DOCS

Free Tor Checker: See if Any IP Is a Tor Exit Node Instantly

The Tor network anonymizes traffic by routing it through three volunteer relays. The last relay, the exit node, is the IP your server sees. Check whether any IP is a current Tor exit node in under 200ms. No signup required.
START FOR FREE
CONTACT SALES
Enter an IP address to start
Need inspiration? Try
73.162.0.1
Check IP
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Learn more about the free IP Lookup
Checking
5
You have used all your daily credits
Sign up to get more free validations
Please, input a correct IP address
Sign up to get more free validations
Results for
ip address
Is Tor:
Is Tor
Country:
Country
Is Proxy:
Is Proxy
Is VPN:
Is VPN:
Get free credits, more data, and faster results
CREATE A FREE ACCOUNT

What is a Tor exit node?

Tor (The Onion Router) is a free, volunteer-operated network that routes traffic through three randomly chosen relays before it reaches its destination. Each relay knows only its immediate neighbors, so no single point in the path can link a user to the sites they visit. The last relay in the path, the exit node, is what your server sees: the user's request appears to come from the exit node's IP, not from the user's real one.

The Tor Project publishes the full list of current exit nodes publicly, which is what makes Tor detection essentially deterministic: an IP either is a current exit node or it is not. There is no probabilistic signal to weigh, no behavioral inference required. The only quality variable is how fresh the underlying list is.

How Tor detection works

When you submit an IP address, the check runs three steps:

  1. 1. Tor exit list lookup. The IP is cross-referenced against the canonical Tor exit-node list published by the Tor Project. A direct match is the only signal needed; Tor exit detection does not rely on inference, and the underlying list is refreshed continuously as relay operators add and remove nodes.
  2. VPN and proxy cross-check. The check returns VPN and proxy signals alongside the Tor flag. An IP that is a Tor exit node is sometimes also flagged as a hosting IP (most exit relays run in datacenters) and may show overlapping VPN or proxy patterns. The combined picture is sharper than the Tor flag alone.
  3. Single-call response. The Tor flag returns alongside VPN, proxy, hosting, and country fields in one request. No separate calls per category, no orchestration.

Tor exit nodes are concentrated in some jurisdictions (Germany, France, Netherlands, US) and rare in others, so the country field is useful additional context for risk decisions. Most checks complete in under 200ms.

When to act on a Tor flag

Tor traffic is not malicious by default. Many legitimate users route through Tor for privacy, journalism, censorship circumvention, and personal safety. The flag is decision-relevant on some surfaces, not on others.

When the flag is decision-relevant: high-friction actions where the cost of letting an attack through is meaningful and step-up verification is reasonable. Account creation with payment data attached, sensitive transactions (financial transfers, password resets, KYC flows), login from a Tor exit when the legitimate user has never used Tor before, abuse and credential-stuffing investigation, geographic compliance use cases that require IP attribution, and scraping defense on rate-sensitive endpoints. Pair the Tor flag with VPN, proxy, and abuse-history signals — a Tor exit IP that is also flagged for abuse is meaningfully higher risk than one without.

When the flag is not the right basis to act: marketing pages, content reads, and public information; read-only documentation, status pages, and support content; markets where Tor is widely used to circumvent censorship; audiences that include journalists, researchers, activists, or people in vulnerable circumstances; any surface where the cost of a false-positive block exceeds the cost of an unsuccessful attack. Let Tor traffic through on these surfaces. If a specific endpoint is being abused, gate that endpoint rather than the whole site.

A Tor flag is not a verdict. It is one input among several. The Tor Project itself maintains the network specifically to support legitimate use cases (journalism, dissent, abuse-survivor privacy) alongside the smaller share of abusive traffic that any anonymizing service attracts. Calibrate accordingly.

Use cases for Tor detection

Signup fraud screening: Tor traffic on signup is a strong indicator of intent to mask the real source. Combine the Tor flag with VPN, proxy, and hosting status to filter the patterns most associated with fake accounts and policy violations, while keeping the rest of the page accessible to legitimate visitors.

Abuse and credential-stuffing investigation: When you are working a security incident, knowing whether the attacker IPs were Tor exits is a useful classification. The check fits cleanly into a SOAR pipeline or a manual investigation workflow alongside abuse-history and ASN data.

Sensitive transaction risk: Payment flows, password resets, and financial transfers benefit from step-up authentication when a Tor flag fires. Send the request through 2FA, SMS confirmation, or manual review rather than blocking outright. The flag widens the verification net, not the block list.

Scraping and automation defense: Some scraping operations rotate through Tor exits to evade rate limits. Detecting the Tor flag at the edge lets you apply tighter rate limiting, CAPTCHA challenges, or proof-of-work to suspect traffic without breaking access for human Tor users.

See what the API returns

Every Tor check returns a structured JSON response. The same data the tool above shows is available through the API, from one request to millions per month.

Response parameters

ip_address

String
The IP address submitted for geolocation.

security.is_vpn

Boolean
Whether the IP address is being used from a VPN.

security.is_proxy

Boolean
Whether the IP address is being used from a Proxy.

security.is_tor

Boolean
Whether the IP address is part of the TOR network.

security.is_hosting

Boolean
Whether the IP address is an internet service hosting IP address.

security.is_relay

Boolean
Whether the IP address is being used as a relay server.

security.is_mobile

Boolean
Whether the IP address belongs to a mobile network.

security.is_abuse

Boolean
Whether the IP address has been flagged for abusive behavior.

asn.asn

Integer
The Autonomous System Number (ASN) associated with the IP address.

asn.name

String
The name of the organization or ISP associated with the ASN.

asn.domain

String
The domain associated with the ASN.

asn.type

String
The type of organization, such as ISP or hosting.

company.name

String
The name of the company associated with the IP address.

company.domain

String
The company's domain name.

company.type

String
The type of company, such as ISP or hosting.

domains.domains

Array
A list of domains associated with the IP address.

location.city

String
City's name.

location.city_geoname_id

Integer
City's geoname ID.

location.region

String
State or province in which the city is located.

location.region_iso_code

Integer
State or province's ISO 3166-2 code.

location.region_geoname_id

String
State or province's geoname ID.

location.postal_code

String
ZIP or postal code.

location.country

String
Country's name.

location.country_code

Integer
Country's ISO 3166-1 alpha-2 code.

location.country_geoname_id

Integer
Country's geoname ID.

location.is_country_eu

Boolean
True if the country is in the EU, false if it is not.

location.continent

String
Continent's name.

location.continent_code

String
2 letter continent code: AF, AS, EU, NA, OC, SA, AN.

location.continent_geoname_id

Integer
Continent's geoname ID.

location.longitude

Float
Decimal of the longitude.

location.latitude

Float
Decimal of the latitude.

timezone.name

String
Timezone's name from the IANA Time Zone Database.

timezone.abbreviation

String
Timezone's abbreviation, also from the IANA Time Zone Database.

timezone.utc_offset

Integer
The UTC offset for the timezone.

timezone.local_time

String
Current time in the local time zone.

timezone.is_dst

Boolean
True if the location is currently in Daylight Savings Time (DST).

flag.emoji

String
Country's flag as an emoji.

flag.unicode

String
Country's flag in unicode.

flag.png

String
Link to a hosted version of the country's flag in PNG format.

flag.svg

String
Link to a hosted version of the country's flag in SVG format.

currency.name

String
The currency's name.

currency.code

String
The currency's code in ISO 4217 format.

currency.symbol

String
The currency's symbol.

API Endpoint

curl --request GET \
  --url https://ip-intelligence.abstractapi.com/v1

API Response

{
"ip_address": "185.197.192.65",
"security": {
    "is_vpn": true,
    "is_proxy": true,
    "is_tor": false,
	"is_hosting": false,
	"is_relay": false,
	"is_mobile": false,
	"is_abuse": false,
},
"asn": {
    "asn": 136787,
    "name": "PacketHub S.A.",
    "domain": "packethub.tech",
    "type": "isp",
},
"company": {
    "name": "PacketHub S.A.",
    "domain": "packethub.tech",
    "type": "isp",
},
"domains": {
	"domains": []
},
"location": {
    "city": "Miami",
    "city_geoname_id": 4164138,
    "region": "Florida",
    "region_iso_code": "FL",
    "region_geoname_id": 4155751,
    "postal_code": "33197",
    "country": "United States",
    "country_code": "US",
    "country_geoname_id": 6252001,
    "is_country_eu": false,
    "continent": "North America",
    "continent_code": "NA",
    "continent_geoname_id": 6255149,
    "longitude": -80.1946,
    "latitude": 25.7689,
},
"timezone": {
    "name": "America/New_York",
    "abbreviation": "EST",
    "utc_offset": -5,
    "local_time": "12:07:51",
    "is_dst": false,
},
"flag": {
    "emoji": "🇺🇸",
    "unicode": "U+1F1FA U+1F1F8",
    "png": "https://static.abstractapi.com/country-flags/US_flag.png",
    "svg": "https://static.abstractapi.com/country-flags/US_flag.svg",
},
"currency": {
    "name": "US Dollar",
    "code": "USD",
    "symbol": "$"
}
}
Powered by the IP Intelligence API · View pricing · See the full API reference

Tor Checker FAQ

What is Tor?

Tor (The Onion Router) is a free, volunteer-operated network that routes internet traffic through three randomly selected relays before it reaches its destination. Each relay knows only its immediate neighbors, so no single point in the path can link a user to the sites they visit. The Tor Project, a US-based nonprofit, maintains the software and the exit-node infrastructure. People use Tor for privacy, censorship circumvention, journalism, research, and other legitimate reasons, alongside the smaller fraction of abusive use that any anonymizing technology attracts.

What is a Tor exit node?

A Tor exit node is the last relay in the three-hop Tor circuit, the one that delivers the user's request to the public internet. The exit node's IP is what your server sees, not the user's real IP. The Tor Project publishes the full list of current exit nodes publicly, which is what makes Tor detection essentially deterministic: an IP either is a current exit node or it is not.

How does Tor detection work?

Abstract maintains a current copy of the public Tor exit-node list, refreshed continuously, and cross-references it against incoming IPs. When you submit an IP, the check returns true if the IP is a current Tor exit node, plus context like country, VPN signal, and proxy signal. The result returns in under 200ms.

Should I block all Tor traffic?

Usually no. Tor is used by journalists, activists, abuse survivors, researchers, and privacy-conscious users alongside the small fraction of abusive traffic. Blocking all Tor traffic by default cuts off legitimate users for marginal security gain on most surfaces. Where blocking or step-up verification is appropriate is on high-friction actions: account creation with payment data, sensitive transactions, financial transfers, and similar. For marketing pages, content reads, and public information, letting Tor traffic through is the right default.

What is the difference between Tor, a VPN, and a proxy?

Tor routes traffic through three volunteer relays for strong anonymity, but it is slower than the alternatives and the exit list is public. A VPN is a commercial service that encrypts and tunnels all traffic from a device through one remote server, faster than Tor and harder to detect across self-hosted setups. A proxy forwards specific requests through an intermediary IP, often without encryption. Abstract has separate checks for each.

Is the Tor Checker tool free?

Yes. The online tool is free with no signup required for individual lookups. For programmatic access, Abstract's IP Intelligence API offers a free tier with 1,000 requests per month. View pricing for higher-volume plans.

More IP intelligence tools

VPN Checker
Check whether an IP belongs to a known commercial VPN service.
Try it free
ASN Lookup
Find the network operator behind any IP
Try it free
Proxy Checker
Identify anonymous, transparent, and datacenter proxy connections.
Try it free
IP Abuse Check
Look up abuse reports and threat intelligence for any IP address.
Try it free
IP Lookup
Geolocate an IP address to its city, region, country, and ISP.
Try it free
Explore all Abstract tools
Get started
Need Tor detection for more than 1,000 requests?
stars rating
4.8 from 1,863 votes
The same check the tool above runs, available as an API.
get free api key
No credit card required