Authentication overview
ip-api provides IP geolocation and proxy/VPN detection, with two access models. Non-commercial use is served without any credential: requests are plain HTTP and are rate limited per source IP address (150 requests per minute). Commercial use, or any deployment that needs higher request volume, HTTPS, or dedicated support, requires a paid plan and an API key. The key identifies the account and authorizes the limits and features of that plan.
The split between authenticated and unauthenticated access is how ip-api allocates capacity. Unauthenticated requests share the per-IP limit with every other client behind the same address and may be throttled; authenticated requests get the plan's dedicated throughput and TLS-encrypted transport. This lets the free tier serve developers and small projects while commercial clients get predictable service. Choose the tier deliberately: an application that quietly depends on the free tier can fail in production as soon as a shared egress address exhausts the limit. For usage policy details, refer to the official ip-api documentation.
Supported authentication methods
ip-api employs a straightforward authentication model, primarily using API keys for commercial access. The free tier does not require an API key but operates under specific constraints.
API Key Authentication
When to use: This method is mandatory for all paid plans. It unlocks higher rate limits, HTTPS support, and access to premium features. Commercial applications, production environments, and any scenario requiring secure communication and predictable performance should utilize API key authentication. The API key is passed as a query parameter in the request URL.
Security Level: Moderate. The key is a bearer secret carried in the query string. HTTPS protects it in transit against network sniffing, but a query-string key still lands in web-server access logs, proxy logs, browser history and, if the URL is ever opened from a page, in Referer headers. Use HTTPS for every request that carries the key, and send it only from server-side code rather than from a browser, in line with general API security practice such as Google Cloud's API security guide.
Unauthenticated Access
When to use: This is available for the free, non-commercial tier. It's suitable for development, testing, or very low-volume personal projects where data sensitivity is not a concern and HTTP is acceptable. It does not require any credentials.
Security Level: Low. Requests are sent over HTTP, so the queried IP address and the response are unencrypted and can be read or altered by anyone on the path. Rate limits are enforced per client IP address, so any clients that share an egress address (NAT, corporate proxy, cloud gateway) compete for the same quota and can exhaust it for each other. This method is not recommended for production or sensitive applications.
The table below summarizes the authentication methods:
| Method | When to Use | Security Level |
|---|---|---|
| API Key (Query Parameter) | Commercial use, paid plans, HTTPS required, higher rate limits | Moderate (High with HTTPS) |
| None (IP-based rate limit) | Free, non-commercial use, HTTP only, basic rate limits | Low (Not recommended for production) |
Getting your credentials
To obtain an API key for ip-api, you must subscribe to a paid plan. The process typically involves these steps:
- Visit the ip-api website: Navigate to the official ip-api pricing page.
- Choose a plan: Select a suitable commercial plan based on your anticipated request volume and required features (e.g., HTTPS, dedicated support).
- Sign up/Register: Complete the registration process, which typically involves providing an email address, setting a password, and agreeing to the terms of service.
- Subscribe to a plan: Provide payment details to activate your chosen plan.
- Access your dashboard: Once subscribed, you will gain access to a user dashboard. Your unique API key will be displayed there. Keep this key confidential.
For the free tier, no explicit credentials are required. Access is granted automatically, subject to the non-commercial use policy and rate limits. However, for any serious application, upgrading to a paid plan and using an API key is recommended to ensure reliability and security.
Authenticated request example
Once you have obtained your API key, you can include it in your API requests. The API key is passed as a query parameter named key. Remember that for paid plans, all requests should be made over HTTPS to encrypt the API key and the data exchanged.
Here's an example of an authenticated request using curl to query the IP address 24.48.0.1:
curl "https://pro.ip-api.com/json/24.48.0.1?key=YOUR_API_KEY"
In this example:
- `https://pro.ip-api.com/json/24.48.0.1` is the endpoint that queries IP `24.48.0.1` with JSON output. The `pro.` subdomain is the commercial API host.
- `?key=YOUR_API_KEY` is the query parameter carrying the key; replace `YOUR_API_KEY` with the key from your ip-api dashboard.
For unauthenticated requests (free tier, HTTP only) the structure is the same, but the key parameter is omitted and the bare ip-api.com host is used instead of the pro. subdomain:
curl "http://ip-api.com/json/24.48.0.1"
Note the use of http:// and the absence of the key parameter. This request would be subject to the free tier's rate limits and non-commercial use restrictions.
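As an added example (not ip-api's own client code), the following Python builds the two request forms shown above, validates the queried address so caller input cannot inject extra path or query components, and checks the in-band status field of the JSON response. The PRO_BASE and FREE_BASE hosts are those from the curl commands; the response bodies are constructed samples in the shape of ip-api's JSON output, not captured from the service, and the exact field set is assumed.

```python
import ipaddress
import json
import urllib.request
from urllib.parse import urlencode

# Hosts exactly as in the page's curl examples.
PRO_BASE = "https://pro.ip-api.com/json/"   # paid plans: key required, HTTPS
FREE_BASE = "http://ip-api.com/json/"       # free tier: no key, HTTP only


def build_url(ip, api_key=None):
    """Return the lookup URL for `ip`.

    With an API key the request goes to the commercial host over HTTPS and the
    key is appended as the `key` query parameter (URL-encoded, so keys with
    reserved characters survive intact). Without a key it goes to the free host
    over plain HTTP. The address is validated first so that untrusted input such
    as "1.2.3.4/../x?key=..." cannot smuggle path or query components into the URL.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IPv4/IPv6 address
    if api_key:
        return PRO_BASE + str(addr) + "?" + urlencode({"key": api_key})
    return FREE_BASE + str(addr)


def parse_response(body):
    """Parse an ip-api JSON body and raise on a failed lookup.

    Assumed response shape: lookup failures are reported in-band with
    status="fail" and a message field, so callers must check status themselves
    rather than relying on the HTTP status code.
    """
    data = json.loads(body)
    if data.get("status") != "success":
        raise RuntimeError("lookup failed: " + str(data.get("message", "unknown")))
    return data


def lookup(ip, api_key=None, timeout=5):
    """Perform the request (needs network; not exercised offline)."""
    with urllib.request.urlopen(build_url(ip, api_key), timeout=timeout) as resp:
        return parse_response(resp.read().decode("utf-8"))


# Constructed sample bodies for offline use; not captured from the service.
SAMPLE_SUCCESS = '{"status":"success","country":"Canada","countryCode":"CA","query":"24.48.0.1"}'
SAMPLE_FAIL = '{"status":"fail","message":"invalid query","query":"999.1.1.1"}'


if __name__ == "__main__":
    print(build_url("24.48.0.1", "YOUR_API_KEY"))
    print(build_url("24.48.0.1"))
    print(parse_response(SAMPLE_SUCCESS)["countryCode"])
```

Passing the key through `urlencode` rather than string concatenation is what keeps the key parameter well-formed; validating the address with `ipaddress` is what keeps a caller-supplied value from turning into a different request.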
Security best practices
Implementing security best practices is crucial when integrating with any API, especially when dealing with authentication credentials. For ip-api, consider the following:
- Always use HTTPS with API Keys: This is the most critical practice. Transmitting your API key over plain HTTP exposes it to interception and misuse. All paid ip-api plans support HTTPS, and it should be used exclusively for all requests containing an API key. HTTPS encrypts the entire communication, protecting both your API key and the data exchanged. This aligns with general recommendations for secure API communication, as detailed by Mozilla's documentation on secure contexts.
- Keep API Keys Confidential: Treat your API key like a password. Never embed it in client-side code (JavaScript in a browser, a mobile app) where anyone can extract it, and do not hardcode it in server source either. Make the request from server-side code that reads the key from an environment variable or a secrets manager at runtime.
- Avoid Exposing Keys in Public Repositories: Never commit API keys or other credentials to version control, especially public repositories. Keep key files out of the tree with .gitignore, or read keys from environment variables during development.
- Implement Rate Limiting and Throttling: Even with an API key, enforce your own rate limit on the client side so a bug or a traffic spike cannot burn through your ip-api quota, which could incur additional cost or a temporary service interruption. ip-api enforces its own limits, but a client-side control fails earlier and more predictably.
- Monitor API Usage: Regularly check your ip-api dashboard for usage statistics. Unusual spikes in requests could indicate unauthorized use of your API key or a misconfiguration in your application.
- Rotate API Keys Periodically: While ip-api's documentation doesn't explicitly mandate key rotation, it's a general security practice to periodically generate new API keys and revoke old ones. This minimizes the window of opportunity for a compromised key to be exploited.
- Secure Your Server Environment: The environment where your application makes API calls should itself be secure. Apply standard server security measures, including strong access controls, regular patching, and network firewalls, to protect your API keys at rest and in transit within your infrastructure.
- Understand Free Tier Limitations: For the unauthenticated free tier, be aware that it's HTTP-only and has strict rate limits. Do not use it for sensitive data or in production environments where reliability and security are critical.
By adhering to these practices, you can significantly enhance the security of your integration with ip-api and protect your application and data.
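As an added example tying the confidentiality, logging and client-side throttling points above together (not ip-api's own code), the following Python reads the key from an environment variable, masks it before anything is logged, and wraps each request in a token bucket so the application cannot exceed a local budget you set. The variable name IP_API_KEY, the bucket parameters and the injectable send/log/clock callables are assumptions for illustration; the URL form is the one from the request example.

```python
import os
import re
import threading
import time

KEY_ENV = "IP_API_KEY"  # assumed variable name; the page only says "environment variables"


def load_api_key(environ=None):
    """Read the key from the environment rather than from source code.

    Failing loudly is deliberate: quietly falling back to the free tier would
    silently downgrade to plain HTTP and a shared per-IP limit.
    """
    env = os.environ if environ is None else environ
    key = env.get(KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(KEY_ENV + " is not set")
    return key


# Matches the key value in a query string so it can be masked before logging.
_KEY_RE = re.compile(r"([?&]key=)[^&#\s]+")


def redact(text):
    """Replace the key value in a URL or log line with a placeholder."""
    return _KEY_RE.sub(r"\1[REDACTED]", text)


class TokenBucket:
    """Client-side limiter: `rate` requests per `period` seconds, bursting up to `capacity`.

    `clock` is injectable so the refill arithmetic can be tested without sleeping.
    """

    def __init__(self, rate, period=60.0, capacity=None, clock=time.monotonic):
        self.per_second = rate / period
        self.capacity = float(capacity if capacity is not None else rate)
        self.tokens = self.capacity
        self.clock = clock
        self.last = clock()
        self.lock = threading.Lock()

    def try_acquire(self):
        """Consume a token and return True if a request may be sent now, else False."""
        with self.lock:
            now = self.clock()
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.per_second)
            self.last = now
            if self.tokens >= 1.0:
                self.tokens -= 1.0
                return True
            return False


def guarded_lookup(ip, api_key, bucket, send, log=print):
    """Send the authenticated request only when the local limiter permits.

    `send(url)` performs the HTTP call; `log(line)` receives a line with the key
    already masked, so application logs never contain it.
    """
    url = "https://pro.ip-api.com/json/" + ip + "?key=" + api_key
    if not bucket.try_acquire():
        log("throttled locally: " + redact(url))
        return {"status": "throttled", "message": "local quota exhausted", "query": ip}
    log("lookup: " + redact(url))
    return send(url)


if __name__ == "__main__":
    import json
    import urllib.request

    def send(url):
        with urllib.request.urlopen(url, timeout=5) as resp:
            return json.loads(resp.read().decode("utf-8"))

    bucket = TokenBucket(rate=100, period=60.0)  # assumed local budget below the plan's limit
    print(guarded_lookup("24.48.0.1", load_api_key(), bucket, send))
```

Set the bucket's rate a little below the plan limit so that the local limiter, not ip-api's, is the one that trips first; the throttled response carries a status distinct from "success" and "fail" so callers can tell a local back-off apart from a failed lookup.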