How to Get the User IP Address in Next.js App Router

A developer guide to reading the real client IP in Next.js 14 App Router using headers(), middleware, and edge runtime considerations.

Read proxy headers on the server

In the App Router, read request headers from server components, route handlers, or server actions when the runtime provides them. A simple helper can start with `const list = headers().get("x-forwarded-for"); const ip = list?.split(",")[0]?.trim();` and fall back to `x-real-ip` or platform-specific headers.

Do not expect browser-side code to know the real public IP without calling a server or lookup service. The client sees its network APIs, while the server sees the connection metadata and proxy headers.

Middleware and route handlers

Middleware can inspect `request.headers.get("x-forwarded-for")`, `request.headers.get("x-real-ip")`, or provider headers before rewriting, redirecting, or adding request context. Keep middleware light because it runs on every matched request.

In an App Router API route, use `export async function GET(request: Request) { const forwarded = request.headers.get("x-forwarded-for"); return Response.json({ ip: forwarded?.split(",")[0]?.trim() ?? null }); }`. Validate and normalize the value before storing or enforcing rules.

Platform differences

Vercel, Cloudflare, load balancers, and reverse proxies may set different headers such as `x-forwarded-for`, `x-real-ip`, `cf-connecting-ip`, or vendor-specific equivalents. Document which proxy you trust and which header wins.

If you deploy behind multiple proxies, only trust forwarded headers from infrastructure you control. For manual verification, compare the captured IP with Crafzo and confirm the location and ISP match expectations.

Implementation details developers should not skip

A reliable IP workflow starts with normalization and validation. Accept both IPv4 and IPv6, reject malformed input, and decide how your application should treat private, loopback, link-local, and reserved addresses before calling external services.
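The two points above, trusting only forwarded entries that your own proxies appended and validating and normalizing before use, are combined in one helper below. This is an added example, not code from the original guide. The names `clientIpFromXff`, `normalizeIp` and `trustedHops` and the sample addresses are assumptions, and it assumes each trusted proxy appends to `x-forwarded-for` rather than replacing it.

```typescript
// Added example, not the guide's code. Pure string handling, so it also runs on the edge runtime.
// Range checks are coarse (no full IANA table); "::ffff:1.2.3.4" style literals are rejected.
type IpClass = "public" | "private" | "loopback" | "link-local" | "reserved";
const OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)"; // no leading zeros, max 255
const V4 = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);
// Expand an IPv6 literal into eight 16-bit groups, or return null if malformed.
function parseV6(s: string): number[] | null {
  const halves = s.split("::");
  if (halves.length > 2) return null; // "::" may appear at most once
  const toGroups = (p: string): string[] => (p === "" ? [] : p.split(":"));
  const head = toGroups(halves[0]);
  const tail = halves.length === 2 ? toGroups(halves[1]) : [];
  const fill = 8 - head.length - tail.length;
  if (halves.length === 2 ? fill < 1 : fill !== 0) return null;
  const groups = [...head, ...new Array<string>(fill).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}
// Validate and normalize: lowercase, IPv6 always written as eight uncompressed groups.
function normalizeIp(raw: string): { ip: string; kind: IpClass } | null {
  const s = raw.trim().toLowerCase();
  if (V4.test(s)) {
    const [a, b] = s.split(".").map(Number);
    const kind: IpClass =
      a === 127 ? "loopback"
      : a === 169 && b === 254 ? "link-local"
      : a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ? "private"
      : a === 0 || a >= 224 || (a === 100 && b >= 64 && b <= 127) ? "reserved"
      : "public";
    return { ip: s, kind };
  }
  const g = parseV6(s);
  if (!g) return null;
  const kind: IpClass =
    g.slice(0, 7).every((x) => x === 0) && g[7] <= 1 ? (g[7] === 1 ? "loopback" : "reserved")
    : (g[0] & 0xffc0) === 0xfe80 ? "link-local"
    : (g[0] & 0xfe00) === 0xfc00 ? "private"
    : (g[0] & 0xff00) === 0xff00 ? "reserved"
    : "public";
  return { ip: g.map((x) => x.toString(16)).join(":"), kind };
}

// Each trusted proxy appends the peer it saw, so with N trusted hops the client is the
// Nth entry from the right; anything further left was supplied by the client itself.
function clientIpFromXff(header: string | null, trustedHops: number) {
  const entries = (header ?? "").split(",");
  const candidate = entries[entries.length - trustedHops];
  return candidate === undefined ? null : normalizeIp(candidate);
}
```

With one trusted proxy and a constructed header of `10.0.0.1, 203.0.113.7`, the helper returns `203.0.113.7`, whereas taking the first entry would return the value the client typed. A `null` result means the header was missing, malformed, or shorter than the configured hop count.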

Logging should preserve enough context to explain a decision later: timestamp, normalized IP, endpoint, account or token when appropriate, risk fields, and the action taken. Avoid logging unrelated personal data simply because it is available.

Production enforcement works best when IP intelligence is one input into a broader policy engine. Combine IP risk with account limits, device trust, authentication signals, request cost, and business-specific rules.

For a live example, run the relevant address through Crafzo IP Lookup or open the What Is My IP Address page to compare the article guidance with real lookup fields.

Signals to compare before acting

| Signal | What to check | Practical use |
| --- | --- | --- |
| Validation | Does the input parse as IPv4 or IPv6, and is it public when public lookup is required? | Prevents wasted API calls and confusing results. |
| Normalization | Are IPv6 compression and string casing handled consistently? | Makes logs, cache keys, and rules easier to compare. |
| Caching | Can non-sensitive lookup fields be cached briefly without hiding freshness problems? | Reduces cost and latency while preserving correctness. |
| Fallbacks | What happens when an enrichment provider times out or rate-limits? | Keeps user workflows resilient during provider issues. |

Practical checklist

  • Validate IP input before external requests.
  • Design fallbacks for rate limits and provider outages.
  • Log reason codes for automated decisions.
  • Test IPv6 paths, not only IPv4 examples.

Frequently Asked Questions

Why does headers() return undefined for IP?

Next.js does not create a universal IP field for every environment. You usually need to read proxy headers, and local development may not include them.

How do I get IP in an API route with App Router?

Use the `Request` object inside `app/api/.../route.ts` and read headers such as `x-forwarded-for` or `x-real-ip`. Split `x-forwarded-for` carefully and trust it only behind known proxies.

Does Vercel add a real IP header?

Vercel commonly forwards client IP information through standard proxy headers. Check your current deployment headers because edge, serverless, and custom proxy setups can differ.
