IP Geo API vs ipstack in 2026: HTTPS-on-Free, EU Hosting, and the Security Module Question


If ipstack is on your IP-geolocation shortlist in 2026, the comparison usually comes down to three things: does the free tier have to do real work, do you need EU data residency, and is fraud / VPN detection a first-class feature or a paid bolt-on? ipstack has a long track record and broad global edge presence, but its 2016-era pricing posture (HTTP-only free tier, USD billing, paid Security Module) creates real friction for a lot of modern teams. This post lays out where each one wins, without the marketing varnish.


The 60-second take

| What you care about | Choose |
| --- | --- |
| Global Anycast edge for non-EU users | ipstack |
| Already in the apilayer multi-API ecosystem | ipstack |
| XML response format (legacy parsers) | ipstack |
| HTTPS on every tier, including free | IP Geo API |
| VPN / Proxy / Tor detection bundled free | IP Geo API |
| EU-only data residency (no US transit) | IP Geo API |
| EUR billing + iDEAL / SEPA / Bancontact | IP Geo API |
| 1.000 lookups/day free instead of 100/month | IP Geo API |

Pick the row that’s the dealbreaker. If two rows pull opposite directions, the row enforcing a hard architectural constraint wins — for example, “production HTTPS pages have to call this API from the browser” beats “we’d like to keep the apilayer dashboard.”

The real reasons teams switch from ipstack to IP Geo API

The most common switch story we hear isn’t about price. It’s about production realities that the 2016-era ipstack pricing didn’t anticipate:

  1. HTTP-only free tier breaks browser-side calls. Modern browsers block mixed content (HTTPS page → HTTP API) by default; CSP headers block it harder. For any client-side JavaScript on a production HTTPS site, ipstack’s free tier is effectively unusable without a paid upgrade. We serve HTTPS on every tier, including the free 1.000/day plan, so prototypes ship without an upfront invoice.
  2. The Security Module is a separate product. ipstack’s fraud / VPN / proxy / Tor detection is paywalled behind the “Security Module” add-on, not bundled into Basic ($9.99/mo). Use cases like account-takeover protection, abuse rate-limits, or simple “block-Tor-on-signup” land on Professional ($49.99/mo) or higher. We bundle is_vpn, is_proxy, is_tor, is_datacenter, and is_residential flags into every response on every tier, including free.
  3. EU-only data residency for regulated sectors. apilayer is US/Austrian and operates global Anycast — your queries can transit US edge nodes. For fintech, healthtech, gov-tech, and adtech under GDPR scrutiny, that’s a documented Article 44/45 transfer-assessment problem. We’re EU-only at infra (Hetzner Frankfurt + Vercel fra1), at contract, and at corporate level.
  4. USD billing fatigue. Paddle/USD invoicing plus monthly FX adds 1-3% friction on every European invoice. Dutch, Belgian, German, and French finance teams flag this on every close. We bill EUR via Mollie with iDEAL, SEPA, Bancontact, and credit card as first-class methods.
  5. 100 requests / month is too small to actually try. ipstack’s free tier is metered monthly at 100 requests — enough for a single-page demo and not much else. Our free tier is 1.000 requests per day (~30× ipstack’s monthly), attribution-free.

If none of these hit your stack, ipstack’s global edge and apilayer ecosystem are genuinely good and you have no switching reason. Stay where you are.

The real reasons to not switch

We try to be straight about this — the fastest way to lose a customer is to oversell the migration.

What migration actually looks like

For most teams the move is a single base-URL flip plus a thin response-shape adapter:

- // ipstack (HTTP-only on free tier, HTTPS on Basic+)
- const r = await fetch(`http://api.ipstack.com/${ip}?access_key=${KEY}`);
- const data = await r.json();
- const country = data.country_code;
- const city = data.city;
+ // IP Geo API (HTTPS on every tier)
+ const r = await fetch(`https://ipgeo.10b.app/v1/lookup/${ip}`, {
+   headers: { Authorization: `Bearer ${process.env.IPGEO_API_KEY}` }
+ });
+ const data = await r.json();
+ const country = data.country_code;
+ const city = data.city;
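
Review bot: the added lines read `r.json()` without checking `r.ok`, so an error response (for example a rejected or missing `IPGEO_API_KEY`) is parsed as if it were a lookup result and `country` / `city` silently come back `undefined`; check `r.ok` and fail explicitly before reading fields. `ip` is interpolated into the URL path as-is in both the old and new call, so validate it as an IP literal (or pass it through `encodeURIComponent`) when it originates from a request header. The new call takes the key from `process.env`, which makes it a server-side call; say so next to the snippet so the bearer token is not copied into browser code.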

The non-obvious work is field mapping. ipstack uses country_code, region_name, city, latitude, longitude, plus the optional security block (Security Module only). We use a flatter contract: country_code, region, city, lat, lon, with is_vpn / is_proxy / is_tor / is_datacenter / is_residential always present at the top level. Full mapping table on the ipstack alternative comparison page.

What we recommend:

  1. Dual-call for 24-48h. In the request handler, call both ipstack and our API; log every diff to a structured store. The most common diffs are city-naming (we use canonical English; ipstack occasionally returns local-script names) and ASN organization formatting.
  2. Cache the response. Most workloads see a 60-80% IP repeat-rate within an hour. A 1-hour TTL cache (Redis, Memcached, or local LRU) cuts your billable count proportionally — and brings effective latency back below 1ms for hot IPs even on a REST API.
  3. Keep the ipstack key warm for 7 days as rollback insurance, then revoke and remove from secret stores.
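
Steps 1 and 2 above as one request-path wrapper, as an added example that is not IP Geo API's or ipstack's own code: it maps the ipstack shape onto the flat field names listed earlier, logs per-field diffs, and caches the served value for one hour. The injected `primary` / `shadow` fetchers, the `log` sink, the coordinate tolerance and the sample bodies are assumptions.

```javascript
// Added example, not vendor code. Field names come from the post; the fetchers,
// log sink, clock and coordinate tolerance are assumptions so it runs offline.
const TTL_MS = 60 * 60 * 1000; // 1-hour TTL from step 2
const FIELDS = ['country_code', 'region', 'city', 'lat', 'lon'];

// Constructed sample bodies for a documentation-range IP, not real vendor output.
const SAMPLE_IPSTACK = { country_code: 'JP', region_name: 'Tokyo', city: '東京',
  latitude: 35.6895, longitude: 139.6917 };
const SAMPLE_IPGEO = { country_code: 'JP', region: 'Tokyo', city: 'Tokyo',
  lat: 35.69, lon: 139.69, is_vpn: false, is_tor: false };

// Map an ipstack-shaped body onto the flat contract described in the post.
function fromIpstack(d) {
  return { country_code: d.country_code, region: d.region_name, city: d.city,
    lat: d.latitude, lon: d.longitude };
}

// Numbers (coordinates) match within a tolerance; other values must be identical.
function same(x, y, tol) {
  return typeof x === 'number' && typeof y === 'number'
    ? Math.abs(x - y) <= tol : x === y;
}

// List the fields where the two normalized responses disagree.
function diffGeo(a, b, tol = 0.01) {
  return FIELDS.filter((k) => !same(a[k], b[k], tol))
    .map((k) => ({ field: k, ipstack: a[k] ?? null, ipgeo: b[k] ?? null }));
}

// Serve from the current vendor, shadow-call the new one, cache the served value.
function makeShadowLookup({ primary, shadow, log, now = Date.now }) {
  const cache = new Map(); // ip -> { value, expires }; bound its size in production
  return async function lookup(ip) {
    const hit = cache.get(ip);
    if (hit && hit.expires > now()) return hit.value; // hot IP: no billable call
    const [p, s] = await Promise.allSettled([primary(ip), shadow(ip)]);
    if (p.status === 'rejected') throw p.reason; // the primary still decides
    const value = fromIpstack(p.value);
    if (s.status === 'rejected') {
      log({ ip, shadow_error: String(s.reason) }); // shadow failure never fails the request
    } else {
      const diffs = diffGeo(value, s.value);
      if (diffs.length) log({ ip, diffs }); // one structured record per differing lookup
    }
    cache.set(ip, { value, expires: now() + TTL_MS });
    return value;
  };
}
```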

Full migration guide with curl examples is on the ipstack alternative comparison page.

Pricing math at three common volumes

Direct apples-to-apples is straightforward because both vendors meter per-request. The table below is illustrative based on 2026 public list pricing for the most common workload (city-level + threat detection):

| Monthly volume | ipstack (Basic + Security Module) | IP Geo API | Notes |
| --- | --- | --- | --- |
| 100K req/mo | $9.99 (Basic) + Security Module add-on (varies; ~$50/mo realistic) ≈ $60 | €29 | Crossover at ~50K req/mo if Security Module is a must-have |
| 1M req/mo | $49.99 (Professional, includes Security Module on higher tiers) | €99 | IP Geo API ~10-15% cheaper at parity feature set |
| 10M req/mo | Custom (typically $499+/mo on Business) | €399 (custom) | Roughly comparable; threat-detection bundled vs add-on is the differentiator |
| Compliance overhead (EU residency docs, DPA, transfer assessments) | apilayer SCC + your DPO time | EU-only, no transfer assessment | Often dominates the unit economics for regulated sectors |

Numbers above are list-price snapshots from ipstack’s public pricing page on 2026-04-23. Negotiated annual contracts vary. The headline: ipstack’s flat plans are competitive once you reach the tier that bundles the Security Module — but every tier below that is an apples-to-oranges comparison because threat detection isn’t included. For workloads that need VPN/proxy flags from day one, IP Geo API’s per-request total cost of ownership tends to be lower across the 100K-1M req/mo zone where most indie / SMB / scaleup teams sit.

Trust check: should you trust this comparison?

Honest disclosure: this post is on the IP Geo API blog. We have a commercial reason to suggest switching. We tried to compensate for that bias by:

If you spot a factual error, email hello@ipgeo.10b.app — we’ll edit and add a correction note above the fold within 48h. We’d rather be cited as accurate than aggressive.

Try IP Geo API in 5 minutes

# 1. Sign up — no credit card, 1.000 lookups/day on free tier, HTTPS included
open https://ipgeo.10b.app/pricing

# 2. Test against a known IP (Google DNS) — note HTTPS on free tier
curl https://ipgeo.10b.app/v1/lookup/8.8.8.8 \
  -H "Authorization: Bearer $IPGEO_API_KEY"

# 3. Inspect the bundled threat block — no Security Module add-on needed
curl https://ipgeo.10b.app/v1/lookup/8.8.8.8 \
  -H "Authorization: Bearer $IPGEO_API_KEY" | jq '{is_vpn,is_proxy,is_tor,is_datacenter,is_residential}'



FAQ

Why is ipstack’s HTTP-only free tier such a big deal? Modern browsers block mixed content (HTTPS page → HTTP API) by default. CSP headers block it harder. For any client-side JavaScript on a production HTTPS site, ipstack’s free tier is effectively unusable without a paid upgrade. Our free tier ships HTTPS so side projects and MVPs can ship without an upfront invoice.

Is the threat data the same as ipstack’s Security Module? Different upstream composition. Our is_vpn/is_proxy/is_tor/is_datacenter/is_residential classifiers run on an ensemble of public abuse feeds (Spamhaus DROP, FireHOL, AbuseIPDB-lite) plus our own passive-probe data. ipstack’s Security Module composition is not publicly documented. Both cover the common 90% of fraud-relevant flags well; specialized fraud platforms typically run their own ML on top regardless of vendor.

Will my ipstack-shaped code work as-is with IP Geo API? Mostly the field names overlap (country_code, city, latitude/longitude → lat/lon). Edge cases (continent_code, connection_type, time_zone.id vs timezone) need a thin adapter — see the field mapping table.

Can I run IP Geo API in air-gapped environments? Not today. We’re API-only by design. A self-hosted on-prem appliance is on the 2027 roadmap. Pre-2027 air-gapped use cases should stay on a database-file vendor like MaxMind.

What happens if your API has an outage? Public status page: https://status.ipgeo.10b.app with a 90-day rolling history. Our SLA is 99.5% on Business plan (multi-region active-active across Frankfurt + Amsterdam). Most production deployments cache responses with a TTL of 1-24h, which means a brief API outage degrades to stale data, not failed lookups.



Last reviewed 2026-05-08 · IP Geo API team · Comments / corrections: hello@ipgeo.10b.app


