IP Security API

Overview

The IP Security API returns detailed threat flags for any IPv4 or IPv6 address. It detects whether an IP is associated with a VPN, a proxy, a residential proxy, a Tor exit node, a relay, bot activity, spam activity, or known attacker behavior. For VPN and proxy signals, it also returns confidence scores, provider names, and last seen timestamps when available. This helps you reliably identify anonymous and masked traffic before it reaches your systems.

The API also checks whether the IP is linked to a cloud provider and, when available, returns the cloud provider name.

IP Security API Lookup Endpoints

The IP Security API offers two endpoints for IP risk assessment: single lookup and bulk lookup. Below you’ll find details and examples for both endpoints, along with the full list of optional query parameters and how to use them with each endpoint.

Note

Please note the following:

  • After adding your website as a Request Origin in the Billing Dashboard, you can call the endpoints below directly from the client-side without including the apiKey query parameter to help prevent unauthorized use of your API key.
  • Base URL (v3): https://api.ipgeolocation.io/v3/security
  • Responses are returned in JSON by default. To receive XML, add output=xml . You can also explicitly request JSON with output=json .
Important
Each successful Security lookup costs 2 credits. The X-Credits-Charged response header shows the total credits charged for the request. For details, please refer to our Credits Usage Guide.

Single IP Lookup Endpoint

1. Lookup the Caller IP (No ip Parameter)

If you don’t pass the ip parameter, the API automatically detects the public IP address of the requesting client and returns its threat score and security signals (for example, VPN/proxy/Tor/bot/spam/hosting indicators and the provider names when available). Use this option when you want to assess the IP risk of the requesting client without specifying an IP address.

curl -X GET 'https://api.ipgeolocation.io/v3/security?apiKey=API_KEY'
Response
1{
2  "ip": "115.186.118.130",
3  "security": {
4    "threat_score": 0,
5    "is_tor": false,
6    "is_proxy": false,
7    "proxy_provider_names": [],
8    "proxy_confidence_score": 0,
9    "proxy_last_seen": "",
10    "is_residential_proxy": false,
11    "is_vpn": false,
12    "vpn_provider_names": [],
13    "vpn_confidence_score": 0,
14    "vpn_last_seen": "",
15    "is_relay": false,
16    "relay_provider_name": "",
17    "is_anonymous": false,
18    "is_known_attacker": false,
19    "is_bot": false,
20    "is_spam": false,
21    "is_cloud_provider": false,
22    "cloud_provider_name": ""
23  }
24}

2. Lookup a Specific IP Address

Pass the ip parameter to check a specific IPv4 or IPv6 address. The API returns the threat score and security signals (such as VPN, proxy, residential proxy, Tor, bot, spam, relay, and hosting flags), along with provider names, confidence scores, and last seen dates when available.

curl -X GET 'https://api.ipgeolocation.io/v3/security?apiKey=API_KEY&ip=2.56.188.34'
Response
1{
2  "ip": "2.56.188.34",
3  "security": {
4    "threat_score": 80,
5    "is_tor": false,
6    "is_proxy": true,
7    "proxy_provider_names": [
8      "Zyte Proxy"
9    ],
10    "proxy_confidence_score": 80,
11    "proxy_last_seen": "2025-12-12",
12    "is_residential_proxy": true,
13    "is_vpn": true,
14    "vpn_provider_names": [
15      "Nord VPN"
16    ],
17    "vpn_confidence_score": 80,
18    "vpn_last_seen": "2026-01-19",
19    "is_relay": false,
20    "relay_provider_name": "",
21    "is_anonymous": true,
22    "is_known_attacker": true,
23    "is_bot": false,
24    "is_spam": false,
25    "is_cloud_provider": true,
26    "cloud_provider_name": "Packethub S.A."
27  }
28}

Additional Query Parameters

Use these query parameters to exclude fields, or return only the fields you need.

1. Exclude Fields ( excludes )

Use excludes to remove fields you don’t need from the response. Pass a comma-separated list of field paths.

How to write field paths: Use dot notation for nested fields: object.field . For example:

  • Exclude specific flags: security.is_tor , security.is_cloud_provider
Note
  • ip is always included and cannot be excluded.

An example request and response are shown below.

curl -X GET 'https://api.ipgeolocation.io/v3/security?apiKey=API_KEY&ip=2.56.188.34&excludes=security.is_tor,security.is_cloud_provider'
Response
1{
2  "ip": "2.56.188.34",
3  "security": {
4    "threat_score": 80,
5    "is_proxy": true,
6    "proxy_provider_names": [
7      "Zyte Proxy"
8    ],
9    "proxy_confidence_score": 80,
10    "proxy_last_seen": "2025-12-12",
11    "is_residential_proxy": true,
12    "is_vpn": true,
13    "vpn_provider_names": [
14      "Nord VPN"
15    ],
16    "vpn_confidence_score": 80,
17    "vpn_last_seen": "2026-01-19",
18    "is_relay": false,
19    "relay_provider_name": "",
20    "is_anonymous": true,
21    "is_known_attacker": true,
22    "is_bot": false,
23    "is_spam": false,
24    "cloud_provider_name": "Packethub S.A."
25  }
26}

In this example, the response does not contain is_tor and is_cloud_provider in the security object.

2. Return Specific Fields ( fields )

Use fields to return only the response fields you need. This helps reduce response size and keeps the payload focused.

How to specify fields: Provide a comma-separated list using dot notation: object.field . For example:

  • Security score: security.threat_score

An example request and response are shown below.

curl -X GET 'https://api.ipgeolocation.io/v3/security?apiKey=API_KEY&ip=2.56.188.34&fields=security.threat_score'
Response
1{
2  "ip": "2.56.188.34",
3  "security": {
4    "threat_score": 80
5  }
6}

Bulk IP Security Lookup Endpoint

The bulk endpoint allows you to perform IP security lookup for multiple IPv4 or IPv6 (maximum 50,000) in a single request.

  • Bulk lookup supports the same query parameters as the single lookup ( excludes , fields , and output ).
Important
  • For bulk lookups, the requests count and quota billing are calculated per valid IP address or domain name submitted, using the same credit rules as single lookups (+2 for Security); bogon, private, and malformed IPs are not counted, and the exact charge is returned in the X-Credits-Charged response header.
  • The X-Successful-Record response header is returned only if the request contains one or more invalid IP addresses. It indicates how many entries returned valid data with an HTTP 200 status. If all submitted IPs or domains are valid, this header is not included in the response.

1. Bulk lookup request

Send a POST request and pass the ips array as JSON.

curl -X POST 'https://api.ipgeolocation.io/v3/security-bulk?apiKey=API_KEY' \
-H 'Content-Type: application/json' \
-d '{"ips":["2.56.188.34","2.56.188.35"]}'
Response
1[
2  {
3    "ip": "2.56.188.34",
4    "security": {
5      "threat_score": 80,
6      "is_tor": false,
7      "is_proxy": true,
8      "proxy_provider_names": [
9        "Zyte Proxy"
10      ],
11      "proxy_confidence_score": 80,
12      "proxy_last_seen": "2025-12-12",
13      "is_residential_proxy": true,
14      "is_vpn": true,
15      "vpn_provider_names": [
16        "Nord VPN"
17      ],
18      "vpn_confidence_score": 80,
19      "vpn_last_seen": "2026-01-19",
20      "is_relay": false,
21      "relay_provider_name": "",
22      "is_anonymous": true,
23      "is_known_attacker": true,
24      "is_bot": false,
25      "is_spam": false,
26      "is_cloud_provider": true,
27      "cloud_provider_name": "Packethub S.A."
28    }
29  },
30  {
31    "ip": "2.56.188.35",
32    "security": {
33      "threat_score": 35,
34      "is_tor": false,
35      "is_proxy": false,
36      "proxy_provider_names": [],
37      "proxy_confidence_score": 0,
38      "proxy_last_seen": "",
39      "is_residential_proxy": false,
40      "is_vpn": false,
41      "vpn_provider_names": [],
42      "vpn_confidence_score": 0,
43      "vpn_last_seen": "",
44      "is_relay": false,
45      "relay_provider_name": "",
46      "is_anonymous": false,
47      "is_known_attacker": true,
48      "is_bot": false,
49      "is_spam": false,
50      "is_cloud_provider": true,
51      "cloud_provider_name": "Packethub S.A."
52    }
53  }
54]

2. Bulk Lookup with Additional Request Parameters

Use fields when you want to return only specific properties from the security object. Use excludes when you want to return the full security object but omit certain properties.

I. Using fields Parameter

This example uses the fields parameter to return only specific fields from the security object.

The goal is to return only:

  • security.is_vpn
  • security.vpn_confidence_score
  • security.is_proxy

Here is how the parameter is used:

  • Select only required fields: fields=security.is_vpn,security.vpn_confidence_score,security.is_proxy 
curl -X POST 'https://api.ipgeolocation.io/v3/security-bulk?apiKey=API_KEY&fields=security.is_vpn,security.vpn_confidence_score,security.is_proxy' \
-H 'Content-Type: application/json' \
-d '{"ips":["2.56.188.34","2.56.188.35"]}'
Response
1[
2  {
3    "ip": "2.56.188.34",
4    "security": {
5      "is_proxy": true,
6      "is_vpn": true,
7      "vpn_confidence_score": 80
8    }
9  },
10  {
11    "ip": "2.56.188.35",
12    "security": {
13      "is_proxy": false,
14      "is_vpn": false,
15      "vpn_confidence_score": 0
16    }
17  }
18]

II. Using excludes Parameter

This example uses the excludes parameter to remove specific fields from the security object.

The goal is to return the full security object except:

  • security.threat_score
  • security.proxy_last_seen
  • security.vpn_last_seen

Here is how the parameter is used:

  • Exclude specific fields: excludes=security.threat_score,security.proxy_last_seen,security.vpn_last_seen 
curl -X POST 'https://api.ipgeolocation.io/v3/security-bulk?apiKey=API_KEY&excludes=security.threat_score,security.proxy_last_seen,security.vpn_last_seen' \
-H 'Content-Type: application/json' \
-d '{"ips":["2.56.188.34","2.56.188.35"]}'
Response
1[
2  {
3    "ip": "2.56.188.34",
4    "security": {
5      "is_tor": false,
6      "is_proxy": true,
7      "proxy_provider_names": [
8        "Zyte Proxy"
9      ],
10      "proxy_confidence_score": 80,
11      "is_residential_proxy": true,
12      "is_vpn": true,
13      "vpn_provider_names": [
14        "Nord VPN"
15      ],
16      "vpn_confidence_score": 80,
17      "is_relay": false,
18      "relay_provider_name": "",
19      "is_anonymous": true,
20      "is_known_attacker": true,
21      "is_bot": false,
22      "is_spam": false,
23      "is_cloud_provider": true,
24      "cloud_provider_name": "Packethub S.A."
25    }
26  },
27  {
28    "ip": "2.56.188.35",
29    "security": {
30      "is_tor": false,
31      "is_proxy": false,
32      "proxy_provider_names": [],
33      "proxy_confidence_score": 0,
34      "is_residential_proxy": false,
35      "is_vpn": false,
36      "vpn_provider_names": [],
37      "vpn_confidence_score": 0,
38      "is_relay": false,
39      "relay_provider_name": "",
40      "is_anonymous": false,
41      "is_known_attacker": true,
42      "is_bot": false,
43      "is_spam": false,
44      "is_cloud_provider": true,
45      "cloud_provider_name": "Packethub S.A."
46    }
47  }
48]

3. Bulk Lookup Response for Invalid IPs

In a bulk request, each IP address is processed independently.

If an IP address is invalid (non-public, non-routable, or malformed), the API returns an object containing only a descriptive message field for that entry along with the valid public IP address responses.

curl -X POST 'https://api.ipgeolocation.io/v3/security-bulk?apiKey=API_KEY' \
-H 'Content-Type: application/json' \
-d '{"ips":["10.0.0.0","2.56.188.35"]}'
Response
1[
2  {
3    "message": "'10.0.0.0' is a bogon IP address."
4  },
5  {
6    "ip": "2.56.188.35",
7    "security": {
8      "threat_score": 35,
9      "is_tor": false,
10      "is_proxy": false,
11      "proxy_provider_names": [],
12      "proxy_confidence_score": 0,
13      "proxy_last_seen": "",
14      "is_residential_proxy": false,
15      "is_vpn": false,
16      "vpn_provider_names": [],
17      "vpn_confidence_score": 0,
18      "vpn_last_seen": "",
19      "is_relay": false,
20      "relay_provider_name": "",
21      "is_anonymous": false,
22      "is_known_attacker": true,
23      "is_bot": false,
24      "is_spam": false,
25      "is_cloud_provider": true,
26      "cloud_provider_name": "Packethub S.A."
27    }
28  }
29]

Security Details in Main IPGeolocation Endpoint

Security data is available only on the Paid plan of the IP Geolocation API. See the Pricing page for plan details.

You can retrieve security details using the /v3/ipgeo endpoint by explicitly including include=security in the query parameters. When requested, the response includes security information along with location, abuse contact, timezone, ASN data, user-agent, network, company and other fields described in the IP Location API documentation.

Security details are returned in the /v3/ipgeo response once the security object is enabled, as shown below.

curl -X GET 'https://api.ipgeolocation.io/v3/ipgeo?apiKey=API_KEY&ip=2.56.188.34&include=security'
Response
1{
2  "ip": "2.56.188.34",
3  "security": {
4    "threat_score": 80,
5    "is_tor": false,
6    "is_proxy": true,
7    "proxy_provider_names": [
8      "Zyte Proxy"
9    ],
10    "proxy_confidence_score": 80,
11    "proxy_last_seen": "2025-12-12",
12    "is_residential_proxy": true,
13    "is_vpn": true,
14    "vpn_provider_names": [
15      "Nord VPN"
16    ],
17    "vpn_confidence_score": 80,
18    "vpn_last_seen": "2026-01-19",
19    "is_relay": false,
20    "relay_provider_name": "",
21    "is_anonymous": true,
22    "is_known_attacker": true,
23    "is_bot": false,
24    "is_spam": false,
25    "is_cloud_provider": true,
26    "cloud_provider_name": "Packethub S.A."
27  },
28  "location": {
29    "continent_code": "NA",
30    "continent_name": "North America",
31    "country_code2": "US",
32    "country_code3": "USA",
33    "country_name": "United States",
34    "country_name_official": "United States of America",
35    "country_capital": "Washington, D.C.",
36    "state_prov": "Texas",
37    "state_code": "US-TX",
38    "district": "Dallas",
39    "city": "Dallas",
40    "zipcode": "75201",
41    "latitude": "32.77822",
42    "longitude": "-96.79512",
43    "is_eu": false,
44    "country_flag": "https://ipgeolocation.io/static/flags/us_64.png",
45    "geoname_id": "4684902",
46    "country_emoji": "🇺🇸"
47  },
48  "country_metadata": {
49    "calling_code": "+1",
50    "tld": ".us",
51    "languages": [
52      "en-US",
53      "es-US",
54      "haw",
55      "fr"
56    ]
57  },
58  "network": {
59    "connection_type": "",
60    "route": "2.56.188.0/22",
61    "is_anycast": false
62  },
63  "currency": {
64    "code": "USD",
65    "name": "US Dollar",
66    "symbol": "$"
67  },
68  "asn": {
69    "as_number": "AS62240",
70    "organization": "Clouvider Limited",
71    "country": "GB",
72    "type": "HOSTING",
73    "domain": "clouvider.net",
74    "date_allocated": "2013-12-12",
75    "rir": "RIPE"
76  },
77  "company": {
78    "name": "Packethub S.A.",
79    "type": "BUSINESS",
80    "domain": "packethub.com"
81  },
82  "time_zone": {
83    "name": "America/Chicago",
84    "offset": -6,
85    "offset_with_dst": -6,
86    "current_time": "2026-03-07 03:37:38.628-0600",
87    "current_time_unix": 1772876258.628,
88    "current_tz_abbreviation": "CST",
89    "current_tz_full_name": "Central Standard Time",
90    "standard_tz_abbreviation": "CST",
91    "standard_tz_full_name": "Central Standard Time",
92    "is_dst": false,
93    "dst_savings": 0,
94    "dst_exists": true,
95    "dst_tz_abbreviation": "CDT",
96    "dst_tz_full_name": "Central Daylight Time",
97    "dst_start": {
98      "utc_time": "2026-03-08 TIME 08:00",
99      "duration": "+1.00H",
100      "gap": true,
101      "date_time_after": "2026-03-08 TIME 03:00",
102      "date_time_before": "2026-03-08 TIME 02:00",
103      "overlap": false
104    },
105    "dst_end": {
106      "utc_time": "2026-11-01 TIME 07:00",
107      "duration": "-1.00H",
108      "gap": false,
109      "date_time_after": "2026-11-01 TIME 01:00",
110      "date_time_before": "2026-11-01 TIME 02:00",
111      "overlap": true
112    }
113  }
114}
Important
The security object returned by /v3/ipgeo (when requested using include=security ) contains the same security data available through the dedicated /v3/security endpoint.

Use /v3/ipgeo when security information is required together with additional data such as location, ASN, abuse, timezone, company, network, or user-agent details within a single response.

When only security information is required, it is recommended to use the dedicated /v3/security endpoint to reduce response payload size and maintain more predictable credit usage.

Reference to IP Security API Response

Below, we provide separate tables for each JSON object in the response, listing all possible fields available across the security endpoint.

1. Standalone Fields Reference

FieldTypeDescriptionCan be empty?
ipstring

IP address that is used to lookup security information.

No

2.  security JSON Object Reference

FieldTypeDescriptionCan be empty?
threat_scorenumber

Overall threat score for the IP address. Ranges from 0 to 100. 100 indicates the highest risk.

No
is_torboolean

Indicates whether the IP is a Tor exit node.

No
is_proxyboolean

Indicates whether the IP is associated with a proxy network.

No
proxy_provider_namesarray[string]

List of detected proxy provider names, when available.

Yes
proxy_confidence_scorenumber

Confidence score (0–100) for proxy detection, when flag is true. Defaults to 0.

No
proxy_last_seenstring

Last seen date (YYYY-MM-DD) for proxy activity, when available.

Yes
is_residential_proxyboolean

Indicates whether the IP is associated with a residential proxy network.

No
is_vpnboolean

Indicates whether the IP is associated with a VPN network.

No
vpn_provider_namesarray[string]

List of detected VPN provider names, when available.

Yes
vpn_confidence_scorenumber

Confidence score (0–100) for VPN detection, when flag is true. Defaults to 0.

No
vpn_last_seenstring

Last seen date (YYYY-MM-DD) for VPN activity, when available.

Yes
is_relayboolean

Indicates whether the IP is associated with a relay network.

No
relay_provider_namestring

Relay provider name, when available.

Yes
is_anonymousboolean

Indicates whether the IP is anonymous. True if VPN, proxy, Tor, or relay is detected.

No
is_known_attackerboolean

Indicates whether the IP is flagged for known attacker behavior.

No
is_botboolean

Indicates whether the IP is associated with bot activity.

No
is_spamboolean

Indicates whether the IP is associated with spam activity.

No
is_cloud_providerboolean

Indicates whether the IP belongs to a cloud provider.

No
cloud_provider_namestring

Name of the Cloud Provider, if the IP address belongs to a cloud provider.

Yes

Error Codes

IP Security API returns HTTP status code 200 for a successful API request along with the response.

In case of a bad or invalid request, IP Security API returns 4xx HTTP status code along with a descriptive message explaining the reason for the error.

Below is a detailed explanation of the specific HTTP status codes and their corresponding error conditions:

HTTP StatusDescription
400
Bad Request

It is returned for one of the following reasons:

  • If the provided IPv4 or IPv6 address is invalid.

  • If special character(s) ( ) [ ] { } | ^ ` is passed in the API URL either as parameter or its value. Specially in case of API key.

  • If the IP addresses JSON list is empty, or the provided JSON does not have 'ips' field while querying security-bulk endpoint.

  • If more than 50,000 IP addresses are provided while querying from security-bulk endpoint.

401
Unauthorized

It is returned for one of the following reasons:

  • If API key (as apiKey URL parameter) is missing from the request to IP Security API.

  • If an invalid (a random value) API key is provided.

  • If your account has been disabled or locked to use due to abuse or illegal activity.

  • When the request to IP Security API is made using API key for a database subscription

  • When the request to IP Security API is made using a free subscription API key.

  • When the request to IP Security API is made on the 'paused' subscription.

  • If a domain name is passed in the ip parameter when making a request to the IP Security API.

  • If you’re making API requests after your subscription trial has been expired.

  • If your account’s active-until date has passed and you need to renew or upgrade your subscription.

  • If bulk IP to security lookup endpoint is called using free subscription API key.

  • If the bulk IP to security lookup endpoint is called using Request Origin (CORS) authentication. Bulk requests require an apiKey and cannot be authenticated using Request Origin.

404
Not Found

It is returned for one of the following reasons:

  • If the IPv4 or IPv6 address does not exist in our database.

  • If the IPv4, IPv6 or domain name passed as a path variable, instead of URL parameter as ip= .

  • If the wrong endpoint is called, that does not exist in our API.

405
Method Not Allowed

  • If wrong HTTP request method is used for calling the endpoints. Only GET and POST methods are allowed. POST method for security-bulk   endpoint and GET method for security endpoint requests.

413
Content Too Large

  • If the passed data in the POST requests is more than the limit of the API.

415
Unsupported Media Type

  • If the payload for IPs in security-bulk endpoint is missing, or the content type is not mentioned as JSON.

423
Locked

  • If the passed IP address is from a bogon ip ranges, or is part of a private network.

429
Too Many Requests

It is returned for one of the following reasons:

  • If the API usage limit has reached for the free subscriptions, or paid subscriptions with the status 'past due', 'deleted' or 'trial expired'.

  • If the surcharge API usage limit has reached against the subscribed plan.

499
Client Closed Request

  • If the client has set the very short request or connection timeout, leading to the server closing the request prematurely.

5XX
Server Side Error

  • If a 500 (Internal Server Error), 502 (Bad Gateway), 503 (Service Unavailable), 504 (Gateway Timeout), or 505 (HTTP Version Not Supported) status code is returned, it indicates an issue on our end. Please contact us with your request at  support@ipgeolocation.io for further assistance.

API SDKs

To facilitate the developers, we have added some SDKs for various programming languages. The detailed documentation on how to use these SDKs is available in the respective SDK's documentation page linked below.

Our SDKs are also available on Github. Feel free to help us improve them. Following are the available SDKs:

Frequently Asked Questions

Each Security lookup costs 2 credits per valid IP. The X-Credits-Charged response header shows the total credits charged for the request. For details, please refer to our Credits Usage Guide.

In bulk lookup, 2 credits are charged for each valid IP in the payload. Bogon, private, or malformed IPs are not counted. The X-Credits-Charged response header shows the total credits charged for the request. For details, please refer to our Credits Usage Guide.

A confidence score is a 0–100 indicator of how strongly a signal (for example, VPN or proxy) is detected.
A score of 0 is the default value when the related detection flag is false.
Please use the Threat Score as a quick way to route traffic, and then use the flags to understand why. Each team uses the score differently depending on the product and the risk level of the action. For example, is_anonymous can be true when is_proxy or is_tor is true. If is_proxy is true, the IP is using a proxy route, which can be a commercial or residential proxy, and that can be determined by the is_residential_proxy flag. Use the separate flags to know what else it is: is_vpn, is_residential_proxy, or is_relay. Use these details to decide when to allow, challenge, restrict, or block, especially for sensitive actions.
is_anonymous indicates that the connection is using an anonymizing route such as a VPN, proxy, relay, or Tor. Many teams use it as a quick signal to apply extra verification on sensitive endpoints.
A relay is a privacy-focused routing service that can mask the original IP, similar to how a VPN or proxy hides location. Relays are often used for privacy and tracking protection, and they can also be used to bypass controls.
  • Proxy: Forwards traffic through another server and mainly masks the IP.
  • VPN: Routes traffic through a remote server and encrypts and tunnels the connection.
  • Tor: Routes traffic through multiple nodes to provide stronger anonymity.
Our security data is updated at least twice every 24 hours to capture changes across IP ranges. Downloadable security databases are available with daily and weekly update options, depending on your plan. Please see the Security Databases documentation for update details.
We refresh security data regularly and track VPNs, proxies, relays, and Tor exit nodes as providers add and rotate IP ranges. Like any IP-based detection, results can change over time, so we recommend monitoring outcomes and tuning your policy based on real traffic.
Our Security data is available on all paid plans. See our pricing page for details. We charge 2 credits per valid IP lookup for the Security data. If you include Security data in the /ipgeo endpoint, an additional 2 credits will be charged. The X-Credits-Charged response header shows the total credits charged for the request. To understand credits in detail, please refer to Credits Usage Guide.
Yes. Along with the Threat Score, the API returns flags such as VPN or proxy usage, relay signals, Tor, bot activity, spam indicators, known attacker signals, and cloud hosting context. These fields help you understand what was detected and support auditing and logging.
Tor is a privacy network that routes traffic through multiple nodes to make tracking harder. A Tor exit node is the last node that reaches the public internet, so websites typically see the exit node IP instead of the user’s real IP.
Yes. The API detects free and paid VPNs, commercial and residential proxies, privacy relays, and Tor exit nodes. It also returns related risk signals such as bot indicators, spam signals, known attacker flags, and anonymity status.
No. We do not flag well-known search engine crawlers and other clean bots as bots. The is_bot field is intended to indicate suspicious or abusive automation, so if you use is_bot in your rules, legitimate crawlers should not be blocked.

Yes. A free trial is available so you can test accuracy and integration. Please contact us via customer support or use the live chat on our website to request access.

Yes. You can download sample VPN and proxy data that includes the same risk flags returned by this API, so you can review the structure and quality. Please see Security Databases for examples and formats, or contact support if you want help choosing the right dataset or if you want data for your own IP ranges.

Subscribe Our Newsletter

Get the latest in geolocation tech, straight to your inbox.