GeoQ
Free API key

Detect · iCloud Private Relay

Stop scoring Apple users as fraud.

iCloud Private Relay exits sit in hosting-style ranges, so a naive datacenter rule scores a real iPhone user like a server. GeoQ's is_relay signal recognises Apple's published relay ranges and caps the risk score at 20 — the false-positive reducer, not another block rule.

Fact + limit: is_relay identifies the relay exit. It tells you the network kind is benign — it doesn't authenticate the user.

The false positive it fixes

Private Relay routes a user's traffic through partner infrastructure. The exit IP looks like a datacenter, which is exactly the kind of range fraud rules treat as suspicious. Without a relay signal, you either block legitimate Apple traffic or loosen your datacenter rule for everyone.

With is_relay, you keep the strict datacenter rule and carve out the one benign case explicitly. The score for a relay exit is capped at 20 (low), and benign_network_kind appears in reasons[] so the decision is auditable.

In your code

const res = await fetch("https://api.geoq.io/v1/check?ip=104.28.0.1", {
  headers: { "x-api-key": process.env.GEOQ_KEY },
});
const { signals, risk } = await res.json();

// A real Apple user on Private Relay — don't treat as fraud.
if (signals.is_relay) {
  // relay_provider === "icloud"; risk.score is capped at 20.
  allowWithLightFriction(); // e.g. skip the hard block, keep the captcha
}

What sets the signal

FieldMeaning
is_relayTrue if the IP is an Apple iCloud Private Relay egress.
relay_provider"icloud" for Apple's relay; null otherwise.
risk.reasons[]Includes benign_network_kind when the cap applies.
evidence.relayauthoritative — from Apple's own published ranges.

FAQ

iCloud Private Relay detection — FAQ

How do you detect iCloud Private Relay?
We match the IP against Apple's published list of iCloud Private Relay egress ranges. Apple publishes these specifically so operators can recognise relay traffic, so the is_relay signal carries the authoritative evidence label, with relay_provider: "icloud". Ranges are refreshed daily.

Why does relay traffic look like a datacenter?
iCloud Private Relay routes traffic through partner infrastructure, so the exit IP often sits in a hosting-style range and would otherwise score connection_type === "datacenter". That's the false positive: a real Apple user on an iPhone, scored like a server. The is_relay signal is what tells the two apart.

Does GeoQ block relay users?
No — GeoQ never blocks anyone; it returns signals. is_relay is a benign network kind: when it's true, the risk score is capped at 20 and benign_network_kind is added to reasons[]. You still see every signal that fired, but the headline score won't push a genuine Apple user into your fraud bucket. See the risk-score methodology.

Can I still see the underlying signals?
Yes. The cap changes the score, not the data. If the IP is also datacenter, connection_type still reads datacenter and that reason is still in reasons[]. You decide whether to treat a relay exit as low-risk for your use case.

What's the difference between a relay and a VPN?
A VPN is a commercial anonymising service; is_vpn adds +30 to the score. iCloud Private Relay is a privacy feature built into Apple's OS that doesn't let the user pick an exit country to evade geo rules. We treat relay as benign and VPN as a risk signal — they're separate fields, so you can handle them separately.

How fresh is the relay range data?
We refresh from Apple's published egress ranges daily. We state the cadence rather than claiming the data is current to the second.

Related

satellite

Detect Starlink and other satellite IPs — another benign network kind.

 guide

The full playbook for cutting IP false positives.

 methodology

Sources, cadence and the published risk weights.

Get a free key — 5,000 lookups/day, no card.

Every signal and the same risk score as every paid plan. Upgrade only when you outgrow it.

Get your free API key Read the quickstart