POST/api/v1/phishing/geoip

IP Geolocation

Look up geographic location, ASN, and organization details for IP addresses using ipinfo.io. Useful for correlating email sender IPs with known threat actor regions.

Credits

Flat rate, regardless of IP count

Max IPs

Per request

Plans

All

Free, Starter, Professional, Enterprise

Response Fields per IP

Field	Type	Description
ip	string	The queried IP address
country	string	ISO 3166-1 alpha-2 country code
country_name	string	Full country name
city	string	City name
region	string	State or region name
asn	string	Autonomous System Number (e.g. AS15169)
org	string	Organization name
isp	string	Internet Service Provider
latitude	number	Geographic latitude
longitude	number	Geographic longitude
timezone	string	IANA timezone identifier

Private and reserved IPs are rejected. Addresses in the following ranges will cause a 400 validation error: 127.x, 10.x, 172.16-31.x, 192.168.x, 0.x, 169.254.x, 224.x, 240.x, 255.x.

Credits are deducted once per request, not per IP. Sending 1 IP or 20 IPs costs the same 1 credit.

Request Body

Field	Type	Required	Description
ips	string[]	Yes	Array of 1-20 valid IPv4 addresses. Private/reserved IPs are rejected.

Code Examples

cURL

curl -X POST https://api.dfir-lab.ch/v1/phishing/geoip \
  -H "Authorization: Bearer sk-dfir-your-key-here" \
  -H "Content-Type: application/json" \
  -d '{
    "ips": ["185.220.101.42", "8.8.8.8"]
  }'

Python

import requests

response = requests.post(
    "https://api.dfir-lab.ch/v1/phishing/geoip",
    headers={
        "Authorization": "Bearer sk-dfir-your-key-here",
        "Content-Type": "application/json",
    },
    json={
        "ips": ["185.220.101.42", "8.8.8.8"]
    },
)

data = response.json()
for result in data["data"]["results"]:
    print(f"{result['ip']}: {result['city']}, {result['country_name']} ({result['asn']})")

summary = data["data"]["summary"]
print(f"\n{summary['total']} IPs across {len(summary['countries'])} countries")

TypeScript

const response = await fetch("https://api.dfir-lab.ch/v1/phishing/geoip", {
  method: "POST",
  headers: {
    Authorization: "Bearer sk-dfir-your-key-here",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    ips: ["185.220.101.42", "8.8.8.8"],
  }),
});

const { data, meta } = await response.json();

for (const result of data.results) {
  console.log(`${result.ip}: ${result.city}, ${result.country_name} (ASN: ${result.asn})`);
}

console.log(`Countries: ${data.summary.countries.join(", ")}`);
console.log(`Credits remaining: ${meta.credits_remaining}`);

Example Response

{
  "data": {
    "results": [
      {
        "ip": "185.220.101.42",
        "country": "DE",
        "country_name": "Germany",
        "city": "Frankfurt am Main",
        "region": "Hesse",
        "asn": "AS205100",
        "org": "Tor Exit Node",
        "isp": "Tor Exit Node",
        "latitude": 50.1109,
        "longitude": 8.6821,
        "timezone": "Europe/Berlin"
      },
      {
        "ip": "8.8.8.8",
        "country": "US",
        "country_name": "United States",
        "city": "Mountain View",
        "region": "California",
        "asn": "AS15169",
        "org": "Google LLC",
        "isp": "Google LLC",
        "latitude": 37.386,
        "longitude": -122.0838,
        "timezone": "America/Los_Angeles"
      }
    ],
    "summary": {
      "total": 2,
      "countries": ["DE", "US"],
      "unique_asns": 2
    }
  },
  "meta": {
    "request_id": "req_abc123",
    "credits_used": 1,
    "credits_remaining": 99,
    "processing_time_ms": 234
  }
}