Appearance
What is a user agent? The other thing every request reveals
Alongside your IP, every request you make carries a User-Agent header — a short self-introduction naming the software asking: curl/8.5.0, or the sprawling Mozilla/5.0 (…) string your browser sends. It's how servers decide what kind of answer to give — this site included: the reason curl ipconfig.io gets a bare IP while your browser gets a page is user-agent-aware content negotiation. Here's what the header does, how to read yours, and its honest place in the privacy picture.
Maintained by the ipconfig.io team · Reviewed 1 July 2026
See yours
bash
curl ipconfig.io/jsonThe user_agent object comes back parsed — product, version, and raw_value — reflecting whatever client asked. Run the same lookup in a browser tab and the JSON view shows the browser's string instead: same endpoint, two self-introductions.
json
"user_agent": {
"product": "curl",
"version": "8.5.0",
"raw_value": "curl/8.5.0"
}What servers do with it
- Adapt the response. The canonical example is the one you're using: ipconfig.io returns plain text to CLI tools and HTML to browsers by reading exactly this header (how the negotiation works). APIs, download pages ("detected: Linux 64-bit"), and legacy mobile sites all run variations.
- Count and classify. Server logs bucket traffic by client family — how operators know what fraction of visitors are curl, browsers, or PowerShell, and how analytics separates humans from declared bots.
- Filter. Crawlers announce themselves by UA (
Googlebot/…,GPTBot/…), androbots.txtpolicies key on those names. The header is honor-system, though — it's trivially spoofable (curl -A "anything"), so it's a label for the honest and a speed bump for the rest. Never security.
That last property cuts both ways for you as a user: a site treating your UA as truth is guessing politely, and a scraper claiming to be Chrome is lying cheaply. Rate limiting and abuse control fall back to the IP precisely because the UA can't be trusted.
The privacy angle, honestly
Your UA alone is weak identification — thousands of people share "latest Chrome on Windows 11" verbatim. The catch is fingerprinting: UA + screen size + timezone + fonts + canvas quirks multiplies into something near-unique, and the UA is one of the free ingredients. Browsers responded by freezing and trimming the string (Chrome's UA reduction, client hints served on request) — which is why modern UAs lie about OS versions and why the string keeps getting less informative. Meanwhile the Mozilla/5.0 prefix every browser still sends is pure archaeology: sites once served better pages to Netscape, so everyone impersonated it, forever.
Practical takeaways: don't build anything that trusts a UA; don't customize yours to something rare (a unique UA is anti-camouflage — the fingerprinting logic rewards blending in); and when scripting against public services, an honest, descriptive UA is basic etiquette.
Frequently asked questions
What is a user agent? The self-identification header on every request — tool name and version, or the browser's long Mozilla string.
See mine?curl ipconfig.io/json → the parsed user_agent object; same lookup in a browser shows the browser's.
Can it identify me? Not alone — but it's a standard ingredient in browser fingerprinting, which can.
Why Mozilla/5.0 everywhere? Compatibility fossils: every browser impersonated its predecessor. Parsing UAs stays messy because of it.
Next steps
- Can websites track you by IP? — the identifier hierarchy the UA feeds into.
- Get your public IP in code — the negotiation in action from scripts.
- API reference — how this site decides text vs JSON vs HTML.