---
title: "Proxy & VPN Detection API: Detect Proxies, VPNs & Tor"
slug: "/ip-security-api.html"
parent: "IP Geolocation API"
description: "Proxy and VPN detection API that returns a 0 to 100 threat score per IP. Detects residential proxies, Tor, bots, and known attackers in one call. Bulk lookup and Free trial."
---

# Proxy & VPN Detection API with Threat Scoring

The Proxy & VPN Detection API checks any IP address and returns a threat score from 0 to 100 with VPN, proxy, residential proxy, and Tor flags, provider names, and confidence scores. Its IP proxy detection catches datacenter and residential proxies that standard checks miss, and flags known attackers, bots, spam, and cloud IPs in the same call. Use it for proxy detection and VPN detection at login, checkout, or signup to score IP risk in real time. Free trial available.

[Get Free API Access](https://app.ipgeolocation.io/signup) [Explore Documentation](https://ipgeolocation.io/documentation/ip-security-api.html)

## Detect VPNs, Proxies & Tor in One Call

Our VPN and proxy detection API evaluates IP risk based on various parameters and returns a Threat Score from 0 to 100 along with key risk flags, confidence scores, and last seen dates when available. It classifies traffic as VPN, PROXY (including commercial and residential proxy networks), or RELAY, and returns the provider name when available. It also flags Tor exit nodes, bots, spam sources, anonymous connections, known attacker signals, and cloud-provider hosting, including the cloud provider name when detected. By using our VPN and proxy detection software, you can stop fraud at the edge by identifying high-risk anonymous and masked traffic before it reaches your application.

Our data-driven Threat Score aggregates telemetry from active honeypots, proprietary blocklists, VPN and proxy enumeration, and real-time behavioral analysis to produce a single risk score per IP.

**Request**

```shell
curl -X GET 'https://api.ipgeolocation.io/v3/security?apiKey=API_KEY&ip=2.56.188.34'
```

**Response Preview**

```json
{
  "ip": "2.56.188.34",
  "security": {
    "threat_score": 80,
    "is_tor": false,
    "is_proxy": true,
    "proxy_provider_names": [
      "Zyte Proxy"
    ],
    "proxy_confidence_score": 90,
    "proxy_last_seen": "2025-12-12",
    "is_residential_proxy": true,
    "is_vpn": true,
    "vpn_provider_names": [
      "Nord VPN"
    ],
    "vpn_confidence_score": 99,
    "vpn_last_seen": "2026-01-19",
    "is_relay": false,
    "relay_provider_name": "",
    "is_anonymous": true,
    "is_known_attacker": true,
    "is_bot": false,
    "is_spam": false,
    "is_cloud_provider": true,
    "cloud_provider_name": "Packethub S.A."
  }
}
```

## Residential Proxy Detection

Residential proxy detection is where standard proxy filtering fails: abuse routed through residential proxy networks on consumer ISP connections slips past datacenter-focused checks. Our VPN and Proxy Detection API helps you identify both datacenter-hosted proxy traffic and residential proxy networks in the same API call by returning proxy provider attribution when available (for example, Evomi or Oxylabs) and a separate `is_residential_proxy` flag, so you can apply the right policy for each risk profile. This capability is critical for preventing account takeovers (ATO), credential stuffing, and ad fraud, where attackers deliberately blend in behind legitimate-looking ISP assignments.

The example below shows an IP tied to an ISP in the network ownership details, yet our API still flags it as a PROXY because it is being routed through a proxy provider, as indicated by the provider name, and marks it as a residential proxy when applicable via `is_residential_proxy`.

Need this offline? The same data ships as a downloadable [residential proxy detection database](https://ipgeolocation.io/residential-proxy-database.html) for local, zero-latency lookups.

**Request**

```shell
curl -X GET 'https://api.ipgeolocation.io/v3/security?apiKey=API_KEY&ip=152.58.153.65'
```

**Response Preview**

```json
{
  "ip": "152.58.153.65",
  "security": {
    "threat_score": 45,
    "is_tor": false,
    "is_proxy": true,
    "proxy_provider_names": [
      "922 Proxy"
    ],
    "proxy_confidence_score": 99,
    "proxy_last_seen": "2026-01-04",
    "is_residential_proxy": true,
    "is_vpn": false,
    "vpn_provider_names": [],
    "vpn_confidence_score": 0,
    "vpn_last_seen": "",
    "is_relay": false,
    "relay_provider_name": "",
    "is_anonymous": true,
    "is_known_attacker": false,
    "is_bot": false,
    "is_spam": false,
    "is_cloud_provider": false,
    "cloud_provider_name": ""
  }
}
```

## Bulk Proxy & VPN Detection (Up to 50,000 IPs)

Our IP Security API allows you to retrieve security details for up to 50,000 IPs at once using the bulk lookup feature. This powerful capability saves time and enables users to analyze large volumes of IP behavior patterns quickly and efficiently. Through bulk IP security lookups, organizations can detect VPN usage at scale, perform VPN checks, identify proxies, bots, and known attackers across large datasets, and automate threat detection workflows for real-time security monitoring.

Whether you're monitoring user activity, blocking suspicious traffic, or conducting cybersecurity audits, the bulk lookup API is built to support high-performance threat intelligence operations.

**Request**

```shell
curl -X POST 'https://api.ipgeolocation.io/v3/security-bulk?apiKey=API_KEY' -H 'Content-Type: application/json' -d '{
  "ips": ["1.0.0.0", "1.0.0.1", "1.0.0.2"]
}'
```

**Response Preview**

```json
[
  {
    "ip": "1.0.0.0",
    "security": {
      "threat_score": 5,
      "is_tor": false,
      "is_proxy": false,
      "proxy_provider_names": [],
      "proxy_confidence_score": 0,
      "proxy_last_seen": "",
      "is_residential_proxy": false,
      "is_vpn": false,
      "vpn_provider_names": [],
      "vpn_confidence_score": 0,
      "vpn_last_seen": "",
      "is_relay": false,
      "relay_provider_name": "",
      "is_anonymous": false,
      "is_known_attacker": false,
      "is_bot": false,
      "is_spam": false,
      "is_cloud_provider": true,
      "cloud_provider_name": "Cloudflare, Inc."
    }
  },
  {
    "ip": "1.0.0.1",
    "security": {
      "threat_score": 5,
      "is_tor": false,
      "is_proxy": false,
      "proxy_provider_names": [],
      "proxy_confidence_score": 0,
      "proxy_last_seen": "",
      "is_residential_proxy": false,
      "is_vpn": false,
      "vpn_provider_names": [],
      "vpn_confidence_score": 0,
      "vpn_last_seen": "",
      "is_relay": false,
      "relay_provider_name": "",
      "is_anonymous": false,
      "is_known_attacker": false,
      "is_bot": false,
      "is_spam": false,
      "is_cloud_provider": true,
      "cloud_provider_name": "Cloudflare, Inc."
    }
  },
  {
    "ip": "1.0.0.2",
    "security": {
      "threat_score": 5,
      "is_tor": false,
      "is_proxy": false,
      "proxy_provider_names": [],
      "proxy_confidence_score": 0,
      "proxy_last_seen": "",
      "is_residential_proxy": false,
      "is_vpn": false,
      "vpn_provider_names": [],
      "vpn_confidence_score": 0,
      "vpn_last_seen": "",
      "is_relay": false,
      "relay_provider_name": "",
      "is_anonymous": false,
      "is_known_attacker": false,
      "is_bot": false,
      "is_spam": false,
      "is_cloud_provider": true,
      "cloud_provider_name": "Cloudflare, Inc."
    }
  }
]
```
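
Preparing input for the bulk endpoint and ranking what comes back, as an added example that is not IPGeolocation's own code: the 50,000-IP limit and the `"ips"` request key come from this page, while dropping non-public addresses before sending, the `min_score` default, and the sample values (constructed) are assumptions.

```python
import ipaddress
import json

MAX_IPS_PER_REQUEST = 50_000  # bulk limit stated on this page


def clean_ips(raw_values):
    """Validate, normalise and de-duplicate IPs, keeping first-seen order.

    Returns (public_ips, rejected); rejected holds (raw_value, reason) pairs.
    """
    seen, public, rejected = set(), [], []
    for raw in raw_values:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append((raw, "not an IP address"))
            continue
        if not addr.is_global:
            # RFC 1918, loopback, link-local etc. carry no reputation signal
            # and would only leak internal addressing to a third party.
            rejected.append((raw, "not publicly routable"))
            continue
        norm = str(addr)
        if norm not in seen:
            seen.add(norm)
            public.append(norm)
    return public, rejected


def build_bulk_bodies(ips, batch_size=MAX_IPS_PER_REQUEST):
    """Split ips into JSON request bodies of at most batch_size addresses."""
    if not 1 <= batch_size <= MAX_IPS_PER_REQUEST:
        raise ValueError("batch_size must be between 1 and 50,000")
    return [
        json.dumps({"ips": ips[i:i + batch_size]})
        for i in range(0, len(ips), batch_size)
    ]


def rank_results(results, min_score=45):
    """Return (ip, threat_score) pairs at or above min_score, highest first."""
    hits = [
        (item["ip"], item["security"]["threat_score"])
        for item in results
        if item.get("security", {}).get("threat_score", 0) >= min_score
    ]
    return sorted(hits, key=lambda pair: pair[1], reverse=True)


# Constructed input, as it might be pulled from an access log.
SAMPLE_LOG_IPS = ["1.0.0.0", " 1.0.0.1 ", "1.0.0.0", "10.0.0.5", "not-an-ip", "1.0.0.2"]

# Constructed bulk response, trimmed to the fields used here.
SAMPLE_RESULTS = [
    {"ip": "203.0.113.8", "security": {"threat_score": 50}},
    {"ip": "198.51.100.9", "security": {"threat_score": 10}},
    {"ip": "203.0.113.7", "security": {"threat_score": 85}},
]

if __name__ == "__main__":
    public, rejected = clean_ips(SAMPLE_LOG_IPS)
    print("send:", build_bulk_bodies(public))
    print("skipped:", rejected)
    print("ranked:", rank_results(SAMPLE_RESULTS))
```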

## How Our VPN & Proxy Detection Works

Strong VPN and proxy detection does not come from a single flag. It combines network context, anonymous proxy detection, reputation signals, provider attribution, cloud-hosting signals, and recent activity into one IP reputation profile. That gives fraud, security, and platform teams a clear way to assess VPNs, proxies, residential proxies, relays, Tor traffic, bots, and cloud provider IPs before that traffic turns into account abuse or checkout fraud.

### VPN and Proxy Enumeration

We continuously enumerate VPN and proxy infrastructure by connecting through provider networks and recording tagged exit node IP addresses. This allows the API to identify specific providers such as NordVPN, Zyte Proxy, 922 Proxy, and many other VPN and proxy services instead of returning only a generic VPN or proxy flag.

### Honeypot and Threat Feed Intelligence

Active honeypots and curated threat feeds capture IPs linked to brute force attacks, credential stuffing, vulnerability scanning, and spam activity. These signals are validated and incorporated into attacker and spam detection, helping power the `is_known_attacker` and `is_spam` flags with broader coverage and higher confidence.

### Residential Proxy Detection

Standard proxy detection often misses abuse routed through consumer ISP connections. The API uses continuous enumeration, behavioral profiling, network pattern analysis, and live connection analysis to identify residential proxy traffic even when the IP appears to belong to a legitimate ISP.

### Threat Score Aggregation

The threat score is a composite score from 0 to 100 that summarizes the security signals associated with an IP address. Low scores indicate little to no detected risk, while higher scores reflect stronger or multiple risk indicators such as VPN, proxy, attacker, spam, or cloud-hosted activity. Use it as a fast decisioning signal for allow, challenge, or block flows.

## IP Threat Score with VPN & Proxy Confidence Scores

Every IP lookup returns a `threat_score` from 0 to 100. Use it to decide when to allow traffic, slow it down, send it for review, or block it. The API also returns a `vpn_confidence_score` (your VPN score) and a `proxy_confidence_score` (your proxy score), each from 0 to 100, so you can judge how strong each detection is.

### Threat Score Scale

#### 1-19: Low Observed Risk

Allow with standard controls.

##### Low Risk

Scores here usually reflect isolated, low-severity indicators. An IP might belong to a cloud hosting provider or show a minor supporting signal without stronger anonymity or abuse indicators. Standard application-level controls are usually sufficient unless other signals raise concern. Still worth logging for pattern analysis over time.

*   Standard Controls
*   Low-Severity Signals
*   Monitor Patterns

#### 20-44: Use with Context

Combine with other signals before acting.

##### Medium Risk

This range can include IPs showing anonymization through a VPN or proxy without additional attacker or abuse signals, or IPs with a few lighter indicators that add up. Blocking at this level without supporting context from device, behavior, velocity, or geolocation data risks catching legitimate users. Treat the score as one input in a broader decision, not as a verdict on its own.

*   Review Needed
*   Behavior Check
*   Context Matters

#### 45-79: Elevated Risk

Add friction before allowing access.

##### Elevated Risk

IPs in this range often combine anonymization signals with other abuse indicators, such as bot activity or spam history. OTP, CAPTCHA, email verification, rate limiting, or review queues work well here. This range is useful for risky checkouts, suspicious logins, and signup flows where an outright block would create too much friction.

*   Step-up Auth
*   Suspicious
*   Rate Limit

#### 80-100: High Risk

Block, hard challenge, or route to manual review.

##### High Risk

A score in this range usually means multiple risk signals are showing up at once. That might include VPN or proxy use alongside attacker history, spam reports, or bot-like behavior. For payment fraud, account takeover, and signup abuse, this is usually where blocking or step-up verification makes sense.

*   Payment Fraud
*   High-risk signups
*   Account takeover
*   Promo abuse

### Confidence Scores: Detection Strength

How strongly VPN and proxy detections are supported.

#### How to Read Confidence Scores

*   `vpn_confidence_score`
*   `proxy_confidence_score`

Higher values mean stronger evidence for each detection. Use `threat_score` to choose the action, and use these confidence scores to decide how far to go with that action.
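
One way to turn the score bands and confidence scores above into a decision function, as an added example rather than code from IPGeolocation: the band boundaries and field names come from this page, while `MIN_CONFIDENCE`, `MAX_AGE_DAYS`, the step names, the handling of a score of 0, and the evaluation date are assumptions of this example.

```python
from datetime import date

# Lower bound of each band in the page's Threat Score Scale, highest first.
# The scale starts at 1; treating a score of 0 as "allow" is an assumption.
BANDS = [(80, "block"), (45, "challenge"), (20, "review"), (0, "allow")]

# Assumed local policy thresholds, not values defined by the API.
MIN_CONFIDENCE = 70   # below this a VPN/proxy detection counts as weak
MAX_AGE_DAYS = 30     # a last_seen date older than this counts as stale

ABUSE_FLAGS = ("is_residential_proxy", "is_tor", "is_known_attacker", "is_bot", "is_spam")


def is_strong(sec, kind, today):
    """True when the 'vpn' or 'proxy' detection is flagged, confident and recent."""
    if not sec.get(f"is_{kind}"):
        return False
    if sec.get(f"{kind}_confidence_score", 0) < MIN_CONFIDENCE:
        return False
    last_seen = sec.get(f"{kind}_last_seen", "")
    if not last_seen:  # the API returns "" when no date is available
        return True
    return (today - date.fromisoformat(last_seen)).days <= MAX_AGE_DAYS


def decide(response, today):
    """Map one /v3/security response to an action, a step and the reasons."""
    sec = response.get("security") if isinstance(response, dict) else None
    score = sec.get("threat_score") if isinstance(sec, dict) else None
    if not isinstance(score, int) or not 0 <= score <= 100:
        # Lookup failed or response malformed: neither allow nor block blindly.
        return {"action": "review", "step": "lookup_failed", "reasons": []}

    action = next(name for floor, name in BANDS if score >= floor)
    strong = [k for k in ("vpn", "proxy") if is_strong(sec, k, today)]
    reasons = [f"strong {k} detection" for k in strong]
    reasons += [flag for flag in ABUSE_FLAGS if sec.get(flag)]

    # threat_score picks the action; confidence decides how far to take it.
    if action == "block":
        step = "block" if strong or sec.get("is_known_attacker") else "manual_review"
    elif action == "challenge":
        step = "otp" if strong else "captcha"
    elif action == "review":
        step = "correlate_with_other_signals"
    else:
        step = "standard_controls"
    return {"action": action, "step": step, "reasons": reasons}


TODAY = date(2026, 1, 20)  # constructed evaluation date

# The two response previews from this page, trimmed to the fields used here.
# In the first, the proxy sighting is 39 days old, so only the VPN counts as strong.
PAGE_SAMPLE_HIGH = {"ip": "2.56.188.34", "security": {
    "threat_score": 80, "is_proxy": True, "proxy_confidence_score": 90,
    "proxy_last_seen": "2025-12-12", "is_residential_proxy": True,
    "is_vpn": True, "vpn_confidence_score": 99, "vpn_last_seen": "2026-01-19",
    "is_tor": False, "is_known_attacker": True, "is_bot": False, "is_spam": False}}
PAGE_SAMPLE_RESIDENTIAL = {"ip": "152.58.153.65", "security": {
    "threat_score": 45, "is_proxy": True, "proxy_confidence_score": 99,
    "proxy_last_seen": "2026-01-04", "is_residential_proxy": True,
    "is_vpn": False, "vpn_confidence_score": 0, "vpn_last_seen": "",
    "is_tor": False, "is_known_attacker": False, "is_bot": False, "is_spam": False}}
# Constructed: elevated score, but the VPN detection is weakly supported.
CONSTRUCTED_WEAK_VPN = {"ip": "203.0.113.10", "security": {
    "threat_score": 50, "is_vpn": True, "vpn_confidence_score": 40, "vpn_last_seen": ""}}

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE_HIGH, PAGE_SAMPLE_RESIDENTIAL, CONSTRUCTED_WEAK_VPN, {}):
        print(sample.get("ip", "<no data>"), decide(sample, TODAY))
```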

## What the Proxy & VPN Detection API Returns

A single API call returns detection flags, provider details, confidence scores, and threat signals for any IP address.

### Detection Flags

Boolean flags for VPN, proxy, residential proxy, Tor, relay, and anonymous IP detection. One call, all flags.

| Field | Description |
| --- | --- |
| `is_vpn` | Whether the IP is a known VPN exit node |
| `is_proxy` | Whether the IP is associated with a proxy service |
| `is_residential_proxy` | Whether the IP belongs to a residential proxy network |
| `is_tor` | Whether the IP is a Tor exit node |
| `is_relay` | Whether the IP is an iCloud Private Relay or similar service |
| `is_anonymous` | Whether the IP is an anonymous proxy, VPN, Tor, or relay (any form of anonymization) |

### Provider Identification

Returns the actual VPN and proxy provider names like NordVPN or Zyte Proxy, not just a true/false flag.

| Field | Description |
| --- | --- |
| `vpn_provider_names` | Names of VPN services associated with the IP (e.g. OpenVPN) |
| `proxy_provider_names` | Names of proxy services associated with the IP (e.g. Zyte Proxy) |
| `relay_provider_name` | Name of the relay service if applicable (e.g. iCloud Private Relay) |
| `cloud_provider_name` | Name of the cloud hosting provider if applicable (e.g. AWS) |

### Confidence and Timing

Confidence scores (0-100) for each detection type, plus last-seen timestamps showing when the IP was last active.

| Field | Description |
| --- | --- |
| `threat_score` | Overall risk score from 0 (clean) to 100 (high risk) |
| `vpn_confidence_score` | Confidence level (0-100) that the IP is a VPN exit node |
| `proxy_confidence_score` | Confidence level (0-100) that the IP is a proxy |
| `vpn_last_seen` | Date the IP was last observed on a VPN network |
| `proxy_last_seen` | Date the IP was last observed on a proxy network |

### Threat Signals

Known attacker, bot, spam, cloud hosting, and proxy flags. Each IP also gets a threat score from 0 to 100 based on all detected risk signals.

| Field | Description |
| --- | --- |
| `is_known_attacker` | Whether the IP has a history of malicious activity |
| `is_bot` | Whether the IP shows automated/bot behavior |
| `is_spam` | Whether the IP is associated with spam activity |
| `is_cloud_provider` | Whether the IP belongs to a cloud hosting provider |

## Need Offline Lookups? Try the Security Pro Databases

If your use case requires local processing, zero-latency lookups, or air-gapped deployments, the Security Pro downloadable databases give you the same detection data the API returns, hosted entirely on your own infrastructure.

![IP Security Database](https://static.ipgeolocation.io/web-assets/images/products/ip-security/ip-to-security-db.svg)

### IP Security Database

Full VPN, proxy, Tor, bot, spam, and attacker detection for every flagged IP range. Includes threat scores, provider names, and all detection flags. Updated daily.

[View Database](https://ipgeolocation.io/ip-security-database.html)

![Residential Proxy Database](https://static.ipgeolocation.io/web-assets/images/products/ip-security/residential-proxy-db.svg)

### Residential Proxy Database

Dedicated residential proxy detection with provider identification. Covers IPs routed through consumer ISP connections that standard proxy lists miss. Updated daily.

[View Database](https://ipgeolocation.io/residential-proxy-database.html)

![IP to Hosting Database](https://static.ipgeolocation.io/web-assets/images/products/ip-security/ip-to-hosting-db.svg)

### IP to Hosting Database

Identifies cloud providers, hosting companies, and datacenter IPs. Useful for filtering automated traffic, separating human visitors from infrastructure, and flagging server-originated requests.

[View Database](https://ipgeolocation.io/ip-hosting-database.html)

## Explore the Full Security Pro Tier

See all Security Pro databases in one place, pick individual datasets or custom mixes, and compare bundle options that pair Security Pro with other data feeds like Geo Standard. Includes sample data, schemas, update cadence, and field lists for every database in the tier.

[View Security Pro Tier](https://ipgeolocation.io/security-pro-databases.html)

*   Sub-millisecond local lookups
*   Daily & weekly updates
*   Data stays on your network
*   MMDB, CSV, and JSON formats
*   No per-query costs or rate limits

![security pro tables](https://static.ipgeolocation.io/web-assets/images/products/ip-security/security-pro-tables.svg)

## VPN & Proxy Detection Use Cases

### Preventing Account Takeover (ATO)

When a user attempts to log in, their IP address can be analyzed for threat level, proxy or VPN usage, and whether it is associated with known attackers, spam, or bots. Leveraging advanced VPN detection, this API stands out as one of the most reliable VPN detector services.

It plays a key role in controlling unauthorized logins and reducing the risk of multiple account creation. This use case is especially important for banking platforms, SaaS applications, and any user-based systems where security and identity integrity are paramount.

### Reducing Chargebacks & Preventing Payment Fraud

During the checkout process, the API works as a reliable proxy checker by analyzing the customer’s IP address. It can detect whether the IP is associated with a VPN, proxy, Tor, bot, spam, cloud provider, or shows a suspicious location mismatch. This helps prevent fraudulent transactions, such as fake orders or the use of stolen credit cards, protecting both your business and your customers.

### Real-Time Chat & Community Filtering

Before allowing users to send messages or join live chats, you can leverage the API’s bot detection and threat analysis features to evaluate their IP address. This helps identify spammy behavior, anonymous access, or any history of malicious activity. It ensures a safer and more trustworthy environment for gaming platforms, community forums, and live chat applications.

### Securing Signups and Stopping Fake Accounts

At signup, you can check the visitor’s IP address for proxy or VPN usage, anonymity signals, and bot or spam flags before creating an account. This helps you block automated registrations that often lead to credential stuffing and promo misuse. This use case is especially useful for SaaS trials, marketplaces, and consumer apps where fake signups inflate costs and reduce trust.

### DDoS Mitigation and Rate Limiting

By integrating IP intelligence at the edge, you can identify high-risk traffic patterns before they hit your servers. The API helps differentiate between legitimate human visitors and automated botnets or scrapers designed to overwhelm your infrastructure. This allows security teams to implement granular rate limiting and ensures that system resources remain available for genuine users while blocking attacks in real time.

## Start Detecting VPNs & Proxies Today

Enrich every request with precise geolocation and real-time threat intelligence, delivered on a global edge with a 99.99% uptime SLA. Start free and scale when you’re ready.

[Get Started](https://app.ipgeolocation.io/signup)

## VPN & Proxy Detection FAQs

### What is a VPN detection API?

**Answer:** A VPN detection API checks an IP address and tells you whether it belongs to a VPN service. When a user connects through a VPN, their real IP address is hidden behind the VPN provider's exit node. A VPN detection API identifies these exit nodes so you can flag, challenge, or block the traffic based on your risk policy. The IPGeolocation IP Security API goes further by identifying the specific VPN provider name, returning a confidence score, and including the last-seen date for that IP on the VPN network.

### Can the API detect residential proxies?

**Answer:** Yes. Residential proxy detection is a core capability of the IP Security API, not a separate product or paid add-on. The API identifies IPs used by residential proxy networks even when the IP belongs to a consumer ISP, which is the scenario that most standard proxy detection APIs miss. The response includes the `is_residential_proxy` flag, the proxy provider name (for example, "922 Proxy" or "Evomi Proxy"), a confidence score, and the date the IP was last seen on that proxy network.

### Does the API detect Tor exit nodes?

**Answer:** Yes. The API returns an `is_tor` boolean flag that identifies known Tor exit nodes. Tor detection is included in every IP Security API response alongside VPN, proxy, and other threat signals.

### Can I look up multiple IPs at once?

**Answer:** Yes. The bulk lookup endpoint accepts up to 50,000 IP addresses in a single POST request. This is useful for batch analysis of user logs, transaction records, or security audits where you need to assess large volumes of IPs without making individual API calls.

### What is the difference between is_proxy and is_residential_proxy?

**Answer:** `is_proxy` flags IPs associated with any type of proxy service, including datacenter proxies, commercial proxy networks, and open proxies. `is_residential_proxy` specifically flags IPs that belong to residential proxy networks, where traffic is routed through consumer ISP connections. Residential proxies are harder to detect because the underlying IP belongs to a real ISP rather than a datacenter. The API flags both types separately so you can apply different policies to each.

### How does the API identify known attackers and spam sources?

**Answer:** A network of active honeypots and curated threat feeds captures IPs linked to brute force attacks, credential stuffing, vulnerability scanning, and spam activity. These signals are continuously collected, validated, and fed into the API to power the `is_known_attacker` and `is_spam` flags. The result is broader coverage and more reliable detection, so you can apply these flags with confidence in production security and abuse prevention systems.

### Does the API detect anonymous proxies?

**Answer:** Yes. The API flags anonymous proxies through the `is_anonymous` field, which is set when an IP hides its origin behind a VPN, proxy, Tor, or relay. You also get the specific signals behind it: `is_vpn`, `is_proxy`, `is_residential_proxy`, `is_tor`, and `is_relay`, each with provider names and confidence scores where available. That lets you treat a datacenter proxy differently from a residential one.

### Can I use this as an IP reputation API?

**Answer:** Yes. The `threat_score` from 0 to 100 works as an IP reputation score, combining VPN, proxy, Tor, bot, spam, known attacker, and cloud hosting signals into one value per IP. Use it to allow, challenge, or block traffic, then read the individual flags to see why an IP scored the way it did. Detection data refreshes continuously as new proxy and VPN endpoints appear.

### How accurate is IPGeolocation's VPN and proxy detection?

**Answer:** Each VPN and proxy detection in the API response includes a confidence score from 0 to 100, which helps you assess how strong the signal is instead of depending on a single yes/no flag. The API detects VPN and proxy traffic through active endpoint enumeration, network fingerprinting, and real-time behavioral analysis across VPN, proxy, and relay infrastructure. Detection data is updated continuously as new exit nodes and proxy endpoints are identified.

### What is the threat score and how should I use it?

**Answer:** The threat score is a number from 0 to 100 that represents the overall risk level of an IP address. It summarizes the security signals returned by the API, including VPN, proxy, residential proxy, relay, Tor, bot, spam, known attacker, and cloud hosting indicators. A score near 0 suggests little to no risk has been detected, while a higher score indicates stronger or multiple risk signals. You can use the threat score as a quick decisioning signal at login, checkout, signup, or API access points and then review the individual flags to understand why the IP was flagged.

### How often is the detection data updated?

**Answer:** The detection data is updated continuously. VPN and proxy infrastructure changes fast as providers rotate exit nodes, launch new endpoints, and shift traffic across residential and datacenter networks. The API stays current through active enumeration, honeypot monitoring, threat feed ingestion, proprietary blocklists, behavioral analysis, and signals gathered from the [live VPN and proxy detector](https://ipgeolocation.io/real-time-proxy-and-vpn-detection.html), which evaluates real user connections in real time. This helps identify new anonymization endpoints faster and keep detection coverage current.

### Is the IP Security API available on the free plan?

**Answer:** The IP Security API is available on all paid plans, starting at $19/month on the Starter plan with 150,000 API credits. You can use the [dedicated IP Security API endpoint for standalone IP risk checks](https://ipgeolocation.io/documentation/ip-security-api.html#single-ip-lookup-endpoint), or [combine security data with the IP Geolocation API in a single request](https://ipgeolocation.io/documentation/ip-location-api.html#ip-security-information-for-an-ip-address--includesecurity-parameter). To activate your premium free trial, [contact support](https://ipgeolocation.io/contact.html) through the support page or reach out on live chat.

### Does the API identify VPN and proxy providers by name?

**Answer:** Yes. When the API detects a VPN or proxy, it returns the provider name in the `vpn_provider_names` or `proxy_provider_names` field where available. For example, the response might show "NordVPN" or "Zyte Proxy" as the identified service. This lets you build rules around specific providers rather than treating all VPN or proxy traffic the same way. Not all IP security APIs offer provider-level identification. Many return only a boolean flag.

### Is there a downloadable IP security database instead of the API?

**Answer:** Yes. If you need a downloadable IP security database instead of API calls, IPGeolocation offers it under the [Security Pro](https://ipgeolocation.io/security-pro-databases.html) tier. The [IP Security Database](https://ipgeolocation.io/ip-security-database.html) is the main downloadable VPN detection and proxy detection database. It includes the core IP security fields available through the API, covering VPN, proxy, Tor, bot, spam, known attacker, and hosting/cloud detection. For residential proxy detection, there is a separate [Residential Proxy Database](https://ipgeolocation.io/residential-proxy-database.html). For teams that only need to flag cloud and hosting IPs, the [IP to Hosting Database](https://ipgeolocation.io/ip-hosting-database.html) is a smaller subset built for that use case. Security Pro databases are available in MMDB, JSON, and CSV formats with daily or weekly updates depending on the plan. You can review sample data on the [Security Pro databases](https://ipgeolocation.io/security-pro-databases.html) page.

### What is a proxy detection API?

**Answer:** A proxy detection API checks an IP address and tells you whether it is routing traffic through a proxy. The Proxy & VPN Detection API flags datacenter, commercial, and residential proxies separately, returns the proxy provider name and a confidence score where available, and includes the last-seen date. It detects both standard and residential proxy traffic in the same call.

### Is there a free tool to check if an IP is a proxy or VPN?

**Answer:** Yes. Enter any IP in the lookup box at the top of this page, or pick one of the sample IPs, to see its threat score and detection flags (VPN, proxy, residential proxy, Tor, bot, and more) right in the browser, no code required. To check IPs inside your app or in bulk, the Proxy & VPN Detection API returns the same data as JSON and handles up to 50,000 IPs per request.
