DEV Community

Cover image for How to detect VPN users on your website/app
Tal Tarik
Tal Tarik

Posted on

How to detect VPN users on your website/app

If you’re building a website or web app that needs to detect users connecting through a VPN—whether to prevent fraud, enforce geo-restrictions, or flag suspicious traffic—you can do it in just a few lines of code using IPLocate. IPLocate provides accurate threat detection by IP address, including VPN and proxy detection.

Below are some simple examples using Javascript to detect VPN usage via the IPLocate API. All you need is to sign up for a free API key (no card needed, free up to 1,000 requests per day).

Example: Detect VPN client-side with Javascript

const response = await fetch('https://www.iplocate.io/api/lookup/?apikey=YOUR_API_KEY');
const data = await response.json();

if (data.privacy && data.privacy.is_vpn) {
  console.log("This user is likely using a VPN.");
  // You can log, flag, or block the user here
} else {
  console.log("User is not using a VPN.");
}
Enter fullscreen mode Exit fullscreen mode

This fetches IP data for the current user and checks the privacy.is_vpn field—true means the IP is known to be part of a VPN network.

The response also includes other helpful fields like is_proxy, is_tor, and is_hosting, which you can use for additional filtering or analysis. See the API documentation for details on all available fields.

Example: Detect VPN server-side with Express.js

const express = require('express');
const fetch = require('node-fetch');

const app = express();
const API_KEY = 'YOUR_API_KEY';

app.get('/', async (req, res) => {
  const ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
  const url = `https://www.iplocate.io/api/lookup/${ip}?apikey=${API_KEY}`;

  try {
    const response = await fetch(url);
    const data = await response.json();

    if (data.privacy && data.privacy.is_vpn) {
      console.log(`VPN detected for IP: ${ip}`);
      // Handle VPN logic here
    } else {
      console.log(`No VPN detected for IP: ${ip}`);
    }

    res.send('Request processed.');
  } catch (err) {
    console.error('Error checking VPN status:', err);
    res.status(500).send('Error checking IP address.');
  }
});

app.listen(3000, () => console.log('Server running on port 3000'));
Enter fullscreen mode Exit fullscreen mode

You can find other code snippets — including Python, PHP, others, and IPLocate’s official client libraries — on their docs page.

Psst: I also recently wrote about which IP geolocation API is the best in 2025!

Top comments (8)

Collapse
 
perseque profile image
Perseque

Is the request per user? So if you have 1000 users, you will use up the 1000 request for the day?

Collapse
 
tallytarik profile image
Tal Tarik

That's correct, but a couple of extra points:

  1. A free API key gives you 1,000 requests a day. However, if you're using the API client-side, you could instead use the free tier without an API key. This has an even lower limit of 50 requests/day, BUT it is rate-limited by the IP address of your client rather than an API key. So each of your users can make 50 requests per day, which makes this effectively unlimited!

  2. While IPLocate is one of the less expensive IP intelligence APIs, I would also recommend caching either client-side or server-side. Their own blog has a good example of client-side caching with LocalStorage here: iplocate.io/blog/redirect-user-bas...

Collapse
 
crafael23 profile image
Claudio Vasquez

My guess would be inclined to a yes, but if thats the case, you could probably do some sort of caching to avoid unecessary refetches.

Collapse
 
ricorizz profile image
Rico Rizz

Yes, typically it's one request per user action. So if you have 1000 users, and each triggers one request, you’ll use 1000 requests that day. Always check the specific API’s rate limit rules, but that's the general idea!

Collapse
 
louis7 profile image
Louis Liu

Looks like it's per request. You can cache the result in your database or somewhere to reduce the usage.

Collapse
 
moopet profile image
Ben Sinclair

Could you give an example of a reason someone might want to do this?

Some comments may only be visible to logged-in visitors. Sign in to view all comments.