Loading
Loading
Detect VPNs, proxies, Tor nodes, bots, and malicious traffic for any IP address — powered by continuously updated IP threat intelligence data.
The APIFreaks IP Security API gives you a complete risk profile for any IP address. Whether you are building IP fraud detection into a checkout flow, blocking automated abuse at login, or running threat intelligence across millions of events, this API returns the information you need to make a confident decision without stitching together multiple data sources.
A single request returns a threat score from 0 to 100, along with VPN detection, proxy detection, Tor exit node identification, bot and spam flags, and known attacker signals — plus the underlying network context such as ISP, ASN, geolocation, and timezone — depending on the fields you choose to include.
Two endpoints cover the full range of use cases: a single-IP lookup for real-time decision-making and a bulk endpoint that accepts up to 50,000 IP addresses in one request, built for batch processing pipelines, security audits, and offline enrichment workflows.
threat_score that summarizes all security signals detected for the IP. Low scores indicate little to no observed risk. High scores reflect multiple or strong risk indicators such as active VPN usage, proxy routing, known attacker history, and bot behaviour. You can use this score as a single decision-making signal — for example, allow scores below 20, challenge scores between 20 and 60, and block scores above 60 — without evaluating individual flags in your application logic.is_vpn flag. Use VPN detection to enforce geo-restrictions, comply with content licensing agreements, and identify high-anonymity sessions that warrant additional verification steps. The proxy_type field provides further detail when a specific VPN-related type of proxy is identified.is_proxy flag covers datacenter proxies, residential proxies, HTTP proxies, and other proxy types identified in the proxy_type field. The proxy_provider field names the provider when available, which is particularly useful for fraud teams that maintain blocklists by provider. Residential proxies — which route traffic through consumer ISP connections — are included in detection coverage, catching abuse that standard datacenter-only detection misses.is_tor flag identifies IP addresses that are known Tor exit nodes at the time of the request. Tor traffic indicates a high intent to remain anonymous and is commonly used by threat actors to evade IP-based blocking. Applications that serve regulated content, handle financial transactions, or require verified identity should treat Tor traffic with elevated scrutiny.is_bot flag identifies IP addresses associated with automated tools including scanners, credential stuffing frameworks, web scrapers, and other non-human traffic sources. The is_spam flag surfaces IP addresses linked to spam campaigns and email abuse. Both flags feed directly from threat intelligence feeds updated on an ongoing basis.is_known_attacker flag marks IP addresses observed conducting malicious activity such as brute force attacks, port scans, vulnerability probes, or DDoS participation. This flag draws from curated threat feeds and honeypot telemetry, not just static blocklists.threat_score, is_known_attacker, is_spam, and is_bot flags together form a comprehensive IP reputation profile. As an IP reputation API, each response reflects the current standing of the IP address across multiple threat intelligence sources — not a cached score from a daily batch run. You can act on reputation data at login, checkout, API ingestion, or any other entry point where traffic quality matters.threat_score gives you a single threshold to act on across all these scenarios.is_anonymous flag consolidates VPN, proxy, and Tor signals into a single flag for cases where your application simply needs to know whether the IP is attempting to obscure its true origin, regardless of the specific method used.is_cloud_provider flag and cloud_provider field identify IP addresses belonging to cloud infrastructure providers such as AWS, Google Cloud, Azure, Hetzner, etc. Cloud IPs are rarely end-user connections and often indicate automated traffic, API integrations, or server-to-server calls originating from cloud workloads.Most IP security data providers crawl and refresh their threat datasets once per day or once per hour. The APIFreaks IP Security API is backed by crawlers that run continuously without interruption, meaning VPN exit nodes, proxy infrastructure, Tor relays, and attacker-associated IP ranges are identified and reflected in API responses as soon as they are detected — not hours later. For applications making real-time access decisions, this makes a direct difference: an IP that joined a botnet campaign or started operating as a proxy exit node in the last few minutes is already flagged, not waiting for the next scheduled crawl.
POST /ip/security endpoint accepts a JSON array of up to 50,000 IP addresses and returns a security profile for each one. Bulk processing is designed for security audits on existing datasets, log enrichment workflows, threat hunting across historical traffic, and any scenario where real-time single-IP lookups are not practical.fields parameter to return only the fields your application needs, reducing payload size and parsing overhead. Use the excludes parameter to strip out objects or fields you do not need. Both parameters accept dot-notation paths (e.g., security.threat_score) for field-level control.Chargebacks, coupon abuse, and account takeovers frequently originate from IP addresses routed through proxies, VPNs, or Tor. Integrating this IP fraud detection API at checkout and account creation lets you flag high-risk sessions before a transaction completes, without adding friction to legitimate customers. The threat_score gives you a single threshold to act on, while individual flags (is_proxy, is_known_attacker) let you tailor your response to the specific risk type. Because threat data is refreshed continuously rather than on a scheduled crawl, newly active fraud infrastructure is reflected in the API response in real time.
Automated traffic — scrapers, credential stuffers, and click fraud bots — has become a significant operational cost. The is_bot flag, combined with cloud provider detection (is_cloud_provider), quickly identifies machine-originated traffic. Most bot operations run out of cloud or hosting infrastructure, making cloud provider detection a lightweight but effective first filter.
Free trials, review platforms, voting systems, and referral programmes are abused by users who create multiple accounts from anonymised IP addresses. Detecting proxies, VPNs, and Tor connections during account registration lets you enforce usage limits without relying solely on device fingerprinting or email verification.
$ pip install requests
| Parameter | Required | Type | Default | Description |
|---|---|---|---|---|
| ip | No | String | - | A valid IPv4 or IPv6 address to look up. If omitted, the API uses the public IP of the requesting client. |
| fields | No | String | - | Comma-separated list of fields to return. Supports dot notation (e.g. security.threat_score). |
| excludes | No | String | - | Comma-separated list of fields to remove from the response. Supports dot notation (e.g. security.is_tor). |
$ pip install requests
The POST request body must be in JSON format and should contain an ips array of valid IPv4 or IPv6 addresses. Optional parameters fields and excludes are passed as query parameters in the URL.
{
"ips": [
"8.8.8.8",
"1.1.1.1",
"45.33.32.156"
]
}A single bulk request can contain up to 50,000 IP addresses. Requests exceeding this limit will be rejected. For datasets larger than 50,000 IPs, split them into batches and send multiple requests.| HTTP Status | Reasons |
|---|---|
| 400 | Provided IP address is not valid. |
| 404 | Provided IP address doesn't exist in our database. |
| 423 | The IP address is a bogon IP address. |
| 400 | Please provide data in required format in request body. |
Fraud teams commonly integrate proxy and VPN detection at the authentication layer to flag sessions that are deliberately obscuring their true origin. The following request checks a single IP and returns only the security object, keeping the response small and latency low.
# Response { "ip": "8.8.8.8", "security": { "threat_score": 5, "is_tor": false, "is_proxy": false, "proxy_provider_names": [], "proxy_confidence_score": 0, "proxy_last_seen": "", "is_residential_proxy": false, "is_vpn": false, "vpn_provider_names": [], "vpn_confidence_score": 0, "vpn_last_seen": "", "is_relay": false, "relay_provider_name": "", "is_anonymous": false, "is_known_attacker": false, "is_bot": false, "is_spam": false, "is_cloud_provider": true, "cloud_provider_name": "Google LLC" } }curl -X 'GET' 'https://api.apifreaks.com/v1.0/ip/security?ip=8.8.8.8&fields=security&apiKey=API-KEY'
If you have a dataset of IP addresses to retroactively screen — for example, after a suspected account takeover campaign — the bulk endpoint lets you process up to 50,000 IPs in a single request.
# Response [ { "ip": "8.8.8.8", "security": { "threat_score": 5, "is_tor": false, "is_proxy": false, "proxy_provider_names": [], "proxy_confidence_score": 0, "proxy_last_seen": "", "is_residential_proxy": false, "is_vpn": false, "vpn_provider_names": [], "vpn_confidence_score": 0, "vpn_last_seen": "", "is_relay": false, "relay_provider_name": "", "is_anonymous": false, "is_known_attacker": false, "is_bot": false, "is_spam": false, "is_cloud_provider": true, "cloud_provider_name": "Google LLC" } }, { "ip": "1.1.1.1", "security": { "threat_score": 5, "is_tor": false, "is_proxy": false, "proxy_provider_names": [], "proxy_confidence_score": 0, "proxy_last_seen": "", "is_residential_proxy": false, "is_vpn": false, "vpn_provider_names": [], "vpn_confidence_score": 0, "vpn_last_seen": "", "is_relay": false, "relay_provider_name": "", "is_anonymous": false, "is_known_attacker": false, "is_bot": false, "is_spam": false, "is_cloud_provider": true, "cloud_provider_name": "Cloudflare, Inc." } }, { "ip": "45.33.32.156", "security": { "threat_score": 5, "is_tor": false, "is_proxy": false, "proxy_provider_names": [], "proxy_confidence_score": 0, "proxy_last_seen": "", "is_residential_proxy": false, "is_vpn": false, "vpn_provider_names": [], "vpn_confidence_score": 0, "vpn_last_seen": "", "is_relay": false, "relay_provider_name": "", "is_anonymous": false, "is_known_attacker": false, "is_bot": false, "is_spam": false, "is_cloud_provider": true, "cloud_provider_name": "Linode" } } ]curl -X 'POST' 'https://api.apifreaks.com/v1.0/ip/security?apiKey=API-KEY' \ -H 'Content-Type: application/json' \ -d '{"ips":["8.8.8.8","1.1.1.1","45.33.32.156"]}'
The response is a JSON array in the same order as your input. Process it by index to match results back to your original dataset.
For high-volume real-time applications, use the fields parameter to return only the fields your application reads.
# Response { "ip": "8.8.8.8", "security": { "threat_score": 5, "is_proxy": false, "is_vpn": false, "vpn_confidence_score": 0 } }curl -X 'GET' 'https://api.apifreaks.com/v1.0/ip/security?ip=8.8.8.8&fields=security.threat_score,security.is_vpn,security.is_proxy,security.vpn_confidence_score&apiKey=API-KEY'
The threat_score field provides a single number summarizing the security signals associated with an IP address. The scale runs from 0 to 100. Here is how to interpret each range and what actions are typically appropriate:
| Score Range | Risk Level | Recommended Action |
|---|---|---|
| 0–19 | Low | Allow with standard controls. Log for pattern analysis over time. |
| 20–44 | Medium | Combine with other signals before acting. Consider soft challenges for sensitive actions. |
| 45–74 | Elevated | Require additional verification (MFA, CAPTCHA). Block access to high-value actions such as withdrawals or account changes. |
| 75–100 | High | Block or quarantine. These scores reflect multiple strong signals (e.g. known attacker + active proxy + Tor). |
Threat scores are not static. An IP address can shift between ranges as new intelligence is gathered. For real-time applications, always call the API at decision points rather than caching results for extended periods.
is_proxy flag covers residential proxies in addition to datacenter and HTTP proxies. The proxy_type field identifies the proxy category, and the proxy_provider field names the provider when identified. Residential proxy detection is important because residential IPs look like legitimate consumer connections on the surface, making them the preferred choice for sophisticated fraud operations.POST /ip/security endpoint accepts up to 50,000 IP addresses per request. For datasets larger than 50,000 IPs, split your list into batches and send multiple requests. Refer to the pricing plans for information on how bulk requests are counted against your usage.is_proxy specifically flags IP addresses routing through a proxy service. is_anonymous is a broader flag that returns true whenever any anonymizing technology is detected — VPN, proxy, or Tor. Use is_proxy when you need to act specifically on proxy traffic. Use is_anonymous when any form of anonymization should trigger the same response.To perform an VPN Proxy Detection API request through the API, you will need API credits. Credits are only deducted for successful queries, defined by a 2xx status code. If a request results in a 4xx or 5xx status code, no credits will be deducted, and any credits already charged will be refunded.
5 credits.5 credits per successfully retrieved result.Utilize the Credits Usage API to efficiently monitor your recent consumption of both one-off and subscription credits. This API provides a streamlined way to track and manage your credit usage, ensuring you stay informed about your remaining balance and can optimize your resource allocation effectively.