OpenIPApi combines geolocation, ASN data, Tor lists, proxy checks and active probing from 60+ active probing nodes to help you score risky IP addresses before they reach your product.
Try it — look up any IP address
One request, structured JSON response
$ curl https://api.openipapi.com/v1/lookup/8.8.8.8 \
-H "X-API-Key: YOUR_API_KEY"{
"ip": "8.8.8.8",
"geo": { "country_code": "US", "country": "United States" },
"network": { "asn": 15169, "as_name": "Google LLC" },
"threat": {
"is_vpn": false, "is_proxy": false, "is_tor": false,
"threat_score": 12
}
}60+
Probing nodes
240+
Countries covered
<50ms
Avg response time
99.9%
Uptime SLA
Most IP APIs just read a static database. We actively scan the internet to verify what every IP actually does.
They read from a MaxMind or similar database. The data says "Germany, Frankfurt, residential." That's it. They don't know if the IP runs a VPN, a proxy, or a Tor relay. They guess based on lists that can be weeks old.
Our 60+ nodes continuously scan IPs: port scanning, reverse DNS, TLS certificate inspection, SOCKS/HTTP proxy detection, VPN protocol fingerprinting. We verify what an IP does instead of guessing from a list.
What our probing nodes find
Country, region, city, postal code, timezone, and coordinates. 95–99% country accuracy, updated weekly from multiple sources.
ASN number, AS name, ISP, organization, and connection type — residential, datacenter, mobile, education, or government.
Active port scanning detects OpenVPN (1194), WireGuard (51820), IPSec (4500), and commercial VPN infrastructure via ASN + reverse DNS.
Detects open HTTP proxies (8080, 3128), SOCKS4/5 proxies (1080), and anonymous relay services through active handshake testing.
Real-time detection updated every hour from the official Tor Project exit list, cross-referenced with our own probing results.
Composite score 0–100 combining VPN/proxy/Tor flags, probing results, abuse reports, and known threat feeds into one number.
Dedicated fraud endpoint returns risk level (low/medium/high/critical) and actionable recommendation (allow/review/challenge/block).
Look up multiple IPs in a single request — 100 per request on Starter, 500 on Pro, 1,000 on Business, up to 5,000 on Enterprise. Ideal for processing access logs, fraud screening pipelines, and security audits.
Get the abuse contact email for any IP range. Essential for reporting abuse, filing takedowns, and automated incident response.
Drop-in MaxMind .mmdb binary database for offline and edge lookups. Country, ASN, and city-level databases refreshed daily. Works with any MaxMind DB reader.
Real-time HTTP POST notifications when an IP becomes VPN/Tor/proxy or crosses a threat threshold. HMAC-SHA256 signed payloads with replay protection.
Monitor specific IPs for status changes. Get email alerts when an address you care about turns into a VPN, Tor exit, or suddenly gains a high threat score.
Every company with users on the internet benefits from knowing what's behind an IP address.
A customer pays with a German credit card but the IP comes from a datacenter in Singapore. Without IP intelligence, you process the payment and eat the chargeback.
With OpenIPApi: flag datacenter IPs, detect VPNs on checkout, compare geo to billing country. Block fraud before it costs you.
Abusers create hundreds of free trial accounts using VPNs and datacenter IPs. Each fake account costs you server resources and skews your metrics.
With OpenIPApi: detect datacenter + VPN IPs at signup and require step-up verification for suspicious connections. Reduces automated trial abuse when combined with email verification, rate limiting, and account behavior checks.
Regulators require you to block users from restricted jurisdictions. If someone connects via VPN from a blocked country and you miss it, you face fines.
With OpenIPApi: verify country, detect VPNs and proxies, flag Tor. Ensure compliance is based on real connection data, not just what the user claims.
Account takeover attacks often show up as logins from a new country or through an anonymizing proxy. By the time you notice, the money is gone.
With OpenIPApi: detect impossible travel (login from Prague, then Lagos in 10 minutes), flag Tor and proxy usage, trigger step-up authentication.
Bots running in datacenters click your ads, draining your budget. Competitors use proxies to inflate your spend with zero real conversions.
With OpenIPApi: filter datacenter IPs from ad impressions, identify proxy and VPN traffic, only pay for clicks from real residential users.
Licensing agreements restrict content to specific regions. Users bypass restrictions with VPNs, putting your licensing deals at risk.
With OpenIPApi: enforce geo-restrictions with confidence. Detect VPN and proxy users trying to bypass region locks with our active probing data.
Our probing network continuously scans IPs to build threat intelligence that databases alone can't provide.
We scan for VPN ports (1194, 51820, 4500), proxy ports (1080, 3128, 8080), and service ports to fingerprint what the IP is running.
PTR records and TLS certificates reveal the true identity of the service behind an IP.
We attempt SOCKS5 handshakes, HTTP CONNECT tunnels, and protocol-specific probes to confirm whether a proxy or VPN is actually running.
All signals are combined into a threat score (0–100). Tor + VPN ports + datacenter ASN = high score. Residential + no flags = low score.
Beyond the API: a full dashboard with watchlists, webhooks, bulk tools, and offline databases.
/v1/lookup/{ip} — single IP with full geo + threat data/v1/lookup/batch — 100–5,000 IPs per request (plan-dependent)/v1/me — caller's own IP geolocation/v1/asn/{asn} — ASN detail and prefix list/v1/validate/{ip} — validate and classify any IP/v1/fraud/{ip} — fraud score + recommendation/v1/probe/{ip} — open ports, TLS cert, banners, reverse DNS/v1/proxy-attribution/{ip} — residential proxy / VPN provider attributionDrop-in MaxMind-compatible binary databases for offline and edge lookups. Works with any MMDB reader library.
Real-time HTTP POST notifications when an IP changes status. Configurable per-event and per-threshold.
vpn_detected, tor_detected, proxy_detected, high_threatX-OpenIPApi-Signature)Track specific IPs, CIDR blocks, or ASNs. Get notified the moment something you care about changes.
Attribute IPs to specific residential proxy pools and VPN providers. The fraud blind spot: "residential" IP that's actually a Bright Data or Hola exit node.
provider: "brightdata")treat_as_commercial_proxy, block_or_challenge, …)60+ dedicated probing nodes verify what an IP actually does in real time — not just what a stale database says.
One HTTP request. Structured JSON response with geolocation, network, threat data, and fraud scoring.
$ curl https://api.openipapi.com/v1/lookup/185.220.101.45 \
-H "X-API-Key: oip_your_key_here"
{
"ip": "185.220.101.45",
"geo": {
"country": "Germany",
"city": "Frankfurt am Main",
"timezone": "Europe/Berlin"
},
"network": {
"asn": 205100,
"isp": "F3 Netze",
"connection_type": "datacenter"
},
"threat": {
"is_tor": true,
"is_vpn": true,
"threat_score": 85,
"threat_categories": ["tor_exit_node", "known_abuser"]
}
}Feature-by-feature comparison with the largest IP intelligence providers.
| Feature | OpenIPApi | IPinfo | ipstack | MaxMind |
|---|---|---|---|---|
| Geolocation | ||||
| ASN / ISP data | ||||
| Connection type | — | — | ||
| Active probing | — | — | — | |
| VPN detection | Add-on | — | — | |
| Proxy detection | Add-on | — | — | |
| Tor detection | Add-on | — | — | |
| Threat score | — | — | — | |
| Fraud scoring | — | — | — | |
| Abuse contact | — | — | ||
| Batch API | — | |||
| MMDB download | Paid only | — | ||
| Webhooks & watchlist | — | — | — | |
| Free tier | 10,000/mo | 50,000/mo | 100/mo | GeoLite2 |
| Starting price | $15/mo | $49/mo | $10/mo | $26/mo |
Comparison is based on publicly available pricing and feature information as of May 2026 and may change over time. Always verify current vendor pricing before making a purchasing decision.
Use official OpenIPApi SDKs hosted directly by OpenIPApi. No third-party package registry required.
JavaScript / TypeScript
import { OpenIPApi } from '/sdk/javascript/openipapi.js';
const client = new OpenIPApi('YOUR_KEY');
const data = await client.lookup('8.8.8.8');
console.log(data.threat?.is_vpn);Python
from openipapi import OpenIPApi
client = OpenIPApi("YOUR_KEY")
data = client.lookup("8.8.8.8")
print(data.get("threat", {}).get("is_vpn"))PHP
require __DIR__ . '/OpenIPApiClient.php';
$client = new OpenIPApiClient('YOUR_KEY');
$data = $client->lookup('8.8.8.8');
echo !empty($data['threat']['is_vpn']) ? 'yes' : 'no';These SDKs are hosted directly by OpenIPApi. Package registry versions for npm, PyPI and Packagist may be added later.
10,000 free lookups every month. No credit card required.
Paid plans start at $15/month — geolocation, threat signals, and active probing in one API.
Part of the Open API ecosystem