Detecting VPNs, Proxies, and Tor Exit Nodes via API
Why Anonymous Traffic Detection Matters
VPNs, proxies, and Tor exit nodes are legitimate privacy tools — but they're also used to bypass geo-restrictions, commit fraud, and abuse free-tier services. Detecting anonymous traffic lets you apply appropriate friction without blocking legitimate users.
VPN Detection
VPNs route traffic through a server in another location. Detection relies on:
- ASN analysis — VPN providers have recognisable Autonomous System Numbers
- IP reputation databases — known VPN exit IPs are tracked and flagged
- Hostname patterns — hostnames like
vpn-us-1.nordvpn.comare telltale
Proxy Detection
Open proxies and datacenter IPs (AWS, DigitalOcean, Vultr) are used for automated traffic. The API checks whether the IP belongs to a hosting provider rather than a residential or business ISP.
Tor Exit Node Detection
Tor exit node IPs are publicly listed by the Tor Project and updated regularly. The API checks against this list in real time.
API Usage
curl -X POST https://api.toolkitapi.io/v1/geo/ip-intelligence \
-H "X-API-Key: $API_KEY" \
-H "Content-Type: application/json" \
-d '{"ip": "198.51.100.1"}'
{
"ip": "198.51.100.1",
"country": "US",
"city": "New York",
"is_vpn": true,
"is_proxy": false,
"is_tor": false,
"is_datacenter": true,
"threat_score": 75,
"isp": "NordVPN"
}
Risk-Based Responses
Rather than blocking all anonymous traffic, use the threat_score to apply
graduated responses:
| Score | Suggested action |
|---|---|
| 0–30 | Allow |
| 31–60 | Add CAPTCHA or step-up auth |
| 61–80 | Require email verification |
| 81–100 | Block or manual review |
This approach minimises false positives while deterring automated abuse.