How to Migrate from ipinfo.io to IP Geo API in 2026: A Step-by-Step Drop-In Guide

7-minute read · 2026 code samples · honest rollback plan

This is the practical companion to the ipinfo.io alternative comparison → and the head-on review of ipinfo.io vs IP Geo API →. Those two pages tell you whether to switch. This page tells you how — including the three field-shape gotchas no other migration guide is honest about.

TL;DR — most ipinfo.io → IP Geo API migrations land in half an engineering day. The real work is not the swap itself; it is the loc-string split, the ASN-org concatenation, and a rollback path you actually trust.

Who this guide is for

You currently call ipinfo.io via https://ipinfo.io/{ip}?token=$TOKEN (or the official Node / Python / Go SDK), you’ve decided that the USD invoice plus the paid Privacy Detection add-on costs more than it should, and you want a REST replacement that:

• Returns the same flat JSON shape your code already consumes (no rewrite of downstream callers)
• Includes VPN / proxy / Tor / datacenter flags on every plan, with no add-on
• Bills in EUR with a transparent tier ceiling and SEPA / iDEAL / Bancontact at checkout

If those three boxes are unchecked — pause and read the vs comparison → first. The tradeoffs are real, especially if you depend on mobile-carrier classification or ipinfo.io’s downloadable database.

The 7-step migration checklist

1. Inventory every call site that hits ipinfo.io or imports an ipinfo SDK.
2. Map your fields to the ipinfo-compatibility response (?format=ipinfo).
3. Add a feature flag so you can switch any call site between providers.
4. Wire a 60-second cache in front of the API client (in-memory or Redis).
5. Deploy in shadow mode — call both, log differences, serve ipinfo.io responses.
6. Cut over gradually — 10% → 50% → 100% of traffic over 48 hours.
7. Decommission the ipinfo.io token — revoke, archive billing, delete the SDK.

The rest of this post walks each step with copy-paste code.

Step 1 — Inventory call sites

Run this in the repo root before touching anything:

git grep -nE "ipinfo\.io|ipinfo\.IPinfo|node-ipinfo|from ipinfo|github.com/ipinfo" -- ':!*.lock' ':!*.md'

Most teams find 2-8 call sites for ipinfo.io (it’s typically called from one or two services because the SDK is so simple). Make a list. Note for each: language, SDK version, fields consumed, and whether the result is cached.

Step 2 — Map the fields

ipinfo.io returns a flat JSON shape:

{
  "ip": "8.8.8.8",
  "city": "Mountain View",
  "region": "California",
  "country": "US",
  "loc": "37.4056,-122.0775",
  "org": "AS15169 Google LLC",
  "postal": "94043",
  "timezone": "America/Los_Angeles",
  "privacy": { "vpn": false, "proxy": false, "tor": false, "relay": false, "hosting": false }
}

IP Geo API ships a ?format=ipinfo compatibility shim that returns the same flat shape so most call sites stop noticing the swap. The mapping for the fields ~95% of integrations rely on:

Fields the shim does not cover (documented gaps): anycast flag, abuse contact block (ipinfo paid-only Abuse Contact API), domains reverse-DNS list (separate ipinfo product), and mobile_carrier.{name,mcc,mnc} (ipinfo Mobile Carrier add-on; our equivalent is on the Q3 2026 roadmap). If your code reads any of those, list them as blockers and decide per call site whether to drop the dependency or keep ipinfo.io for that path only (hybrid pattern — see the comparison page →).

Step 3 — Feature flag, then drop-in client

Python (was ipinfo.getHandler)

# before
import ipinfo
handler = ipinfo.getHandler(os.environ["IPINFO_TOKEN"])
res = handler.getDetails(ip)
country = res.country

# after — drop-in via the ipinfo-compatibility shim
import os, requests
from functools import lru_cache

API_KEY = os.environ["IPGEO_API_KEY"]
USE_IPGEO = os.environ.get("USE_IPGEO_API", "0") == "1"   # feature flag

@lru_cache(maxsize=10_000)
def _lookup(ip: str) -> dict:
    r = requests.get(
        f"https://api.ipgeo.10b.app/v1/{ip}",
        headers={"Authorization": f"Bearer {API_KEY}"},
        params={"format": "ipinfo"},
        timeout=2.0,
    )
    r.raise_for_status()
    return r.json()

def lookup_country(ip: str) -> str:
    if USE_IPGEO:
        return _lookup(ip)["country"]   # flat shape — no rewrite
    return handler.getDetails(ip).country

The lru_cache decorator gives you a free in-process cache; replace with Redis SETEX 60 for multi-pod deployments.

Node / TypeScript (was node-ipinfo)

// before
import { IPinfoWrapper } from "node-ipinfo";
const ipinfo = new IPinfoWrapper(process.env.IPINFO_TOKEN!);
const res = await ipinfo.lookupIp(ip);

// after — drop-in
const cache = new Map<string, any>();
export async function geoLookup(ip: string) {
  if (process.env.USE_IPGEO_API !== "1") return ipinfo.lookupIp(ip);
  if (cache.has(ip)) return cache.get(ip);
  const r = await fetch(`https://api.ipgeo.10b.app/v1/${ip}?format=ipinfo`, {
    headers: { Authorization: `Bearer ${process.env.IPGEO_API_KEY!}` },
  });
  if (!r.ok) throw new Error(`ipgeo ${r.status}`);
  const j = await r.json();
  cache.set(ip, j);
  setTimeout(() => cache.delete(ip), 60_000);   // 60-s TTL
  return j;
}

Go (was github.com/ipinfo/go/v2/ipinfo)

// after — drop-in via the ipinfo-compatibility shim
url := fmt.Sprintf("https://api.ipgeo.10b.app/v1/%s?format=ipinfo", ip)
req, _ := http.NewRequestWithContext(ctx, "GET", url, nil)
req.Header.Set("Authorization", "Bearer "+os.Getenv("IPGEO_API_KEY"))
resp, err := httpClient.Do(req)
// ... unmarshal into your existing ipinfo.Core struct

Step 4 — Cache layer (the step everyone skips)

A naive 1-call-per-request integration will burn through paid-tier quotas in week one. ipinfo.io’s smoothed monthly limit hides this, but our daily ceilings make it visible immediately on the free tier. The good news: most production traffic is dominated by 1-5% of IPs (your bot crawler, your monitoring, your power users). A 60-second in-memory cache typically deflects 70-90% of calls at zero cost.

• Single-pod / serverless Lambda: Python lru_cache or a Map in Node, sized 10k entries.
• Multi-pod web: Redis SETEX <ip> 60 <json> or your existing distributed cache.
• Edge / CDN: Cloudflare Workers KV with a 60-300 s TTL.

If you want strict cache-miss bounds, add a per-host concurrency limiter so only one in-flight call per IP is ever issued.

Step 5 — Shadow mode (the step that builds trust)

Before flipping any user-facing path: call both APIs and compare.

def lookup_country(ip: str) -> str:
    legacy = handler.getDetails(ip).country
    if SHADOW_MODE:
        try:
            new = _lookup(ip)["country"]
            if new != legacy:
                logger.warning("ipinfo-shadow-mismatch", extra={"ip": ip, "legacy": legacy, "new": new})
        except Exception as e:
            logger.error("ipinfo-shadow-error", extra={"ip": ip, "error": str(e)})
    return legacy

Run shadow mode for 24-48 hours. The mismatch rate on country-level data is typically <0.5% (mostly recent IP-block reassignments where one source is fresher). City-level is 1-3%. ASN naming is the noisiest signal — both providers ship the same numeric ASN, but the org-name suffix can differ ("Google LLC" vs "GOOGLE-LLC"). For most fraud / analytics rules the numeric ASN is the only field that matters; pin your match logic to that.

Step 6 — Gradual cutover

Once shadow logs are clean, flip a percentage of traffic via your feature-flag system (LaunchDarkly, Unleash, or a hashed-IP rollout):

import hashlib

def use_ipgeo(ip: str, percent: int) -> bool:
    h = int(hashlib.md5(ip.encode()).hexdigest(), 16)
    return (h % 100) < percent

Recommended schedule: 10% → 50% → 100% over 48 hours. Watch error rate, p99 latency, and downstream conversion / fraud-rate dashboards for any regression.

Step 7 — Decommission

After 7 days at 100% with no rollback events, you can:

• Revoke the ipinfo.io token in the dashboard.
• Cancel ipinfo.io billing (Privacy Detection add-on first, then base plan).
• Remove node-ipinfo / ipinfo / github.com/ipinfo/go/v2 from build manifests.
• Archive the token (do not delete — keep it dormant for at least 90 days as part of your rollback plan; ipinfo lets you re-issue without resubscribing).

The size win is smaller than the MaxMind decommission (no multi-GB MMDB to delete), but you do shave one HTTP client and one auth-flow off your dependency graph.

Rollback plan

Keep the legacy ipinfo.io path behind the same feature flag for a minimum of 30 days. If you see a regression at any percentage, you can flip back with one config change and zero deploy. After 30 days of stability, prune the dead code in a separate PR.

Note: ipinfo.io tokens accept query-param OR Authorization: Bearer auth; we standardise on Bearer for IP Geo API. Make sure your reverse proxy / WAF is not stripping Authorization headers on the new vendor’s hostname before flipping above 10%.

The 7 gotchas teams hit in week one

1. loc string parsing. ipinfo returns "37.40,-122.07"; if your code does loc.split(",") you’re fine, but if you previously parsed the SDK’s typed Location{Latitude, Longitude} object, the shim’s flat string is a behavioural change. Use ?format=ipgeo to get split fields.
2. org concatenation. ipinfo returns "AS15169 Google LLC" as one string; some downstream code does org.split(" ", 1) to extract the ASN. The shim preserves the same concatenation, but you should silently switch consumers to the native network.asn integer field at the same time — concat-parsing is a known fragility point.
3. No cache layer. Quota burn in 48 h. Add the cache before flipping the flag.
4. Outbound HTTPS blocked. Production VPC egress rules deny api.ipgeo.10b.app. Get firewall change scheduled before cutover. Easy to forget when ipinfo.io’s hostname was already allowlisted.
5. Authorization header stripped at the edge. Some CDNs / WAFs strip Authorization on calls to non-allowlisted hostnames. Test from prod before flipping >10%.
6. CI / test environments. Shared test IPs (127.0.0.1, ::1) return 422 from the API; mock them in test or short-circuit before the call.
7. GDPR DPIA refresh. Switching processor classes (US Delaware ipinfo.io → EU-only IP Geo API) usually triggers a one-page Article 30 update. Boring, but should be on the cutover checklist; it’s also the reason most teams started this migration in the first place.

What you’ll see in week two

• 70-90% cache-hit rate if step 4 was done right.
• ~57-68% bill reduction on the same volume (€29 vs $99 at 100K, €99 vs $249 at 1M).
• VPN / Tor / proxy / hosting flags on every response, free — no separate Privacy Detection add-on. Most teams find one new fraud rule worth shipping in the first month.
• Cleaner DPO conversation at your next compliance review — EU-only contractually, no Article 44/45 transfer-impact-assessment for IP visitor data.

Pairing pages

• ipinfo.io alternative comparison → — full feature matrix, EU-residency claim, free-tier specs.
• IP Geo API vs ipinfo.io in 2026 → — narrative companion: when ipinfo.io still wins.
• API reference → — endpoint, parameters, error codes (ships with paid tiers).
• Pricing → — EUR 0 / 29 / 99 tiers, no overage surprises.

FAQ

How long does a real ipinfo migration take? For a single-stack web app with 2-6 call sites and a working CI: half an engineering day end-to-end. Multi-stack monorepos with 10+ call sites: 1-2 days, mostly in shadow-mode tuning.

Will my ipinfo-shaped tests still pass? Yes — if you’ve used dependency injection on the SDK. The compatibility shim returns the same flat JSON shape for the supported field set. For fields outside the shim (mobile carrier, abuse contact, domains), mock the new client path instead.

What about the SDK ergonomics — typed objects vs raw JSON? ipinfo’s official SDKs return typed Details / Core structs. We do not ship language SDKs in 2026 — the API is small enough that a 10-line client is faster than a SDK. If your codebase relied on typed accessors, write a thin adapter (~20 LOC) that unmarshals the JSON into your existing struct shape; this keeps the rest of the codebase unchanged.

What’s the rollback story if something goes wrong? The feature flag gives you a 1-second flip back to ipinfo.io. Keep the token and the SDK alive for at least 30 days post-cutover. Most teams keep them for 90 days for audit-trail reasons.

Can I migrate one service at a time? Yes — and it’s the recommended approach. Each call site is independent. Migrate the lowest-risk one first (often a dashboard analytics path), measure for a week, then move to the next. There is no all-or-nothing requirement.

What about the Lite database (the free CSV)? Different beast — that’s a downloadable file, not an API call. If your code consumes the ipinfo Lite CSV at build-time (common in static-site generators), the migration looks more like the migrate-from-MaxMind guide than this one. Ping us at hello@ipgeo.10b.app if that’s your shape.

Related migration & comparison reading

• How to Migrate from MaxMind GeoIP2 to IP Geo API in 2026 — sibling migration guide for the database-download incumbent
• How to Migrate from ipstack to IP Geo API in 2026 — sibling migration guide for the apilayer-hosted REST incumbent (HTTPS-on-free + bundled Security)
• How to Migrate from ipapi.co to IP Geo API in 2026 — sibling migration guide for the attribution-tied free-tier REST incumbent (org-string concatenation + bundled threat flags)
• How to Migrate from ipgeolocation.io to IP Geo API in 2026 — sibling migration guide for the bundled-endpoints REST incumbent (Security-API SKU consolidation, apiKey-in-URL log-leak)
• How to Migrate from IP2Location to IP Geo API in 2026 — sibling migration guide for the BIN/CSV/MMDB downloadable-database incumbent (IP2Proxy SKU consolidation, USD-annual-prepay-to-EUR-monthly billing migration)
• How to Migrate from DB-IP to IP Geo API in 2026 — sibling migration guide for the EU-headquartered (Brussels) MMDB-download incumbent (CC-BY-4.0 attribution scrub, IP-to-Threat / Anonymous / Datacenter SKU consolidation)
• IP Geo API vs ipinfo.io in 2026 — narrative head-on with TCO math
• IP Geo API vs MaxMind GeoIP2 in 2026 — managed API vs self-hosted GeoIP2 dataset trade-offs
• IP Geo API vs ipstack in 2026 — modern EU-hosted alternative
• IP Geo API vs ipapi.co in 2026 — pricing, throughput and threat-intel comparison
• IP Geo API vs ipgeolocation.io in 2026 — feature parity, GDPR posture, EUR billing
• IP Geo API vs IP2Location in 2026 — REST-first vs database-download
• IP Geo API vs DB-IP in 2026 — REST-first vs MMDB-download EU-vs-EU

Industry deep-dives

• IP Geolocation for Fintech — KYC, Sanctions Screening, Fraud, and EU Residency → — fintech-specific deep-dive: the three IP-control surfaces (KYC country-of-origin, OFAC/EU sanctions, payment-fraud risk), EU-hosted GDPR posture, EUR billing, ASN-level hosting detection, and ≤40 ms median EU-edge latency for 800-1200 ms PSP authorisation budgets.

• IP Geolocation for Ad-Tech — RTB Enrichment, SIVT/IVT Filtering, and Click-Fraud Attribution → — ad-tech-specific deep-dive: the three IP-control surfaces (RTB bid enrichment with ≤40 ms latency budget + OpenRTB 2.6 device.geo/device.ext, SIVT/IVT filtering with IAB-confirmed datacenter ASN block-list, click-fraud post-back attribution + risk scoring), EU-hosted GDPR + ePrivacy + IAB-TCF v2.2 posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for iGaming — Licence-Jurisdiction Enforcement, VPN-Circumvention Scoring, and Self-Exclusion Register Routing → — iGaming-specific deep-dive: the three IP-control surfaces (licence-jurisdiction enforcement with hard-fail-closed posture across MGA/UKGC/KSA/DGOJ/ANJ/ADM/DAS, anti-circumvention scoring with residential-proxy ASN block-list covering Bright Data + Oxylabs + Smartproxy + IPRoyal, self-exclusion register routing to GamStop/CRUKS/ROFUS/Spelpaus/OASIS by IP-country), EU-hosted GDPR + EGBA posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for SaaS Monetization — Geo-Pricing, EU-VAT/DAC7 Tax-Routing, Trial-Abuse Scoring, and OFAC/EAR Export-Controls → — SaaS-specific deep-dive: the four IP-control surfaces (PPP-anchored geo-pricing with ≤40 ms checkout-flow budget, EU-VAT-MOSS + OECD DAC7 tax-routing to the right Stripe/Adyen/Braintree/Paddle tax-id, trial-abuse detection with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal, and OFAC SDN + EAR export-controls feature-gating), EU-hosted GDPR posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for Streaming Media — Content Licensing, VPN-Bypass Defence, CDN POP Steering, and SSAI Ad-Insertion → — Streaming-media-specific deep-dive: the four IP-control surfaces (per-territory licensing enforcement with hard-fail-closed HTTP 451 on ambiguous resolve, VPN/proxy/Tor circumvention defence with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal, CDN POP steering and adaptive bitrate-ladder selection across Akamai/Cloudflare/Fastly/BunnyCDN/Lumen, and SSAI ad-insertion targeting with sports blackout windows via Haversine GPS-distance), ≤40 ms session-init budget on EU edges, studio-grade 24-month audit trail, threat fields on every plan, ASN-level granularity, and EU-hosted GDPR + AVMSD (Directive 2018/1808) posture.

• IP Geolocation for E-commerce — Tax-Jurisdiction Routing, BIN-vs-IP Carding Defence, PPP-Adjusted Currency Display, and Shipping-Zone Fulfilment Routing → — E-commerce-specific deep-dive: the four IP-control surfaces (EU OSS distance-sales 27-rate map + UK VAT 20% + CH-VAT 7.7% + NO MVA 25% + US Wayfair 13-state nexus + CA GST/HST per-province + AU/SG/IN/BR/JP GST/ICMS/JCT with sanctions hard-stop on IR/KP/SY/CU/BY/RU/MM/VE at checkout; BIN-vs-IP carding + refund-fraud 6-factor weighted score at place-order with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3; PPP-adjusted 7-tier pricebook on first paint with VPN/proxy fall-back to BIN-billing-country; 9-warehouse fulfilment routing FRA/AMS/MAD/MIL/DOV/IAD/LAX/DEL/SIN with DDP/DDU duty pre-calc and lithium/aerosol/prescription destination-gates), ≤40 ms checkout-first-paint budget, DAC7/GDPR/EU OSS audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

• IP Geolocation for Healthcare — Cross-Border Telehealth Licensing, HIPAA PHI/EPHI Access Geofencing, EU Patient-Data Residency w/ Schrems II Routing, and Cross-Border Pharma + DEA Schedule Gating → — Healthcare-specific deep-dive: the four IP-control surfaces (cross-border telehealth licensure match at consult-init w/ US IMLC 41-state partial + CA/FL/NY/TX independent + EU MRPQ Directive 2005/36/EC + DE Bundesärztekammer + NL BIG + FR ONM + UK GMC + HTTP 451 hard-fail-closed on jurisdiction-mismatch + NO_RECIPROCITY hard-stop on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO; HIPAA 45 CFR §164.308(a)(4) PHI/EPHI access geofencing w/ clinical-ASN allowlist Epic/Cerner/Allscripts/Mayo/MGH/Cleveland/Kaiser + residential-proxy ASN reject Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + home-office BAA-attested workstation allowlist + risk_score < 30 soft-allow; EU patient-data residency w/ GDPR Art. 9 special-category + EDPB Recommendations 01/2020 supplementary technical measures + Schrems II SCC flag for US-shard + routing to 6 EHR shards EU-FRA/EU-AMS/UK-LON/US-IAD/CA-YYZ/AU-SYD w/ VPN/proxy → fall-back to EU-FRA highest protection; cross-border pharma + controlled-substance gating w/ DEA Schedules I-V + Ryan Haight Act §3 in-person-eval requirement for telemed Rx + EU Falsified Medicines Directive 2011/62/EU originator-country audit + per-country bans for cannabis/CBD/psilocybin/MDMA/kratom), ≤40 ms consult-init budget, HIPAA/GDPR Art. 9/Schrems II/DEA/EU FMD audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

• IP Geolocation for Travel + Hospitality — Geo-Rate Enforcement + Dynamic-Pricing per Booking Origin, OTA Carding + ATO Defence, OFAC/EU CONSILIUM/UK OFSI Sanctions Screening at Booking-Init, and GDS + EU OSS / DAC7 Reporting → — Travel/hospitality-specific deep-dive: the four IP-control surfaces (geo-rate enforcement + dynamic-pricing per booking origin w/ 8-tier pricebook T1 EU-Lux 1.00x → T8 Africa 0.75x + VPN/proxy/Tor fall-back to T2_NA_LUX anti-arbitrage + SANCTIONS_HARDSTOP on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO HTTP 451 at search-render + BIN-billing-country pin at checkout; OTA carding + ATO defence at booking checkout w/ corporate-travel-platform ASN allowlist AS-CWT/Amex GBT/BCD/FCM/Egencia/Navan/Amadeus/Sabre fast-lane + consumer-OTA reject on VPN/Tor/relay + residential-proxy ASN block Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + 6-factor carding score threshold ≥70; OFAC + EU CONSILIUM + UK OFSI sanctions screening at booking-init w/ sanctioned-origin hard-stop regardless of session residency + EU 6AMLD compelled-disclosure on VPN/proxy + US-Cuba 31 CFR §515 General License gate + luxury-segment AML thresholds yacht €10K / private jet €20K / villa €5K/night / heli €3K + PEP screen + source-of-funds eval; GDS + inventory routing + EU OSS / DAC7 reporting w/ Amadeus EU/UK + Sabre US/CA + Travelport APAC + 27 EU-MS destination-VAT rates DE 19% → HU 27% + NO 25% + CH 8.1% + UK 20% + DAC7 Directive 2021/514 reportable-platform-operator evidence-log 5-year retention + Jan-31 lead-MS annual report), ≤40 ms search-render budget, OFAC/EU CONSILIUM/UK OFSI/DAC7/EU OSS/HOTREC audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

Last reviewed 2026-05-09 · IP Geo API team · Comments / corrections: hello@ipgeo.10b.app

Pairs with the full ipinfo.io alternative comparison page and the head-on IP Geo API vs ipinfo.io review.