function calling, and MCP-based architectures with code examples.
ExchangeRate-API alternative: currency conversion plus 150+ endpoints
ExchangeRate-API and Fixer.io only do currency conversion. Botoi bundles live exchange rates with 150+ endpoints under one API key.
APILayer alternative: one API key replaces six products
APILayer charges per product. Fixer, NumVerify, ipstack, and mailboxlayer each need their own key and billing. Botoi covers all six with one key, starting free.
API Ninjas alternative: 150+ endpoints, one key, free tier
API Ninjas charges $14.99/mo for 100+ APIs. Botoi offers 150+ developer endpoints with a free tier, interactive docs, and MCP server support.
Clearbit alternative: free company enrichment after the HubSpot sunset
Clearbit shut down its standalone API after HubSpot acquired it. Botoi covers company lookup, tech detection, email validation, and IP geolocation across 150+ free endpoints.
Barcode generator API: one POST, SVG output, six formats
Generate barcodes with one API call. Supports Code128, EAN-13, EAN-8, UPC-A, ITF-14, and MSI. Returns SVG you can embed in labels, invoices, or PDFs.
URL metadata API: build link previews like Slack in one call
Extract Open Graph tags, Twitter Card data, favicons, and page titles from any URL with one POST request. Build link preview cards in under 20 lines of code.
VAT number validation API: verify EU tax IDs in one POST
Validate VAT numbers for all 27 EU member states with one API call. Returns validity, country code, and formatted number. Free tier, no SOAP XML.
Validate IBAN numbers with one API call
Validate any IBAN, extract the country code and check digits, and get a formatted string back. One POST request, 80+ countries, no banking SDK required.
Free geocoding API: forward, reverse, and distance in one REST call
Convert addresses to coordinates, coordinates to addresses, and calculate distances between points with three REST endpoints. Free tier, no Google Maps required.
Monitor SSL certificate expiry with a REST API
Check SSL certificate expiry dates, issuers, and security headers for any domain with two API endpoints. Includes GitHub Actions, Node.js, and Slack alert examples.
Currency conversion API: real-time exchange rates over REST
Convert between 170+ currencies and fetch live exchange rates with two REST endpoints. Free tier, no account required, JSON responses in under 50ms.
Check domain availability with one API call
POST a domain name, get an availability boolean and registrar data back in under 200ms. Build real-time domain search UIs, batch-check TLDs, and suggest names programmatically.
Validate phone numbers and convert to E.164 with one API call
Parse, validate, and normalize phone numbers from 30+ countries into E.164 format. One POST request, no libphonenumber install, free tier included.
VPN and proxy detection API: flag abuse without blocking users
Detect VPN, proxy, Tor, and datacenter connections with one POST request. Includes Next.js middleware, Express rate limiting, and fraud scoring examples.
Generate PDFs from HTML and Markdown with a REST API
Two POST requests turn HTML or Markdown into downloadable PDFs. No Puppeteer, no Chromium, no 500MB dependency. Invoices, reports, and receipts in under 1 second.
Generate QR codes with a REST API: one POST, instant SVG
Generate QR codes from any URL or text with one POST request. Returns SVG in under 100ms. Free tier, no library install, 6 configurable parameters.
WHOIS API: structured domain lookups via RDAP in one POST
Get registrar, expiry date, nameservers, and status codes for any domain with one API call. Structured JSON from RDAP; no text parsing.
DNS lookup API: query A, MX, and TXT records over REST
Look up DNS records programmatically with 3 REST endpoints. Query single record types, batch multiple types, and check propagation across Google, Cloudflare, and Quad9.
Botoi MCP server: 49 developer tools inside your AI coding assistant
Connect Claude, Cursor, or VS Code to 49 developer tools via MCP. DNS lookups, JWT signing, Base64 encoding, PII detection, and more; no context switching.
Block disposable emails in Next.js with one middleware file
A 40-line Next.js middleware that calls the botoi API to reject signups from temporary email addresses. Copy, paste, deploy.
Audit your domain's email security on every push with GitHub Actions
A GitHub Action that checks SPF, DMARC, and DKIM records using the botoi API and fails the build if any record is missing or misconfigured.
Debug webhooks without deploying: a temporary inbox you can spin up in 10 seconds
Create a throwaway webhook URL, point any service at it, and inspect every payload. No tunnels, no servers, no Zapier account.
Convert any JSON response to a Zod schema with one POST request
Paste a JSON payload, get a validated Zod schema back. No CLI install, no build step. Works from any language that can make HTTP requests.
Optimize SVGs in your CI pipeline with a REST API (no SVGO install needed)
A single curl command shrinks SVG files by 40-60%. Add it to GitHub Actions, GitLab CI, or any pipeline without installing Node.js or SVGO.
Scan user input for PII before storing it: a free API approach
Detect names, emails, phone numbers, and credit card numbers in text with one API call. Free tier, no Azure account, no ML setup.
Parse and validate cron expressions via REST API
Send a cron string, get back the next run times, a human-readable description, and validation errors. Useful for admin panels and scheduling UIs.
Stop writing TypeScript interfaces by hand: auto-generate them from JSON
POST a JSON payload to the botoi API and get back TypeScript types. No QuickType CLI, no browser tab, no copy-paste from ChatGPT.
Generate 10,000 realistic test users in 2 seconds with a mock data API
Define a schema with field types and constraints. The API returns typed fake data; names, emails, addresses, dates. No Faker install needed.
Generate Open Graph images dynamically without Next.js or Vercel
An OG image API that works from Astro, Remix, Rails, Django, Laravel, or plain HTML. One POST request returns a 1200x630 PNG.
Email validation API comparison 2026: free tiers, accuracy, and speed
Hunter, ZeroBounce, Emailable, AbstractAPI, and botoi compared side by side. Pricing, rate limits, detection features, and response times.
Detect what tech stack any website uses via API (at 1/30th the price of Wappalyzer)
Wappalyzer charges $450/month for API access. The botoi tech detection endpoint costs $0 on the free tier and $9/month on Starter. Same data, fraction of the price.
Validate an email address without sending a single message
Three API calls check syntax, MX records, and disposable providers. Catch bad emails at signup before they cost you bounces and sender reputation.
SPF, DMARC, and DKIM: the complete email authentication guide
Audit your domain's email security in 30 seconds with 3 API calls. Covers the 6 most common SPF, DMARC, and DKIM misconfigurations and how to fix them.
Token counting for GPT, Claude, and Llama in one API
Count and truncate tokens across 15 LLM models with a single POST request. Prevent context window overflows and estimate costs before every API call.
Capture website screenshots with one API call
Send a URL, get a PNG, JPEG, or WebP back in under 2 seconds. Full-page capture, custom viewports, and JavaScript rendering included.
ipinfo.io alternative: free city-level IP geolocation and VPN detection
ipinfo.io removed city-level geo from its free tier in 2025. Botoi offers city-level IP lookup, VPN detection, and 150+ more endpoints at no cost.
AbstractAPI alternative: one key for 150+ endpoints
AbstractAPI charges per API. Three subscriptions cost $55-117/mo. Botoi covers the same features with one $9/mo plan and 150+ endpoints included.
RapidAPI alternative: one key for 150+ endpoints, no marketplace tax
Stop managing 4 API subscriptions from 4 providers. Botoi gives you 150+ developer utility endpoints under one API key with consistent response formats.