Enter any IPv4 or IPv6 address to instantly check whether it is a known Tor exit node. Our database is refreshed every hour directly from the Tor Project's official consensus — the same source security teams worldwide rely on.
Enter any IPv4 or IPv6 address
Tor (The Onion Router) is a free, volunteer-operated anonymity network. Understanding how it works explains why exit node detection is the key to Tor-aware fraud prevention.
Tor routes internet traffic through a chain of three volunteer-operated relays. Each relay unwraps one layer of encryption — like peeling an onion — so no single node ever knows both who sent a request and where it is going. This design provides strong anonymity at the cost of speed.
The exit node (or exit relay) is the final relay in the Tor circuit. It is the node that actually connects to the destination website on behalf of the user. From the destination's perspective, the exit node's IP address is the request source — the user's real IP stays hidden behind the circuit.
Unlike VPNs and proxies, Tor exit nodes are publicly listed. The Tor Project publishes an official machine-readable consensus document every hour that enumerates every active exit relay. This makes Tor detection uniquely reliable — we simply check IPs against the authoritative source.
How a Tor Circuit Works
Tor exit node detection is a core signal in fraud prevention pipelines. Here is how security teams put it to work.
Flag or challenge account signups, logins, and checkout sessions arriving from Tor exit nodes. Fraudsters and credential-stuffing bots frequently route through Tor to evade IP-based blocks — detecting exit nodes removes this anonymity layer.
Financial institutions and regulated services must log and report anonymisation tool usage under KYC/AML frameworks. Tagging Tor-originated transactions creates the audit trail regulators require without blocking users outright.
Streaming platforms and content distributors enforce geo-restrictions via IP geolocation. Tor exit nodes break this because the exit location replaces the user's true location. Detecting Tor traffic preserves licence boundaries.
Step-up authentication workflows use Tor detection as a high-risk signal. A login from a Tor exit node — especially one that does not match a user's typical location — warrants an MFA challenge or temporary account hold pending verification.
Click farms and ad fraud bots rotate through Tor exit nodes to generate fraudulent impressions and clicks. Filtering Tor traffic before billing advertisers or crediting conversions keeps your analytics clean.
Tor is also used by journalists, activists, abuse survivors, and security researchers with entirely legitimate needs. Consider flagging rather than hard-blocking in most contexts — require extra verification steps instead of a flat refusal. Reserve outright blocking for the highest-risk transaction types.
Integrate real-time Tor exit node checks directly into your application. Simple REST API returning JSON — no SDK or parsing required.
https://ip-api.io/api/v1/tor/{ip}
Returns whether the IP is a current Tor exit node and the total count of known exit nodes.
Rate limited by IP address — no API key required for free-tier use.
Add ?api_key=YOUR_KEY for higher rate limits.
{
"ip": "185.220.101.50",
"is_tor": true,
"tor_node_count": 1247
}ip
The IP address that was checked.
is_tor
true if the IP is a known Tor exit node in the current consensus; false otherwise.
tor_node_count
Total number of Tor exit nodes currently in our database. Refreshed every hour from the official Tor consensus.
# Check if an IP is a Tor exit node
curl "https://ip-api.io/api/v1/tor/185.220.101.50"
# With API key for higher rate limits
curl "https://ip-api.io/api/v1/tor/185.220.101.50?api_key=YOUR_API_KEY"import requests
def check_tor_node(ip: str) -> dict:
response = requests.get(f"https://ip-api.io/api/v1/tor/{ip}")
response.raise_for_status()
data = response.json()
status = "TOR EXIT NODE" if data["is_tor"] else "clean"
print(f"IP: {data['ip']}")
print(f"Status: {status}")
print(f"Known exit nodes: {data['tor_node_count']}")
return data
check_tor_node("185.220.101.50")const response = await fetch(
"https://ip-api.io/api/v1/tor/185.220.101.50"
);
const data = await response.json();
console.log(`IP: ${data.ip}`);
console.log(`Is Tor: ${data.is_tor}`);
console.log(`Known exit nodes: ${data.tor_node_count}`);
if (data.is_tor) {
// Flag session for additional verification
requireExtraVerification();
}Start using IP-API.io to make your website safer and more user-friendly. Keep out unwanted bots, show visitors content that's relevant to where they are, and spot risky IP addresses quickly. It's perfect for making online shopping more personal and keeping your site secure. Get started today with one of the plans!
Common questions about Tor detection and the ip-api.io Tor Detection API
A Tor exit node (also called an exit relay) is the final relay in the Tor network that forwards traffic from the Tor circuit out to the open internet. When a user browses through Tor, their traffic passes through three relays — guard, middle, and exit. The exit node is the one whose IP address appears as the source of requests to websites, making it the relay most associated with user activity even though the user's real IP remains hidden inside the circuit.
Use the free tool at the top of this page: enter any IPv4 or IPv6 address and click
Check IP. For programmatic access, call our REST API:
GET https://ip-api.io/api/v1/tor/{ip}. The response includes
is_tor (true/false) and tor_node_count (the current total of
known exit nodes). No API key is required for free-tier use.
Not necessarily. Tor is used both by people with entirely legitimate privacy needs — journalists, activists, abuse survivors, whistleblowers — and by bad actors trying to conceal fraudulent activity. A balanced approach is to flag rather than block: require additional verification (CAPTCHA, email confirmation, phone number) for sessions arriving from Tor exit nodes rather than refusing them entirely. Reserve hard-blocking for the highest-risk operations such as financial transactions or account recovery flows.
Our Tor exit node list is refreshed every hour from the Tor Project's official consensus data. The Tor consensus itself updates approximately every hour, so our database reflects the live state of the Tor network within one hour of any change — nodes leaving or joining the exit relay pool appear in our results within that window.
The Tor Project publishes the official exit node list at
check.torproject.org/torbulkexitlist.
Our API augments this with a simple JSON lookup endpoint so you can check individual IPs
programmatically without parsing the raw text list yourself. The tor_node_count
field in every API response tells you how many exit nodes are currently in our database.
Tor routes traffic through a chain of three volunteer-operated relays, providing strong anonymity at the cost of speed. VPNs route traffic through a single server operated by a commercial provider, offering moderate anonymity and better performance. Proxies are single forwarding servers, typically with no encryption. From a fraud-prevention perspective, all three mask the user's real IP — but Tor exit nodes are publicly listed (making detection straightforward), while VPN and proxy detection requires broader threat intelligence feeds. For combined detection, see our Fraud Detection API.
Explore how IP-API.io can enhance your security, provide robust bot protection, and improve IP geolocation accuracy for your applications.
Contact SupportCustomize your experience with tailored plans that fit your IP security and geolocation needs.
Email Us