Tor Detection API
Real-Time Tor Exit Node Checks.
Check any IPv4 or IPv6 address against the live Tor consensus in real time. Refreshed hourly from the official Tor Project data — the same source relied on by security teams worldwide.
How Tor Exit Node Detection Works
Tor exit nodes are the only point in the Tor circuit that is publicly listed. Here is why that makes detection uniquely reliable.
The Onion Router
Tor routes internet traffic through a chain of three volunteer-operated relays. Each relay unwraps one layer of encryption — like peeling an onion — so no single node ever knows both who sent a request and where it is going. This design provides strong anonymity at the cost of speed.
What Is an Exit Node?
The exit node (or exit relay) is the final relay in the Tor circuit. It is the node that actually connects to the destination website on behalf of the user. From the destination's perspective, the exit node's IP address is the request source — the user's real IP stays hidden behind the circuit.
Why Exit Nodes Are Detectable
Unlike VPNs and proxies, Tor exit nodes are publicly listed. The Tor Project publishes an official machine-readable consensus document every hour that enumerates every active exit relay. This makes Tor detection uniquely reliable — we simply check IPs against the authoritative source.
API Documentation & Code Examples
One endpoint returns whether any IP is a current Tor exit node plus the live count of known nodes. Integrate into any security pipeline in minutes.
GET /api/v1/tor/{ip}?api_key={key}
# Check if an IP is a Tor exit node
curl "https://ip-api.io/api/v1/tor/185.220.101.50?api_key=YOUR_API_KEY"
{
  "ip": "185.220.101.50",
  "is_tor": true,
  "tor_node_count": 1247
}
GET /api/v1/tor/{ip}?api_key={key}
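async function checkTorNode(ip) {
  // Encode the address so caller-supplied input cannot alter the request path
  const res = await fetch(
    `https://ip-api.io/api/v1/tor/${encodeURIComponent(ip)}?api_key=YOUR_API_KEY`
  );
  // Fail loudly on HTTP errors instead of parsing an error body as a result
  if (!res.ok) throw new Error(`Tor lookup failed: HTTP ${res.status}`);
  const data = await res.json();
  console.log(data.is_tor);          // true
  console.log(data.tor_node_count);  // 1247
  return data;
}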
GET /api/v1/tor/{ip}?api_key={key}
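import requests

res = requests.get(
    "https://ip-api.io/api/v1/tor/185.220.101.50",
    params={"api_key": "YOUR_API_KEY"},
    timeout=5,  # never let a lookup hang the calling request
)
res.raise_for_status()  # surface HTTP errors instead of parsing an error body
data = res.json()
print(data["is_tor"])          # True
print(data["tor_node_count"])  # 1247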
Why Detect Tor Traffic
Tor exit node detection is a core signal in fraud prevention pipelines. Here is how security teams put it to work.
Fraud Prevention
Flag or challenge account signups, logins, and checkout sessions arriving from Tor exit nodes. Fraudsters and credential-stuffing bots frequently route through Tor to evade IP-based blocks — detecting exit nodes removes this anonymity layer.
Compliance & Audit
Financial institutions and regulated services must log and report anonymisation tool usage under KYC/AML frameworks. Tagging Tor-originated transactions creates the audit trail regulators require without blocking users outright.
Content Licensing
Streaming platforms and content distributors enforce geo-restrictions via IP geolocation. Tor exit nodes break this because the exit location replaces the user's true location. Detecting Tor traffic preserves licence boundaries.
Account Security
Step-up authentication workflows use Tor detection as a high-risk signal. A login from a Tor exit node — especially one that does not match a user's typical location — warrants an MFA challenge or temporary account hold pending verification.
Ad Fraud & Bot Detection
Click farms and ad fraud bots rotate through Tor exit nodes to generate fraudulent impressions and clicks. Filtering Tor traffic before billing advertisers or crediting conversions keeps your analytics clean.
Legitimate Tor Use
Tor is also used by journalists, activists, abuse survivors, and security researchers with entirely legitimate needs. Consider flagging rather than hard-blocking in most contexts — require extra verification steps instead of a flat refusal. Reserve outright blocking for the highest-risk transaction types.
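The flag-rather-than-block approach above, as an added example (not ip-api.io's own code): it maps the API's is_tor result to an action per operation and decides what happens when the lookup itself fails. The operation names, the action strings and the rule that tor_node_count of 0 means "unknown" are assumptions of this sketch; `lookup` is any callable that returns the parsed JSON body.

```python
# Hypothetical operation labels; adapt to your own risk tiers.
HARD_BLOCK_OPS = {"financial_transaction", "account_recovery"}
STEP_UP_OPS = {"signup", "login", "checkout"}


def parse_tor_response(body):
    """Return True/False from the API's JSON body, or None if it cannot be trusted."""
    if not isinstance(body, dict):
        return None
    is_tor = body.get("is_tor")
    count = body.get("tor_node_count")
    # Assumption: a healthy dataset always holds some exit nodes, so a
    # non-boolean flag or a count of 0 is treated as "signal unavailable".
    if not isinstance(is_tor, bool) or not isinstance(count, int) or count <= 0:
        return None
    return is_tor


def decide(operation, lookup, ip):
    """Map a Tor lookup to allow / allow_and_log / step_up / block."""
    try:
        is_tor = parse_tor_response(lookup(ip))
    except Exception:
        is_tor = None  # network error, timeout, invalid JSON
    if is_tor is None:
        # Signal unavailable: do not silently wave through the riskiest operations.
        return "step_up" if operation in HARD_BLOCK_OPS else "allow"
    if not is_tor:
        return "allow"
    if operation in HARD_BLOCK_OPS:
        return "block"       # reserved for the highest-risk operations
    if operation in STEP_UP_OPS:
        return "step_up"     # MFA, CAPTCHA or email confirmation
    return "allow_and_log"   # tag the session for audit, no friction
```
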
Tor Detection — FAQs
Common questions about Tor detection and the ip-api.io Tor Detection API.
What is a Tor exit node?
A Tor exit node (also called an exit relay) is the final relay in the Tor network that forwards traffic from the Tor circuit out to the open internet. When a user browses through Tor, their traffic passes through three relays — guard, middle, and exit. The exit node is the one whose IP address appears as the source of requests to websites, making it the relay most associated with user activity even though the user's real IP remains hidden inside the circuit.
How do I check if an IP is a Tor exit node?
Use the free tool at the top of this page: enter any IPv4 or IPv6 address and click Check IP. For programmatic access, call our REST API: GET https://ip-api.io/api/v1/tor/{ip}. The response includes is_tor (true/false) and tor_node_count (the current total of known exit nodes). No API key is required for free-tier use.
Should I block Tor users?
Not necessarily. Tor is used both by people with entirely legitimate privacy needs — journalists, activists, abuse survivors, whistleblowers — and by bad actors trying to conceal fraudulent activity. A balanced approach is to flag rather than block: require additional verification (CAPTCHA, email confirmation, phone number) for sessions arriving from Tor exit nodes rather than refusing them entirely. Reserve hard-blocking for the highest-risk operations such as financial transactions or account recovery flows.
How often is your Tor data updated?
Our Tor exit node list is refreshed every hour from the Tor Project's official consensus data. The Tor consensus itself updates approximately every hour, so our database reflects the live state of the Tor network within one hour of any change — nodes leaving or joining the exit relay pool appear in our results within that window.
Can I get a list of all Tor exit nodes?
The Tor Project publishes the official exit node list at check.torproject.org/torbulkexitlist. Our API augments this with a simple JSON lookup endpoint so you can check individual IPs programmatically without parsing the raw text list yourself. The tor_node_count field in every API response tells you how many exit nodes are currently in our database.
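For teams that do match against the raw list locally, this added example (not ip-api.io or Tor Project code) parses list text and normalises client addresses before lookup, so an IPv4-mapped IPv6 address reported by a dual-stack socket still matches. It assumes the list is plain text with one address per line; the sample list is constructed and the function names are illustrative.

```python
import ipaddress

# Constructed sample in the assumed one-address-per-line layout.
# 185.220.101.50 is the address used in this page's API examples;
# the other entries are documentation-range placeholders.
SAMPLE_LIST = """\
# constructed sample, not live data
185.220.101.50
198.51.100.7

2001:db8::1f
not-an-ip
"""


def normalize(ip_text):
    """Return a canonical address object; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(ip_text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def load_exit_set(text):
    """Parse list text into a set of addresses; report lines that are not addresses."""
    exits, rejected = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(normalize(line))
        except ValueError:
            rejected.append(line)  # surface junk instead of silently dropping it
    return exits, rejected


def is_tor_exit(client_ip, exits):
    """True if client_ip, in any textual form, is in the set. Invalid input raises ValueError."""
    return normalize(client_ip) in exits
```

Comparing address objects rather than strings is what makes `::ffff:185.220.101.50` and an uncompressed, upper-case IPv6 form match their list entries.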
What's the difference between Tor, VPN, and proxies?
Tor routes traffic through a chain of three volunteer-operated relays, providing strong anonymity at the cost of speed. VPNs route traffic through a single server operated by a commercial provider, offering moderate anonymity and better performance. Proxies are single forwarding servers, typically with no encryption. From a fraud-prevention perspective, all three mask the user's real IP — but Tor exit nodes are publicly listed (making detection straightforward), while VPN and proxy detection requires broader threat intelligence feeds. For combined detection, see our Fraud Detection API.