Documentation


Please always use the following API endpoint api.ipapi.is

ipapi.is provides useful meta-information for IPv4 and IPv6 addresses. For example, the API response includes the organization associated with the IP address, ASN meta-data, geolocation intelligence, and the raw WHOIS data for the IP address.

Furthermore, the API response enables the derivation of security information for each IP address. For instance, it indicates whether an IP address belongs to:

  • a hosting provider (is_datacenter)
  • is a TOR exit node (is_tor)
  • if an IP address is a proxy server exit node (socks4, socks5, or http proxy) (is_proxy)
  • is a VPN exit node (is_vpn)
  • or is linked to an IP address that has engaged in abusive actions (is_abuser)

The API places a strong emphasis on hosting detection. A sophisticated hosting detection algorithm has been developed to achieve a high detection rate. Thousands of different hosting providers around the globe are tracked. WHOIS records, public IP ranges from hosting providers, and a proprietary hosting discovery algorithm are used to determine whether an IP address belongs to a hosting provider.

ipapi.is claims to possess the most effective hosting detection algorithm in the IP address provider space. This success is primarily due to the process of downloading and analyzing websites of all major organizations that own IP addresses on the Internet.

ipapi.is also includes accurate and comprehensive ASN meta-data. The API includes raw WHOIS data for each active ASN. API fields such as the type field included in the company or asn output object are determined by analyzing the company (organization) that owns the autonomous system or IP range. ipapi.is differentiates between the following company (organization) types:

  • hosting - The ASN or network is owned by a hosting provider (Example: 37.148.167.137)
  • education - The ASN or network is affiliated with a university or another educational institution (Example: 128.146.65.112)
  • government - The ASN or network is part of a governmental institution (Example: 192.91.184.0)
  • banking - The ASN or network is associated with a banking or financial institution (Example: 199.67.175.0)
  • isp - The ASN or network belongs to an Internet Service Provider (ISP) (Example: 108.15.237.36)
  • business - If the type does not fit any of the above categories, it is classified under the generic business type (Example: 17.133.85.230)

# Quickstart


In order to lookup any IP address, use the following API endpoint: https://api.ipapi.is?q=3.5.140.2

Lookup your own IP address by omitting the query string (no q parameter): https://api.ipapi.is

Usage with JavaScript:

fetch('https://api.ipapi.is?q=23.236.48.55')
  .then(res => res.json())
  .then(res => console.log(res));

Usage with NodeJS:

const https = require('https');

https.get('https://api.ipapi.is/', (res) => {
  let data = '';

  res.on('data', (chunk) => {
    data += chunk;
  });

  res.on('end', () => {
    console.log(JSON.parse(data));
  });

}).on('error', (err) => {
  console.error('Error:', err.message);
});

Usage with curl:

curl 'https://api.ipapi.is?q=32.5.140.2'

# Data Sources


ipapi.is utilizes the following sources for API data:

  • Public WHOIS records from Regional Internet Registries (RIRs) such as RIPE NCC, APNIC, and ARIN. For privacy reasons, the public and downloadable WHOIS databases from the five RIRs are often incomplete. Therefore, millions of IP ranges and ASNs are periodically queried with a whois client to keep ipapi.is up-to-date.
  • Public BGP routing table data is used to source ASN data and to obtain the routes (prefixes) for active ASN.
  • Public IP blocklists, such as firehol/blocklist-ipset and stamparm/ipsum, are used to identify the is_abuser flag.
  • The API employs a proprietary datacenter/hosting detection algorithm. Accurate hosting detection is achieved by aggregating data from many different sources, including:
  • The API leverages IP threat data from various public honeypots and a own honeypot server network.
  • A proprietary geolocation database was developed from scratch. Geolocation data is primarily sourced from WHOIS data. For instance, some Regional Internet Registries like APNIC support the geofeed and geoloc properties in WHOIS records. RIPE NCC also supports the geoloc attribute as of 2016.

# API Servers


ipapi.is is currently operational in three different geographical locations:

There is no significant benefit to using these dedicated server endpoints directly. Instead, by utilizing the endpoint https://api.ipapi.is/, the nearest server (in terms of latency) is automatically selected.

# API Features


  • Ready for Production: This API is stable and suitable for production use. Currently, ipapi.is operates from three different geographical locations (Germany, US East, Singapore) to minimize end-user latency. The API can handle millions of daily requests and is updated at least once a week.
  • Accuracy: The most reliable IP Address data comes from WHOIS data provided by Regional Internet Registries like RIPE NCC or ARIN. Consequently, ipapi.is prioritizes a WHOIS-first approach. IP data from third-party providers is considered less reliable.
  • Extensive Hosting Detection Support: Thousands of hosting providers are supported, ranging from Huawei Cloud Service to ServerMania Inc. Determine if an IP address is hosted using the is_datacenter property!
  • Always Updated: The API database is automatically updated at least weekly.
  • ASN Support: The API provides autonomous system information for each IP address queried.
  • Company Support: The API offers organizational information for each IP address looked up.
  • Bulk IP Lookups: Query up to 100 IP addresses per API call.
  • Offline API Usage (Download): Download the complete ipapi.is package and host it on your own infrastructure. Visit the pricing page for more details.

# Geolocation Database

ipapi.is is a geolocation data provider. The Geolocation Database is available for free download and serves as the primary data source for the commercial ipapi.is API. This database includes geolocation information for a significant portion of the IPv4 address space and many IPv6 networks. The geolocation database is updated several times per week. While the accuracy of the geolocation data is high for country-level information, it is not recommended to rely solely on city-level geolocation accuracy for mission-critical applications.

The geolocation database is provided as a large CSV file with the following fields:

  • ip_version - Indicates either 4 (IPv4) or 6 (IPv6), determining the IP type of the network. Example: "4"
  • start_ip - The first IP address in the network range. Example: "44.31.140.0"
  • end_ip - The last IP address in the network range. Example: "44.31.140.255"
  • continent - The continent represented as a two-letter code. Example: "NA"
  • country_code - The ISO 3166-1 alpha-2 country code, specifying the country-specific geolocation of the IP address. Example: "US"
  • country - The full name of the country. Example: "United States"
  • state - The state or administrative area for the queried IP address. Example: "California"
  • city - The city associated with the IP address. Example: "Fremont"
  • zip - The postal code (zip code) for the IP. Example: "94720"
  • timezone - The timezone associated with the IP. Example: "America/Los_Angeles"
  • latitude - The geographical latitude of the IP address. Example: "37.54827"
  • longitude - The geographical longitude of the IP address. Example: "-121.98857"
  • accuracy - Indicates the estimated accuracy of the geolocation information, with entries rated from 1 (very high accuracy) to 5 (very low accuracy).
    • accuracy = 1 - Very high accuracy, typically reliable at the city level.
    • accuracy = 2 - High accuracy, generally reliable at the city level.
    • accuracy = 3 - Medium accuracy, not reliable at the city level.
    • accuracy = 4 - Low accuracy, usually accurate at the country level.
    • accuracy = 5 - Very low accuracy, expected to be accurate at the country level.
ipVersion,network,continent,country_code,country,state,city,zip,timezone,latitude,longitude,accuracy
ipv4,204.62.153.0 - 204.62.154.255,NA,US,United States,Ohio,Dayton,45412,America/New_York,39.75895,-84.19161,2
ipv4,131.78.0.0 - 131.78.255.255,NA,US,United States,Ohio,Columbus,43215,America/New_York,39.96118,-82.99879,4
ipv4,64.112.107.0 - 64.112.107.255,NA,US,United States,Texas,Crosbyton,79357,America/Chicago,33.66008,-101.23793,2
ipv4,192.172.223.0 - 192.172.223.255,NA,US,United States,Colorado,Boulder,80544,America/Denver,40.01499,-105.27055,1
ipv4,192.68.53.0 - 192.68.66.255,NA,CA,Canada,Ontario,Ottawa,K2P,America/Toronto,45.41117,-75.69812,4
ipv4,173.205.200.0 - 173.205.203.255,NA,US,United States,Indiana,Swayzee,46986,America/Indiana/Indianapolis,40.50837,-85.82554,2
ipv4,67.219.189.0 - 67.219.191.255,NA,CA,Canada,Ontario,Ottawa,K2P,America/Toronto,45.41117,-75.69812,3
ipv4,72.18.221.0 - 72.18.221.255,NA,US,United States,Florida,Panama City,32466,America/Chicago,30.15946,-85.65983,1
ipv4,23.153.216.0 - 23.153.216.255,NA,US,United States,Florida,Miami,33299,America/New_York,25.77427,-80.19366,2

# ASN Database

For offline ASN data access, the ASN Database is available for download. This database includes all AS numbers assigned and allocated by IANA, along with their respective metadata. The database is updated several times per week. For active ASNs (those with at least one route/prefix assigned), the database includes detailed metadata. For instance, the information provided for ASN 50673 would include:

{
  "asn": 50673,
  "abuser_score": "0.0029 (Low)",
  "descr": "SERVERIUS-AS, NL",
  "country": "nl",
  "active": true,
  "org": "Serverius Holding B.V.",
  "domain": "serverius.net",
  "abuse": "abuse@serverius.net",
  "type": "hosting",
  "created": "2010-09-07",
  "updated": "2022-11-15",
  "rir": "RIPE",
  "whois": "https://api.ipapi.is/?whois=AS50673",
  "prefixes": [
    "5.56.133.0/24",
    "5.178.64.0/21",
    "5.178.64.0/24",
    "5.188.12.0/22",
    "5.188.12.0/24",
    "5.188.13.0/24",
    // ...
  ],
  "prefixesIPv6": [
    "2001:67c:b0::/48",
    "2a00:1ca8::/32",
    "2a00:1ca8:77::/48",
    // ...
  ],
  "elapsed_ms": 0.59
}

The database is in JSON format. The key is the ASN as int and the value is an object with AS meta information such as the one above.

# How to download & parse the ASN database?

Download and unzip the ASN database:

cd /tmp
curl -O https://ipapi.is/data/ASN-Database-Sample.json

And parse with NodeJS:

let asnDatabase = require('./ASN-Database-Sample.json');
for (let asn in asnDatabase) {
  console.log(asn, asnDatabase[asn]);
}

# Hosting IP Ranges Database

The Hosting Database contains all known datacenter / hosting IP ranges of the Internet. A proprietary algorithm was developed to determine if a network belongs to a hosting provider.

The file format of the database is tab separated text file (.tsv), where each line of the file contains the company, network and domain of the hosting provider.

Example excerpt of the database:

Linode, LLC 178.79.160.0 - 178.79.167.255 www.linode.com
OVH Sp. z o. o. 178.32.191.0 - 178.32.191.127 www.ovh.com
myLoc managed IT AG 46.245.176.0 - 46.245.183.255 www.myloc.de

# How to download & parse the Hosting IP Ranges Database?

Download and unzip the Hosting Ranges database:

cd /tmp
curl -O https://ipapi.is/data/HostingRangesIPv4-Sample.csv

And parse with nodejs:

const fs = require('fs');
  
let hostingRanges = fs.readFileSync('hostingRanges.tsv').toString().split('\n');
for (let line of hostingRanges) {
  let [company, network, domain] = line.split('\t');
  console.log(company, network, domain);
}

# API Response Format


The API output format is explained best by walking through an example. Most of the returned API output information is self-explanatory.

The API example lookup below is how a typical API response looks like. The IP 107.174.138.172 was queried with the API call https://api.ipapi.is?q=107.174.138.172:

{
  "ip": "107.174.138.172",
  "rir": "ARIN",
  "is_bogon": false,
  "is_mobile": false,
  "is_crawler": false,
  "is_datacenter": true,
  "is_tor": true,
  "is_proxy": true,
  "is_vpn": true,
  "is_abuser": true,
  "company": {
    "name": "HostPapa",
    "abuser_score": "0.0054 (Low)",
    "domain": "www.hostpapa.com",
    "type": "hosting",
    "network": "107.172.0.0 - 107.175.255.255",
    "whois": "https://api.ipapi.is/?whois=107.172.0.0"
  },
  "abuse": {
    "name": "HostPapa",
    "address": "Buffalo, NY, 14202, US",
    "country": "US",
    "email": "net-abuse-global@hostpapa.com",
    "phone": "+1-905-315-3455"
  },
  "datacenter": {
    "datacenter": "HostPapa",
    "network": "107.174.138.0/24",
    "country": "US",
    "region": "US-NY",
    "city": "Buffalo"
  },
  "asn": {
    "asn": 36352,
    "abuser_score": "0.0033 (Low)",
    "route": "107.174.138.0/24",
    "descr": "AS-COLOCROSSING, US",
    "country": "us",
    "active": true,
    "org": "HostPapa",
    "domain": "www.hostpapa.com",
    "abuse": "net-abuse-global@hostpapa.com",
    "type": "hosting",
    "created": "2005-12-12",
    "updated": "2024-01-04",
    "rir": "ARIN",
    "whois": "https://api.ipapi.is/?whois=AS36352"
  },
  "location": {
    "continent": "NA",
    "country": "United States",
    "country_code": "US",
    "state": "New York",
    "city": "Buffalo",
    "latitude": 42.88645,
    "longitude": -78.87837,
    "zip": "14205",
    "timezone": "America/New_York",
    "local_time": "2024-05-23T09:38:38-04:00",
    "local_time_unix": 1716471518,
    "is_dst": true,
    "accuracy": 1
  },
  "elapsed_ms": 0.48
}

In the following sections, the different parts of the API response are explained in-depth.

In general, the API output can be divided into several distinctive parts:

  • Top-Level API Output - This provides generic output and threat intelligence information for the queried IP address.
  • The datacenter object - Present only if the queried IP address belongs to a hosting provider, the datacenter object contains meta information about the hosting provider or datacenter.
  • The company object - Most IP addresses are associated with an organization or company. The company object contains meta information about the organization that owns or has administrative control over the queried IP address.
  • The asn object - Most IP addresses are part of an Autonomous System (AS). The asn object provides meta information about the Autonomous System.
  • The location object - Often, it is possible to geolocate IP addresses. The location object includes geographical information for the queried IP address, indicating the part of the world where the IP address is used.

# Top Level API Output

The top level API output looks as follows for the IP address 107.174.138.172:

{
  "ip": "107.174.138.172",
  "rir": "ARIN",
  "is_bogon": false,
  "is_mobile": false,
  "is_crawler": false,
  "is_datacenter": true,
  "is_tor": true,
  "is_proxy": true,
  "is_vpn": false,
  "is_abuser": true,
}

The explanation for the top-level API fields is as follows:

# ip - The API query

The field ip has the datatype string.

This field represents the IP address that was looked up. In the example above, it was 107.174.138.172.

If no IP address was specified (Example: https://api.ipapi.is), the client's own IP address is looked up, and the field ip is set to the client's public IP address.

# rir - The Regional Internet Registry (RIR) for this IP

The field rir has the datatype string.

It specifies which Regional Internet Registry (RIR) the IP address belongs to. Here, it belongs to ARIN, which is the RIR responsible for North America. In total, there are five different RIRs for various areas of the world:

Figure 1: The five different Regional Internet Registries (Source)

# is_bogon - Whether the IP is bogon (non-routable)

The field is_bogon has the datatype boolean.

It determines if the IP address is bogon. Bogon IP Addresses are those not assigned or allocated by IANA or any RIR (Regional Internet Registry). For example, the loopback IP 127.0.0.1 is a special/bogon IP address. The IP address 107.174.138.172 is not bogon, hence it is set to false in this case.

Generally, there is no good reason to query bogon IP addresses, as they are local or special IP addresses that exist in every local network and have no unique significance on the Internet.

# is_mobile - Whether the IP is mobile (belongs to a mobile ISP)

The field is_mobile has the datatype boolean.

It determines if the IP address belongs to a mobile Internet Service Provider, such as AT&T Wireless or T-Mobile. Knowing whether an IP address belongs to a mobile ISP is often crucial for security purposes.

For example, Carrier-grade NATs are commonly used in mobile networks, meaning many distinct clients can share the same public IP address. Therefore, rate limiting or banning mobile IP addresses is not advisable, as it could also block legitimate clients sharing the same mobile public IP address.

Other reasons for identifying if an IP originates from a mobile ISP include:

  • Certain services being exclusively accessible to mobile clients
  • Anticipating reduced Internet speed often associated with mobile clients

The IP address 107.174.138.172 does not belong to a mobile ISP, hence it is set to false in this instance.

As of February 2024, the API does not fully detect all mobile IP ranges. The mobile coverage is not good, but the false positive rate is rather low.

# is_crawler - Whether the IP belongs to a crawler / spider / good bot

The field is_crawler is either set to false or, if the IP belongs to a crawler, it is set to a string such as "GoogleBot" or "BingBot".

Some Examples:

This field can be used to check whether the IP address belongs to a search engine crawler / bot that you might want to allow on your website or app. Currently, the following crawlers / good bots are detected:

  • TwitterBot
  • GoogleBot
  • BingBot
  • AhrefsBot
  • DuckDuckGoBot
  • FacebookBot
  • PingdomBot
  • RssApiBot
  • StripeWebhook
  • TelegramBot
  • UptimeRobot
  • CommonCrawlBot
  • EmbedlyBot
  • SemRushBot
  • AmazonBot
  • SemanticScholarBot
  • SlackBot
  • Applebot
  • GoogleBotImage
  • APIsGoogle
  • ArchiveBot
  • ByteSpider
  • LinkedInBot
  • ArchiveOrgBot
  • DiscordBot
  • MastodonBot
  • HubSpotBot
  • YouBot
  • YandexBot
  • NextCloudBot
  • PinterestBot
  • SlurpBot
  • MailRuBot
  • Facebookexternalhit
  • ZoomBot
  • BingPreviewBot
  • WhatsAppBot
  • AdsBotGoogle
  • GoogleBotMobile
  • MediapartnersGoogle
  • WordPressBot
  • DuckDuckBot
  • BaiduSpider

# is_datacenter - Whether the IP belongs to a Hosting Provider

The field is_datacenter has the datatype boolean.

It specifies whether the IP address belongs to a datacenter (hosting provider) or not. In this example, the value is true, since 107.174.138.172 belongs to the hosting provider ColoCrossing.

The definition of what constitutes a datacenter (hosting provider) is quite lenient on ipapi.is and includes all of the following categories:

In other words, every organization that allows third parties to quickly and anonymously obtain hosting resources or access to IP addresses is considered a hosting provider.

If the IP address belongs to a datacenter, then the datacenter object will also be present in the API output.

The datacenter/hosting detection quality of ipapi.is is one of its core strengths. If this value is true, you can rely on the fact that the IP address belongs to a hosting provider.

For a full list of hosting providers, click on the button below.

# is_tor - Whether the IP is a TOR Exit Node

The field is_tor has the datatype boolean.

If the field is_tor is true, the IP address is a TOR exit node. TOR exit node detection is very accurate, so you can rely on the value of is_tor. The API detects most TOR exit nodes reliably.

If the is_tor field is true, it is recommended to either challenge the client with this IP address with a captcha or block them from accessing critical resources.

This is because the TOR network is often used by cybercriminals for malicious activities, and if you are running a critical service, you might want to prevent TOR clients from accessing it.

# is_proxy - Whether the IP is a Proxy Exit Node

The field is_proxy has the datatype boolean.

The field determines whether the IP address is a proxy. In this example, the IP https://api.ipapi.is/?q=107.174.138.172 is a proxy. Generally, the flag is_proxy only covers a subset of all proxies on the Internet. In other words, ipapi.is cannot reliably detect residential and mobile proxies.

Proxy and VPN detection that follows an offline-based approach is not very accurate. Why is that the case? The following example explains why there is a limit to the accuracy that can be achieved:

Let's assume a threat actor sets up a proxy server on a cheap hosting instance and starts using the proxy server for nefarious use cases. How can any offline proxy database contain the information immediately that this IP address belongs to a proxy server?

The answer is: Offline databases cannot know this. The only reliable way to detect proxies and VPNs is to observe their networking behavior when they are actually used (live).

Proxy databases can only be populated over time, after the threat actor has used the proxy server repeatedly on websites or honeypots. Therefore, these proxy databases are often outdated, lag behind, or contain false information.

Nevertheless, ipapi.is strives to be as accurate as possible by using many different sources that publish proxy IP addresses. Example source: firehol_anonymous.netset from the FireHOL project.

# is_vpn - Whether the IP is a VPN Exit Node

The field is_vpn determines whether the IP address is a VPN Exit Node and has datatype boolean or string.

The is_vpn field can have two different data types, depending on whether the specific VPN service can be detected or not. To give some examples:

  • boolean (false) - 67.170.172.12 is not associated with an VPN, therefore the field is_vpn is set to false
  • string ("Mullvad") - 146.70.128.244 belongs to the VPN service Mullvad, therefore the field is_vpn is set to the string value "Mullvad"
  • boolean (true) -The IP 172.240.248.0 is known to be a VPN exit node, but it is not known to which service specifically. Therefore the field is_vpn is set to the generic truthy value true

The field is_vpn covers a constantly growing subset of all VPNs on the Internet. Due to our systematic approach to finding VPN exit nodes, the VPN coverage of the API is constantly growing and becoming more accurate on a daily basis.

# is_abuser - Whether the IP committed abusive actions

The field is_abuser has the datatype boolean.

The field is_abuser is true if the IP address has committed abusive actions, as was the case with 107.174.138.172. Various IP blocklists and threat intelligence feeds are used to populate the is_abuser flag.

Open source and proprietary blocklists are used in the API to populate the is_abuser flag. The flag does not differentiate the type of abusive action; the IP could have been involved in activities like viruses, bots, crawlers, scrapers, or worms.

If the is_abuser attribute is true, it is advisable to either challenge the client with this IP address with a captcha or block them from accessing critical resources.

Example data source for abusive IP addresses: firehol_abusers_1d.netset

# elapsed_ms - The internal processing time for the API lookup

The field elapsed_ms has the datatype float.

This field indicates the amount of internal processing time, measured in milliseconds (ms), spent handling the API query. This particular lookup took only 0.9ms, which is quite fast.

On average, IP lookups on ipapi.is take about 1.2ms of processing time.

# The datacenter object

Example API output for the datacenter object:

"datacenter": {
  "datacenter": "HostPapa",
  "domain": "www.hostpapa.com",
  "network": "107.172.0.0 - 107.175.255.255"
}

If the IP address belongs to a datacenter/hosting provider, the API response will include a datacenter object with at least the following attributes:

  • datacenter - string - to which datacenter the IP address belongs. For a full list of datacenters, check the hosting providers table page. In this case, the datacenter's name is HostPapa.
  • domain - string - The domain name of the hosting provider company
  • network - string - the network this IP address belongs to (In the above case: 107.172.0.0 - 107.175.255.255)

Most IP's don't belong to a hosting provider. In those cases, the datacenter object will not be present in the API output.

For a couple of large cloud providers, such as Google Cloud, Amazon AWS, DigitalOcean or Microsoft Azure (and many others), the datacenter object is more detailed.

Amazon AWS example:

{
  "ip": "3.5.140.2",
  "datacenter": {
    "datacenter": "Amazon AWS",
    "network": "3.5.140.0/22",
    "region": "ap-northeast-2",
    "service": "EC2",
    "network_border_group": "ap-northeast-2"
  }
}

DigitalOcean example:

{
  "ip": "167.99.241.130",
  "datacenter": {
    "datacenter": "DigitalOcean",
    "code": "60341",
    "city": "Frankfurt",
    "state": "DE-HE",
    "country": "DE",
    "network": "167.99.240.0/20"
  },
}

Linode example:

{
  "ip": "72.14.182.54",
  "datacenter": {
    "datacenter": "Linode",
    "name": "US-TX",
    "city": "Richardson",
    "country": "US",
    "network": "72.14.182.0/24"
  },
}

# The company object

Example API output for the company object:

"company": {
  "name": "HostPapa",
  "abuser_score": "0.0062 (Low)",
  "domain": "www.hostpapa.com",
  "type": "hosting",
  "network": "107.172.0.0 - 107.175.255.255",
  "whois": "https://api.ipapi.is/?whois=107.172.0.0"
},

Most IP addresses can be associated with an organization or company. The API uses WHOIS information to infer which organization is the administrative owner of a certain IP address.

The owner of an IP address is stored in the databases of the five Regional Internet Registies (RIR'rs). For example, IP address ownership in RIPE NCC is handled with inetnum (IPv4) and inet6num (IPv6) objects. In ARIN, IP address ownership can be inferred from NetRange objects.

Since the example IP 107.174.138.172 falls into the administrative realm of ARIN, the corresponding WHOIS record is obtained with whois -h whois.arin.net 107.174.138.172 and yields:

NetRange:       107.172.0.0 - 107.175.255.255
CIDR:           107.172.0.0/14
NetName:        CC-17
NetHandle:      NET-107-172-0-0-1
Parent:         NET107 (NET-107-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS36352
Organization:   HostPapa (HOSTP-7)
RegDate:        2013-12-27
Updated:        2024-02-02
Comment:        Geofeed https://geofeeds.oniaas.io/geofeeds.csv
Ref:            https://rdap.arin.net/registry/ip/107.172.0.0


OrgName:        HostPapa
OrgId:          HOSTP-7
Address:        115 George St.
Address:        Suite 511
City:           Oakville
StateProv:      ON
PostalCode:     L6J 0A2
Country:        CA
RegDate:        2016-06-06
Updated:        2024-02-02
Ref:            https://rdap.arin.net/registry/entity/HOSTP-7


OrgTechHandle: NETTE9-ARIN
OrgTechName:   NETTECH
OrgTechPhone:  +1-905-315-3455 
OrgTechEmail:  net-tech-global@hostpapa.com
OrgTechRef:    https://rdap.arin.net/registry/entity/NETTE9-ARIN

OrgAbuseHandle: NETAB23-ARIN
OrgAbuseName:   NETABUSE
OrgAbusePhone:  +1-905-315-3455 
OrgAbuseEmail:  net-abuse-global@hostpapa.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/NETAB23-ARIN

RTechHandle: NETTE11-ARIN
RTechName:   NETTECH-COLOCROSSING
RTechPhone:  +1-800-518-9716 
RTechEmail:  support@colocrossing.com
RTechRef:    https://rdap.arin.net/registry/entity/NETTE11-ARIN

RAbuseHandle: NETAB27-ARIN
RAbuseName:   NETABUSE-COLOCROSSING
RAbusePhone:  +1-800-518-9716 
RAbuseEmail:  abuse@colocrossing.com
RAbuseRef:    https://rdap.arin.net/registry/entity/NETAB27-ARIN

The company object is sourced from inetnum or NetRange WHOIS objects. The OrgName from the WHOIS record above is mapped to the name attribute of the the company object.

Most API lookups will have an company object with the following attributes:

  • name - string - The name of the organization (company) obtained from the corresponding WHOIS database entry
  • abuser_score - string - This field represents the quota of abusive IP addresses of the network belonging to the organization (company). The higher this number is, the more abusive the whole network is.
  • domain - string - The domain name of the organization (company)
  • type - string - The type for this organization (company), this is either hosting, education, government, banking, business or isp
  • network - string - The network for which the organization (company) has ownership
  • whois - string - An url to the WHOIS record for the network of this IP address

# The abuse object

Example API output for the abuse object:

"abuse": {
  "name": "HostPapa",
  "address": "Buffalo, NY, 14202, US",
  "country": "US",
  "email": "net-abuse-global@hostpapa.com",
  "phone": "+1-905-315-3455"
},

The abuse object contains abuse information about the organization that owns the queried IP address.

Most IP addresses can be associated with an organization or company. The API uses WHOIS information to determine which organization is the administrative owner of the queried IP address.

The data provided in the abuse object helps to get in touch by phone or email with the organization responsible for a certain IP network.

The abuse data always refers to the same network specified in the company.network field.

Most API lookups will include an abuse object with the following attributes:

  • name - string - The abuse contact name, the name of the individual or entity that receives abuse complaints about the network specified in company.network.
  • address - string - The abuse contact address. This is the physical address of the abuse contact for the entity that owns the network specified in company.network.
  • country - string - The country in which the abuse contact resides.
  • email - string - The abuse contact email. This email address handles abuse complaints about incidents associated with the network specified in company.network.
  • phone - string - The abuse contact phone number. This phone number handles abuse complaints about incidents associated with the network specified in company.network.

# The asn object

Example API output for the asn object:

"asn": {
  "asn": 36352,
  "abuser_score": "0.0071 (Low)",
  "route": "107.174.138.0/24",
  "descr": "AS-COLOCROSSING, CA",
  "country": "ca",
  "active": true,
  "org": "ColoCrossing",
  "domain": "www.colocrossing.com",
  "abuse": "abuse@colocrossing.com",
  "type": "hosting",
  "created": "2005-12-12",
  "updated": "2013-01-08",
  "rir": "ARIN",
  "whois": "https://api.ipapi.is/?whois=AS36352"
},

Most IP addresses can be associated with an Autonomous System (AS). Similar to the company object, the core data to populate the asn object originates from WHOIS data. For example, in order to find the corresponding information for ASN 36352, the WHOIS query whois -h whois.arin.net as36352 yields:

ASNumber:       36352
ASName:         AS-COLOCROSSING
ASHandle:       AS36352
RegDate:        2005-12-12
Updated:        2024-01-04    
Ref:            https://rdap.arin.net/registry/autnum/36352


OrgName:        HostPapa
OrgId:          HOSTP-7
Address:        115 George St.
Address:        Suite 511
City:           Oakville
StateProv:      ON
PostalCode:     L6J 0A2
Country:        CA
RegDate:        2016-06-06
Updated:        2024-02-02
Ref:            https://rdap.arin.net/registry/entity/HOSTP-7


OrgAbuseHandle: NETAB23-ARIN
OrgAbuseName:   NETABUSE
OrgAbusePhone:  +1-905-315-3455 
OrgAbuseEmail:  net-abuse-global@hostpapa.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/NETAB23-ARIN

OrgTechHandle: NETTE9-ARIN
OrgTechName:   NETTECH
OrgTechPhone:  +1-905-315-3455 
OrgTechEmail:  net-tech-global@hostpapa.com
OrgTechRef:    https://rdap.arin.net/registry/entity/NETTE9-ARIN

WHOIS data such as the one from above is used to populate the asn object. For example, the OrgName (HostPapa) from the WHOIS record above is mapped to name attribute of the the asn object.

The asn object provides the following attributes:

  • asn - int - The AS number (ASN)
  • abuser_score - string - This field represents the quota of abusive IP addresses in all routes of the ASN. The higher this number is, the more abusive the whole ASN is.
  • route - string - The IP route (prefix) in CIDR network format
  • descr - string - An informational description of the AS
  • country - string - The origin country of the AS (administratively)
  • active - string - Whether the AS is active (active means that there is at least one route administered by the AS)
  • org - string - The organization (Based on WHOIS data) responsible for this AS
  • domain - string - The domain of the organization to which this AS belongs
  • abuse - string - The email address to which abuse complaints for this organization should be sent (Based on WHOIS data)
  • type - string - The type for this ASN, this is either hosting, education, government, banking, business or isp
  • created - string - When the ASN was established (Based on WHOIS data)
  • updated - string - The last time the ASN was updated (Based on WHOIS data)
  • rir - string - To which Regional Internet Registry the ASN belongs administratively
  • whois - string - An url to the WHOIS information for this ASN

For inactive autonomous systems, most of the above information is not available.

# The location object

Example API output for the location object:

"location": {
  "continent": "NA",
  "country": "United States",
  "country_code": "US",
  "state": "New York",
  "city": "Buffalo",
  "latitude": 42.886,
  "longitude": -78.878,
  "zip": "14205",
  "timezone": "America/New_York",
  "local_time": "2024-02-10T13:24:14-05:00",
  "local_time_unix": 1707589454,
  "is_dst": false
},

The API provides geolocation information for the looked up IP address. The location object includes the following attributes:

  • continent - string - The continent as two letter code such as NA for North America
  • country - string - The full name of the country
  • country_code - string - The ISO 3166-1 alpha-2 country code to which the IP address belongs. This is the country specific geolocation of the IP address.
  • state - string - The state / administrative area for the queried IP address
  • city - string - The city to which the IP address belongs
  • latitude - float - The geographical latitude for the IP address
  • longitude - float - The geographical longitude for the IP address
  • zip - string - The zip code for this IP
  • timezone - string - The timezone for this IP
  • local_time - string - The local time for this IP in human readable format
  • local_time_unix - int - The local time for this IP as unix timestamp
  • is_dst - boolean - Whether daylight saving time (DST) is active in the geographical region of this IP address
  • other - array - (Optional) - If there are multiple possible geographical locations, the attribute other is included in the API response. It contains an array of ISO 3166-1 alpha-2 country codes which represent the possible other geolocation countries.

A proprietary geolocation database was built from scratch in order to source the location object.

# API Endpoints


The IP API currently has two endpoints. One endpoint (GET) handles lookups for single IP addresses, the other endpoint (POST) handles the lookup of up to 100 IP addresses (Batch lookup).

# GET Endpoint - Lookup a single IP Address or ASN

This GET endpoint allows to lookup a single IPv4 or IPv6 address by specifying the query parameter q. Example: q=142.250.186.110. You can also lookup ASN numbers by specifying the query q=AS209103

# POST Endpoint - Query up to 100 IP Addresses in one API call

You can also make a bulk API lookup with up to 100 IP addresses (Either IPv4 or IPv6) in one single request.

  • Endpoint - https://api.ipapi.is
  • Method - POST
  • Content-Type - Content-Type: application/json
  • Parameter - ips - An array of IPv4 and IPv6 addresses to lookup

For example, in order to lookup the IP addresses

  • 162.158.0.0
  • 2406:dafe:e0ff:ffff:ffff:ffff:dead:beef
  • 162.88.0.0
  • 20.41.193.225

You can use the following POST API request with curl:

curl --header "Content-Type: application/json" \
  --request POST \
  --data '{"ips": ["162.158.0.0", "2406:dafe:e0ff:ffff:ffff:ffff:dead:beef", "162.88.0.0", "20.41.193.225"]}' \
  https://api.ipapi.is

This is how you would make the POST request with JavaScript using fetch():

const IPs = [
  '162.158.0.0',
  '2406:dafe:e0ff:ffff:ffff:ffff:dead:beef',
  '162.88.0.0',
  '20.41.193.225'
];

fetch('https://api.ipapi.is', {
  method: 'POST',
  headers: {
    'Accept': 'application/json, text/plain, */*',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ ips: IPs })
}).then(res => res.json())
  .then(res => console.log(res));