The IP Threat Intelligence API returns a complete security profile for any IPv4 or IPv6 address in a single request — VPN, proxy, residential proxy, Tor exit node, bot, spam, and known-attacker signals, plus a 0–100 threat score.
The response carries field-level detail most providers omit: per-signal confidence scores (proxy_confidence_score, vpn_confidence_score), named providers (proxy_provider_names, vpn_provider_names), last-seen recency, and Apple-style relay detection (is_relay). It is built for fraud and trust-and-safety engineers screening checkout and signup traffic, and for security teams enriching IP datasets at scale.
A single endpoint serves real-time lookups; the bulk endpoint screens up to 50,000 IPs per request. Start with 10,000 free credits, no credit card required.
threat_score that summarizes all security signals detected for the IP. Low scores indicate little to no observed risk. High scores reflect multiple or strong risk indicators such as active VPN usage, proxy routing, known attacker history, and bot behaviour. You can use this score as a single decision-making signal — for example, allow scores below 20, challenge scores between 20 and 60, and block scores above 60 — without evaluating individual flags in your application logic.
is_vpn flag. Use VPN detection to enforce geo-restrictions, comply with content licensing agreements, and identify high-anonymity sessions that warrant additional verification steps. vpn_confidence_score (0–100) indicates how strong the VPN signal is, and vpn_provider_names lists the VPN service when identified — useful for teams that maintain provider-level blocklists.
is_proxy flag covers datacenter, residential, and HTTP proxies, with is_residential_proxy specifically marking traffic routed through consumer ISP connections. proxy_confidence_score (0–100) rates the strength of the signal and proxy_provider_names lists the operator when known — particularly useful for fraud teams that maintain blocklists by provider. Residential proxies look like legitimate consumer connections, catching abuse that datacenter-only detection misses.
is_tor flag identifies IP addresses that are known Tor exit nodes at the time of the request. Tor traffic indicates a high intent to remain anonymous and is commonly used by threat actors to evade IP-based blocking. Applications that serve regulated content, handle financial transactions, or require verified identity should treat Tor traffic with elevated scrutiny.
is_bot flag identifies IP addresses associated with automated tools including scanners, credential stuffing frameworks, web scrapers, and other non-human traffic sources. The is_spam flag surfaces IP addresses linked to spam campaigns and email abuse. Both flags feed directly from threat intelligence feeds updated on an ongoing basis.
is_known_attacker flag marks IP addresses observed conducting malicious activity such as brute force attacks, port scans, vulnerability probes, or DDoS participation. This flag draws from curated threat feeds and honeypot telemetry, not just static blocklists.
threat_score, is_known_attacker, is_spam, and is_bot flags together form a comprehensive IP reputation profile. As an IP reputation API, each response reflects the current standing of the IP address across multiple threat intelligence sources — not a cached score from a daily batch run. You can act on reputation data at login, checkout, API ingestion, or any other entry point where traffic quality matters. threat_score gives you a single threshold to act on across all these scenarios.
is_anonymous flag consolidates VPN, proxy, and Tor signals into a single flag for cases where your application simply needs to know whether the IP is attempting to obscure its true origin, regardless of the specific method used.
is_relay flag and relay_provider_name field identify privacy-relay services such as Apple iCloud Private Relay — a distinct anonymity layer that VPN- and proxy-only detection misses.
is_cloud_provider flag and cloud_provider_name field identify IP addresses belonging to cloud infrastructure (AWS, Google Cloud, Azure, Hetzner, etc.). Cloud IPs are rarely end-user connections and often indicate automated traffic, API integrations, or server-to-server calls originating from cloud workloads.
Most IP security data providers crawl and refresh their threat datasets once per day or once per hour. The APIFreaks IP Security API is backed by crawlers that run continuously without interruption, meaning VPN exit nodes, proxy infrastructure, Tor relays, and attacker-associated IP ranges are identified and reflected in API responses as soon as they are detected — not hours later.
For applications making real-time access decisions, this makes a direct difference: an IP that joined a botnet campaign or started operating as a proxy exit node in the last few minutes is already flagged, not waiting for the next scheduled crawl.
POST /ip/security endpoint accepts a JSON array of up to 50,000 IP addresses and returns a security profile for each one. Bulk processing is designed for security audits on existing datasets, log enrichment workflows, threat hunting across historical traffic, and any scenario where real-time single-IP lookups are not practical.
fields parameter to return only the fields your application needs, reducing payload size and parsing overhead. Use the excludes parameter to strip out objects or fields you do not need. Both parameters accept dot-notation paths (e.g., security.threat_score) for field-level control.
Chargebacks, coupon abuse, and account takeovers frequently originate from IP addresses routed through proxies, VPNs, or Tor. Integrating this IP fraud detection API at checkout and account creation lets you flag high-risk sessions before a transaction completes, without adding friction to legitimate customers. The threat_score gives you a single threshold to act on, while individual flags (is_proxy, is_known_attacker) let you tailor your response to the specific risk type. Because threat data is refreshed continuously rather than on a scheduled crawl, newly active fraud infrastructure is reflected in the API response in real time.
Automated traffic — scrapers, credential stuffers, and click fraud bots — has become a significant operational cost. The is_bot flag, combined with cloud provider detection (is_cloud_provider), quickly identifies machine-originated traffic. Most bot operations run out of cloud or hosting infrastructure, making cloud provider detection a lightweight but effective first filter.
Free trials, review platforms, voting systems, and referral programmes are abused by users who create multiple accounts from anonymised IP addresses. Detecting proxies, VPNs, and Tor connections during account registration lets you enforce usage limits without relying solely on device fingerprinting or email verification.
Security teams enrich existing IP datasets — SIEM events, server logs, abuse reports — with reputation context before triage. Run the bulk endpoint over historical traffic to attach threat_score, is_known_attacker, and is_residential_proxy to every record, then prioritize investigation by score. Pair it with the IP Geolocation API when you also need country, ASN, and ISP context on the same addresses.
$ pip install requests
| Parameter | Required | Type | Default | Description |
|---|---|---|---|---|
| ip | No | String | - | A valid IPv4 or IPv6 address to look up. If omitted, the API uses the public IP of the requesting client. |
| fields | No | String | - | Comma-separated list of fields to return. Supports dot notation (e.g. security.threat_score). |
| excludes | No | String | - | Comma-separated list of fields to remove from the response. Supports dot notation (e.g. security.is_tor). |
The POST request body must be in JSON format and should contain an ips array of valid IPv4 or IPv6 addresses. Optional parameters fields and excludes are passed as query parameters in the URL.
```json
{
  "ips": [
    "8.8.8.8",
    "1.1.1.1",
    "45.33.32.156"
  ]
}
```
A single bulk request can contain up to 50,000 IP addresses. Requests exceeding this limit will be rejected. For datasets larger than 50,000 IPs, split them into batches and send multiple requests.

| HTTP Status | Reasons |
|---|---|
| 400 | Provided IP address is not valid. |
| 404 | Provided IP address doesn't exist in our database. |
| 423 | The IP address is a bogon IP address. |
| 400 | Please provide data in required format in request body. |
Fraud teams commonly integrate proxy and VPN detection at the authentication layer to flag sessions that are deliberately obscuring their true origin. The following request checks a single IP and returns only the security object, keeping the response small and latency low.
```bash
curl -X 'GET' 'https://api.apifreaks.com/v1.0/ip/security?ip=8.8.8.8&fields=security&apiKey=API-KEY'
```
Response:
```json
{
  "ip": "8.8.8.8",
  "security": {
    "threat_score": 5,
    "is_tor": false,
    "is_proxy": false,
    "proxy_provider_names": [],
    "proxy_confidence_score": 0,
    "proxy_last_seen": "",
    "is_residential_proxy": false,
    "is_vpn": false,
    "vpn_provider_names": [],
    "vpn_confidence_score": 0,
    "vpn_last_seen": "",
    "is_relay": false,
    "relay_provider_name": "",
    "is_anonymous": false,
    "is_known_attacker": false,
    "is_bot": false,
    "is_spam": false,
    "is_cloud_provider": true,
    "cloud_provider_name": "Google LLC"
  }
}
```
If you have a dataset of IP addresses to retroactively screen — for example, after a suspected account takeover campaign — the bulk endpoint lets you process up to 50,000 IPs in a single request.
```bash
curl -X 'POST' 'https://api.apifreaks.com/v1.0/ip/security?apiKey=API-KEY' \
  -H 'Content-Type: application/json' \
  -d '{"ips":["8.8.8.8","1.1.1.1","45.33.32.156"]}'
```
Response:
```json
[
  {
    "ip": "8.8.8.8",
    "security": {
      "threat_score": 5,
      "is_tor": false,
      "is_proxy": false,
      "proxy_provider_names": [],
      "proxy_confidence_score": 0,
      "proxy_last_seen": "",
      "is_residential_proxy": false,
      "is_vpn": false,
      "vpn_provider_names": [],
      "vpn_confidence_score": 0,
      "vpn_last_seen": "",
      "is_relay": false,
      "relay_provider_name": "",
      "is_anonymous": false,
      "is_known_attacker": false,
      "is_bot": false,
      "is_spam": false,
      "is_cloud_provider": true,
      "cloud_provider_name": "Google LLC"
    }
  },
  {
    "ip": "1.1.1.1",
    "security": {
      "threat_score": 5,
      "is_tor": false,
      "is_proxy": false,
      "proxy_provider_names": [],
      "proxy_confidence_score": 0,
      "proxy_last_seen": "",
      "is_residential_proxy": false,
      "is_vpn": false,
      "vpn_provider_names": [],
      "vpn_confidence_score": 0,
      "vpn_last_seen": "",
      "is_relay": false,
      "relay_provider_name": "",
      "is_anonymous": false,
      "is_known_attacker": false,
      "is_bot": false,
      "is_spam": false,
      "is_cloud_provider": true,
      "cloud_provider_name": "Cloudflare, Inc."
    }
  },
  {
    "ip": "45.33.32.156",
    "security": {
      "threat_score": 5,
      "is_tor": false,
      "is_proxy": false,
      "proxy_provider_names": [],
      "proxy_confidence_score": 0,
      "proxy_last_seen": "",
      "is_residential_proxy": false,
      "is_vpn": false,
      "vpn_provider_names": [],
      "vpn_confidence_score": 0,
      "vpn_last_seen": "",
      "is_relay": false,
      "relay_provider_name": "",
      "is_anonymous": false,
      "is_known_attacker": false,
      "is_bot": false,
      "is_spam": false,
      "is_cloud_provider": true,
      "cloud_provider_name": "Linode"
    }
  }
]
```
The response is a JSON array in the same order as your input. Process it by index to match results back to your original dataset.
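An added example (not code from the API provider) of the bulk workflow described above: validate and deduplicate addresses locally, split them into batches within the 50,000 limit, and pair results with inputs by position. The names `normalize`, `enrich`, `triage` and `fake_post_bulk` are hypothetical, the local `is_global` pre-filter is an assumption about what is worth sending, and the stub replaces the HTTP POST with constructed data so the block runs offline.

```python
import ipaddress

MAX_BULK = 50_000  # per-request limit stated on this page

def normalize(raw):
    """Return (unique global IPs in first-seen order, rejected values)."""
    good, rejected = {}, []
    for value in raw:
        try:
            ip = ipaddress.ip_address(value.strip())
        except ValueError:
            rejected.append(value)    # malformed: the page lists 400 for this
            continue
        if ip.is_global:
            good[str(ip)] = None      # dict keeps first-seen order and dedupes
        else:
            rejected.append(value)    # private/reserved: the page lists 423 (bogon)
    return list(good), rejected

def enrich(ips, post_bulk, size=MAX_BULK):
    """Send batches of at most `size` IPs; map each IP to its security object."""
    profiles = {}
    for start in range(0, len(ips), size):
        chunk = ips[start:start + size]
        results = post_bulk({"ips": chunk})      # request body format from this page
        if len(results) != len(chunk):
            raise ValueError("result count differs from request count")
        for sent, item in zip(chunk, results):   # results come back in input order
            if ipaddress.ip_address(item["ip"]) != ipaddress.ip_address(sent):
                raise ValueError(f"order mismatch: sent {sent}, got {item['ip']}")
            profiles[sent] = item["security"]
    return profiles

def triage(profiles):
    """Known attackers first, then descending threat_score."""
    return sorted(profiles, key=lambda ip: (not profiles[ip]["is_known_attacker"],
                                            -profiles[ip]["threat_score"]))

# Constructed stand-in for the HTTP POST; scores and flags are invented sample data.
SAMPLE = {"8.8.8.8": (5, False), "1.1.1.1": (62, False), "45.33.32.156": (40, True)}
CALLS = []
def fake_post_bulk(body):
    CALLS.append(len(body["ips"]))
    return [{"ip": ip, "security": dict(zip(("threat_score", "is_known_attacker"), SAMPLE[ip]))}
            for ip in body["ips"]]

if __name__ == "__main__":
    ips, bad = normalize(["8.8.8.8", "10.0.0.5", "1.1.1.1", "8.8.8.8", "nope", "45.33.32.156"])
    print(triage(enrich(ips, fake_post_bulk, size=2)), bad)
```

In production, `post_bulk` would wrap the POST request shown above; the position check catches a truncated or reordered response before scores are attached to the wrong log record.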
For high-volume real-time applications, use the fields parameter to return only the fields your application reads.
```bash
curl -X 'GET' 'https://api.apifreaks.com/v1.0/ip/security?ip=8.8.8.8&fields=security.threat_score,security.is_vpn,security.is_proxy,security.vpn_confidence_score&apiKey=API-KEY'
```
Response:
```json
{
  "ip": "8.8.8.8",
  "security": {
    "threat_score": 5,
    "is_proxy": false,
    "is_vpn": false,
    "vpn_confidence_score": 0
  }
}
```
The threat_score field provides a single number summarizing the security signals associated with an IP address. The scale runs from 0 to 100. Here is how to interpret each range and what actions are typically appropriate:
| Score Range | Risk Level | Recommended Action |
|---|---|---|
| 0–19 | Low | Allow with standard controls. Log for pattern analysis over time. |
| 20–44 | Medium | Combine with other signals before acting. Consider soft challenges for sensitive actions. |
| 45–74 | Elevated | Require additional verification (MFA, CAPTCHA). Block access to high-value actions such as withdrawals or account changes. |
| 75–100 | High | Block or quarantine. These scores reflect multiple strong signals (e.g. known attacker + active proxy + Tor). |
Threat scores are not static. An IP address can shift between ranges as new intelligence is gathered. For real-time applications, always call the API at decision points rather than caching results for extended periods.
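The score table above turned into a decision function, as an added example rather than the provider's code. The band boundaries come from the table; `decide`, `risk_level`, the `high_value` argument, the choice of escalating flags, and the challenge-on-missing-score behaviour are assumptions of this sketch.

```python
# Band floors from the score table on this page, highest first.
BANDS = [(75, "high"), (45, "elevated"), (20, "medium"), (0, "low")]

# Assumed policy choice: flags that corroborate a medium score.
ESCALATING_FLAGS = ("is_known_attacker", "is_tor", "is_residential_proxy", "is_bot")

def risk_level(score):
    """Map a 0-100 threat_score to the page's risk level name."""
    if isinstance(score, bool) or not isinstance(score, (int, float)) \
            or not 0 <= score <= 100:
        raise ValueError(f"threat_score out of range: {score!r}")
    return next(name for floor, name in BANDS if score >= floor)

def decide(security, high_value=False):
    """Return (action, reason); action is 'allow', 'challenge' or 'block'."""
    if "threat_score" not in security:
        # For instance a `fields` filter left it out: never default to allow.
        return "challenge", "threat_score missing"
    level = risk_level(security["threat_score"])
    if level == "high":
        return "block", "high score"
    if level == "elevated":
        if high_value:
            return "block", "elevated score on high-value action"
        return "challenge", "elevated score"
    if level == "medium":
        hits = [flag for flag in ESCALATING_FLAGS if security.get(flag)]
        if hits:
            return "challenge", "medium score + " + ",".join(hits)
        if high_value:
            return "challenge", "medium score on high-value action"
        return "allow", "medium score, no corroborating flag"
    return "allow", "low score"

if __name__ == "__main__":
    # Constructed security objects, shaped like the responses on this page.
    for sec, hv in [({"threat_score": 5}, False),
                    ({"threat_score": 30, "is_residential_proxy": True}, False),
                    ({"threat_score": 50}, True),
                    ({"is_vpn": True}, False)]:
        print(sec, hv, decide(sec, hv))
```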
is_residential_proxy flag marks IPs routing through consumer ISP connections, in addition to datacenter and HTTP proxies covered by is_proxy. proxy_confidence_score indicates how strong the signal is, and proxy_provider_names names the operator when identified. Residential proxies matter because they look like ordinary consumer traffic, making them the preferred choice for sophisticated fraud.
is_proxy flags IPs specifically routing through a proxy service. is_anonymous is broader and returns true whenever any anonymizing technology is detected — VPN, proxy, or Tor. Use is_proxy to act on proxy traffic specifically; use is_anonymous when any form of anonymization should trigger the same response.
POST /ip/security endpoint accepts up to 50,000 IP addresses per request. For larger datasets, split the list into batches and send multiple requests. Each entry is billed independently — 5 credits per successfully retrieved result.
To perform an IP Threat Intelligence API request through the API, you will need API credits. Credits are only deducted for successful queries, defined by a 2xx status code. If a request results in a 4xx or 5xx status code, no credits will be deducted, and any credits already charged will be refunded.
5 credits.
5 credits per successfully retrieved result.
Utilize the Credits Usage API to efficiently monitor your recent consumption of both one-off and subscription credits. This API provides a streamlined way to track and manage your credit usage, ensuring you stay informed about your remaining balance and can optimize your resource allocation effectively.