The IPGeolocation IP Security API checks any IP address and returns a threat score, VPN/proxy/Tor detection flags, provider names, confidence scores, and timestamps. It identifies residential proxies that standard detection misses and flags known attackers, bots, spam sources, and cloud provider IPs. Use it at login, checkout, signup, or anywhere you need to assess IP risk in real time. Free trial available.
ip:"216.73.216.63",
security:Object,
threat_score:5,
is_tor:false,is_proxy:false,proxy_confidence_score:0,proxy_last_seen:"",is_residential_proxy:false,is_vpn:false,vpn_confidence_score:0,vpn_last_seen:"",is_relay:false,relay_provider_name:"",is_anonymous:false,is_known_attacker:false,is_bot:false,is_spam:false,is_cloud_provider:true,cloud_provider_name:"Amazon.com, Inc.",Our VPN and proxy detection API evaluates IP risk based on various parameters and returns a Threat Score from 0 to 100 along with key risk flags, confidence scores, and last seen dates when available. It classifies traffic as VPN, PROXY (including commercial and residential proxy networks), or RELAY, and returns the provider name when available. It also flags Tor exit nodes, bots, spam sources, anonymous connections, known attacker signals, and cloud-provider hosting, including the cloud provider name when detected. By using our VPN and proxy detection software, you can stop fraud at the edge by identifying high-risk anonymous and masked traffic before it reaches your application.
Our data-driven Threat Score aggregates telemetry from active honeypots, proprietary blocklists, VPN and proxy enumeration, and real-time behavioral analysis to produce a single risk score per IP.
curl -X GET 'https://api.ipgeolocation.io/v3/security?apiKey=API_KEY&ip=2.56.188.34'1{
2 "ip": "2.56.188.34",
3 "security": {
4 "threat_score": 80,
5 "is_tor": false,
6 "is_proxy": true,
7 "proxy_provider_names": [
8 "Zyte Proxy"
9 ],
10 "proxy_confidence_score": 90,
11 "proxy_last_seen": "2025-12-12",
12 "is_residential_proxy": true,
13 "is_vpn": true,
14 "vpn_provider_names": [
15 "Nord VPN"
16 ],
17 "vpn_confidence_score": 99,
18 "vpn_last_seen": "2026-01-19",
19 "is_relay": false,
20 "relay_provider_name": "",
21 "is_anonymous": true,
22 "is_known_attacker": true,
23 "is_bot": false,
24 "is_spam": false,
25 "is_cloud_provider": true,
26 "cloud_provider_name": "Packethub S.A."
27 }
28}Standard proxy detection can miss abuse routed through residential proxy networks on consumer ISP connections. Our VPN and Proxy Detection API helps you identify both datacenter-hosted proxy traffic and residential proxy networks in the same API call by returning proxy provider attribution when available (for example, Evomi or Oxylabs) and a separate is_residential_proxy flag, so you can apply the right policy for each risk profile. This capability is critical for preventing account takeovers (ATO), credential stuffing, and ad fraud, where attackers deliberately blend in behind legitimate-looking ISP assignments.
The example shows an IP tied to an ISP in the network ownership details, yet our API still flags it as a PROXY because it is being routed through a proxy provider, as indicated by the provider name, and marks it as a residential proxy when applicable via is_residential_proxy.
curl -X GET 'https://api.ipgeolocation.io/v3/security?apiKey=API_KEY&ip=152.58.153.65'1{
2 "ip": "152.58.153.65",
3 "security": {
4 "threat_score": 45,
5 "is_tor": false,
6 "is_proxy": true,
7 "proxy_provider_names": [
8 "922 Proxy"
9 ],
10 "proxy_confidence_score": 99,
11 "proxy_last_seen": "2026-01-04",
12 "is_residential_proxy": true,
13 "is_vpn": false,
14 "vpn_provider_names": [],
15 "vpn_confidence_score": 0,
16 "vpn_last_seen": "",
17 "is_relay": false,
18 "relay_provider_name": "",
19 "is_anonymous": true,
20 "is_known_attacker": false,
21 "is_bot": false,
22 "is_spam": false,
23 "is_cloud_provider": false,
24 "cloud_provider_name": ""
25 }
26}Our IP Security API allows you to retrieve security details for up to 50,000 IPs at once using the bulk lookup feature. This powerful capability saves time and enables users to analyze large volumes of IP behavior patterns quickly and efficiently. Through bulk IP security lookups, organizations can detect VPN usage at scale, perform VPN checks, identify proxies, bots, and known attackers across large datasets, and automate threat detection workflows for real-time security monitoring.
Whether you're monitoring user activity, blocking suspicious traffic, or conducting cybersecurity audits, the bulk lookup API is built to support high-performance threat intelligence operations.
curl -X POST 'https://api.ipgeolocation.io/v3/security-bulk?apiKey=API_KEY' -H 'Content-Type: application/json' -d '{
"ips": ["1.0.0.0", "1.0.0.1", "1.0.0.2"]
}1[
2 {
3 "ip": "1.0.0.0",
4 "security": {
5 "threat_score": 5,
6 "is_tor": false,
7 "is_proxy": false,
8 "proxy_provider_names": [],
9 "proxy_confidence_score": 0,
10 "proxy_last_seen": "",
11 "is_residential_proxy": false,
12 "is_vpn": false,
13 "vpn_provider_names": [],
14 "vpn_confidence_score": 0,
15 "vpn_last_seen": "",
16 "is_relay": false,
17 "relay_provider_name": "",
18 "is_anonymous": false,
19 "is_known_attacker": false,
20 "is_bot": false,
21 "is_spam": false,
22 "is_cloud_provider": true,
23 "cloud_provider_name": "Cloudflare, Inc."
24 }
25 },
26 {
27 "ip": "1.0.0.1",
28 "security": {
29 "threat_score": 5,
30 "is_tor": false,
31 "is_proxy": false,
32 "proxy_provider_names": [],
33 "proxy_confidence_score": 0,
34 "proxy_last_seen": "",
35 "is_residential_proxy": false,
36 "is_vpn": false,
37 "vpn_provider_names": [],
38 "vpn_confidence_score": 0,
39 "vpn_last_seen": "",
40 "is_relay": false,
41 "relay_provider_name": "",
42 "is_anonymous": false,
43 "is_known_attacker": false,
44 "is_bot": false,
45 "is_spam": false,
46 "is_cloud_provider": true,
47 "cloud_provider_name": "Cloudflare, Inc."
48 }
49 },
50 {
51 "ip": "1.0.0.2",
52 "security": {
53 "threat_score": 5,
54 "is_tor": false,
55 "is_proxy": false,
56 "proxy_provider_names": [],
57 "proxy_confidence_score": 0,
58 "proxy_last_seen": "",
59 "is_residential_proxy": false,
60 "is_vpn": false,
61 "vpn_provider_names": [],
62 "vpn_confidence_score": 0,
63 "vpn_last_seen": "",
64 "is_relay": false,
65 "relay_provider_name": "",
66 "is_anonymous": false,
67 "is_known_attacker": false,
68 "is_bot": false,
69 "is_spam": false,
70 "is_cloud_provider": true,
71 "cloud_provider_name": "Cloudflare, Inc."
72 }
73 }
74]Strong IP security decisions do not come from a single flag. They come from combining network context, anonymizer detection, reputation signals, provider attribution, cloud-hosting signals, and recent activity into one security profile. That gives fraud, security, and platform teams a clearer way to assess VPNs, proxies, relays, Tor traffic, bots, cloud provider IPs, and abusive IP behavior before it turns into account abuse or checkout fraud.
We continuously enumerate VPN and proxy infrastructure by connecting through provider networks and recording tagged exit node IP addresses. This allows the API to identify specific providers such as NordVPN, Zyte Proxy, 922 Proxy, and many other VPN and proxy services instead of returning only a generic VPN or proxy flag.
Active honeypots and curated threat feeds capture IPs linked to brute force attacks, credential stuffing, vulnerability scanning, and spam activity. These signals are validated and incorporated into attacker and spam detection, helping power the is_known_attacker and is_spam flags with broader coverage and higher confidence.
Standard proxy detection often misses abuse routed through consumer ISP connections. The API uses continuous enumeration, behavioral profiling, network pattern analysis, and live connection analysis to identify residential proxy traffic even when the IP appears to belong to a legitimate ISP.
The threat score is a composite score from 0 to 100 that summarizes the security signals associated with an IP address. Low scores indicate little to no detected risk, while higher scores reflect stronger or multiple risk indicators such as VPN, proxy, attacker, spam, or cloud-hosted activity. Use it as a fast decisioning signal for allow, challenge, or block flows.
A single API call returns detection flags, provider details, confidence scores, and threat signals for any IP address.
is_vpnWhether the IP is a known VPN exit node
is_proxyWhether the IP is associated with a proxy service
is_residential_proxyWhether the IP belongs to a residential proxy network
is_torWhether the IP is a Tor exit node
is_relayWhether the IP is an iCloud Private Relay or similar service
is_anonymousWhether the IP is using any form of anonymization
vpn_provider_namesNames of VPN services associated with the IP
proxy_provider_namesNames of proxy services associated with the IP
relay_provider_nameName of the relay service if applicable
cloud_provider_nameName of the cloud hosting provider if applicable
threat_scoreOverall risk score from 0 (clean) to 100 (high risk)
vpn_confidence_scoreConfidence level (0-100) that the IP is a VPN exit node
proxy_confidence_scoreConfidence level (0-100) that the IP is a proxy
vpn_last_seenDate the IP was last observed on a VPN network
proxy_last_seenDate the IP was last observed on a proxy network
is_known_attackerWhether the IP has a history of malicious activity
is_botWhether the IP shows automated/bot behavior
is_spamWhether the IP is associated with spam activity
is_cloud_providerWhether the IP belongs to a cloud hosting provider
A single API call returns detection flags, provider details, confidence scores, and threat signals for any IP address.
is_vpnis_proxyis_residential_proxyis_toris_relayis_anonymousFor complete field definitions, request parameters, and code examples, see the IP Security API documentation.
When a user attempts to log in, their IP address can be analyzed for threat level, proxy or VPN usage, and whether it is associated with known attackers, spam, or bots. Leveraging advanced VPN detection, this API stands out as one of the most reliable VPN detector services.
It plays a key role in controlling unauthorized logins and reducing the risk of multiple account creation. This use case is especially important for banking platforms, SaaS applications, and any user-based systems where security and identity integrity are paramount.
During the checkout process, the API works as a reliable proxy checker by analyzing the customer’s IP address. It can detect whether the IP is associated with a VPN, proxy, Tor, bot, spam, cloud provider, or shows a suspicious location mismatch. This helps prevent fraudulent transactions, such as fake orders or the use of stolen credit cards, protecting both your business and your customers.
Before allowing users to send messages or join live chats, you can leverage the API’s bot detection and threat analysis features to evaluate their IP address. This helps identify spammy behavior, anonymous access, or any history of malicious activity. It ensures a safer and more trustworthy environment for gaming platforms, community forums, and live chat applications.
At signup, you can check the visitor’s IP address for proxy or VPN usage, anonymity signals, and bot or spam flags before creating an account. This helps you block automated registrations that often lead to credential stuffing and promo misuse. This use case is especially useful for SaaS trials, marketplaces, and consumer apps where fake signups inflate costs and reduce trust.
By integrating IP intelligence at the edge, you can identify high-risk traffic patterns before they hit your servers. The API helps differentiate between legitimate human visitors and automated botnets or scrapers designed to overwhelm your infrastructure. This allows security teams to implement granular rate limiting and ensures that system resources remain available for genuine users while blocking attacks in real time.
Enrich every request with precise geolocation and real-time threat intelligence, delivered on a global edge with a 99.99% uptime SLA. Start free and scale when you’re ready.
A VPN detection API checks an IP address and tells you whether it belongs to a VPN service. When a user connects through a VPN, their real IP address is hidden behind the VPN provider's exit node. A VPN detection API identifies these exit nodes so you can flag, challenge, or block the traffic based on your risk policy. The IPGeolocation IP Security API goes further by identifying the specific VPN provider name, returning a confidence score, and including the last-seen date for that IP on the VPN network.
Yes. Residential proxy detection is a core capability of the IP Security API, not a separate product or paid add-on. The API identifies IPs used by residential proxy networks even when the IP belongs to a consumer ISP, which is the scenario that most standard proxy detection APIs miss. The response includes the is_residential_proxy flag, the proxy provider name (for example, "922 Proxy" or "Evomi Proxy"), a confidence score, and the date the IP was last seen on that proxy network.
Yes. The API returns an is_tor boolean flag that identifies known Tor exit nodes. Tor detection is included in every IP Security API response alongside VPN, proxy, and other threat signals.
Yes. The bulk lookup endpoint accepts up to 50,000 IP addresses in a single POST request. This is useful for batch analysis of user logs, transaction records, or security audits where you need to assess large volumes of IPs without making individual API calls.
is_proxy flags IPs associated with any type of proxy service, including datacenter proxies, commercial proxy networks, and open proxies. is_residential_proxy specifically flags IPs that belong to residential proxy networks, where traffic is routed through consumer ISP connections. Residential proxies are harder to detect because the underlying IP belongs to a real ISP rather than a datacenter. The API flags both types separately so you can apply different policies to each.
A network of active honeypots and curated threat feeds captures IPs linked to brute force attacks, credential stuffing, vulnerability scanning, and spam activity. These signals are continuously collected, validated, and fed into the API to power the is_known_attacker and is_spam flags. The result is broader coverage and more reliable detection, so you can apply these flags with confidence in production security and abuse prevention systems.
Each VPN and proxy detection in the API response includes a confidence score from 0 to 100, which helps you assess how strong the signal is instead of depending on a single yes/no flag. The API detects VPN and proxy traffic through active endpoint enumeration, network fingerprinting, and real-time behavioral analysis across VPN, proxy, and relay infrastructure. Detection data is updated continuously as new exit nodes and proxy endpoints are identified.
The threat score is a number from 0 to 100 that represents the overall risk level of an IP address. It summarizes the security signals returned by the API, including VPN, proxy, residential proxy, relay, Tor, bot, spam, known attacker, and cloud hosting indicators. A score near 0 suggests little to no risk has been detected, while a higher score indicates stronger or multiple risk signals. You can use the threat score as a quick decisioning signal at login, checkout, signup, or API access points and then review the individual flags to understand why the IP was flagged.
The detection data is updated continuously. VPN and proxy infrastructure changes fast as providers rotate exit nodes, launch new endpoints, and shift traffic across residential and datacenter networks. The API stays current through active enumeration, honeypot monitoring, threat feed ingestion, proprietary blocklists, behavioral analysis, and signals gathered from the live VPN and proxy detector, which evaluates real user connections in real time. This helps identify new anonymization endpoints faster and keep detection coverage current.
The IP Security API is available on all paid plans, starting at $19/month on the Starter plan with 150,000 API credits. You can use the dedicated IP Security API endpoint for standalone IP risk checks, or combine security data with the IP Geolocation API in a single request. To activate your premium free trial, contact support through the support page or reach out on live chat.
Yes. When the API detects a VPN or proxy, it returns the provider name in the vpn_provider_names or proxy_provider_names field where available. For example, the response might show "NordVPN" or "Zyte Proxy" as the identified service. This lets you build rules around specific providers rather than treating all VPN or proxy traffic the same way. Not all IP security APIs offer provider-level identification. Many return only a boolean flag.
Get the latest in geolocation tech, straight to your inbox.
