GeoQ
Free API key

Blog

Handling VPN users at a React signup — step up, don't block

· 8 min read · #React#signup#fraud

"Block VPN users" is one of the most common — and most counterproductive — fraud requests. Plenty of legitimate users are on a VPN right now: remote employees, travellers, the privacy-conscious. Hard-blocking them tanks conversion and punishes your best customers.

The better pattern: risk-score the signup, and add verification proportional to risk. Here's how to wire it into a React + Node flow.

Keep the key on the server

Your React app should never hold the GeoQ API key. The browser posts to your backend, and your backend calls GeoQ. So the IP check lives in your signup handler:

// POST /api/signup  (Node/Express, server-side — keep your key secret)
import { checkIp } from './geoq.js';

app.post('/api/signup', async (req, res) => {
  const { email, password } = req.body;
  let level = 'low';
  try {
    const r = await checkIp(req.ip);
    level = r.risk.level; // low | medium | high
  } catch { /* fail open */ }

  if (level === 'high') {
    const token = await issueEmailChallenge(email);
    return res.status(202).json({ status: 'verify', token });
  }
  const user = await createUser(email, password);
  res.json({ status: 'ok', user });
});

Note the response: a high-risk signup returns 202 with a verification step — not a 403. The user can still get in; they just prove themselves first.

React responds to risk, not to "VPN"

The front end doesn't need to know why a signup is risky — only what to do next. It branches on the server's status:

function SignupForm() {
  const [state, setState] = useState('idle');

  async function onSubmit(e) {
    e.preventDefault();
    setState('loading');
    const res = await fetch('/api/signup', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(readForm(e.target)),
    });
    const data = await res.json();
    // 202 => extra verification, not a block
    setState(data.status === 'verify' ? 'verify' : 'done');
  }

  if (state === 'verify') return ;
  return 
{/* fields */}
;
}

A sensible risk ladder

  • low — create the account, no friction.
  • medium — allow, but require email verification before the first sensitive action.
  • high — require email/MFA verification up front; log the reasons for review.

The risk score already folds VPN, proxy, datacenter, Tor and bot signals into one number, so you tune one threshold instead of juggling five booleans.

Why not just block?

A determined attacker switches VPNs in seconds; a real customer just leaves. Blocking optimises against the wrong person.

Step-up verification raises the cost for attackers (they must pass a real challenge) while keeping the door open for genuine users. And it keeps you on the right side of the rule that an IP signal must not be the sole basis of an automated decision about a person — see our AUP.

Ship it

Grab a free API key (no card), read the quickstart, and see the VPN detection API page for more.

Signals are probabilistic, not facts. Don't make a sole-basis automated decision about a person — see the acceptable use policy.

Keep reading

20 January 2026

How to detect a VPN by IP address in Node.js

A copy-paste Express middleware that flags VPN/proxy/datacenter IPs and steps up verification — with an honest take on what the signal can and can't tell you.

 3 February 2026

What is an ASN — and why it matters for IP fraud

The ASN behind an IP tells you whether it's a home ISP, a cloud host or a sketchy network. Here's the concept, how to look it up, and how to use it.

Start with the free tier. No card.

1,000 lookups a day, every signal, the same transparent risk score. Upgrade only when you outgrow it.

Get your free API key Read the quickstart