Rate Limits
The Honest Answer
There is no published, hard rate limit. We don’t cut you off after exactly 100 requests per minute or whatever. The API is free, and we want it to stay usable for everyone.
That said, “no hard limit” does not mean “go nuts.” If your script is making 10,000 requests per second, we’re going to notice. And we’re going to be sad. And then your requests are going to start getting 429 responses.
What “Reasonable” Means
Here’s a rough guide to what’s totally fine:
Personal projects and small apps: Do whatever you need to do. A few requests per second? No problem. Building a dashboard that checks an IP every page load? Go for it.
Production apps with real traffic: Also fine, but think about caching. If the same IP hits your app 50 times in a minute, you don’t need to look it up 50 times. Cache the result for a bit. Your users won’t notice, and our servers will be happier.
Scanning the entire IPv4 address space: Please don’t. There are about 4.3 billion IPv4 addresses. Even if we were okay with it (we’re not), you’d be waiting a very long time. Go outside. Touch grass. The IP addresses will still be there when you get back.
Scraping every IP in a /8 block “for research”: We’ve heard this one before. The answer is still no.
Cache Durations
Different endpoints cache their data for different lengths of time. This is worth knowing if you’re wondering how fresh the data is:
| Endpoint | Cache Duration |
|---|---|
| GET /api (your IP) | No cache |
| GET /api/{ip} (full lookup) | 24 hours |
| GET /api/{ip}/geo | 24 hours |
| GET /api/{ip}/asn | 24 hours |
| GET /api/{ip}/privacy | 12 hours |
| GET /api/{ip}/company | 24 hours |
| POST /api/bulk | 24 hours |
Privacy data refreshes more often because VPN and proxy status can change faster than geolocation. An IP in Germany today is probably still in Germany tomorrow. But a VPN server might rotate IPs more frequently.
What Happens When You Hit the Limit
If you do manage to trigger rate limiting, you’ll get an HTTP 429 response:
```json
{
  "error": "Too many requests. Please slow down.",
  "status": 429
}
```
When this happens:
- Stop making requests. This sounds obvious, but you’d be surprised.
- Wait a minute. Literally just wait 60 seconds.
- Reduce your request rate. Whatever you were doing, do less of it.
- Add exponential backoff. If you get a 429, wait 1 second. If you get another, wait 2 seconds. Then 4. Then 8. You get the idea.
Best Practices for Production
If you’re building something real, here’s how to be a good API citizen:
Cache aggressively on your end. IP geolocation data doesn’t change every millisecond. Store results for at least as long as our cache duration, or longer. A 24-hour cache on your side means you only look up each IP once a day.
Use the bulk endpoint. If you have a list of IPs to check, use POST /api/bulk instead of firing off individual requests. It’s faster for you and gentler on us.
Handle 429s gracefully. Don’t just retry immediately in a tight loop. That makes things worse for everyone, including you.
Don’t poll. Your public IP doesn’t change every second. If you’re building an “is my IP the same” checker, once every few minutes is plenty.
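Caching and 429 handling combined in one client wrapper, as an added example rather than code from this API's maintainers. The `CachedClient` class, the `RateLimited` exception and the injected `fetch(path) -> (status, body)` transport are assumptions; the TTLs and the 1, 2, 4, 8 second backoff come from this page.

```python
import ipaddress
import time

# Client-side TTLs in seconds, taken from the cache-duration table on this page.
TTL = {"full": 86400, "geo": 86400, "asn": 86400, "privacy": 43200, "company": 86400}


class RateLimited(Exception):
    """Raised when the API still answers 429 after every retry."""


class CachedClient:
    """Hypothetical wrapper: per-endpoint cache plus exponential backoff on 429."""

    def __init__(self, fetch, sleep=time.sleep, clock=time.monotonic, max_retries=4):
        self.fetch = fetch              # assumed transport: fetch(path) -> (status, body)
        self.sleep = sleep              # injectable so tests do not really wait
        self.clock = clock
        self.max_retries = max_retries
        self.cache = {}                 # path -> (expires_at, body)

    def lookup(self, ip, kind="full"):
        ttl = TTL[kind]                          # unknown endpoint kind -> KeyError
        addr = str(ipaddress.ip_address(ip))     # reject anything that is not an IP
        path = f"/api/{addr}" if kind == "full" else f"/api/{addr}/{kind}"

        hit = self.cache.get(path)
        if hit and hit[0] > self.clock():
            return hit[1]                        # still fresh: no request is sent

        delay = 1                                # 1s, then 2, 4, 8
        for attempt in range(self.max_retries + 1):
            status, body = self.fetch(path)
            if status == 200:
                self.cache[path] = (self.clock() + ttl, body)
                return body
            if status != 429:
                raise RuntimeError(f"unexpected status {status} for {path}")
            if attempt < self.max_retries:
                self.sleep(delay)                # back off instead of retrying in a loop
                delay *= 2
        raise RateLimited(path)
```

Validating the address before building the path also keeps untrusted input (for example a header value from your own app's traffic) from being spliced into the request URL.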
A Note on Fairness
This API is free because we want it to be useful. The deal is simple: use it for real things, don’t try to break it, and don’t make us regret not putting a signup wall in front of it.
If you’re building something that needs guaranteed uptime, dedicated throughput, or you’re planning to make a million requests a day, maybe shoot us a message first. We’re reasonable people. We can probably work something out.