Audit any website's font licensing in one API call

Most websites are running fonts they probably should not be.

This is not a particularly controversial claim, but most product teams have never thought about it carefully. A designer picks a typeface that looks good. A developer drops it into a Tailwind config. Years later, the company is using fonts that nobody at the organization remembers picking, with licensing terms nobody has reviewed, on a website that is generating real revenue using somebody else's intellectual property.

For most sites, this is fine. The font is a free Google Font with a permissive license, the marketing page is small, nobody notices. For some sites, it is not fine. The font was a freemium typeface where the free version was for personal use only. The font was a leak of a paid commercial typeface. The font was originally licensed for desktop only, but it is now being served as a webfont in violation of the agreement. Or the licensing terms changed three years ago and the original license no longer covers what the company is doing with it today.

The cost of getting it wrong has gone up. Type foundries have professionalized their compliance work. Some now run automated scrapers that detect their fonts in use without a license and send invoices that start in the tens of thousands of dollars. The Netflix font dispute we covered in an earlier post was the publicly visible tip of an iceberg of similar quiet settlements between foundries and brands.

The defensive answer should be obvious: every company should know what fonts are actually running on its websites and whether they are licensed correctly. The reason almost nobody does this is that there has never been an easy way to check.

Today we are launching one.

The URL Scan API

The URL Scan API takes a URL, opens it in a headless browser, detects every font that actually loads on the page (CSS-declared, fallback-resolved, dynamically injected, served from a CDN, embedded as base64), and cross-references each one against our license database. It returns a structured report with the fonts detected, the license type, the risk level, and an overall compliance score.

The whole thing is one HTTP call:

curl -X POST https://api.lipi.ai/v3/url-scan \
  -H 'x-api-key: lpi_your_api_key' \
  -H 'Content-Type: application/json' \
  -d '{ "url": "https://example.com" }'

The job runs asynchronously, takes 30 to 60 seconds for a full scan, and you poll the returned poll_url until the status flips to succeeded.

What you get back looks like this:

{
  "fonts_detected": [
    { "family": "Inter", "weights": ["400", "500", "700"], "source": "google_fonts" },
    { "family": "Söhne", "weights": ["400"], "source": "stylesheet" }
  ],
  "license_results": [
    { "font_name": "Inter", "risk_level": "low", "license_type": "SIL Open Font License", "commercial_use": true },
    { "font_name": "Söhne", "risk_level": "low", "license_type": "Commercial (Klim Type Foundry)", "commercial_use": true }
  ],
  "compliance_summary": {
    "total_fonts": 2,
    "overall_score": 100,
    "overall_risk": "low"
  }
}

A clean website returns a high score and low risks across the board. A messy website returns mixed risks, fonts flagged as unknown (meaning the licensing situation could not be determined automatically and needs human review), and a flag on the summary. The numbers and labels are designed to slot directly into a compliance dashboard, a Slack alert, or a CI gate.

Where this is useful

Five categories of teams have asked us for this, and they cover most of the people who should be running font scans regularly:

Agencies and design studios. Before delivering a website to a client, scan it. Catch the freemium font that the freelance designer dropped in to hit a deadline before the client signs off and inherits the liability. Add the scan to your QA checklist and you stop being the agency that shipped the licensing problem.

In-house brand and marketing teams. Do an audit pass across your owned web properties (marketing site, blog, careers page, customer portal, status page, embedded marketing pages on third-party platforms, partner microsites) and produce a single compliance report. Most companies have not done this since their last brand refresh, and the answer is almost never 'all clear'.

M&A due diligence. When a company acquires another company, the acquirer inherits all of the acquired company's IP risk. Font licensing risk is part of that. A scan of every public web property the target operates is a half-hour of API calls that can flag a real liability before the deal closes.

CI and pre-deployment gates. Run the scan on every staging deploy. Fail the build if any font on the page returns a high risk score. This catches font drift the moment somebody adds a new typeface that was not part of the approved brand system, before it ships to production and starts accumulating impressions you would prefer not to be paying licensing on.

Compliance and legal teams. Periodic audits of high-traffic properties. The output of the API is structured data that drops directly into compliance reporting tools, internal dashboards, or quarterly review documents.

The common thread is that all of these used to require either expensive consultants or a designer manually inspecting CSS files and guessing about licensing terms. Now any of them is a curl command.

What the scanner actually catches

The scanner runs a real headless browser, which means it sees fonts the way a real visitor's browser sees them. That matters for a few cases that simpler approaches miss:

Fonts loaded only after JavaScript runs (single-page apps, React/Vue/Svelte sites, anything that lazy-loads a stylesheet) are detected. A scanner that just parsed your HTML would miss them.

Fonts loaded from a CDN under a different domain than the main page (fonts.googleapis.com, use.typekit.net, custom self-hosted CDNs) are detected and attributed to their source.

Fonts loaded conditionally (different fonts on mobile vs. desktop, different fonts for logged-in users) are detected on whatever viewport configuration the scan is run against.

Fonts that are declared in CSS but never actually used on the page are not flagged, because the scanner reports what is actually rendered, not what is theoretically loadable. This avoids false positives from leftover CSS rules.

Fonts that fall back to a system font because the licensed file failed to load are detected as the system font, which is what the user actually sees, not the broken declared font.

How to start

Pricing is one credit per scan. Each Lipi.ai account starts with free credits, and additional credit packs are available from the developer dashboard. Cached results from URLs scanned in the last seven days return instantly and still cost a single credit, which is worth knowing if you are running periodic audits on the same property.

Authentication is the same API key that powers the Font Match API, so if you are already integrated with our font identification service, the URL Scan endpoint is already open to you. If you are not, you can generate an API key from your developer dashboard in about thirty seconds.

Full API documentation, including the response schemas for running, succeeded, and failed job states, the field-by-field meaning of every risk level, and a Postman collection for testing, is at /docs/url-scan-api.

Why we built this

Font licensing is one of the corners of corporate IP that almost nobody pays attention to until they get an invoice. The defensive posture is to not let that happen, and the reason almost nobody does is that there has been no practical way to audit at scale.

You should not need a font lawyer on retainer to know what fonts your website is using. You should be able to ask your servers, get a structured answer, and act on it. The URL Scan API is that asking interface.

Open the developer dashboard, generate a key, and try a scan against any public URL you want. The first one is on us.