Skip to content
Back to Journal
IP Intelligence

A Complete List of IP Data Fields You Need to Know

17 min readHusnain
A Complete List of IP Data Fields You Need to Know

Ask "what data can you get from an IP address?" and most answers stop at "a rough location." That is the smallest, least interesting part of the picture. The same 32 or 128 bits also tell you which network owns the address, whether it is a home connection or a rented server, whether it is hiding behind a VPN or a Tor relay, whether it has shown up on threat feeds, whether it is a verified search-engine crawler — and how all of that adds up to a risk decision.

The catch is that no two APIs return the same set of fields, and the field that matters most to you is very often the one your provider charges extra for. So this guide does two things. First, it walks the complete list of IP data fields group by group, using real values pulled from the live GeoIPHub API. Second, it puts the major providers side by side so you can see which fields each one returns, and which it puts behind a paywall.

Every GeoIPHub example below is a real response from GET api.geoiphub.com/v1/lookup/{ip} — you can reproduce any of them with the free IP lookup tool. Competitor details are drawn from each vendor's official documentation as of June 2026; tiers and field names change, so verify against their current docs before you build.

The 10 response groups of IP data

The cleanest way to think about IP data is not as a flat list of 95 fields but as 10 logical groups, each answering a different question about the address:

  • ip — the address you asked about, echoed back
  • asn — the network: ASN, organization, ISP, connection type
  • geo — where it places: country, region, city, coordinates, timezone, confidence
  • whois — registry and ownership data from RDAP: netname, allocation status, registration dates
  • network — abuse contact, open ports, service, cloud region
  • detection — VPN, proxy, Tor, hosting, relay and the named provider
  • threat — abuse, bots, verified crawlers, blocklists, botnet and honeypot signals
  • scoring — the explainable 0–100 risk score and recommended action
  • meta — evidence trail: timestamps, request ID, latency, sources

Here is a real (trimmed for readability) response for 185.220.101.1, a known Tor exit node, showing how the groups fit together:

GeoIPHub API
{ "ip": "185.220.101.1", "asn": { "asn": 60729, "org": "TORSERVERS-NET", "asn_type": "hosting", "connection_type": "datacenter" }, "geo": { "country_code": "DE", "city": "Berlin", "timezone": "Europe/Berlin", "geo_confidence": 0 }, "whois": { "org": "Artikel10 e.V.", "netname": "ARTIKEL10-TOR-EXIT", "status": "ASSIGNED PA" }, "detection": { "is_vpn": false, "is_tor": true, "is_hosting": true, "is_anonymous": true, "anonymity_level": "high" }, "threat": { "is_crawler": false, "threat_types": ["tor"] }, "scoring": { "fraud_score": 79, "confidence": 0.67, "recommended_action": "block", "detection_methods": ["tor_exit", "datacenter_ip", "whois_tor"] }, "meta": { "last_scanned": "2026-06-18T09:22:54Z" } }

Notice how the groups corroborate each other: the ASN says hosting, the WHOIS netname says tor-exit, the detection group confirms is_tor, and the score group rolls it into a block with the exact methods that fired. That cross-checking is the whole point of carrying this many fields. Now let us walk each group.

1. The IP itself (ip)

The simplest field, and an important one: the API echoes back the exact address it resolved, normalized. Use it to confirm you queried what you intended (especially after parsing an X-Forwarded-For header, where the wrong hop is a classic bug) and to key your own cache. Both IPv4 and IPv6 are supported; if you are unsure what your own public address is, the what-is-my-IP tool shows it along with everything a website can infer from it.

2. Network and ASN data (asn)

Before location, before anything, every routable IP belongs to an Autonomous System — the network that announces it to the internet. This group is among the most reliable IP data you can get, because it comes from the global routing table rather than an estimate.

The standout field here is connection_type. The difference between a residential address (a home broadband line) and a datacenter address (a rented server) is one of the highest-signal data points in all of IP intelligence: datacenter IPs host the overwhelming majority of VPNs, proxies and bots, while residential IPs are where your real customers live. A single connection_type: "datacenter" on a consumer-facing login is worth more than a dozen geolocation fields. You can check any address with the free datacenter IP check, and we cover the full ASN model in the IP geolocation API reference.

3. Geolocation data (geo)

This is the group everyone thinks of first — and the one most often misused.

Two honest notes. First, country is near-certain, region is solid, and city is approximate at best — independent studies that check IP locations against real GPS coordinates routinely find median city-level errors of 11–18 km. We dug into the evidence in how accurate is IP geolocation; the short version is to treat city as a radius, never a pin, and never to use an IP to locate a person.

Second, that is exactly why the geo_confidence field exists. Rather than publish an accuracy_radius in kilometers (the field some providers return), GeoIPHub returns a confidence value you can weight your decisions by — and it can be low or zero for anycast and infrastructure IPs like public DNS resolvers, which have no single physical home. An honest zero beats a confident guess.

4. WHOIS and registration data (whois)

Every IP block is registered with one of the five Regional Internet Registries (ARIN, RIPE, APNIC, LACNIC, AFRINIC). Pulling that record over RDAP adds an ownership and intent layer that pure geolocation misses.

The keyword flags are deliberately modest: a block whose registry record literally describes "VPN hosting services" rarely hides it, but a keyword match is treated as supporting evidence, never a sole reason to flag. It contributes to the score; it does not decide it.

5. Network evidence (network)

What does the address look like from the network's own side? This group carries the published abuse contact and a few operational fields gathered from active probing.

The abuse_contact is the field you reach for when you need to report activity from an address — it is pulled straight from the registry record. Note that operational fields like open_ports and service populate as scanning evidence accrues and are empty for many clean addresses; treat their presence as signal, not their absence as proof.

6. VPN, proxy and Tor detection (detection)

This is the densest group and, for most fraud and abuse teams, the most valuable. It answers: is this address anonymizing its user, and if so, how?

The field worth circling is vpn_provider. Most APIs can tell you an IP is "a VPN" with a boolean; far fewer can tell you it is NordVPN specifically. GeoIPHub names the operator because its detection pulls from 10 VPN providers' own published server lists, then confirms infrastructure with active protocol handshakes across 11 VPN and proxy protocols — a completed OpenVPN or WireGuard handshake is close to conclusive, whatever the WHOIS record says. We break down the full stack in how VPN and proxy detection actually works, and you can test any address (including your own) with the VPN detection test or read the detection methodology.

7. Threat and bot intelligence (threat)

Where the detection group asks "is this anonymized?", the threat group asks "is this address known to be abusive — or known to be friendly?"

The nested crawler object is a genuine differentiator and worth understanding. When Googlebot (66.249.66.1) hits the API, the response is not a guess — it returns crawler.verified: true, crawler.name: "Googlebot", crawler.operator: "Google", and crawler.verification_method: "ip_range_list". Verification is done against 9 official crawler and AI-bot IP feeds (Googlebot, Bingbot, GPTBot, ChatGPT-User, and more), so a spoofed "Googlebot" User-Agent from the wrong network sets crawler.spoofed instead of slipping through. If bot management matters to you, see verifying AI crawlers by IP, rDNS and CIDR and the threat intelligence overview. The is_cgnat flag deserves a mention too: a CGNAT address is shared by thousands of subscribers, so it should never be hard-blocked on the strength of one bad actor.

8. Reverse DNS (dns)

A small dedicated group for reverse-DNS data, mirrored from the network group so consumers that only care about rDNS can read it in one place.

fcrdns_valid is the one to trust: a matching PTR that forward-resolves back to the same IP is much stronger evidence than a PTR string alone, which anyone controlling the reverse zone can set.

9. Risk scoring (scoring)

All of the above is evidence. The scoring group turns it into a decision.

A good IP fraud score is not a black box. The fraud_score combines 40+ weighted signals, and crucially it also subtracts: a residential ISP removes points, a verified crawler removes more, and CGNAT ranges are capped so a shared address cannot condemn a crowd. The detection_methods array names exactly which signals fired, so you can audit any verdict. The recommended_action maps the score to a clear policy:

This is the group fraud teams build on. We explain the model in IP risk scoring explained and where to set thresholds in choosing an IP fraud score threshold for login, signup and checkout; you can score any address free with the IP fraud score check or read the fraud prevention guide.

10. Metadata and evidence trail (meta)

The last group is about trust: when was this established, and from where?

Stale IP data is wrong IP data — an address that was a home in Chicago last quarter can be a datacenter range in Frankfurt this quarter. The last_scanned and last_classified_at timestamps let you decide how much to trust a result, and the request_id is what you quote if you ever need to report a classification you think is wrong.

How IP data providers compare, field by field

Here is the part the field lists alone do not tell you: two providers can both "have" a field, yet only one returns it on the plan you can afford. The market splits into two broad archetypes — database products that ship stored classifications you download or query, and premium lookup APIs that gate their richest fields behind paid tiers. The table compares GeoIPHub against both on the capabilities that actually differ. "Paid" means the capability typically exists but is gated to a paid plan or a separate product.

Two patterns stand out across the market, and both come straight from vendors' own documentation:

  • The free tier is where providers diverge most. Free tiers across the market are typically geolocation plus ASN at best — ISP data, connection type, anonymizer flags, and any risk score are gated to paid plans, and some providers keep the entire threat object behind a paywall. GeoIPHub returns every field on the free tier, 1,500 requests per day, with no field paywall.
  • Most providers look up; few verify. Database and aggregation products return stored classifications, not live measurements — active probing remains rare across the market. And while several vendors can name a VPN provider on a paid tier, GeoIPHub's combination of provider-list attribution, active handshakes, and verified, IP-range-confirmed crawler identification (naming Googlebot vs a spoofed User-Agent) is uncommon: most products ship a generic "spider" label at best, and a named, range-verified crawler field is rarely shipped at all.

A fair caveat: every provider has strengths a table cannot capture — mature fraud platforms, accuracy-radius data, currency and locale extras. Choose on the fields your use case needs, on the plan you will actually run. The point of the comparison is that the field list and the price list have to be read together.

Which IP data fields actually matter for your use case

You rarely need all 80 fields at once. Match the fields to the decision:

The bottom line

The "complete list of IP data fields" is not a single location string — it is roughly 95 fields across 10 groups: the address, its network and ASN, its approximate geolocation, registry data, network evidence, reverse DNS, VPN/proxy/Tor/anycast detection, threat and verified-bot signals, and an explainable risk score, all wrapped in an evidence trail. Knowing the fields is half the job; the other half is knowing which ones your provider returns on the plan you run, and which it merely lists in a brochure.

The fastest way to see all of it is to run a real lookup. Try the free IP lookup tool on any address, read the full API reference for the exact schema, or get a free API key and pull all 80 fields yourself — no credit card, 1,500 requests a day.

Start Scoring Every IP in Real Time

GeoIPHub gives fraud, security, and engineering teams a single API for IP geolocation, VPN & proxy detection, threat intelligence, and an explainable 0–100 risk score.

Complete response on every lookup
VPN, proxy, residential-proxy & Tor detection
Explainable 0–100 IP risk score
Free tier with 1,500 requests/day

Get Your Free API Key

Sign up in minutes — no credit card required. Upgrade only when you need more volume.

Frequently Asked Questions

What data can you get from an IP address?

Far more than a location. A modern IP intelligence API returns the network (ASN, ISP, connection type), approximate geolocation (country, region, city, coordinates, timezone), WHOIS/registry data (organization, netname, allocation status), VPN/proxy/Tor detection with the provider named, threat and bot signals, and an explainable risk score — typically 80 or more fields grouped into around 9 objects on a single lookup.

Can an IP address reveal my exact home address?

No. IP geolocation estimates an approximate area — a city or region at best — never a street address or a specific person. City-level accuracy is inherently imprecise, and mobile, CGNAT and VPN connections make it weaker still. Anyone claiming pinpoint, address-level accuracy from an IP alone is overselling it.

What is an ASN in IP data?

An Autonomous System Number identifies the network that announces an IP address to the internet — for example AS15169 is Google. The ASN, its organization, and its type (ISP, hosting, mobile) are among the most reliable IP data fields because they come from the global routing table, not from a guess about physical location.

What is an IP fraud score and how is it calculated?

An IP fraud score is a single 0–100 number summarizing how risky an address looks. A good one is explainable: GeoIPHub combines 40+ weighted signals — VPN/proxy/Tor detection, hosting classification, threat-feed listings and WHOIS/registry evidence — subtracts exonerating signals, and returns the exact methods that fired plus a recommended action (allow, review, step up, or block).

What is the difference between a residential and a datacenter IP?

A residential IP is assigned by a consumer ISP to a home connection; a datacenter (hosting) IP belongs to a cloud or server provider. The distinction lives in the connection_type and ASN fields. Datacenter IPs are far more likely to host VPNs, proxies and bots, so the connection type is one of the highest-signal fields for fraud and bot decisions.

Do all IP API providers return the same fields for free?

No — and this is the biggest practical difference between providers. Most gate the valuable fields (ISP, connection type, VPN/proxy detection, the provider name, and any risk score) behind paid plans, leaving the free tier as country plus ASN. GeoIPHub returns every field on the free tier, with 1,500 requests per day and no field paywall.

What does an accuracy radius mean in IP geolocation?

An accuracy radius is the distance, in kilometers, within which the true location is likely to fall around the returned coordinates — a large radius means a vague estimate. Some providers return an accuracy_radius; GeoIPHub instead returns a geo_confidence value, which can be low or zero for anycast and infrastructure IPs that have no single physical home.