Documentation
- Lookup any IP address with: api.ipapi.is/?q=52.46.64.223
- Lookup any ASN: api.ipapi.is/?q=as20880
ipapi.is provides useful meta-information for IPv4 and IPv6 addresses and ASNs. For example, the API response includes the organization associated with the IP address, ASN meta-data, geolocation intelligence, and the raw WHOIS data for the IP address.
Furthermore, the API response provides security information for each IP address. For instance, it indicates whether an IP address belongs to:
- a hosting provider (
is_datacenter
) - is a TOR exit node (
is_tor
) - if an IP address is a proxy server exit node (socks4, socks5, or http proxy) (
is_proxy
) - is a VPN exit node (
is_vpn
) - or is linked to an IP address that has engaged in abusive actions (
is_abuser
)
The API places a strong emphasis on Hosting Detection and VPN Exit Node Enumeration.
A sophisticated hosting detection algorithm has been developed to achieve a high detection rate. Thousands of different hosting providers around the globe are tracked. WHOIS records, public IP ranges from hosting providers, and a proprietary hosting discovery algorithm are used to determine whether an IP address belongs to a hosting provider.
The VPN Exit Node Enumeration feature is crucial for identifying IP addresses that are part of VPN networks. This helps in detecting and preventing fraudulent activities, ensuring secure and reliable data transactions. For more details, visit the VPN Detection page.
ipapi.is also includes accurate and comprehensive ASN meta-data.
The API includes raw WHOIS data
for each active ASN. API fields such as the type
field included in the
company
or asn
output object are determined by analyzing the company
(organization)
that owns
the autonomous system or IP range. ipapi.is differentiates between the
following
company (organization)
types:
hosting
- The ASN or network is owned by a hosting provider (Example: 37.148.167.137)education
- The ASN or network is affiliated with a university or another educational institution (Example: 128.146.65.112)-
government
- The ASN or network is part of a governmental institution (Example: 192.91.184.0) banking
- The ASN or network is associated with a banking or financial institution (Example: 199.67.175.0)isp
- The ASN or network belongs to an Internet Service Provider (ISP) (Example: 108.15.237.36)business
- If the type does not fit any of the above categories, it is classified under the genericbusiness
type (Example: 17.133.85.230)
The remainder of this page is dedicated to explaining the API response format and how to use the API endpoints.
# Quickstart
In order to lookup any IP address, use the following API endpoint: https://api.ipapi.is?q=3.5.140.2
Lookup your own IP address by omitting the query string (no q
parameter): https://api.ipapi.is
Usage with JavaScript:
fetch('https://api.ipapi.is?q=23.236.48.55')
.then(res => res.json())
.then(res => console.log(res));
Usage with NodeJS:
const https = require('https');
const apiRequest = (ip, apiKey = '') => new Promise((resolve, reject) => {
const url = `https://api.ipapi.is/?q=${ip}${apiKey ? `&key=${apiKey}` : ''}`;
https.get(url, (res) => {
let data = '';
res.on('data', chunk => data += chunk);
res.on('end', () => {
try {
resolve(JSON.parse(data));
} catch (err) {
reject(new Error('Error parsing JSON: ' + err.message));
}
});
}).on('error', err => reject(new Error('Error: ' + err.message)));
});
apiRequest('32.43.11.44').then(console.log).catch(console.error);
Usage with curl
:
curl "https://api.ipapi.is/?q=32.43.11.44"
# Using the API with POST requests
You can also use the POST method to make API queries. This has the advantage of not sending the API Key
key
in the GET parameters, which can be more secure.
curl --header "Content-Type: application/json" \
--request POST \
--data '{"q": "32.5.140.2", "key": "your_api_key"}' \
https://api.ipapi.is
Omit the key
parameter to use the free tier:
curl --header "Content-Type: application/json" \
--request POST \
--data '{"q": "132.5.140.2"}' \
https://api.ipapi.is
You can also lookup multiple IP addresses with the POST method by providing an ips
array:
curl --header "Content-Type: application/json" \
--request POST \
--data '{"ips": ["32.5.140.2", "45.33.32.156", "104.28.64.25"], "key": "your_api_key"}' \
https://api.ipapi.is
Usage with JavaScript using fetch()
:
const data = {
ips: ["32.5.140.2", "45.33.32.156", "104.28.64.25"],
key: "your_api_key"
};
fetch('https://api.ipapi.is', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(data)
})
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));
# Data Sources
ipapi.is utilizes the following sources for API data:
- Public WHOIS records from Regional Internet Registries (RIRs) such as RIPE NCC, APNIC, and ARIN. For privacy reasons, the public and downloadable WHOIS databases
from the five RIRs are often incomplete. Therefore, millions of IP ranges and ASNs are periodically
queried with a
whois
client to keep ipapi.is up-to-date. - Public BGP routing table data is used to source ASN data and to obtain the routes (prefixes) for active ASN.
- Public IP blocklists, such as firehol/blocklist-ipset and stamparm/ipsum, are used to identify the
is_abuser
flag. - The API employs a proprietary datacenter/hosting detection algorithm. Accurate hosting detection is
achieved by aggregating data from many different sources, including:
- Manually labeling organizations as hosting providers (inefficient)
- Automatically labeling organizations as hosting providers based on the organization name, domain, website content, and HTML meta tags (efficient, but with a high rate of false positives and requiring scraping/crawling of millions of organization websites)
- Using self-published IP ranges from major cloud providers such as:
- Considering open-source projects that identify hosting IP addresses, such as github.com/client9/ipcat, github.com/Umkus/ip-index, or github.com/X4BNet/lists_vpn
- The API leverages IP threat data from various public honeypots and its own honeypot server network.
- A proprietary geolocation database was developed from scratch.
Geolocation data is primarily sourced from WHOIS data. For instance, some Regional Internet Registries
like APNIC support the
geofeed
andgeoloc
properties in WHOIS records. RIPE NCC also supports thegeoloc
attribute as of 2016. - ipapi.is also utilizes VPN Exit Node Enumeration to enhance its VPN detection capabilities. This involves identifying IP addresses that are known to be used as exit nodes for VPN services, as detailed on the VPN Detection page.
# API Servers
ipapi.is is currently operational in three different geographical locations:
- Server in Germany: https://de.ipapi.is/?q=104.28.64.25
- Server in US East: https://us.ipapi.is/?q=104.28.64.25
- Server in Singapore (Asia): https://sg.ipapi.is/?q=15.220.195.253
There is no significant benefit to using these dedicated server endpoints directly. Instead, by utilizing the endpoint https://api.ipapi.is/, the nearest server (in terms of latency) is automatically selected.
# API Features
- Ready for Production: This API is stable and suitable for production use. Currently, ipapi.is operates from three different geographical locations (Germany, US East, Singapore) to minimize end-user latency. The API can handle millions of daily requests and is updated at least once a week.
- Accuracy: The most reliable IP Address data comes from WHOIS data provided by Regional Internet Registries like RIPE NCC or ARIN. Consequently, ipapi.is prioritizes a WHOIS-first approach. IP data from third-party providers is considered less reliable.
- Extensive Hosting Detection Support: Thousands of hosting providers are supported, ranging
from "Huawei Cloud Service" to "ServerMania Inc". You can determine if an IP address is hosted using the
is_datacenter
field in the API output! - Always Updated: The API database is automatically updated at least weekly.
- ASN Support: The API provides autonomous system information for each IP address queried.
- Company Support: The API offers organizational information for each IP address looked up.
- Bulk IP Lookups: Query up to 100 IP addresses per API call.
- Offline API Usage (Download): Download the complete ipapi.is package and host it on your own infrastructure. Visit the pricing page for more details.
# Data Correction
The API is designed to be as accurate as possible. However, sometimes errors occur in the data. If you find an error in the data, please use the Data Correction page to report the error.
# API Response Format
The API output format is explained best by walking through an example. Most of the returned API output information is self-explanatory.
The API example lookup below is how a typical API response looks like. The IP 107.174.138.172
was queried with the API
call https://api.ipapi.is?q=107.174.138.172:
{
"ip": "107.174.138.172",
"rir": "ARIN",
"is_bogon": false,
"is_mobile": false,
"is_satellite": false,
"is_crawler": false,
"is_datacenter": true,
"is_tor": true,
"is_proxy": true,
"is_vpn": true,
"is_abuser": true,
"datacenter": {
"datacenter": "HostPapa",
"network": "107.174.138.0/24",
"country": "US",
"region": "US-NY",
"city": "Buffalo"
},
"company": {
"name": "HostPapa",
"abuser_score": "0.014 (Elevated)",
"domain": "hostpapa.com",
"type": "hosting",
"network": "107.172.0.0 - 107.175.255.255",
"whois": "https://api.ipapi.is/?whois=107.172.0.0"
},
"abuse": {
"name": "HostPapa",
"address": "Buffalo, NY, 14202, US",
"email": "net-abuse-global@hostpapa.com",
"phone": "+1-905-315-3455"
},
"asn": {
"asn": 36352,
"abuser_score": "0.0072 (Low)",
"route": "107.174.138.0/24",
"descr": "AS-COLOCROSSING, US",
"country": "us",
"active": true,
"org": "HostPapa",
"domain": "hostpapa.com",
"abuse": "net-abuse-global@hostpapa.com",
"type": "hosting",
"created": "2005-12-12",
"updated": "2024-01-04",
"rir": "ARIN",
"whois": "https://api.ipapi.is/?whois=AS36352"
},
"location": {
"is_eu_member": false,
"calling_code": "1",
"currency_code": "USD",
"continent": "NA",
"country": "United States",
"country_code": "US",
"state": "New York",
"city": "Buffalo",
"latitude": 42.88645,
"longitude": -78.87837,
"zip": "14205",
"timezone": "America/New_York",
"local_time": "2025-02-04T14:32:22-05:00",
"local_time_unix": 1738697542,
"is_dst": false
},
"elapsed_ms": 0.13
}
In the following sections, the different parts of the API response are explained in-depth.
In general, the API output can be divided into several distinctive parts:
- Top-Level API Output - This provides generic output and threat intelligence information for the queried IP address.
- The
datacenter
object - Present only if the queried IP address belongs to a hosting provider, thedatacenter
object contains meta information about the hosting provider or datacenter. - The
company
object - Most IP addresses are associated with an organization or company. Thecompany
object contains meta information about the organization that owns or has administrative control over the queried IP address. - The
asn
object - Most IP addresses are part of an Autonomous System (AS). Theasn
object provides meta information about the Autonomous System. - The
location
object - Often, it is possible to geolocate IP addresses. Thelocation
object includes geographical information for the queried IP address, indicating the part of the world where the IP address is used.
# Top Level API Output
The top level API output looks as follows for the IP address 107.174.138.172
:
{
"ip": "107.174.138.172",
"rir": "ARIN",
"is_bogon": false,
"is_mobile": false,
"is_satellite": false,
"is_crawler": false,
"is_datacenter": true,
"is_tor": true,
"is_proxy": true,
"is_vpn": true,
"is_abuser": true,
}
The explanation for the top-level API fields is as follows:
#
ip
- The API query
The field ip
has the datatype string
.
This field represents the IP address that was looked up. In the example above, it was
107.174.138.172
.
If no IP address was specified (Example: https://api.ipapi.is), the
client's own IP address is looked up, and the field ip
is set to the client's public IP
address.
#
rir
- The Regional Internet Registry (RIR) for this IP
The field rir
has the datatype string
.
It specifies which Regional Internet
Registry (RIR) the IP address belongs to. Here, it belongs to ARIN
, which is the RIR
responsible for North America. In total, there are five different RIRs for various areas of the world:

#
is_bogon
- Whether the IP is bogon (non-routable)
The field is_bogon
has the datatype boolean
.
It determines if the IP address is bogon. Bogon IP
Addresses are those not assigned or allocated by IANA or any RIR (Regional Internet Registry). For
example, the loopback IP 127.0.0.1
is a special/bogon IP address. The IP address
107.174.138.172
is not bogon, hence it is set to false
in this case.
Generally, there is no good reason to query bogon IP addresses, as they are local or special IP addresses that exist in every local network and have no unique significance on the Internet.
#
is_mobile
- Whether the IP is mobile (belongs to a mobile ISP)
The field is_mobile
has the datatype boolean
.
It determines if the IP address belongs to a mobile Internet Service Provider, such as
AT&T Wireless
or T-Mobile
. Knowing whether an IP address belongs to a mobile ISP
is often crucial for security purposes.
For example, Carrier-grade NATs are commonly used in mobile networks, meaning many distinct clients can share the same public IP address. Therefore, rate limiting or banning mobile IP addresses is not advisable, as it could also block legitimate clients sharing the same mobile public IP address.
Other reasons for identifying if an IP originates from a mobile ISP include:
- Certain services being exclusively accessible to mobile clients
- Anticipating reduced Internet speed often associated with mobile clients
The IP address 107.174.138.172
does not belong to a mobile ISP, hence it is set to
false
in this instance.
As of February 2024, the API does not fully detect all mobile IP ranges. The mobile coverage is not good, but the false positive rate is rather low.
#
is_satellite
- Whether the IP belongs to a satellite ISP
The field is_satellite
has the datatype boolean
. It determines if the queried IP
address belongs to a satellite Internet Service Provider such as Starlink, Viasat or OneWeb.
There are many reasons why it is beneficial to know whether an IP address belongs to a satellite ISP or not:
- Satellite ISPs are often used by governments and military organizations for remote areas.
- Satellite IP addresses don't have a fixed Geolocation and can be anywhere in the world.
- Furthermore, satellite IP addresses are often used by multiple users sharing the same IP address.
For example, the following IP addresses belongs to satellite ISPs:
- Starlink: 129.222.200.0
- Viasat: 165.220.232.192
#
is_crawler
- Whether the IP belongs to a crawler / spider / good bot
The field is_crawler
is either set to false
or, if the IP belongs to a
crawler, it is set to a string such as "GoogleBot"
or
"BingBot"
.
Some Examples:
- TwitterBot - 199.59.148.0
- GoogleBot - 66.249.70.224
- BingBot - 40.77.190.180
- DuckduckgoBot - 40.76.173.151
- YandexBot - 213.180.203.183
This field can be used to check whether the IP address belongs to a search engine crawler / bot that you might want to allow on your website or app. Currently, the following crawlers / good bots are detected:
#
is_datacenter
- Whether the IP belongs to a Hosting Provider
The field is_datacenter
has the datatype boolean
.
It specifies whether the IP address belongs to a datacenter (hosting provider) or not.
In this example, the value is
true
, since 107.174.138.172
belongs to the hosting provider
ColoCrossing
.
The definition of what constitutes a datacenter (hosting provider) is quite lenient on ipapi.is and includes all of the following categories:
- Standard hosting providers such as Hetzner.de or Leaseweb.com
- Large cloud providers such as Amazon AWS or Microsoft Azure
- Content Delivery Networks such as Cloudflare, Fastly or edg.io
- Anti-DDoS services such as qrator.net or ddos-guard.net
- IP leasing organizations such as ipxo.com or interlir.com
- Other SaaS, IaaS, or PaaS organizations such as fly.io or Heroku
In other words, every organization that allows third parties to quickly and anonymously obtain hosting resources or access to IP addresses is considered a hosting provider.
If the IP address belongs to a datacenter, then the datacenter object will also be present in the API output.
The datacenter/hosting detection quality of ipapi.is is one of its core
strengths. If this value is true
, you can rely on the fact that the IP address belongs to a
hosting provider.
For a full list of hosting providers, click on the button below.
#
is_tor
- Whether the IP is a TOR Exit Node
The field is_tor
has the datatype boolean
.
If the field is_tor
is true
, the IP address is a TOR exit node. TOR
exit node detection is very accurate, so you can rely on the value of is_tor
. The API detects
most TOR exit nodes reliably.
If the is_tor
field is true
, it is recommended to either challenge the client
with this IP address with a captcha or block them from accessing critical resources.
This is because the TOR network is often used by cybercriminals for malicious activities, and if you are running a critical service, you might want to prevent TOR clients from accessing it.
#
is_proxy
- Whether the IP is a Proxy Exit Node
The field is_proxy
has the datatype boolean
.
The field determines whether the IP address is a proxy. In this example, the IP https://api.ipapi.is/?q=107.174.138.172
is a proxy. Generally, the flag
is_proxy
only covers a subset of all proxies on the Internet. In other words, ipapi.is cannot reliably detect residential and mobile proxies.
Proxy and VPN detection that follows an offline-based approach is not very accurate. Why is that the case? The following example explains why there is a limit to the accuracy that can be achieved:
Let's assume a threat actor sets up a proxy server on a cheap hosting instance and starts using the proxy server for nefarious use cases. How can any offline proxy database contain the information immediately that this IP address belongs to a proxy server?
The answer is: Offline databases cannot know this. The only reliable way to detect proxies is to observe their networking behavior when they are actually used (live).
Proxy databases can only be populated over time, after the threat actor has used the proxy server repeatedly on websites or honeypots. Therefore, these proxy databases are often outdated, lag behind, or contain false information.
Nevertheless, ipapi.is strives to be as accurate as possible by using many different sources that publish proxy IP addresses. Example source: firehol_anonymous.netset from the FireHOL project.
#
is_vpn
- Whether the IP is a VPN Exit Node
The field is_vpn
determines whether the IP address is a VPN Exit Node and has datatype
boolean
.
If the VPN service can be detected, the is_vpn
field is set to true
. Otherwise, it
is set to
false
.
In some cases, the API provides more information about the detected VPN service in the vpn
object.
boolean (false)
-67.170.172.12
is not associated with an VPN, therefore the fieldis_vpn
is set tofalse
boolean (true)
-185.254.75.23
belongs to the VPN service Mullvad, therefore the fieldis_vpn
is set to the valuetrue
and thevpn
object contains data such as:
{
"is_vpn": true,
"region": "de-dus-wg-001",
"last_seen": 1728215552374,
"type": "exit_node",
"service": "MullvadVPN",
"url": "https://mullvad.net"
}
Please note that the vpn
object is only present if the queried IP address belongs to a VPN
exit node. For more information, see the VPN object section.
The field is_vpn
covers a constantly growing subset of all VPNs on the Internet. Due
to our Systematic VPN Detection Approach, the VPN
coverage of the API is
constantly
growing and becoming more accurate on a daily basis.
#
is_abuser
- Whether the IP committed abusive actions
The field is_abuser
has the datatype boolean
.
The field is_abuser
is true
if the IP address has committed abusive actions, as
was the case with 107.174.138.172
. Various IP blocklists and threat intelligence feeds are used
to populate the is_abuser
flag.
Open source and proprietary blocklists are used in the API to populate the is_abuser
flag. The
flag does not differentiate the type of abusive action; the IP could have been involved in activities like
viruses, bots, crawlers, scrapers, or worms.
If the is_abuser
attribute is true
, it is advisable to either challenge the client
with this IP address with a captcha or block them from accessing critical resources.
Example data source for abusive IP addresses: firehol_abusers_1d.netset
#
elapsed_ms
- The internal processing time for the API lookup
The field elapsed_ms
has the datatype float
.
This field indicates the amount of internal processing time, measured in milliseconds (ms), spent handling
the API query. This particular lookup took only 0.18ms
, which is quite fast.
On average, IP lookups on ipapi.is take about 1.04ms
of
processing time.
#
The vpn
object
The vpn
object is only present if the queried
IP address belongs to a VPN exit node. The vpn
object contains meta information for the VPN
exit node.
The format of the vpn
object is as follows (Example IP: 198.54.132.236):
"vpn": {
"ip": "198.54.132.236",
"service": "MullvadVPN",
"url": "https://mullvad.net",
"type": "exit_node",
"last_seen": 1739415261878,
"last_seen_str": "2025-02-13T02:54:21.878Z",
"exit_node_region": "ca-tor-wg-103",
"country_code": "ca",
"city_name": "Toronto",
"latitude": 43.70643,
"longitude": -79.39864
},
service
-string
- The name of the VPN provider. Example:MullvadVPN
url
-string
- The url of the VPN provider. Example:https://mullvad.net
type
-string
- The type of the VPN exit node. This is either"exit_node"
or"vpn_server"
. The value"exit_node"
is most common and means that the IP address is a VPN exit node that was detected by our VPN enumeration system. The value"vpn_server"
is less common and means that the IP address is a VPN server known to belong to the VPN service.last_seen
-number
- The unix timestamp in milliseconds of the last time the VPN exit node was enumerated. Example:1739415261878
last_seen_str
-string
- The last seen date in human readable format. Example:2025-02-13T02:54:21.878Z
exit_node_region
-string
- The region of the VPN exit node. It is in free format. Example:ca-tor-wg-103
country_code
-string
- The ISO 3166-1 alpha-2 two-letter country code where the VPN exit node is located. Example:ca
city_name
-string
- The name of the city where the VPN exit node is located. Example:Toronto
latitude
-number
- The latitude of the VPN exit node's location. Example:43.70643
longitude
-number
- The longitude of the VPN exit node's location. Example:-79.39864
#
The datacenter
object
Example API output for the datacenter
object:
"datacenter": {
"datacenter": "HostPapa",
"domain": "www.hostpapa.com",
"network": "107.172.0.0 - 107.175.255.255"
}
If the IP address belongs to a datacenter/hosting provider, the API response will include a
datacenter
object with at least the following attributes:
datacenter
-string
- to which datacenter the IP address belongs. For a full list of datacenters, check the hosting providers table page. In this case, the datacenter's name isHostPapa
.domain
-string
- The domain name of the hosting provider companynetwork
-string
- the network this IP address belongs to (In the above case:107.172.0.0 - 107.175.255.255
)
Most IP's don't belong to a hosting provider. In those cases, the datacenter
object will not
be present in the API output.
For a couple of large cloud providers, such as Google Cloud, Amazon AWS, DigitalOcean or Microsoft Azure
(and many others), the datacenter
object is more detailed.
Amazon AWS example:
{
"ip": "3.5.140.2",
"datacenter": {
"datacenter": "Amazon AWS",
"network": "3.5.140.0/22",
"region": "ap-northeast-2",
"service": "EC2",
"network_border_group": "ap-northeast-2"
}
}
DigitalOcean example:
{
"ip": "167.99.241.130",
"datacenter": {
"datacenter": "DigitalOcean",
"code": "60341",
"city": "Frankfurt",
"state": "DE-HE",
"country": "DE",
"network": "167.99.240.0/20"
},
}
Linode example:
{
"ip": "72.14.182.54",
"datacenter": {
"datacenter": "Linode",
"name": "US-TX",
"city": "Richardson",
"country": "US",
"network": "72.14.182.0/24"
},
}
#
The company
object
Example API output for the company
object:
"company": {
"name": "HostPapa",
"abuser_score": "0.0136 (Elevated)",
"domain": "hostpapa.com",
"type": "hosting",
"network": "107.172.0.0 - 107.175.255.255",
"whois": "https://api.ipapi.is/?whois=107.172.0.0"
},
Most IP addresses can be associated with an organization or company. The API uses WHOIS information to infer which organization is the administrative owner of a certain IP address.
The owner of an IP address is stored in the databases of the five Regional Internet Registies (RIR'rs). For example, IP address ownership in RIPE NCC is handled with inetnum (IPv4) and inet6num (IPv6) objects. In ARIN, IP address ownership can be inferred from NetRange objects.
Since the example IP 107.174.138.172
falls into the administrative realm of ARIN, the
corresponding WHOIS record is obtained with whois -h whois.arin.net 107.174.138.172
and yields:
The company
object is sourced from inetnum
or NetRange
WHOIS objects.
The
OrgName
from the WHOIS record above is mapped to the name
attribute of the
the company
object.
Most API lookups will have an
company
object with the following attributes:
name
-string
- The name of the organization (company) obtained from the corresponding WHOIS database entryabuser_score
-string
- This field represents the quota of abusive IP addresses of the network belonging to the organization (company). The higher this number is, the more abusive the whole network is.domain
-string
- The domain name of the organization (company)type
-string
- The type for this organization (company), this is eitherhosting
,education
,government
,banking
,business
orisp
network
-string
- The network for which the organization (company) has ownershipwhois
-string
- An url to the WHOIS record for the network of this IP address
#
The abuse
object
Example API output for the abuse
object:
"abuse": {
"name": "HostPapa",
"address": "Buffalo, NY, 14202, US",
"email": "net-abuse-global@hostpapa.com",
"phone": "+1-905-315-3455"
},
The abuse
object contains abuse information about the organization that owns the queried IP
address.
Most IP addresses can be associated with an organization or company. The API uses WHOIS information to determine which organization is the administrative owner of the queried IP address.
The data provided in the abuse
object helps to get in touch
by phone or email with the organization responsible for a certain IP network.
The abuse data always refers to the same network specified in the company.network
field.
Most API lookups will include an abuse
object with the following attributes:
name
-string
- The abuse contact name, the name of the individual or entity that receives abuse complaints about the network specified incompany.network
.address
-string
- The abuse contact address. This is the physical address of the abuse contact for the entity that owns the network specified incompany.network
.country
-string
- The country in which the abuse contact resides.email
-string
- The abuse contact email. This email address handles abuse complaints about incidents associated with the network specified incompany.network
.phone
-string
- The abuse contact phone number. This phone number handles abuse complaints about incidents associated with the network specified incompany.network
.
#
The asn
object
Example API output for the asn
object:
"asn": {
"asn": 36352,
"abuser_score": "0.0073 (Low)",
"route": "107.174.138.0/24",
"descr": "AS-COLOCROSSING, US",
"country": "us",
"active": true,
"org": "HostPapa",
"domain": "hostpapa.com",
"abuse": "net-abuse-global@hostpapa.com",
"type": "hosting",
"created": "2005-12-12",
"updated": "2024-01-04",
"rir": "ARIN",
"whois": "https://api.ipapi.is/?whois=AS36352"
},
Most IP addresses can be associated with an Autonomous System (AS). Similar to the company
object, the
core data to populate the
asn
object originates from WHOIS data. For example, in order to find the corresponding
information for ASN 36352, the WHOIS query whois -h whois.arin.net as36352
yields:
WHOIS data such as the one from above is used to populate the asn
object. For example,
the OrgName
(HostPapa) from the WHOIS record above is mapped to name
attribute of the
the asn
object.
The asn
object provides
the following attributes:
asn
-int
- The AS number (ASN)abuser_score
-string
- This field represents the quota of abusive IP addresses in all routes of the ASN. The higher this number is, the more abusive the whole ASN is.route
-string
- The IP route (prefix) in CIDR network formatdescr
-string
- An informational description of the AScountry
-string
- The origin country of the AS (administratively)active
-string
- Whether the AS is active (active means that there is at least one route administered by the AS)org
-string
- The organization (Based on WHOIS data) responsible for this ASdomain
-string
- The domain of the organization to which this AS belongsabuse
-string
- The email address to which abuse complaints for this organization should be sent (Based on WHOIS data)type
-string
- The type for this ASN, this is eitherhosting
,education
,government
,banking
,business
orisp
created
-string
- When the ASN was established (Based on WHOIS data)updated
-string
- The last time the ASN was updated (Based on WHOIS data)rir
-string
- To which Regional Internet Registry the ASN belongs administrativelywhois
-string
- An url to the WHOIS information for this ASN
For inactive autonomous systems, most of the above information is not available.
#
The location
object
Example API output for the location
object:
"location": {
"is_eu_member": false,
"calling_code": "1",
"currency_code": "USD",
"continent": "NA",
"country": "United States",
"country_code": "US",
"state": "New York",
"city": "Buffalo",
"latitude": 42.88645,
"longitude": -78.87837,
"zip": "14205",
"timezone": "America/New_York",
"local_time": "2025-01-25T05:28:56-05:00",
"local_time_unix": 1737800936,
"is_dst": false
},
The API provides geolocation information for the looked up IP address. The location
object
includes the following attributes:
is_eu_member
-boolean
- Whether the queried IP address is located in an EU member countrycalling_code
-string
- The calling code for the country of the queried IP addresscurrency_code
-string
- The currency code for the country of the queried IP addresscontinent
-string
- The continent as two letter code such asNA
for North Americacountry
-string
- The full name of the countrycountry_code
-string
- The ISO 3166-1 alpha-2 country code to which the IP address belongs. This is the country specific geolocation of the IP address.state
-string
- The state / administrative area for the queried IP addresscity
-string
- The city to which the IP address belongslatitude
-float
- The geographical latitude for the IP addresslongitude
-float
- The geographical longitude for the IP addresszip
-string
- The zip code for this IPtimezone
-string
- The timezone for this IPlocal_time
-string
- The local time for this IP in human readable formatlocal_time_unix
-int
- The local time for this IP as unix timestampis_dst
-boolean
- Whether daylight saving time (DST) is active in the geographical region of this IP addressother
-array
- (Optional) - If there are multiple possible geographical locations, the attributeother
is included in the API response. It contains an array of ISO 3166-1 alpha-2 country codes which represent the possible other geolocation countries.
A proprietary
geolocation database was built from scratch in order to source the
location
object.
# API Endpoints
The IP API currently has two endpoints responding to two different HTTP methods. One endpoint (GET) handles lookups for single IP addresses, the other endpoint (POST) handles the lookup of up to 100 IP addresses (batch IP lookup). The POST endpoint also supports lookups for single IPs and ASNs.
# GET Endpoint - Lookup a single IP Address or ASN
This GET endpoint allows you to lookup a single IPv4 or IPv6 address or an ASN by specifying the query
parameter
q
. Example for IP: q=142.250.186.110
and for ASN: q=AS209103
. You can
also include the key
parameter to provide your API Key for authentication.
- Endpoint - https://api.ipapi.is
- Method -
GET
- Parameters -
q
- The IP address or ASN to lookup;key
- Your API Key - Example - https://api.ipapi.is?q=3.5.140.2&key=your_api_key
- ASN Example - https://api.ipapi.is?q=AS42831&key=your_api_key
# POST Endpoint - Query up to 100 IP Addresses in one API call
You can also make a bulk API lookup with up to 100 IP addresses in one single API request using the POST
method. Additionally, you can perform a simple lookup for a single IP or ASN using the q
parameter in a POST request. The key
parameter can be included for API Key authentication.
- Endpoint - https://api.ipapi.is
- Method -
POST
- Content-Type -
Content-Type: application/json
- Parameters -
ips
- An array of IPv4 and IPv6 addresses to lookup;q
- A single IP address or ASN;key
- Your API Key
For example, in order to lookup the IP addresses:
162.158.0.0
2406:dafe:e0ff:ffff:ffff:ffff:dead:beef
162.88.0.0
20.41.193.225
You can use the following POST API request with curl
:
curl --header "Content-Type: application/json" \
--request POST \
--data '{"ips": ["162.158.0.0", "2406:dafe:e0ff:ffff:ffff:ffff:dead:beef", "162.88.0.0", "20.41.193.225"], "key": "your_api_key"}' \
https://api.ipapi.is
This is how you would make the POST request with JavaScript
using fetch()
:
const IPs = [
'162.158.0.0',
'2406:dafe:e0ff:ffff:ffff:ffff:dead:beef',
'162.88.0.0',
'20.41.193.225'
];
fetch('https://api.ipapi.is', {
method: 'POST',
headers: {
'Accept': 'application/json, text/plain, */*',
'Content-Type': 'application/json'
},
body: JSON.stringify({ ips: IPs, key: 'your_api_key' })
}).then(res => res.json())
.then(res => console.log(res));
# IP Databases
ipapi.is offers the following IP databases for download and purchase. IP databases allow you to work with IP data in an offline environment or to integrate them into your own systems. You can also purchase the full package of all databases via the business subscription. This is cheaper compared to buying the databases separately.
Database Name | Description | Pricing |
---|---|---|
IP to Hosting | The IP to Hosting Database is a database in CSV or MMDB format that contains all known hosting / cloud IP ranges of the Internet. | 49$ per month |
IP to VPN | The IP to VPN Database is a database that contains VPN IP addresses from well-known providers like ExpressVPN and NordVPN. | 79$ per month |
IP to Geolocation | The IP to Geolocation Database is a database that contains geolocation information for IP ranges. | 59$ per month |
IP to ASN | The IP to ASN Database contains all known Autonomous Systems (AS) of the Internet. | 49$ per month |
IP to Company | The IP to Company Database provides company name, domain and type information for every IP address in the Internet. | 89$ per month |
IP to Abuser | The IP to Abuser Database provides information about IP addresses that are known to be abusive, such as spammer IPs, malicious bot IP addresses or IP ranges from which cyber criminals are operating and so on. | 49$ per month |