IP Geo API vs ipapi.co in 2026: Free-Tier Attribution, EU Residency, and the Threat-Detection Question

5-minute read · 2026 pricing · honest assessment

If ipapi.co is on your IP-geolocation shortlist in 2026, the comparison usually comes down to three things: does the free tier carry an attribution backlink, do you need EU data residency, and are VPN / proxy / Tor flags first-class on the free plan or paywalled? ipapi.co has a clean REST shape, multiple response formats, and broad community SDKs, but its 2018-era pricing posture (free-tier requires “Powered by ipapi” attribution, USD billing, basic threat-detection only on paid tiers) creates real friction for a lot of modern teams. This post lays out where each one wins, without the marketing varnish.

Looking for the full feature matrix? Jump straight to the ipapi.co alternative comparison →.

The 60-second take

Pick the row that’s the dealbreaker. If two rows pull opposite directions, the row enforcing a hard architectural or compliance constraint wins — for example, “we cannot ship a paid product with a ‘Powered by ipapi’ badge” beats “we’d prefer XML responses.”

The real reasons teams switch from ipapi.co to IP Geo API

The most common switch story we hear isn’t about price or latency. It’s about production realities that the 2018-era ipapi.co free-tier posture didn’t anticipate:

1. Attribution backlink on the free tier blocks paid products. ipapi.co’s free 1.000 req/day requires a “Powered by ipapi” link on the consuming page. For any commercial product — paid SaaS, white-label dashboard, B2B portal — that’s not acceptable, and the upgrade path starts at $35/mo for 50K req/mo. Our free tier is 1.000 req/day without attribution, so MVPs and paid side projects ship without an upfront invoice or a vendor-branded backlink.
2. Threat detection is paid-only. ipapi.co’s proxy / tor flags are restricted to paid tiers, and even there the surface is thin (no VPN classification, no datacenter flag). We bundle is_vpn, is_proxy, is_tor, is_datacenter, and is_residential into every response on every tier, including free.
3. EU-only data residency for regulated sectors. ipapi.co’s privacy page does not commit to EU-only data flow; queries can transit US-based edge nodes. For fintech, healthtech, gov-tech, and adtech under GDPR scrutiny, that’s a documented Article 44/45 transfer-assessment problem. We’re EU-only at infra (Hetzner Frankfurt + Vercel fra1), at contract, and at corporate level.
4. USD billing fatigue. Stripe/USD invoicing plus monthly FX adds 1-3% friction on every European invoice. Dutch, Belgian, German, and French finance teams flag this on every close. We bill EUR via Mollie with iDEAL, SEPA, Bancontact, and credit card as first-class methods.
5. 50K req/mo is an awkward step-up. ipapi.co’s first paid tier ($35/mo, 50K req/mo) is roughly half the volume of our entry plan (€29/mo, 100K req/mo) at a higher absolute price after FX. Teams that grow past the free tier hit “pay more, get less” friction within the first paid month.

If none of these hit your stack, ipapi.co’s clean shape, response-format breadth, and community SDK coverage are genuinely good and you have no switching reason. Stay where you are.

The real reasons to not switch

We try to be straight about this — the fastest way to lose a customer is to oversell the migration.

• Your users are spread across 50+ non-EU countries. ipapi.co’s global Anycast network beats an EU-hosted REST API on median latency for non-EU clients. For a European SaaS with European users, the latency delta rarely matters. For a global consumer app with users in Asia and the Americas, it does.
• You depend on JSONP, XML, or CSV response shapes. ipapi.co supports five response formats (JSON, JSONP, XML, CSV, YAML); we’re JSON-only by design. If a downstream system requires JSONP for cross-domain script tags or XML for a legacy parser, the migration adds work.
• You rely on a specific community SDK. ipapi.co has been live since 2018 and has a long tail of community-maintained client libraries across PHP, Ruby, Go, Rust, and several JS frameworks. We ship official TypeScript and Python SDKs (MIT-licensed) but the community ecosystem is thinner.
• You’re locked to a longer track record. ipapi.co has been operating since 2018. We launched in 2026. Vendor risk is a fair concern. Our mitigation: full data export, open-source clients, and a documented exit path on the pricing FAQ. But “older vendor = lower risk” is a defensible heuristic.

What migration actually looks like

For most teams the move is a single base-URL flip plus a thin response-shape adapter:

- // ipapi.co (path-based, attribution required on free tier)
- const r = await fetch(`https://ipapi.co/${ip}/json/`);
- const data = await r.json();
- const country = data.country_code;
- const city = data.city;
+ // IP Geo API (auth-header, attribution-free)
+ const r = await fetch(`https://ipgeo.10b.app/v1/lookup/${ip}`, {
+   headers: { Authorization: `Bearer ${process.env.IPGEO_API_KEY}` }
+ });
+ const data = await r.json();
+ const country = data.country_code;
+ const city = data.city;

The non-obvious work is field mapping. ipapi.co uses country_code, region, city, latitude, longitude, timezone, plus optional proxy / tor flags on paid plans. We use a flatter contract: country_code, region, city, lat, lon, timezone, with is_vpn / is_proxy / is_tor / is_datacenter / is_residential always present at the top level. Full mapping table on the ipapi.co alternative comparison page.

What we recommend:

1. Dual-call for 24-48h. In the request handler, call both ipapi.co and our API; log every diff to a structured store. The most common diffs are city-naming (we use canonical English; ipapi.co occasionally returns local-script names) and ASN organization formatting.
2. Cache the response. Most workloads see a 60-80% IP repeat-rate within an hour. A 1-hour TTL cache (Redis, Memcached, or local LRU) cuts your billable count proportionally — and brings effective latency back below 1ms for hot IPs even on a REST API.
3. Keep the ipapi.co free tier warm for 7 days as rollback insurance, then remove the attribution backlink and any community SDK references.

Full migration guide with curl examples is on the ipapi.co alternative comparison page.

Pricing math at three common volumes

Direct apples-to-apples is straightforward because both vendors meter per-request. The table below is illustrative based on 2026 public list pricing for the most common workload (city-level + threat detection):

Numbers above are list-price snapshots from ipapi.co’s public pricing page on 2026-04-23. Negotiated annual contracts vary. The headline: ipapi.co’s flat plans are competitive once you factor out the attribution requirement and the basic threat-detection surface — but for workloads that need VPN/proxy/datacenter flags from day one or cannot ship a “Powered by” backlink, IP Geo API’s per-request total cost of ownership tends to be lower across the 50K-1M req/mo zone where most indie / SMB / scaleup teams sit.

Trust check: should you trust this comparison?

Honest disclosure: this post is on the IP Geo API blog. We have a commercial reason to suggest switching. We tried to compensate for that bias by:

• Listing ipapi.co’s strengths (response-format breadth, community SDKs, longer track record, global edge) in the same depth as ours.
• Naming specific cases where ipapi.co is the right pick (non-EU global users, JSONP / XML / CSV consumers, community-SDK lock-in).
• Acknowledging that vendor longevity is a defensible concern about us specifically.
• Linking ipapi.co’s pricing page directly so you can verify pricing, attribution requirements, and feature claims yourself.
• Sourcing all numbers from public pricing pages on the date stamped above.

If you spot a factual error, email hello@ipgeo.10b.app — we’ll edit and add a correction note above the fold within 48h. We’d rather be cited as accurate than aggressive.

Try IP Geo API in 5 minutes

# 1. Sign up — no credit card, 1.000 lookups/day on free tier, no attribution backlink
open https://ipgeo.10b.app/pricing

# 2. Test against a known IP (Google DNS) — note the bundled threat block
curl https://ipgeo.10b.app/v1/lookup/8.8.8.8 \
  -H "Authorization: Bearer $IPGEO_API_KEY"

# 3. Inspect the threat fields — no paid-tier upgrade required
curl https://ipgeo.10b.app/v1/lookup/8.8.8.8 \
  -H "Authorization: Bearer $IPGEO_API_KEY" | jq '{is_vpn,is_proxy,is_tor,is_datacenter,is_residential}'

Sign up free → · Full ipapi.co comparison → · API reference →

FAQ

Why is ipapi.co’s free-tier attribution such a big deal? The “Powered by ipapi” backlink is fine for an open-source side project, a personal blog, or an unmonetised demo. It is not fine for a paid SaaS, a B2B portal, or a white-label customer dashboard — those products either upgrade to a paid plan or look unprofessional. Our free 1.000/day tier ships attribution-free so commercial pre-revenue products can validate before paying.

Is the threat data better than ipapi.co’s paid proxy / tor fields? Different upstream composition. Our is_vpn/is_proxy/is_tor/is_datacenter/is_residential classifiers run on an ensemble of public abuse feeds (Spamhaus DROP, FireHOL, AbuseIPDB-lite) plus our own passive-probe data. ipapi.co’s threat-flag composition is not publicly documented and the surface is narrower (proxy + tor only, no VPN or datacenter classification). Both cover the common 80% of fraud-relevant flags well; specialized fraud platforms typically run their own ML on top regardless of vendor.

Will my ipapi.co-shaped code work as-is with IP Geo API? Mostly the field names overlap (country_code, region, city, latitude/longitude ≈ lat/lon). Edge cases (languages, currency, country_calling_code, utc_offset vs timezone) need a thin adapter — see the field mapping table.

Can I use IP Geo API with JSONP for client-side scripts on a non-CORS site? Not today. We require auth-header on every request, which means JSONP <script src="..."> tags don’t work. For client-side JavaScript, use a server-side proxy on the same origin or call our API from a backend route. ipapi.co’s JSONP-friendly URL-key pattern is a fit for legacy CORS-blocked frontends.

What happens if your API has an outage? Public status page: https://status.ipgeo.10b.app with a 90-day rolling history. Our SLA is 99.5% on Business plan (multi-region active-active across Frankfurt + Amsterdam). Most production deployments cache responses with a TTL of 1-24h, which means a brief API outage degrades to stale data, not failed lookups.

Related reading

• How to Migrate from ipapi.co to IP Geo API in 2026 → — step-by-step drop-in guide: field-by-field map, code diffs in Python / Node / Go, the attribution-backlink scrub and org-string concatenation gotchas, shadow mode, gradual cutover, rollback plan, and the 7 week-one gotchas.

Drop-in migration guides for adjacent providers (in case you’re consolidating multiple sources onto IP Geo API):

• Migrate from MaxMind GeoIP2 to IP Geo API — .mmdb-to-API field map, weekly-sync pain, GeoIP2 nested-shape compatibility
• Migrate from ipinfo.io to IP Geo API — loc-string + ASN-org regex + Authorization-header gotchas
• Migrate from ipstack to IP Geo API — HTTP→HTTPS scheme flip + Security-Module paywall + connection.asn integer typing
• Migrate from ipgeolocation.io to IP Geo API — Security-API SKU consolidation + apiKey-in-URL log-leak hardening + latitude/longitude string-vs-number gotchas
• Migrate from IP2Location to IP Geo API — BIN/CSV/MMDB decommission + IP2Proxy SKU consolidation + USD-annual-to-EUR-monthly billing + proxy_type enum-vs-split-booleans gotchas
• Migrate from DB-IP to IP Geo API — MMDB/CSV-download decommission + IP-to-Threat / Anonymous / Datacenter SKU consolidation + CC-BY-4.0 attribution-backlink scrub + countryCode3 ISO-3 vs ISO-2 gotchas

If you’re evaluating IP geolocation APIs against multiple providers, the other head-on comparisons in this series may help:

• IP Geo API vs ipinfo.io in 2026 — head-on with the dominant North-American incumbent
• IP Geo API vs MaxMind in 2026 — managed API vs self-hosted GeoIP2 dataset trade-offs
• IP Geo API vs ipstack in 2026 — modern EU-hosted alternative for ipstack migrations
• IP Geo API vs ipgeolocation.io in 2026 — feature parity, GDPR posture, EUR billing
• IP Geo API vs IP2Location in 2026 — REST-first vs database-download, IP2Proxy bundling, EU residency
• IP Geo API vs DB-IP in 2026 — REST-first vs MMDB-download EU-vs-EU, attribution-free free tier, threat bundling

Industry deep-dives

• IP Geolocation for Fintech — KYC, Sanctions Screening, Fraud, and EU Residency → — fintech-specific deep-dive: the three IP-control surfaces (KYC country-of-origin, OFAC/EU sanctions, payment-fraud risk), EU-hosted GDPR posture, EUR billing, ASN-level hosting detection, and ≤40 ms median EU-edge latency for 800-1200 ms PSP authorisation budgets.

• IP Geolocation for Ad-Tech — RTB Enrichment, SIVT/IVT Filtering, and Click-Fraud Attribution → — ad-tech-specific deep-dive: the three IP-control surfaces (RTB bid enrichment with ≤40 ms latency budget + OpenRTB 2.6 device.geo/device.ext, SIVT/IVT filtering with IAB-confirmed datacenter ASN block-list, click-fraud post-back attribution + risk scoring), EU-hosted GDPR + ePrivacy + IAB-TCF v2.2 posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for iGaming — Licence-Jurisdiction Enforcement, VPN-Circumvention Scoring, and Self-Exclusion Register Routing → — iGaming-specific deep-dive: the three IP-control surfaces (licence-jurisdiction enforcement with hard-fail-closed posture across MGA/UKGC/KSA/DGOJ/ANJ/ADM/DAS, anti-circumvention scoring with residential-proxy ASN block-list covering Bright Data + Oxylabs + Smartproxy + IPRoyal, self-exclusion register routing to GamStop/CRUKS/ROFUS/Spelpaus/OASIS by IP-country), EU-hosted GDPR + EGBA posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for SaaS Monetization — Geo-Pricing, EU-VAT/DAC7 Tax-Routing, Trial-Abuse Scoring, and OFAC/EAR Export-Controls → — SaaS-specific deep-dive: the four IP-control surfaces (PPP-anchored geo-pricing with ≤40 ms checkout-flow budget, EU-VAT-MOSS + OECD DAC7 tax-routing to the right Stripe/Adyen/Braintree/Paddle tax-id, trial-abuse detection with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal, and OFAC SDN + EAR export-controls feature-gating), EU-hosted GDPR posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for Streaming Media — Content Licensing, VPN-Bypass Defence, CDN POP Steering, and SSAI Ad-Insertion → — Streaming-media-specific deep-dive: the four IP-control surfaces (per-territory licensing enforcement with hard-fail-closed HTTP 451 on ambiguous resolve, VPN/proxy/Tor circumvention defence with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal, CDN POP steering and adaptive bitrate-ladder selection across Akamai/Cloudflare/Fastly/BunnyCDN/Lumen, and SSAI ad-insertion targeting with sports blackout windows via Haversine GPS-distance), ≤40 ms session-init budget on EU edges, studio-grade 24-month audit trail, threat fields on every plan, ASN-level granularity, and EU-hosted GDPR + AVMSD (Directive 2018/1808) posture.

• IP Geolocation for E-commerce — Tax-Jurisdiction Routing, BIN-vs-IP Carding Defence, PPP-Adjusted Currency Display, and Shipping-Zone Fulfilment Routing → — E-commerce-specific deep-dive: the four IP-control surfaces (EU OSS distance-sales 27-rate map + UK VAT 20% + CH-VAT 7.7% + NO MVA 25% + US Wayfair 13-state nexus + CA GST/HST per-province + AU/SG/IN/BR/JP GST/ICMS/JCT with sanctions hard-stop on IR/KP/SY/CU/BY/RU/MM/VE at checkout; BIN-vs-IP carding + refund-fraud 6-factor weighted score at place-order with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3; PPP-adjusted 7-tier pricebook on first paint with VPN/proxy fall-back to BIN-billing-country; 9-warehouse fulfilment routing FRA/AMS/MAD/MIL/DOV/IAD/LAX/DEL/SIN with DDP/DDU duty pre-calc and lithium/aerosol/prescription destination-gates), ≤40 ms checkout-first-paint budget, DAC7/GDPR/EU OSS audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

• IP Geolocation for Healthcare — Cross-Border Telehealth Licensing, HIPAA PHI/EPHI Access Geofencing, EU Patient-Data Residency w/ Schrems II Routing, and Cross-Border Pharma + DEA Schedule Gating → — Healthcare-specific deep-dive: the four IP-control surfaces (cross-border telehealth licensure match at consult-init w/ US IMLC 41-state partial + CA/FL/NY/TX independent + EU MRPQ Directive 2005/36/EC + DE Bundesärztekammer + NL BIG + FR ONM + UK GMC + HTTP 451 hard-fail-closed on jurisdiction-mismatch + NO_RECIPROCITY hard-stop on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO; HIPAA 45 CFR §164.308(a)(4) PHI/EPHI access geofencing w/ clinical-ASN allowlist Epic/Cerner/Allscripts/Mayo/MGH/Cleveland/Kaiser + residential-proxy ASN reject Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + home-office BAA-attested workstation allowlist + risk_score < 30 soft-allow; EU patient-data residency w/ GDPR Art. 9 special-category + EDPB Recommendations 01/2020 supplementary technical measures + Schrems II SCC flag for US-shard + routing to 6 EHR shards EU-FRA/EU-AMS/UK-LON/US-IAD/CA-YYZ/AU-SYD w/ VPN/proxy → fall-back to EU-FRA highest protection; cross-border pharma + controlled-substance gating w/ DEA Schedules I-V + Ryan Haight Act §3 in-person-eval requirement for telemed Rx + EU Falsified Medicines Directive 2011/62/EU originator-country audit + per-country bans for cannabis/CBD/psilocybin/MDMA/kratom), ≤40 ms consult-init budget, HIPAA/GDPR Art. 9/Schrems II/DEA/EU FMD audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

• IP Geolocation for Travel + Hospitality — Geo-Rate Enforcement + Dynamic-Pricing per Booking Origin, OTA Carding + ATO Defence, OFAC/EU CONSILIUM/UK OFSI Sanctions Screening at Booking-Init, and GDS + EU OSS / DAC7 Reporting → — Travel/hospitality-specific deep-dive: the four IP-control surfaces (geo-rate enforcement + dynamic-pricing per booking origin w/ 8-tier pricebook T1 EU-Lux 1.00x → T8 Africa 0.75x + VPN/proxy/Tor fall-back to T2_NA_LUX anti-arbitrage + SANCTIONS_HARDSTOP on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO HTTP 451 at search-render + BIN-billing-country pin at checkout; OTA carding + ATO defence at booking checkout w/ corporate-travel-platform ASN allowlist AS-CWT/Amex GBT/BCD/FCM/Egencia/Navan/Amadeus/Sabre fast-lane + consumer-OTA reject on VPN/Tor/relay + residential-proxy ASN block Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + 6-factor carding score threshold ≥70; OFAC + EU CONSILIUM + UK OFSI sanctions screening at booking-init w/ sanctioned-origin hard-stop regardless of session residency + EU 6AMLD compelled-disclosure on VPN/proxy + US-Cuba 31 CFR §515 General License gate + luxury-segment AML thresholds yacht €10K / private jet €20K / villa €5K/night / heli €3K + PEP screen + source-of-funds eval; GDS + inventory routing + EU OSS / DAC7 reporting w/ Amadeus EU/UK + Sabre US/CA + Travelport APAC + 27 EU-MS destination-VAT rates DE 19% → HU 27% + NO 25% + CH 8.1% + UK 20% + DAC7 Directive 2021/514 reportable-platform-operator evidence-log 5-year retention + Jan-31 lead-MS annual report), ≤40 ms search-render budget, OFAC/EU CONSILIUM/UK OFSI/DAC7/EU OSS/HOTREC audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

Last reviewed 2026-05-09 · IP Geo API team · Comments / corrections: hello@ipgeo.10b.app

Pairs with the full ipapi.co alternative comparison page — has the complete feature matrix, migration guide, and pricing snapshot.