IP Reputation API: Detect VPNs, Proxies, Tor Nodes and Bots for Any IP Address

The WhoisFreaks IP Reputation API scores any IPv4 or IPv6 address against real-time threat data and returns a composite threat score (0–100), VPN, proxy, Tor and bot classification, VPN and proxy provider names with confidence scores, district-level geolocation, ASN and ISP. JSON or XML in one call. Free tier: 500 credits, no card.

curl --location --request GET 'https://api.whoisfreaks.com/v1.0/security?apiKey=API_KEY&ip=8.8.8.8'
[
  {
    "ip": "8.8.8.8",
    "security": {
      "threat_score": 0,
      "is_tor": false,
      "is_proxy": false,
      "proxy_type": "",
      "proxy_provider": "",
      "is_anonymous": false,
      "is_known_attacker": false,
      "is_spam": false,
      "is_bot": false,
      "is_cloud_provider": false,
      "cloud_provider": ""
    },
    "location": {
      "continent_code": "NA",
      "continent_name": "North America",
      "country_code2": "US",
      "country_code3": "USA",
      "country_name": "United States",
      "country_name_official": "United States of America",
      "country_capital": "Washington, D.C.",
      "state_prov": "California",
      "state_code": "US-CA",
      "district": "Santa Clara",
      "city": "Mountain View",
      "locality": "Mountain View",
      "accuracy_radius": "",
      "zipcode": "94043-1351",
      "latitude": "37.42240",
      "longitude": "-122.08421",
      "is_eu": false,
      "geoname_id": "6301403",
      "country_emoji": "🇺🇸"
    },
    "country_metadata": {
      "calling_code": "+1",
      "tld": ".us",
      "languages": [
        "en-US",
        "es-US",
        "haw",
        "fr"
      ]
    },
    "network": {
      "asn": {
        "as_number": "AS15169",
        "organization": "Google LLC",
        "country": "US",
        "asn_name": "GOOGLE",
        "type": "BUSINESS",
        "domain": "about.google",
        "date_allocated": "",
        "allocation_status": "assigned",
        "num_of_ipv4_routes": "967",
        "num_of_ipv6_routes": "104",
        "rir": "ARIN"
      },
      "connection_type": "",
      "company": {
        "name": "Google LLC",
        "type": "",
        "domain": ""
      }
    },
    "currency": {
      "code": "USD",
      "name": "US Dollar",
      "symbol": "$"
    }
  }
]

What is the IP Reputation API?

The IP Reputation API scores any IPv4 or IPv6 address in real time. One call returns a composite threat score (0–100), classification of the IP as VPN, proxy, Tor exit node, residential proxy, relay, anonymous proxy, known attacker, spam source, bot, or cloud or datacenter range, plus VPN and proxy provider names with per-detection confidence scores, ASN with type and date allocated, district-level geolocation with accuracy radius, and ISP.

Common integrations include fraud-prevention checks at signup and checkout, SIEM and SOAR enrichment, firewall and WAF blocklists, and step-up authentication at login.

What Is the IP Threat Score?

A score between 0 and 100 assigned to an IP address to represent the likelihood that it is associated with malicious activity.

How is the threat score calculated?

Every lookup returns a threat_score between 0 and 100. The score combines five risk signals:

  • VPN, proxy, or Tor exit node usage
  • Known attacker history including port scanning, brute-force, and DDoS participation
  • Spam and botnet reputation across abuse databases and spam-feed sources
  • Bot classification based on request behavior and network origin
  • Cloud or datacenter origin (AWS, GCP, Azure, DigitalOcean, OVH, Hetzner and similar)

Recommended Threat Score Thresholds

0–25: Low risk. Standard traffic.
26–50: Elevated risk. Apply CAPTCHA or rate limiting.
51–75: High risk. Require step-up authentication.
76–100: Block or reject. Known malicious or anonymizer.
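
An added example (not WhoisFreaks code) that applies the bands above to one lookup response: it maps threat_score to an action, raises the action when a boolean flag is set, and falls back to step-up when the response cannot be used. The function name, the flag-to-action floors and the fallback are assumptions; the field names come from the sample response on this page.

```python
import ipaddress
import json

# Bands from "Recommended Threat Score Thresholds" on this page.
BANDS = [(25, "allow"), (50, "captcha"), (75, "step_up"), (100, "block")]
ORDER = ["allow", "captcha", "step_up", "block"]
# Assumption (not from the page): the minimum action each set flag forces,
# so a low composite score cannot wave through a flagged address.
FLAG_FLOOR = {"is_known_attacker": "block", "is_tor": "step_up",
              "is_bot": "captcha", "is_anonymous": "captcha"}


def decide(body, queried_ip, on_error="step_up"):
    """Return (action, reasons) for one lookup response body (JSON text)."""
    try:
        records = json.loads(body)
        record = records[0] if isinstance(records, list) else records
        # Compare parsed addresses so IPv6 spelling differences do not matter.
        if ipaddress.ip_address(record["ip"]) != ipaddress.ip_address(queried_ip):
            raise ValueError("response is for a different IP")
        sec = record["security"]
        score = sec["threat_score"]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            raise ValueError("threat_score is not a number")
        if not 0 <= score <= 100:
            raise ValueError("threat_score out of range")
    except (ValueError, KeyError, IndexError, TypeError) as exc:
        # Enrichment failed: return the configured fallback (step-up by default).
        return on_error, [f"lookup unusable: {exc}"]

    action = next(name for limit, name in BANDS if score <= limit)
    reasons = [f"threat_score={score}"]
    for flag, floor in FLAG_FLOOR.items():
        # Only a literal JSON true counts; "" or a missing key does not.
        if sec.get(flag) is True:
            reasons.append(flag)
            if ORDER.index(floor) > ORDER.index(action):
                action = floor
    return action, reasons


# Constructed sample bodies using field names from the response on this page.
CLEAN = '[{"ip": "8.8.8.8", "security": {"threat_score": 0, "is_tor": false}}]'
TOR = ('[{"ip": "203.0.113.7", "security": {"threat_score": 30, '
       '"is_tor": true, "is_known_attacker": false}}]')

if __name__ == "__main__":
    for body, ip in ((CLEAN, "8.8.8.8"), (TOR, "203.0.113.7")):
        print(ip, decide(body, ip))
```

The returned reasons list is meant to be logged with the decision so an analyst can see which signal drove it.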

Product

Bulk IP Reputation API

Score up to 100 IPs in a single request - built for SOC batch enrichment and indicator-feed processing.

Bulk Tor & VPN Detection API

The bulk endpoint accepts up to 100 IPv4 or IPv6 addresses per request and returns the full reputation payload (threat score, VPN/proxy/Tor classification, VPN and proxy provider names with confidence scores, ASN, district geolocation) for every IP in one response. JSON or XML. Use it for SOC indicator-batch enrichment, threat-feed processing, and overnight reputation sweeps across SOAR pipelines.

Features

What the IP Reputation API Returns

Every successful lookup returns the fields below. All fields appear in the same JSON or XML response.

Composite Threat Score

A single 0–100 number combining VPN, proxy, Tor, spam, botnet, known-attacker, and datacenter signals. Set thresholds (block at 80+, step-up at 50–79, allow under 50) without writing a rule per boolean field.

VPN Detection

is_vpn flags commercial VPN traffic and returns a vpn_provider_names array (NordVPN, ExpressVPN, Surfshark) plus a vpn_confidence_score (0–100) and a vpn_last_seen timestamp.

Proxy Detection

is_proxy with proxy_provider_names array, is_residential_proxy for paid residential traffic, is_relay with relay_provider_name, is_anonymous for header-stripping proxies, plus proxy_confidence_score.

Tor Network Detection

is_tor flags Tor exit-node and relay traffic. Treated as a distinct category because Tor has no provider, no payment record, and a higher malicious-traffic base rate than commercial VPN networks.

Known-Attacker & Bot

is_known_attacker (port scanners, brute-force, DDoS), is_spam (Spamhaus, SpamCop, SORBS feeds), and is_bot (automated traffic behaviour). All pulled from continuously refreshed blocklists.

Cloud Detection

is_cloud_provider plus cloud_provider name (AWS, GCP, Azure, DigitalOcean, OVH, Hetzner). Score datacenter-origin traffic separately from residential to split server-to-server calls from human users.

ASN and Network

as_number, organization, type (HOSTING, ISP, BUSINESS), domain, date_allocated, RIR (ARIN, RIPE, APNIC, LACNIC), network route, is_anycast. Block hosting ASNs and anycast ranges instead of writing per-IP rules.

City-Level Geolocation

country (ISO 2 and 3, name, official, capital), state_prov, state_code, district, city, latitude, longitude, zipcode, accuracy_radius, confidence rating, is_eu, timezone, currency, country_emoji.

Product

IP Reputation Database

Need the full dataset for offline analysis or SIEM bulk ingest? The IP Reputation Database is the separate file-delivery product, previously called the IP Security Database.

IP Security Database

Daily snapshots of the full IP reputation dataset in gzipped CSV. Used by cybersecurity teams, fraud-prevention vendors, and threat-intelligence platforms that need to ingest the entire dataset rather than query individual IPs. See the IP Reputation Database page for schema, refresh cadence, and pricing.

Use Cases

IP Reputation in Action

Where teams use the IP Reputation API to decide whether to allow, challenge, or block traffic.

Signup Fraud Prevention

Reject or step up signups originating from VPNs, anonymous proxies, Tor exits, and known-attacker IPs. Score every new signup IP inline with one API call before the account is created.

Account Takeover Defense

Block or challenge login attempts when the IP returns a threat_score above your threshold or matches is_known_attacker or is_bot. Pair with device fingerprinting for higher signal.

Transaction Risk Scoring Model

Feed threat_score, is_tor, is_anonymous, and is_cloud_provider into the fraud-rule engine. Treat all datacenter and Tor traffic as elevated risk on card-not-present checkout flows.

SIEM and SOAR Enrichment

Enrich each inbound IP indicator with composite threat score, VPN/proxy classification, ASN, and geolocation before routing to analysts. Drop or auto-close alerts below thresholds.

Bot Filtering for Ad Tech

Filter datacenter and proxy IPs out of session counts, click-through metrics, and ad impressions. The is_bot and is_cloud_provider flags isolate non-human traffic from human users.

Email Sender Reputation Checks

Verify the reputation of inbound and outbound mail server IPs before delivery. Combine threat_score, is_spam, and is_known_attacker to gate sender filtering with DMARC enforcement.

Start using our Security Lookup API to uncover IP threats and phishing domains, stay ahead of attackers, and mitigate risk.

Integrations

Where the IP Reputation API Fits in Your Stack

Official Python, Go, Node.js, Java, PHP, Ruby, C#, Swift, C++, and cURL clients are published with copy-paste examples for each language. Embed VPN, proxy, and Tor classification into login, signup, checkout, and API-gateway code in under 30 lines.

No-code routing through Zapier, Make, and n8n sends high-threat-score events to Slack, PagerDuty, or Jira based on score thresholds.

Splunk, Microsoft Sentinel, Elastic, and SOAR playbooks ingest threat_score, is_known_attacker, and is_tor as IoC fields to trigger blocking, escalation, and investigation workflows.

FAQs

FAQs about the IP Reputation API: risk signals and reputation fields

What is a Proxy?

A proxy server acts as an intermediary between a user's device and the target website. When a user sends a request, it first goes to the proxy server, which then forwards the request to the destination site. The response from the website is sent back through the proxy and finally delivered to the user's device. While it masks the user's original IP address, it typically doesn’t encrypt the data being transmitted. Proxies are commonly used to bypass geo-restrictions or access region-specific content.

What is a VPN and what does it do?

A VPN (Virtual Private Network) is a service that encrypts your internet traffic by creating a secure tunnel between your device and a remote server. This process hides your real IP address and routes your data through the VPN server, making it appear as if you're browsing from a different location. Unlike a proxy, a VPN not only masks your IP and changes your virtual location but also ensures your online activity and sensitive data remain private and protected from prying eyes, offering a higher level of anonymity and security.

What is TOR used for in online privacy?

Tor (The Onion Router) is an open-source network designed to enhance online privacy by offering multiple layers of anonymity. It works by encrypting user requests in several layers and routing them through a random sequence of volunteer-operated servers known as nodes. This process hides the user's original IP address and makes it extremely difficult to trace the origin and destination of the traffic. The layered encryption, similar to the layers of an onion, ensures strong anonymity, making Tor a popular choice for users seeking to keep their online activities private.

How does TOR differ from VPNs and proxies?

TOR differs from VPNs and proxies primarily in how it routes and protects your internet traffic. TOR uses multiple layers of encryption and sends your data through a series of volunteer-run nodes, making it very difficult to trace the origin or destination of your traffic. This multi-hop design provides strong anonymity but can slow down browsing speeds.

In contrast, VPNs route your traffic through a single encrypted tunnel to a trusted server, masking your IP address and encrypting your data, which offers both privacy and better speed than TOR. Proxies simply act as intermediaries that forward your requests but usually don’t encrypt your data, offering less privacy and security.

Overall, TOR emphasizes anonymity through layered routing and encryption, VPNs focus on privacy and secure connections with better performance, and proxies mainly provide IP masking without strong encryption.

Proxy vs. VPN vs. TOR, which one should you choose?

  1. Proxy: Directs your traffic through a middleman server, mainly masking your IP address. It’s useful for bypassing geo-restrictions but doesn’t provide strong encryption or privacy.
  2. VPN: Encrypts your connection and conceals your online activities by routing traffic through a secure server. It offers a good balance of privacy, security, and speed, making it ideal for everyday use, secure browsing, and accessing restricted content.
  3. TOR: Sends your data through multiple volunteer-run relays, providing the highest level of anonymity by obscuring your identity and location. However, it can be slower due to the multiple hops and is best suited for users who need maximum privacy, such as activists or journalists.

Choose a proxy for basic IP masking, a VPN for secure and private internet use with decent performance, and TOR when anonymity is the top priority despite slower speeds.

VPN vs. Proxy, which offers better security?

A VPN provides significantly better security than a proxy because it encrypts all your internet traffic, protecting your data from interception and eavesdropping. This encryption ensures that your online activities and sensitive information remain private, even on unsecured networks like public Wi-Fi.

On the other hand, a proxy only masks your IP address by routing your traffic through an intermediary server but usually doesn’t encrypt your data. This means your information can still be exposed to hackers or surveillance.

In summary, if security and privacy are important, a VPN is the better choice over a proxy.

How to get Free VPN/Proxy IPs data?

Many services offer VPN IP data, but whoisfreaks.com stands out by providing accurate and comprehensive information on VPN and proxy IPs, including details on spam, bots, TOR nodes, attackers, and anonymous IPs. The data is enriched with the names of proxy providers and cloud providers linked to each IP address. Additionally, it includes detailed location and network information, making it one of the most reliable sources for VPN and proxy data.

How to identify if an IP address is using a VPN or proxy?

To check if an IP address is associated with a VPN or proxy, you can use specialized IP intelligence services or databases that track and categorize IP addresses. These services analyze various factors such as IP ownership, usage patterns, and known VPN or proxy provider ranges. When you submit an IP address to such a service, it compares the address against its updated lists of VPNs, proxies, TOR nodes, and other anonymizing networks.

Additionally, some methods include checking for unusual traffic behavior, repeated requests from the same IP in short intervals, or IP addresses registered to data centers rather than residential ISPs, all of which are common indicators of VPN or proxy use.

Using an API like the Security API from whoisfreaks.com can automate this process by providing real-time identification of VPN, proxy, and other suspicious IP addresses, helping you determine their status accurately and efficiently.

What does the IP Reputation API return for each IP?

Each call returns a composite threat score from 0 to 100, boolean flags for is_tor, is_proxy, is_anonymous, is_known_attacker, is_spam, is_bot, and is_cloud_provider, the proxy_type (VPN, PROXY, RELAY, OPENVPN, WIREGUARD, PRIVATEVPN), the proxy_provider name, the cloud_provider name when applicable, full ASN data (AS number, organization, RIR, route counts), and district-level geolocation. The full schema is documented in the IP Reputation API documentation.

Is bulk IP lookup supported by the IP Reputation API?

Yes. The bulk endpoint accepts up to 100 IPv4 or IPv6 addresses per request and returns the full reputation payload for every IP in one JSON or XML response. Each IP in the batch counts as one credit against your plan.
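
An added example (not WhoisFreaks code) for preparing an indicator list for the bulk endpoint described above: it normalises and deduplicates addresses, sets aside anything that is not a globally routable IP, and splits the rest into requests of at most 100 while returning the credit cost. The name plan_bulk and the policy of skipping non-global addresses are assumptions; the request itself is left out because the bulk endpoint URL is not given on this page.

```python
import ipaddress

BULK_MAX = 100  # per-request cap stated on this page


def plan_bulk(indicators, batch_size=BULK_MAX):
    """Return (batches, skipped, credits) for an iterable of raw IP strings."""
    seen, valid, skipped = set(), [], []
    for raw in indicators:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            skipped.append((raw, "not an IP address"))
            continue
        # ::ffff:a.b.c.d is the same host as a.b.c.d; score it once as IPv4.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        # Assumption: private, loopback, link-local and reserved addresses are
        # not worth a credit, and internal addressing stays out of the request.
        if not addr.is_global:
            skipped.append((raw, "not globally routable"))
            continue
        if addr in seen:
            skipped.append((raw, "duplicate"))
            continue
        seen.add(addr)
        valid.append(str(addr))
    batches = [valid[i:i + batch_size] for i in range(0, len(valid), batch_size)]
    # One credit per IP in the batch, as stated above.
    return batches, skipped, len(valid)


# Constructed indicator list: repeats, an internal host, and a non-IP token.
SAMPLE = ["8.8.8.8", " 8.8.8.8 ", "::ffff:8.8.8.8", "10.0.0.5",
          "not-an-ip", "2001:4860:4860::8888"]

if __name__ == "__main__":
    batches, skipped, credits = plan_bulk(SAMPLE)
    print(batches, credits)
    for raw, why in skipped:
        print(f"skipped {raw!r}: {why}")
```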

How often is the IP reputation data refreshed?

The IP Reputation API data is refreshed every 24 hours. Daily and monthly snapshot databases for offline ingestion are also available via the IP Reputation Database product.

What is the number of free API credits available for new users, and are these credits rate-limited?

We provide 500 API credits to new users, and yes, those credits are rate-limited: 10 requests per minute for Live APIs, 5 requests per minute for Bulk Domain Lookup, and 1 request per minute for Reverse/Historical Endpoints.

Do you provide any headers in API response regarding rate limiting?

Yes, the response includes the following three headers:
  • X-RateLimit-Allowed-Requests: The maximum number of API requests allowed per minute on a specific plan.
  • X-RateLimit-Remaining-Requests: The number of API requests remaining in the current minute for that plan.
  • X-RateLimit-Remaining-Time: The time remaining until the per-minute request count resets.

Is this the same product as the IP Security API?

Yes. The IP Reputation API was previously branded as the IP Security API. The endpoint URL (api.whoisfreaks.com/v1.0/security), the request format, the response schema, and the credit consumption are unchanged. Only the visible product name is updated.

Ready to get started? Join now and claim 500 credits for free!

Elevate your cybersecurity strategy with our all-in-one domain and IP intelligence platform empowering analysts, researchers, and brand owners with real-time WHOIS, DNS, IP, and subdomain insights.
