IP Threat Detection

Check if an IP belongs to a VPN, proxy, Tor node, or datacenter

GET /v1/geo/ip-threat (3 credits)

```bash
curl "https://geo.toolkitapi.io/v1/geo/ip-threat?ip=185.220.101.1"
```

```python
import httpx

resp = httpx.get(
    "https://geo.toolkitapi.io/v1/geo/ip-threat?ip=185.220.101.1",
)
print(resp.json())
```

```javascript
const resp = await fetch("https://geo.toolkitapi.io/v1/geo/ip-threat?ip=185.220.101.1");
const data = await resp.json();
console.log(data);
```
Response 200 OK

```json
{
  "ip": "185.220.101.1",
  "is_anonymous": true,
  "is_anonymous_vpn": false,
  "is_hosting_provider": false,
  "is_public_proxy": false,
  "is_residential_proxy": false,
  "is_tor_exit_node": true,
  "is_datacenter": false,
  "threat_score": 40,
  "asn": 205100,
  "asn_name": "F3 Netze e.V."
}
```


How to Use

1. Pass the IP address to check in the `ip` query parameter.
2. Send a GET request and inspect the boolean flags (`is_tor_exit_node`, `is_anonymous_vpn`, etc.).
3. Use the `threat_score` field (0–100) for quick risk triage; scores above 30 typically warrant additional verification.
4. Combine with the IP Geolocation Lookup endpoint for a complete risk profile including geographic context.

About This Tool

Use IP Threat Detection to determine whether a given IP address is associated with anonymisation services such as VPNs, public proxies, Tor exit nodes, residential proxies, or datacenter hosting. The endpoint returns boolean flags for each category plus a composite threat score from 0 (clean) to 100 (highest risk).

This is essential for fraud prevention, bot detection, and security workflows where you need to assess the trustworthiness of an incoming connection before processing a transaction or granting access.

The threat data is derived from MaxMind's Anonymous IP database combined with ASN-based datacenter heuristics.

Frequently Asked Questions

How is the threat score calculated?

The score is a weighted composite: Tor exit nodes add 40 points, public proxies add 30, VPNs add 25, residential proxies add 15, and datacenter IPs add 10. The score is capped at 100.

How often is the threat data updated?

The underlying MaxMind databases are updated regularly. Datacenter ASN heuristics are maintained as part of the service configuration.

Can clean IPs still have a non-zero threat score?

Yes. An IP hosted in a datacenter but not flagged as a proxy will still receive 10 points for the datacenter classification.
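
The triage step from How to Use combined with the FAQ weights, as an added example that is not part of the service's documentation or code: it recomputes the score from the flags and shows why a score-only check at 30 lets a lone VPN (25) or residential proxy (15) through. The pairing of weights with field names, the `triage` policy and the two constructed samples are assumptions.

```python
# Added example (not the service's own code): offline triage of an
# ip-threat response. Weights come from this page's FAQ; pairing each
# weight with a response field name is an assumption.
WEIGHTS = {
    "is_tor_exit_node": 40,
    "is_public_proxy": 30,
    "is_anonymous_vpn": 25,
    "is_residential_proxy": 15,
    "is_datacenter": 10,
}
STEP_UP_ABOVE = 30  # page guidance: scores above 30 warrant verification


def expected_score(resp):
    """Recompute the composite score from the flags, capped at 100."""
    return min(100, sum(w for f, w in WEIGHTS.items() if resp.get(f) is True))


def triage(resp):
    """Hypothetical policy: return a decision and the reasons behind it."""
    score = resp.get("threat_score")
    # Missing or malformed score: fall back to extra verification.
    if type(score) is not int or not 0 <= score <= 100:
        return {"decision": "step_up", "reasons": ["invalid_threat_score"]}
    flags = [f for f in WEIGHTS if resp.get(f) is True]
    mismatch = score != expected_score(resp)
    # A lone VPN (25) or residential proxy (15) scores below the threshold,
    # so anonymiser flags are checked in addition to the score.
    anonymiser = any(f != "is_datacenter" for f in flags)
    step_up = score > STEP_UP_ABOVE or anonymiser or mismatch
    reasons = flags + (["score_flag_mismatch"] if mismatch else [])
    return {"decision": "step_up" if step_up else "allow", "reasons": reasons}


# Response body copied from this page's example.
TOR_SAMPLE = {
    "ip": "185.220.101.1", "is_anonymous": True, "is_anonymous_vpn": False,
    "is_hosting_provider": False, "is_public_proxy": False,
    "is_residential_proxy": False, "is_tor_exit_node": True,
    "is_datacenter": False, "threat_score": 40,
    "asn": 205100, "asn_name": "F3 Netze e.V.",
}
# Constructed samples (documentation-range IPs, not real lookups).
VPN_ONLY = {"ip": "192.0.2.10", "is_anonymous_vpn": True, "threat_score": 25}
DC_ONLY = {"ip": "192.0.2.20", "is_datacenter": True, "threat_score": 10}

if __name__ == "__main__":
    for sample in (TOR_SAMPLE, VPN_ONLY, DC_ONLY):
        print(sample["ip"], triage(sample))
```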
