How to Migrate from ipapi.co to IP Geo API in 2026: A Step-by-Step Drop-In Guide
7-minute read · 2026 code samples · honest rollback plan
This is the practical companion to the ipapi.co alternative comparison → and the head-on review of ipapi.co vs IP Geo API →. Those two pages tell you whether to switch. This page tells you how — including the three field-shape gotchas no other migration guide is honest about.
TL;DR — most ipapi.co → IP Geo API migrations land in half an engineering day. The real work is not the swap itself; it is removing the “Powered by ipapi” attribution from your free-tier code paths, the org-string ASN+name concatenation split, and a rollback path you actually trust.
Who this guide is for
You currently call ipapi.co via https://ipapi.co/{ip}/json/ (or one of the community SDKs), you’ve decided that the free-tier attribution backlink, the per-day-not-per-month rate limit, and USD-billed Stripe invoices cost more than they should, and you want a REST replacement that:
- Returns a JSON shape close enough to the existing flat ipapi.co response that downstream consumers don’t have to be rewritten
- Includes VPN / proxy / Tor / datacenter flags on every plan, free, with no quota multiplier
- Bills in EUR with a transparent tier ceiling and SEPA / iDEAL / Bancontact at checkout
- Has no attribution backlink requirement on the free tier (the single most common reason side-project teams hit this guide)
If those four boxes are unchecked — pause and read the vs comparison → first. The tradeoffs are real, especially if you depend on ipapi.co’s global Anycast latency from non-EU clients, the JSONP / XML / CSV response formats, or the Excel-style bulk CSV upload.
The 7-step migration checklist
- Inventory every call site that hits ipapi.co or ipapi.com, including any community SDK imports.
- Map your fields to the ipapi-compatibility response (?format=ipapi).
- Add a feature flag so you can switch any call site between providers.
- Wire a 60-second cache in front of the API client (in-memory or Redis).
- Deploy in shadow mode — call both, log differences, serve ipapi.co responses.
- Cut over gradually — 10% → 50% → 100% of traffic over 48 hours.
- Decommission the ipapi.co API key — revoke in the ipapi dashboard, archive billing, remove the attribution backlink.
The rest of this post walks each step with copy-paste code.
Step 1 — Inventory call sites
Run this in the repo root before touching anything:
```bash
git grep -nE "ipapi\.co|ipapi\.com|Powered by ipapi" -- ':!*.lock' ':!*.md'
```
Most teams find 1-4 call sites for ipapi.co. The endpoint is so simple (one HTTP GET, no auth on free tier) that direct requests.get / fetch calls are common — there’s often no SDK to grep. Make a list. Note for each: language, response format (JSON vs JSONP vs XML vs CSV), fields consumed, and whether the result is cached.
Watch-out: ipapi.co has two domains in the wild — the canonical ipapi.co and the older ipapi.com mirror. Both are owned by the same operator but have slightly different default response shapes (ipapi.co/json/ returns flat; ipapi.com/{ip}/json returns nested under geo.*). Audit both. Also grep for any HTML/JSX containing the literal string "Powered by ipapi" — the free-tier ToS requires this attribution and removing it from rendered pages is one of the steps users forget.
Step 2 — Map the fields
ipapi.co returns a flat JSON shape, with a single country.* style prefix expansion (the API flattens the country block into country, country_name, country_code_iso3, country_capital, country_population, country_area_sq_km, country_calling_code, country_currency, country_currency_name, country_languages, country_tld, in_eu):
```json
{
  "ip": "8.8.8.8",
  "version": "IPv4",
  "city": "Mountain View",
  "region": "California",
  "region_code": "CA",
  "country": "US",
  "country_name": "United States",
  "country_code": "US",
  "country_code_iso3": "USA",
  "country_capital": "Washington",
  "country_tld": ".us",
  "continent_code": "NA",
  "in_eu": false,
  "postal": "94043",
  "latitude": 37.4056,
  "longitude": -122.0775,
  "timezone": "America/Los_Angeles",
  "utc_offset": "-0700",
  "country_calling_code": "+1",
  "currency": "USD",
  "currency_name": "Dollar",
  "languages": "en-US,es-US,haw,fr",
  "asn": "AS15169",
  "org": "GOOGLE"
}
```
IP Geo API ships a ?format=ipapi compatibility shim that returns the same flat shape so most call sites stop noticing the swap. The mapping for the fields ~95% of integrations rely on:
| Your old code | ipapi.co path | IP Geo API ?format=ipapi | Native ?format=ipgeo |
|---|---|---|---|
| IP | ip | ip | ip |
| Country code | country or country_code | country and country_code | country.iso_code |
| Country name | country_name | country_name | country.name |
| Country ISO3 | country_code_iso3 | country_code_iso3 | country.iso_code_alpha3 |
| EU member flag | in_eu | in_eu | country.in_eu |
| Country calling code | country_calling_code | country_calling_code | country.calling_code |
| Region code | region_code | region_code | region.iso_code |
| Region name | region | region | region.name |
| City | city | city | location.city |
| Postal | postal | postal | location.postal_code |
| Lat | latitude | latitude | location.lat |
| Lng | longitude | longitude | location.lng |
| Time zone | timezone | timezone | location.timezone |
| UTC offset | utc_offset | utc_offset | location.utc_offset |
| ASN string | asn (e.g. "AS15169") | asn (string "AS15169") | network.asn (integer 15169) |
| Org / ISP | org | org | network.organization |
| Currency code | currency | currency | country.currency.iso |
| VPN / proxy | (paid only via /threat) | is_proxy (free) | threat.is_proxy |
| Tor | (paid only) | is_tor (free) | threat.is_tor |
| Datacenter | (paid only) | is_datacenter (free) | threat.is_datacenter |
| VPN | (paid only) | is_vpn (free) | threat.is_vpn |
Fields the shim does not cover (documented gaps): country_capital and country_population and country_area_sq_km (we do not import the world-fact-book enrichment — these are weak signals for almost every product use), languages comma-separated string (use Accept-Language request header parsing instead), country_tld (low signal, statically derivable from country_code if you really need it), and the version field (always "IPv4" or "IPv6" — read it from the input IP itself). If your code reads any of those, list them as blockers and decide per call site whether to drop the dependency or keep ipapi.co for that path only (hybrid pattern — see the comparison page →).
Step 3 — Feature flag, then drop-in client
Python (was raw requests against ipapi.co)
```python
# before
import requests

def lookup_country(ip: str) -> str:
    r = requests.get(f"https://ipapi.co/{ip}/json/", timeout=2.0)
    r.raise_for_status()
    return r.json()["country"]
```

```python
# after — drop-in via the ipapi-compatibility shim
import os
from functools import lru_cache

import requests

API_KEY = os.environ["IPGEO_API_KEY"]
USE_IPGEO = os.environ.get("USE_IPGEO_API", "0") == "1"  # feature flag

# lru_cache caps the number of entries but never expires them; see Step 4 for a TTL.
@lru_cache(maxsize=10_000)
def _lookup(ip: str) -> dict:
    r = requests.get(
        f"https://api.ipgeo.10b.app/v1/{ip}",
        headers={"Authorization": f"Bearer {API_KEY}"},
        params={"format": "ipapi"},
        timeout=2.0,
    )
    r.raise_for_status()
    return r.json()

def lookup_country(ip: str) -> str:
    if USE_IPGEO:
        return _lookup(ip)["country"]  # flat shape — no rewrite
    r = requests.get(f"https://ipapi.co/{ip}/json/", timeout=2.0)
    r.raise_for_status()
    return r.json()["country"]
```
Note the auth shape change: ipapi.co’s free tier is anonymous and rate-limited per source IP; IP Geo API uses a Bearer token in the Authorization header. If you currently pass ?key=... for an ipapi paid plan, query-param auth is also supported on the new client (?api_key=...) for environments where headers get stripped at the edge. Prefer the header wherever it survives: a key in the query string is written to access logs and proxy logs along with the URL.
Node / TypeScript (was raw fetch against ipapi.co)
```ts
// before
const r = await fetch(`https://ipapi.co/${ip}/json/`);
const j = await r.json();
```

```ts
// after — drop-in
const cache = new Map<string, any>();

export async function geoLookup(ip: string) {
  if (process.env.USE_IPGEO_API !== "1") {
    const r = await fetch(`https://ipapi.co/${ip}/json/`);
    return r.json();
  }
  if (cache.has(ip)) return cache.get(ip);
  const r = await fetch(`https://api.ipgeo.10b.app/v1/${ip}?format=ipapi`, {
    headers: { Authorization: `Bearer ${process.env.IPGEO_API_KEY!}` },
  });
  if (!r.ok) throw new Error(`ipgeo ${r.status}`);
  const j = await r.json();
  cache.set(ip, j);
  setTimeout(() => cache.delete(ip), 60_000); // 60-s TTL
  return j;
}
```
Go
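```go
// after — drop-in via the ipapi-compatibility shim (fragment from inside your lookup function)
url := fmt.Sprintf("https://api.ipgeo.10b.app/v1/%s?format=ipapi", ip)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
if err != nil {
	return err // a malformed ip can produce an unparsable URL
}
req.Header.Set("Authorization", "Bearer "+os.Getenv("IPGEO_API_KEY"))
resp, err := httpClient.Do(req)
if err != nil {
	return err
}
// ... unmarshal resp.Body into your existing ipapi-shaped struct, then close it
```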
Step 4 — Cache layer (the step everyone skips)
A naive 1-call-per-request integration will burn through ipapi.co’s free 1,000 req/day in the first hour of any production traffic. ipapi.co’s free-tier rate limit is per-day, not per-month, which fragments quota across the day in a way that surprises teams; IP Geo API’s daily ceiling is the same shape, but the populated threat-flag fields make the cache hit-rate higher (you stop calling out for repeat IPs flagged as bots). The good news: most production traffic is dominated by 1-5% of IPs (your bot crawler, your monitoring, your power users). A 60-second in-memory cache typically deflects 70-90% of calls at zero cost.
- Single-pod / serverless Lambda: Python lru_cache or a Map in Node, sized 10k entries.
- Multi-pod web: Redis SETEX <ip> 60 <json> or your existing distributed cache.
- Edge / CDN: Cloudflare Workers KV with a 60-300 s TTL.
If you want strict cache-miss bounds, add a per-host concurrency limiter so only one in-flight call per IP is ever issued.
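One way to build the single-pod variant with a real 60-second TTL and at most one in-flight call per IP, as an added example that is not from the original page or the IP Geo API project. The class name TTLSingleFlightCache and the injected fetch callable are hypothetical; in the Step 3 code, fetch would be an uncached version of _lookup.

```python
import ipaddress
import threading
import time
from collections import OrderedDict


class TTLSingleFlightCache:
    """Bounded TTL cache that allows one upstream call per IP at a time."""

    def __init__(self, fetch, ttl=60.0, maxsize=10_000, clock=time.monotonic):
        self._fetch = fetch            # callable(ip_str) -> dict (assumed shape)
        self._ttl = ttl
        self._maxsize = maxsize
        self._clock = clock            # injectable so tests do not have to sleep
        self._lock = threading.Lock()
        self._entries = OrderedDict()  # ip -> (expires_at, value)
        self._inflight = {}            # ip -> threading.Event of the leading call

    def get(self, ip):
        # Canonicalise first: anything that is not an IP literal raises ValueError
        # before it can reach the URL path, and equivalent IPv6 spellings collapse
        # onto one cache key.
        key = str(ipaddress.ip_address(ip))
        while True:
            with self._lock:
                hit = self._entries.get(key)
                if hit is not None and hit[0] > self._clock():
                    self._entries.move_to_end(key)
                    return hit[1]
                waiter = self._inflight.get(key)
                if waiter is None:
                    # Nobody is fetching this IP: become the leader.
                    self._inflight[key] = threading.Event()
                    break
            # Follower: wait for the leader, then re-check the cache.
            waiter.wait()
        try:
            value = self._fetch(key)
            with self._lock:
                self._entries[key] = (self._clock() + self._ttl, value)
                self._entries.move_to_end(key)
                while len(self._entries) > self._maxsize:
                    self._entries.popitem(last=False)  # evict least recently used
            return value
        finally:
            # Errors are not cached; waking followers lets one of them retry.
            with self._lock:
                self._inflight.pop(key).set()


if __name__ == "__main__":
    # Constructed stand-in for the HTTP client so the demo runs offline.
    upstream_calls = []

    def fake_fetch(ip):
        upstream_calls.append(ip)
        return {"ip": ip, "country": "US"}

    cache = TTLSingleFlightCache(fake_fetch)
    for _ in range(5):
        cache.get("8.8.8.8")
    print(len(upstream_calls), "upstream call(s) for 5 lookups")
```

Values are returned by reference, so callers should treat the cached dict as read-only.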
Step 5 — Shadow mode (the step that builds trust)
Before flipping any user-facing path: call both APIs and compare.
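```python
import logging

import requests

logger = logging.getLogger(__name__)
SHADOW_MODE = True  # module-level flag; _lookup is the Step 3 client

def lookup_country(ip: str) -> str:
    r = requests.get(f"https://ipapi.co/{ip}/json/", timeout=2.0)
    r.raise_for_status()
    legacy = r.json()["country"]
    if SHADOW_MODE:
        try:
            new = _lookup(ip)["country"]
            if new != legacy:
                logger.warning("ipapi-shadow-mismatch", extra={"ip": ip, "legacy": legacy, "new": new})
        except Exception as e:
            # a shadow failure must never affect the served response
            logger.error("ipapi-shadow-error", extra={"ip": ip, "error": str(e)})
    return legacy
```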
Run shadow mode for 24-48 hours. The mismatch rate on country-level data is typically <0.5% (mostly recent IP-block reassignments where one source is fresher). City-level is 1-3%. ASN naming is the noisiest signal — both providers ship the same numeric ASN, but the org field differs in shape: ipapi.co returns the org as a single string (e.g. "GOOGLE"); IP Geo API’s native shape splits this into network.asn (integer) + network.organization (string). The shim re-concatenates so the legacy org field stays a string, but if you parse the org string with a regex that expects ^AS\d+\s+(.+)$ (a few community SDKs do), test it before flipping. The single biggest mismatch class for ipapi.co is the threat-flag block: ipapi.co’s free shadow path does not include is_vpn / is_proxy / is_tor, while IP Geo API returns populated values. Treat absent-vs-populated as a known-good signal, not a mismatch.
For most fraud / analytics rules the numeric ASN is the only field that matters; pin your match logic to that.
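A shadow-mode comparator that applies the rules above, so the mismatch log only carries differences worth investigating. This is an added example, not code from the original page or the IP Geo API project; the function names, the compared field list and the second sample response are assumptions constructed for illustration.

```python
import re

THREAT_FLAGS = ("is_vpn", "is_proxy", "is_tor", "is_datacenter")
# The prefixed org shape that some community SDKs expect, e.g. "AS15169 Google LLC".
_ORG_WITH_ASN = re.compile(r"^AS\d+\s+(.+)$")

# First sample: subset of the ipapi.co response shown in Step 2.
LEGACY_SAMPLE = {"country": "US", "region_code": "CA", "city": "Mountain View",
                 "asn": "AS15169", "org": "GOOGLE"}
# Second sample: constructed shim-shaped response, not captured from the real API.
SHIM_SAMPLE = {"country": "US", "region_code": "CA", "city": "Mountain View",
               "asn": "AS15169", "org": "Google LLC",
               "is_vpn": False, "is_proxy": False, "is_tor": False,
               "is_datacenter": True}


def asn_number(value):
    """Normalise "AS15169", "15169" or 15169 to the integer 15169 (None if absent)."""
    if value is None or value == "":
        return None
    if isinstance(value, int):
        return value
    text = str(value).strip().upper()
    if text.startswith("AS"):
        text = text[2:]
    return int(text)  # garbage raises ValueError, which a type test should surface


def org_name(value):
    """Drop an optional "AS<digits> " prefix, then fold case and whitespace."""
    if not value:
        return ""
    stripped = value.strip()
    m = _ORG_WITH_ASN.match(stripped)
    name = m.group(1) if m else stripped
    return " ".join(name.split()).casefold()


def shadow_diff(legacy, new, fields=("country", "region_code", "city")):
    """Split the differences between two responses for one IP into
    'mismatch' (investigate) and 'expected' (known-benign shape differences)."""
    mismatch, expected = {}, {}
    for f in fields:
        if legacy.get(f) != new.get(f):
            mismatch[f] = (legacy.get(f), new.get(f))

    old_asn, new_asn = asn_number(legacy.get("asn")), asn_number(new.get("asn"))
    if old_asn != new_asn:
        mismatch["asn"] = (old_asn, new_asn)
    elif org_name(legacy.get("org")) != org_name(new.get("org")):
        # Same numeric ASN, different org spelling: naming noise only.
        expected["org"] = (legacy.get("org"), new.get("org"))

    for f in THREAT_FLAGS:
        if f not in legacy and f in new:
            expected[f] = (None, new[f])      # absent-vs-populated is known-good
        elif f in legacy and legacy[f] != new.get(f):
            mismatch[f] = (legacy[f], new.get(f))
    return {"mismatch": mismatch, "expected": expected}


if __name__ == "__main__":
    print(shadow_diff(LEGACY_SAMPLE, SHIM_SAMPLE))
```

Log only the mismatch part at warning level; counting the expected part separately shows how often org spelling differs before any rule string-matches on it.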
Step 6 — Gradual cutover
Once shadow logs are clean, flip a percentage of traffic via your feature-flag system (LaunchDarkly, Unleash, or a hashed-IP rollout):
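```python
import hashlib

def use_ipgeo(ip: str, percent: int) -> bool:
    # MD5 only spreads IPs across 100 stable buckets here; it is not a security control.
    # usedforsecurity=False (Python 3.9+) keeps this working on FIPS-restricted builds.
    h = int(hashlib.md5(ip.encode(), usedforsecurity=False).hexdigest(), 16)
    return (h % 100) < percent
```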
Recommended ladder: 10% → 50% → 100% over 48 hours. Watch your existing fraud-flag dashboards for unexpected spikes; the bundled threat-flag block exposes signals that ipapi.co’s free tier did not, so if you wire is_vpn=true into a soft-block rule you may see a 5-15% bump in flagged sessions. This is not a regression — it is the threat data you were paying for separately on ipapi’s /threat endpoint, now bundled.
Step 7 — Decommission
Once 100% has been on IP Geo API for >7 days with no incidents:
- Revoke the ipapi.co API key (paid plan) in the ipapi dashboard, or simply stop calling the anonymous endpoint (free plan).
- Cancel the ipapi subscription (Stripe USD invoices stop on the next cycle).
- Remove the IPAPI_KEY env var from CI / production / staging (if applicable).
- Remove the “Powered by ipapi” attribution backlink from every page, email template, and embed that previously rendered it. This is the step most teams forget — the attribution requirement is in the free-tier ToS and removing it is half the reason you are migrating.
- Delete the legacy fallback branch from your code (keep the feature-flag scaffold for the next migration).
- Update your DPIA / Article 30 record — processor change from ipapi (US) to corem6 BV (NL/EU).
The 7 gotchas teams hit in week one
- Attribution backlink left in HTML. ipapi.co’s free tier ToS requires “Powered by ipapi” linking to https://ipapi.co. Teams switch the API call but forget the rendered backlink lives on a footer template, an email signature, or a status-page embed. Grep your templates, not just your call sites. Removing the backlink is half the reason you are migrating.
- asn string vs integer. ipapi.co returns "AS15169" (string with AS prefix). IP Geo API native returns 15169 (integer, no prefix); the shim preserves the "AS..." string format on the asn field but exposes the integer at network.asn. Code that does int(asn[2:]) on the legacy field continues to work; code that reads network.asn as a string will break. Pin a unit test on the type before flipping.
- org string concatenation. ipapi.co’s org is a single string like "GOOGLE" or "GOOGLE LLC". IP Geo API native splits ASN-org into network.asn (integer) + network.organization (string). The shim re-concatenates so the legacy org field stays a single string, but the org-name suffix shape can differ slightly between providers ("GOOGLE" vs "Google LLC"). If your fraud rules string-match on the org name, test against a sample of 50+ IPs before the 50% cutover.
- No cache layer. Quota burn in 4-6 hours on the free tier. Add the cache before flipping the flag — the per-day ceiling on ipapi.co is small enough that an unflagged production deploy can exhaust it before lunch.
- Outbound HTTPS blocked. Production VPC egress rules deny api.ipgeo.10b.app. Get the firewall change scheduled before cutover. ipapi.co’s hostname (ipapi.co) was likely already allowlisted; the new hostname is not.
- Authorization header stripped at the edge. ipapi.co’s free tier is anonymous; IP Geo API uses a Bearer token in the Authorization header. Some CDNs / WAFs strip Authorization on calls to non-allowlisted hostnames. Test from prod before flipping >10%. (Workaround: pass the key as ?api_key=... query param instead — supported on every tier.)
- GDPR DPIA refresh. Switching processor classes (ipapi US → corem6 NL-only) usually triggers a one-page Article 30 update. Boring, but should be on the cutover checklist; it’s also the reason most teams started this migration in the first place.
What you’ll see in week two
- 70-90% cache-hit rate if step 4 was done right.
- ~10-25% bill reduction on the same volume (€29 vs ~$35 at 100K incl. threat data, €99 vs ~$95 at 1M; ipapi.co Pro is $35/mo for 50K req/mo with /threat requiring a separate quota).
- Attribution-free free tier — the single most-cited reason teams hit this guide. Side-project marketing pages and white-label embeds no longer have to render “Powered by ipapi”.
- VPN / Tor / proxy / datacenter flags on every response, free — no separate /threat endpoint, no separate quota.
- Cleaner DPO conversation at your next compliance review — EU-only contractually, no Article 44/45 transfer-impact-assessment for IP visitor data.
Pairing pages
- ipapi.co alternative comparison → — full feature matrix, EU-residency claim, free-tier specs.
- IP Geo API vs ipapi.co in 2026 → — narrative companion: when ipapi.co still wins.
- API reference → — endpoint, parameters, error codes (ships with paid tiers).
- Pricing → — EUR 0 / 29 / 99 tiers, no overage surprises.
FAQ
How long does a real ipapi.co migration take?
For a single-stack web app with 1-4 call sites and a working CI: half an engineering day end-to-end. Multi-stack monorepos with 10+ call sites: 1-2 days, mostly in shadow-mode tuning. The attribution-backlink scrub is the time sink, not the field-shape diff — grep your templates first.
Will my ipapi.co-shaped tests still pass?
Yes — the compatibility shim returns the same flat JSON shape for the supported field set. For fields outside the shim (country_capital, country_population, country_area_sq_km, languages comma-separated string, country_tld), mock the new client path or move that logic to a dedicated reference-data source.
What about the SDK ergonomics?
ipapi.co does not ship a first-party SDK; the SDKs in npm / PyPI under names like ipapi, ipapi-python, ipapicom-client are all community-maintained. Most callers are raw requests.get / fetch against the simple endpoint. We do not ship language SDKs in 2026 either — the API is small enough that a 10-line client is faster than an SDK.
What’s the rollback story if something goes wrong?
The feature flag gives you a 1-second flip back to ipapi.co. Keep the (free or paid) ipapi.co integration working for at least 30 days post-cutover. Most teams keep the attribution backlink in a feature-flagged template branch until the 30-day mark for instant fallback.
Can I migrate one service at a time?
Yes — and it’s the recommended approach. Each call site is independent. Migrate the lowest-risk one first (often a dashboard analytics path or a server-side log enrichment job), measure for a week, then move to the next. There is no all-or-nothing requirement.
What about ipapi.co’s JSONP / XML / CSV response formats?
Those are formats ipapi.co inherited from a 2014-era web stack. We support JSON only (REST and JSON:API content-types). If your code reads JSONP from a <script> tag or parses the XML response, refactor to JSON fetch first — this is a one-hour cleanup that pays back independently of which provider you end up on.
What if I was on the free tier with the attribution backlink?
Then this migration is also a brand-cleanup for you — IP Geo API’s free tier has no attribution requirement, so any white-label embed, footer, or email template that previously rendered “Powered by ipapi” can be cleaned up. This is the single most common reason side-project teams in the first hour of evaluation hit this guide.
What about ipapi.co’s Excel-style bulk CSV upload?
ipapi.co’s /bulk/ endpoint accepts a CSV of IPs and returns a CSV of results. We support the same workflow via a JSON POST to /v1/bulk with up to 100 IPs per call (paginate for larger batches). For one-off CSV-in-CSV-out workflows, a 20-line Python script using the JSON endpoint is shorter than the original CSV upload code.
Related migration & comparison reading
- How to Migrate from MaxMind GeoIP2 to IP Geo API in 2026 — sibling migration guide for the database-download incumbent
- How to Migrate from ipinfo.io to IP Geo API in 2026 — sibling migration guide for the dominant North-American REST incumbent
- How to Migrate from ipstack to IP Geo API in 2026 — sibling migration guide for the apilayer-published REST product
- How to Migrate from ipgeolocation.io to IP Geo API in 2026 — sibling migration guide for the bundled-endpoints REST incumbent (Security-API SKU consolidation, apiKey-in-URL log-leak)
- How to Migrate from IP2Location to IP Geo API in 2026 — sibling migration guide for the BIN/CSV/MMDB downloadable-database incumbent (IP2Proxy SKU consolidation, USD-annual-prepay-to-EUR-monthly billing migration)
- How to Migrate from DB-IP to IP Geo API in 2026 — sibling migration guide for the EU-headquartered (Brussels) MMDB-download incumbent (CC-BY-4.0 attribution scrub, IP-to-Threat / Anonymous / Datacenter SKU consolidation)
- IP Geo API vs ipapi.co in 2026 — narrative head-on with TCO math
- IP Geo API vs ipinfo.io in 2026 — when ipinfo.io still wins
- IP Geo API vs MaxMind GeoIP2 in 2026 — managed API vs self-hosted GeoIP2 dataset trade-offs
- IP Geo API vs ipstack in 2026 — pricing, throughput and threat-intel comparison
- IP Geo API vs ipgeolocation.io in 2026 — feature parity, GDPR posture, EUR billing
- IP Geo API vs IP2Location in 2026 — REST-first vs database-download
- IP Geo API vs DB-IP in 2026 — REST-first vs MMDB-download EU-vs-EU
Last reviewed 2026-05-09 · IP Geo API team · Comments / corrections: hello@ipgeo.10b.app