How to Migrate from ipstack to IP Geo API in 2026: A Step-by-Step Drop-In Guide

7-minute read · 2026 code samples · honest rollback plan

This is the practical companion to the ipstack alternative comparison → and the head-on review of ipstack vs IP Geo API →. Those two pages tell you whether to switch. This page tells you how — including the three field-shape gotchas no other migration guide is honest about.

TL;DR — most ipstack → IP Geo API migrations land in half an engineering day. The real work is not the swap itself; it is the HTTP→HTTPS scheme flip on free-tier code paths, the connection.* block split that the Security-Module add-on glued together, and a rollback path you actually trust.

Who this guide is for

You currently call ipstack via http://api.ipstack.com/{ip}?access_key=$KEY (or the apilayer-published SDK), you’ve decided that the USD-Paddle invoice plus the paid Security Module add-on costs more than it should, and you want a REST replacement that:

• Returns a JSON shape close enough to the existing flat ipstack response that downstream consumers don’t have to be rewritten
• Includes VPN / proxy / Tor / datacenter flags on every plan, with no Security Module add-on
• Bills in EUR with a transparent tier ceiling and SEPA / iDEAL / Bancontact at checkout
• Serves over HTTPS on the free tier (ipstack’s free plan is HTTP-only — the single most common reason teams hit this guide)

If those four boxes are unchecked — pause and read the vs comparison → first. The tradeoffs are real, especially if you depend on ipstack’s global Anycast latency from non-EU clients or you already use multiple apilayer products under one dashboard.

The 7-step migration checklist

1. Inventory every call site that hits api.ipstack.com or imports an apilayer SDK.
2. Map your fields to the ipstack-compatibility response (?format=ipstack).
3. Add a feature flag so you can switch any call site between providers.
4. Wire a 60-second cache in front of the API client (in-memory or Redis).
5. Deploy in shadow mode — call both, log differences, serve ipstack responses.
6. Cut over gradually — 10% → 50% → 100% of traffic over 48 hours.
7. Decommission the ipstack access_key — revoke in the apilayer dashboard, archive billing, delete the SDK.

The rest of this post walks each step with copy-paste code.

Step 1 — Inventory call sites

Run this in the repo root before touching anything:

git grep -nE "api\.ipstack\.com|access_key=|apilayer" -- ':!*.lock' ':!*.md'

Most teams find 1-4 call sites for ipstack. The endpoint is so simple (one HTTP GET, one query param) that direct requests.get / fetch calls are common — there’s often no SDK to grep. Make a list. Note for each: language, scheme (http vs https), fields consumed, and whether the result is cached.

Watch-out: count test code separately from production. Test fixtures often hardcode http://api.ipstack.com/... URLs that won’t trip a TLS-only egress allowlist; production paths usually do. Both need switching, but the order matters for shadow-mode (Step 5).

Step 2 — Map the fields

ipstack returns a flat JSON shape, with two nested blocks (location, time_zone, currency, connection, security):

{
  "ip": "8.8.8.8",
  "type": "ipv4",
  "continent_code": "NA",
  "continent_name": "North America",
  "country_code": "US",
  "country_name": "United States",
  "region_code": "CA",
  "region_name": "California",
  "city": "Mountain View",
  "zip": "94043",
  "latitude": 37.4056,
  "longitude": -122.0775,
  "location": { "geoname_id": 5375480, "capital": "Washington D.C.", "languages": [{"code":"en","name":"English","native":"English"}] },
  "time_zone": { "id": "America/Los_Angeles", "current_time": "2026-05-09T09:03:42-07:00", "gmt_offset": -25200, "code": "PDT", "is_daylight_saving": true },
  "currency": { "code": "USD", "name": "US Dollar", "symbol": "$" },
  "connection": { "asn": 15169, "isp": "Google LLC" },
  "security": { "is_proxy": false, "proxy_type": null, "is_crawler": false, "is_tor": false, "threat_level": "low" }
}

IP Geo API ships a ?format=ipstack compatibility shim that returns the same flat shape so most call sites stop noticing the swap. The mapping for the fields ~95% of integrations rely on:

Fields the shim does not cover (documented gaps): location.languages array (apilayer-specific enrichment, low signal), location.capital and location.geoname_id (we do not import GeoNames), currency block (use a dedicated FX API such as exchangerate.host — ipstack’s currency block was a low-signal multi-vendor attachment), and the deprecated time_zone.current_time clock string (reconstruct on the client from gmt_offset). If your code reads any of those, list them as blockers and decide per call site whether to drop the dependency or keep ipstack for that path only (hybrid pattern — see the comparison page →).

Step 3 — Feature flag, then drop-in client

Python (was raw requests against api.ipstack.com)

# before
import os, requests
IPSTACK_KEY = os.environ["IPSTACK_ACCESS_KEY"]

def lookup_country(ip: str) -> str:
    r = requests.get(f"http://api.ipstack.com/{ip}", params={"access_key": IPSTACK_KEY}, timeout=2.0)
    r.raise_for_status()
    return r.json()["country_code"]

# after — drop-in via the ipstack-compatibility shim
import os, requests
from functools import lru_cache

API_KEY = os.environ["IPGEO_API_KEY"]
USE_IPGEO = os.environ.get("USE_IPGEO_API", "0") == "1"   # feature flag

@lru_cache(maxsize=10_000)
def _lookup(ip: str) -> dict:
    r = requests.get(
        f"https://api.ipgeo.10b.app/v1/{ip}",
        headers={"Authorization": f"Bearer {API_KEY}"},
        params={"format": "ipstack"},
        timeout=2.0,
    )
    r.raise_for_status()
    return r.json()

def lookup_country(ip: str) -> str:
    if USE_IPGEO:
        return _lookup(ip)["country_code"]   # flat shape — no rewrite
    r = requests.get(f"https://api.ipstack.com/{ip}", params={"access_key": IPSTACK_KEY}, timeout=2.0)
    r.raise_for_status()
    return r.json()["country_code"]

Note the scheme flip: the new client URL is https://, and the old fallback path should be moved to https:// before the shadow-mode comparison if your ipstack plan is Basic or higher. If you are still on Free (HTTP-only), keep http:// for ipstack but log a TODO — mixed-scheme code paths are a real source of CSP bugs in production.

Node / TypeScript (was raw fetch against api.ipstack.com)

// before
const r = await fetch(`http://api.ipstack.com/${ip}?access_key=${process.env.IPSTACK_ACCESS_KEY}`);
const j = await r.json();

// after — drop-in
const cache = new Map<string, any>();
export async function geoLookup(ip: string) {
  if (process.env.USE_IPGEO_API !== "1") {
    const r = await fetch(`https://api.ipstack.com/${ip}?access_key=${process.env.IPSTACK_ACCESS_KEY}`);
    return r.json();
  }
  if (cache.has(ip)) return cache.get(ip);
  const r = await fetch(`https://api.ipgeo.10b.app/v1/${ip}?format=ipstack`, {
    headers: { Authorization: `Bearer ${process.env.IPGEO_API_KEY!}` },
  });
  if (!r.ok) throw new Error(`ipgeo ${r.status}`);
  const j = await r.json();
  cache.set(ip, j);
  setTimeout(() => cache.delete(ip), 60_000);   // 60-s TTL
  return j;
}

Go

// after — drop-in via the ipstack-compatibility shim
url := fmt.Sprintf("https://api.ipgeo.10b.app/v1/%s?format=ipstack", ip)
req, _ := http.NewRequestWithContext(ctx, "GET", url, nil)
req.Header.Set("Authorization", "Bearer "+os.Getenv("IPGEO_API_KEY"))
resp, err := httpClient.Do(req)
// ... unmarshal into your existing ipstack-shaped struct

Step 4 — Cache layer (the step everyone skips)

A naive 1-call-per-request integration will burn through paid-tier quotas in week one. ipstack’s monthly ceilings smear this over 30 days; our daily ceilings make it visible immediately on the free tier. The good news: most production traffic is dominated by 1-5% of IPs (your bot crawler, your monitoring, your power users). A 60-second in-memory cache typically deflects 70-90% of calls at zero cost.

• Single-pod / serverless Lambda: Python lru_cache or a Map in Node, sized 10k entries.
• Multi-pod web: Redis SETEX <ip> 60 <json> or your existing distributed cache.
• Edge / CDN: Cloudflare Workers KV with a 60-300 s TTL.

If you want strict cache-miss bounds, add a per-host concurrency limiter so only one in-flight call per IP is ever issued.

Step 5 — Shadow mode (the step that builds trust)

Before flipping any user-facing path: call both APIs and compare.

def lookup_country(ip: str) -> str:
    r = requests.get(f"https://api.ipstack.com/{ip}", params={"access_key": IPSTACK_KEY}, timeout=2.0)
    r.raise_for_status()
    legacy = r.json()["country_code"]
    if SHADOW_MODE:
        try:
            new = _lookup(ip)["country_code"]
            if new != legacy:
                logger.warning("ipstack-shadow-mismatch", extra={"ip": ip, "legacy": legacy, "new": new})
        except Exception as e:
            logger.error("ipstack-shadow-error", extra={"ip": ip, "error": str(e)})
    return legacy

Run shadow mode for 24-48 hours. The mismatch rate on country-level data is typically <0.5% (mostly recent IP-block reassignments where one source is fresher). City-level is 1-3%. ASN naming is the noisiest signal — both providers ship the same numeric ASN, but the org-name suffix can differ ("Google LLC" vs "GOOGLE-LLC"). The single biggest mismatch class for ipstack is the security.* block: ipstack’s free shadow path will return empty / null fields because the Security Module is paywalled, while IP Geo API returns populated values. Treat null-vs-populated as a known-good signal, not a mismatch.

For most fraud / analytics rules the numeric ASN is the only field that matters; pin your match logic to that.

Step 6 — Gradual cutover

Once shadow logs are clean, flip a percentage of traffic via your feature-flag system (LaunchDarkly, Unleash, or a hashed-IP rollout):

import hashlib

def use_ipgeo(ip: str, percent: int) -> bool:
    h = int(hashlib.md5(ip.encode()).hexdigest(), 16)
    return (h % 100) < percent

Recommended ladder: 10% → 50% → 100% over 48 hours. Watch your existing fraud-flag dashboards for unexpected spikes; the bundled security.* block is more sensitive than ipstack’s paid Security Module on common abuse-feed-listed ranges (Spamhaus DROP overlap), so a 10-20% bump in is_proxy=true is normal and not a regression.

Step 7 — Decommission

Once 100% has been on IP Geo API for >7 days with no incidents:

1. Revoke the access_key in the apilayer dashboard.
2. Cancel the apilayer subscription (Paddle invoices stop on the next cycle).
3. Remove the IPSTACK_ACCESS_KEY env var from CI / production / staging.
4. Delete the legacy fallback branch from your code (keep the feature-flag scaffold for the next migration).
5. Update your DPIA / Article 30 record — processor change from apilayer (US/AT) to corem6 BV (NL/EU).

The 7 gotchas teams hit in week one

1. HTTP→HTTPS scheme flip on free-tier code paths. ipstack’s free plan is HTTP-only; production code that previously read http://api.ipstack.com/... will now hit https://api.ipgeo.10b.app/v1/.... Most CSP / mixed-content errors disappear silently the moment you flip — but if any test or staging environment still expects http://, the cutover lands with a 4xx storm. Audit every URL string before flipping the flag.
2. security.* shape change. ipstack’s security block is empty / null on the free plan and only populated on Professional ($49.99/mo). The IP Geo API shim populates the same path on every tier. Code paths that branch on security == null to mean “no Security Module” will start triggering the populated-branch — which is usually what you want, but verify your fraud rules behave the way you expect when the flags arrive on every request.
3. connection.asn integer vs string. ipstack returns connection.asn as an integer (15169); some downstream code does str(asn) or asn.zfill(...) and expects a string. The shim preserves the integer type — but if your code was tolerant of both and silently converted, the new shim’s strict typing may surface a pre-existing bug. Pin a unit test on the type before flipping.
4. No cache layer. Quota burn in 48 h. Add the cache before flipping the flag.
5. Outbound HTTPS blocked. Production VPC egress rules deny api.ipgeo.10b.app. Get firewall change scheduled before cutover. ipstack’s hostname (api.ipstack.com) was likely already allowlisted; the new hostname is not.
6. Authorization header stripped at the edge. ipstack used a query-param access_key; IP Geo API uses a Bearer token in the Authorization header. Some CDNs / WAFs strip Authorization on calls to non-allowlisted hostnames. Test from prod before flipping >10%. (Workaround: pass the key as ?api_key=... query param instead — supported on every tier.)
7. GDPR DPIA refresh. Switching processor classes (apilayer Vienna+Delaware → corem6 NL-only) usually triggers a one-page Article 30 update. Boring, but should be on the cutover checklist; it’s also the reason most teams started this migration in the first place.

What you’ll see in week two

• 70-90% cache-hit rate if step 4 was done right.
• ~50-65% bill reduction on the same volume (€29 vs ~$50 at 100K incl. Security Module, €99 vs ~$80 at 1M; ipstack Professional + Security Module is $49.99/mo).
• HTTPS on every request, free — the single most-cited reason teams hit this guide. Side-project code paths that broke under mixed-content rules now work without an upgrade.
• VPN / Tor / proxy / crawler / threat-level flags on every response, free — no separate Security Module add-on. Most teams find one new fraud rule worth shipping in the first month.
• Cleaner DPO conversation at your next compliance review — EU-only contractually, no Article 44/45 transfer-impact-assessment for IP visitor data.

Pairing pages

• ipstack alternative comparison → — full feature matrix, EU-residency claim, free-tier specs.
• IP Geo API vs ipstack in 2026 → — narrative companion: when ipstack still wins.
• API reference → — endpoint, parameters, error codes (ships with paid tiers).
• Pricing → — EUR 0 / 29 / 99 tiers, no overage surprises.

FAQ

How long does a real ipstack migration take? For a single-stack web app with 1-4 call sites and a working CI: half an engineering day end-to-end. Multi-stack monorepos with 10+ call sites: 1-2 days, mostly in shadow-mode tuning. The HTTP→HTTPS scheme flip is the time sink, not the field-shape diff.

Will my ipstack-shaped tests still pass? Yes — the compatibility shim returns the same flat JSON shape for the supported field set. For fields outside the shim (location.languages, location.capital, location.geoname_id, the currency block), mock the new client path or move that logic to a dedicated FX / GeoNames data source.

What about the SDK ergonomics? ipstack does not ship a first-party SDK; most callers are raw requests.get / fetch. We do not ship language SDKs in 2026 either — the API is small enough that a 10-line client is faster than a SDK. Migration mostly amounts to changing two strings (URL and auth header).

What’s the rollback story if something goes wrong? The feature flag gives you a 1-second flip back to ipstack. Keep the access_key and the apilayer subscription alive for at least 30 days post-cutover. Most teams keep them for 90 days for audit-trail reasons.

Can I migrate one service at a time? Yes — and it’s the recommended approach. Each call site is independent. Migrate the lowest-risk one first (often a dashboard analytics path or a server-side log enrichment job), measure for a week, then move to the next. There is no all-or-nothing requirement.

What about the apilayer multi-API dashboard? If you also use currencylayer, weatherstack, numverify, or another apilayer product, the convenience of one dashboard is real. The hybrid pattern is fine: keep ipstack for the legacy path, point new code at IP Geo API, and re-evaluate at next contract renewal. Most teams find the bill split is favourable within one billing cycle even keeping the ipstack base subscription.

What if my plan was Free (HTTP-only)? Then this migration is also a TLS upgrade for you — IP Geo API’s free tier serves HTTPS, so any browser-side code that was previously gated behind a $9.99/mo Basic upgrade now works on the free tier. This is the single most common reason teams in the first hour of evaluation hit this guide.

What about ipstack’s currency and location.languages blocks? Those were enrichment fields apilayer attached because they ship currencylayer / a languages API too. We do not import them — we believe IP→currency and IP→language are weak signals and should be replaced by Accept-Language header parsing and an explicit user-preference store. If you genuinely need IP→currency, exchangerate.host is a free EUR-billed alternative.

Related migration & comparison reading

• How to Migrate from MaxMind GeoIP2 to IP Geo API in 2026 — sibling migration guide for the database-download incumbent
• How to Migrate from ipinfo.io to IP Geo API in 2026 — sibling migration guide for the dominant North-American REST incumbent
• How to Migrate from ipapi.co to IP Geo API in 2026 — sibling migration guide for the attribution-tied free-tier REST incumbent (org-string concatenation + bundled threat flags)
• How to Migrate from ipgeolocation.io to IP Geo API in 2026 — sibling migration guide for the bundled-endpoints REST incumbent (Security-API SKU consolidation, apiKey-in-URL log-leak)
• How to Migrate from IP2Location to IP Geo API in 2026 — sibling migration guide for the BIN/CSV/MMDB downloadable-database incumbent (IP2Proxy SKU consolidation, USD-annual-prepay-to-EUR-monthly billing migration)
• How to Migrate from DB-IP to IP Geo API in 2026 — sibling migration guide for the EU-headquartered (Brussels) MMDB-download incumbent (CC-BY-4.0 attribution scrub, IP-to-Threat / Anonymous / Datacenter SKU consolidation)
• IP Geo API vs ipstack in 2026 — narrative head-on with TCO math
• IP Geo API vs ipinfo.io in 2026 — when ipinfo.io still wins
• IP Geo API vs MaxMind GeoIP2 in 2026 — managed API vs self-hosted GeoIP2 dataset trade-offs
• IP Geo API vs ipapi.co in 2026 — pricing, throughput and threat-intel comparison
• IP Geo API vs ipgeolocation.io in 2026 — feature parity, GDPR posture, EUR billing
• IP Geo API vs IP2Location in 2026 — REST-first vs database-download
• IP Geo API vs DB-IP in 2026 — REST-first vs MMDB-download EU-vs-EU

Industry deep-dives

• IP Geolocation for Fintech — KYC, Sanctions Screening, Fraud, and EU Residency → — fintech-specific deep-dive: the three IP-control surfaces (KYC country-of-origin, OFAC/EU sanctions, payment-fraud risk), EU-hosted GDPR posture, EUR billing, ASN-level hosting detection, and ≤40 ms median EU-edge latency for 800-1200 ms PSP authorisation budgets.

• IP Geolocation for Ad-Tech — RTB Enrichment, SIVT/IVT Filtering, and Click-Fraud Attribution → — ad-tech-specific deep-dive: the three IP-control surfaces (RTB bid enrichment with ≤40 ms latency budget + OpenRTB 2.6 device.geo/device.ext, SIVT/IVT filtering with IAB-confirmed datacenter ASN block-list, click-fraud post-back attribution + risk scoring), EU-hosted GDPR + ePrivacy + IAB-TCF v2.2 posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for iGaming — Licence-Jurisdiction Enforcement, VPN-Circumvention Scoring, and Self-Exclusion Register Routing → — iGaming-specific deep-dive: the three IP-control surfaces (licence-jurisdiction enforcement with hard-fail-closed posture across MGA/UKGC/KSA/DGOJ/ANJ/ADM/DAS, anti-circumvention scoring with residential-proxy ASN block-list covering Bright Data + Oxylabs + Smartproxy + IPRoyal, self-exclusion register routing to GamStop/CRUKS/ROFUS/Spelpaus/OASIS by IP-country), EU-hosted GDPR + EGBA posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for SaaS Monetization — Geo-Pricing, EU-VAT/DAC7 Tax-Routing, Trial-Abuse Scoring, and OFAC/EAR Export-Controls → — SaaS-specific deep-dive: the four IP-control surfaces (PPP-anchored geo-pricing with ≤40 ms checkout-flow budget, EU-VAT-MOSS + OECD DAC7 tax-routing to the right Stripe/Adyen/Braintree/Paddle tax-id, trial-abuse detection with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal, and OFAC SDN + EAR export-controls feature-gating), EU-hosted GDPR posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for Streaming Media — Content Licensing, VPN-Bypass Defence, CDN POP Steering, and SSAI Ad-Insertion → — Streaming-media-specific deep-dive: the four IP-control surfaces (per-territory licensing enforcement with hard-fail-closed HTTP 451 on ambiguous resolve, VPN/proxy/Tor circumvention defence with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal, CDN POP steering and adaptive bitrate-ladder selection across Akamai/Cloudflare/Fastly/BunnyCDN/Lumen, and SSAI ad-insertion targeting with sports blackout windows via Haversine GPS-distance), ≤40 ms session-init budget on EU edges, studio-grade 24-month audit trail, threat fields on every plan, ASN-level granularity, and EU-hosted GDPR + AVMSD (Directive 2018/1808) posture.

• IP Geolocation for E-commerce — Tax-Jurisdiction Routing, BIN-vs-IP Carding Defence, PPP-Adjusted Currency Display, and Shipping-Zone Fulfilment Routing → — E-commerce-specific deep-dive: the four IP-control surfaces (EU OSS distance-sales 27-rate map + UK VAT 20% + CH-VAT 7.7% + NO MVA 25% + US Wayfair 13-state nexus + CA GST/HST per-province + AU/SG/IN/BR/JP GST/ICMS/JCT with sanctions hard-stop on IR/KP/SY/CU/BY/RU/MM/VE at checkout; BIN-vs-IP carding + refund-fraud 6-factor weighted score at place-order with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3; PPP-adjusted 7-tier pricebook on first paint with VPN/proxy fall-back to BIN-billing-country; 9-warehouse fulfilment routing FRA/AMS/MAD/MIL/DOV/IAD/LAX/DEL/SIN with DDP/DDU duty pre-calc and lithium/aerosol/prescription destination-gates), ≤40 ms checkout-first-paint budget, DAC7/GDPR/EU OSS audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

• IP Geolocation for Healthcare — Cross-Border Telehealth Licensing, HIPAA PHI/EPHI Access Geofencing, EU Patient-Data Residency w/ Schrems II Routing, and Cross-Border Pharma + DEA Schedule Gating → — Healthcare-specific deep-dive: the four IP-control surfaces (cross-border telehealth licensure match at consult-init w/ US IMLC 41-state partial + CA/FL/NY/TX independent + EU MRPQ Directive 2005/36/EC + DE Bundesärztekammer + NL BIG + FR ONM + UK GMC + HTTP 451 hard-fail-closed on jurisdiction-mismatch + NO_RECIPROCITY hard-stop on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO; HIPAA 45 CFR §164.308(a)(4) PHI/EPHI access geofencing w/ clinical-ASN allowlist Epic/Cerner/Allscripts/Mayo/MGH/Cleveland/Kaiser + residential-proxy ASN reject Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + home-office BAA-attested workstation allowlist + risk_score < 30 soft-allow; EU patient-data residency w/ GDPR Art. 9 special-category + EDPB Recommendations 01/2020 supplementary technical measures + Schrems II SCC flag for US-shard + routing to 6 EHR shards EU-FRA/EU-AMS/UK-LON/US-IAD/CA-YYZ/AU-SYD w/ VPN/proxy → fall-back to EU-FRA highest protection; cross-border pharma + controlled-substance gating w/ DEA Schedules I-V + Ryan Haight Act §3 in-person-eval requirement for telemed Rx + EU Falsified Medicines Directive 2011/62/EU originator-country audit + per-country bans for cannabis/CBD/psilocybin/MDMA/kratom), ≤40 ms consult-init budget, HIPAA/GDPR Art. 9/Schrems II/DEA/EU FMD audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

• IP Geolocation for Travel + Hospitality — Geo-Rate Enforcement + Dynamic-Pricing per Booking Origin, OTA Carding + ATO Defence, OFAC/EU CONSILIUM/UK OFSI Sanctions Screening at Booking-Init, and GDS + EU OSS / DAC7 Reporting → — Travel/hospitality-specific deep-dive: the four IP-control surfaces (geo-rate enforcement + dynamic-pricing per booking origin w/ 8-tier pricebook T1 EU-Lux 1.00x → T8 Africa 0.75x + VPN/proxy/Tor fall-back to T2_NA_LUX anti-arbitrage + SANCTIONS_HARDSTOP on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO HTTP 451 at search-render + BIN-billing-country pin at checkout; OTA carding + ATO defence at booking checkout w/ corporate-travel-platform ASN allowlist AS-CWT/Amex GBT/BCD/FCM/Egencia/Navan/Amadeus/Sabre fast-lane + consumer-OTA reject on VPN/Tor/relay + residential-proxy ASN block Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + 6-factor carding score threshold ≥70; OFAC + EU CONSILIUM + UK OFSI sanctions screening at booking-init w/ sanctioned-origin hard-stop regardless of session residency + EU 6AMLD compelled-disclosure on VPN/proxy + US-Cuba 31 CFR §515 General License gate + luxury-segment AML thresholds yacht €10K / private jet €20K / villa €5K/night / heli €3K + PEP screen + source-of-funds eval; GDS + inventory routing + EU OSS / DAC7 reporting w/ Amadeus EU/UK + Sabre US/CA + Travelport APAC + 27 EU-MS destination-VAT rates DE 19% → HU 27% + NO 25% + CH 8.1% + UK 20% + DAC7 Directive 2021/514 reportable-platform-operator evidence-log 5-year retention + Jan-31 lead-MS annual report), ≤40 ms search-render budget, OFAC/EU CONSILIUM/UK OFSI/DAC7/EU OSS/HOTREC audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

Last reviewed 2026-05-09 · IP Geo API team · Comments / corrections: hello@ipgeo.10b.app

Pairs with the full ipstack alternative comparison page and the head-on IP Geo API vs ipstack review.