Best Free IP Geolocation API in 2026

What Does an IP Geolocation API Do?

An IP geolocation API takes an IP address and returns location data: country, region, city, latitude/longitude, timezone, and ISP. Better APIs also tell you whether the IP is a proxy, VPN, or Tor exit node — which is critical for fraud detection.

Common Use Cases

• Analytics and dashboards — Show where your users are on a map, segment traffic by region
• Fraud detection — Flag transactions where the IP location doesn't match the billing address
• Content personalization — Show local pricing, language, or currency based on visitor location
• Ad targeting — Serve geo-targeted ads without relying on third-party cookies
• Access control — Restrict content or features by country (geo-fencing)
• VPN/proxy detection — Detect users hiding behind VPNs, proxies, or Tor for security enforcement

How IP Geolocation Works

IP addresses are allocated in blocks by regional internet registries (ARIN, RIPE, APNIC, etc.). Geolocation providers build databases that map these blocks to physical locations using a combination of registry data, BGP routing tables, latency measurements, and user-reported corrections.

Accuracy varies by granularity: country-level is 99%+ accurate, city-level is typically 70-90% accurate, and anything more precise than that is unreliable. Mobile IPs and cloud provider IPs are the hardest to geolocate accurately.

The Top IP Geolocation APIs Compared

ipinfo.io

The most popular IP data provider. Clean API, extensive documentation.

• Strength: 50,000 free requests/month, excellent data quality, privacy detection (VPN/proxy/Tor)
• Weakness: privacy detection requires paid plan ($99/month), ASN data is separate, free tier has no support
• Verdict: Best overall if you can afford the paid tier. Free tier is generous but limited in features.

ipapi.com

Simple, affordable, and easy to integrate.

• Strength: 1,000 free requests/month, straightforward JSON response, supports JSONP
• Weakness: free tier is HTTP-only (no HTTPS), no proxy/VPN detection on free plan, rate limited
• Verdict: Good for hobby projects. The HTTP-only free tier is a dealbreaker for production apps.

Rebirth API

IP geolocation with proxy/VPN detection included on the free tier.

• Strength: proxy/VPN/Tor detection included free, same API key as 8 other endpoints, HTTPS on all tiers
• Weakness: 100 free calls/month (lower than ipinfo), newer platform, no ASN data yet
• Verdict: Best free option if you need proxy detection without paying $99/month. Lower volume but more features per call.

Code Examples

cURL

curl -X POST https://rebirthapi.com/api/v1/ip-geo \
  -H "Authorization: Bearer rb_live_your_key" \
  -H "Content-Type: application/json" \
  -d '{"ip": "134.201.250.155"}'

# Response:
# {
#   "ip": "134.201.250.155",
#   "city": "Los Angeles",
#   "region": "California",
#   "country": "US",
#   "latitude": 34.0522,
#   "longitude": -118.2437,
#   "timezone": "America/Los_Angeles",
#   "isp": "APNIC Research",
#   "proxy": false,
#   "vpn": false,
#   "tor": false
# }

Python

import requests

API_KEY = "rb_live_your_key"
HEADERS = {"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"}

def geolocate_ip(ip: str) -> dict:
    res = requests.post(
        "https://rebirthapi.com/api/v1/ip-geo",
        headers=HEADERS,
        json={"ip": ip}
    )
    return res.json()

# Fraud check: does the IP match the billing country?
def fraud_check(ip: str, billing_country: str) -> dict:
    geo = geolocate_ip(ip)

    flags = []
    if geo.get("vpn") or geo.get("proxy") or geo.get("tor"):
        flags.append("hidden_ip")
    if geo.get("country") != billing_country:
        flags.append("country_mismatch")

    return {
        "ip_country": geo.get("country"),
        "billing_country": billing_country,
        "risk": "high" if len(flags) >= 2 else "medium" if flags else "low",
        "flags": flags
    }

result = fraud_check("134.201.250.155", "US")
print(f"Risk: {result['risk']} — Flags: {result['flags']}")

Node.js

async function getGeoData(ip) {
  const res = await fetch('https://rebirthapi.com/api/v1/ip-geo', {
    method: 'POST',
    headers: {
      'Authorization': 'Bearer rb_live_your_key',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ ip })
  });
  return res.json();
}

// Personalize content by region
app.get('/pricing', async (req, res) => {
  const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress;
  const geo = await getGeoData(ip);

  const currency = geo.country === 'GB' ? 'GBP'
    : geo.country === 'EU' ? 'EUR'
    : 'USD';

  res.json({ currency, country: geo.country, city: geo.city });
});

Building a Fraud Detection Layer

The real power of IP geolocation is combining it with other signals. Here's a pattern that works: check the IP geolocation against the billing address, detect VPN/proxy usage, and cross-reference with email validation to build a composite risk score.

With Rebirth API, all three checks (IP geo, email validation, business lookup) use the same API key. Three calls, one integration, a complete fraud signal pipeline.

When Free Volume Isn't Enough

If you're geolocating every visitor to your site, you'll burn through any free tier quickly. For high-traffic analytics, consider caching: geolocate each unique IP once and store the result. Most IPs keep the same geolocation for months. A simple Redis cache with a 24-hour TTL can reduce your API calls by 90%+.

FAQ

How accurate is IP geolocation?

Country-level is 99%+ accurate. City-level is 70-90% depending on the provider and IP type. Mobile and cloud IPs are less accurate than residential.

Can IP geolocation detect VPNs?

Yes. Good providers maintain databases of known VPN, proxy, and Tor exit node IPs. Rebirth API includes this detection on the free tier; most competitors charge extra for it.

Is IP geolocation GDPR-compliant?

IP addresses are considered personal data under GDPR. You need a lawful basis (legitimate interest or consent) to process them. The geolocation lookup itself is a data processing activity, so include it in your privacy policy.

Should I use client-side or server-side geolocation?

Server-side. Client-side IP detection can be spoofed, and exposing your API key in frontend code is a security risk. Always call the geolocation API from your backend.