Client-side vs Server-side

There are 2 ways to make calls to the ipdata API. Depending on where you choose to make your calls you will either have to provide an IP address parameter or not.

  • Client-side
  • Server-side


When you call the API in the browser with Javascript, that is considered a client-side request because it is made on the end-user's device.

The benefit of client-side requests is that you don't have to pass an IP address to the API! You can simply make calls to with only your API key and the API will automatically extract the IP address from the TCP connection.

The downside however, is that your API key will be visible to anyone via view-source. To protect against quota theft we offer a whitelisting feature that allows you to specify a list of domains and IP addresses that are allowed to make calls with your API key.

Then when a call is made with your API key we first check that the origin of the request matches the hosts in your whitelist. See Secure your API Key (Premium) for instructions on how to setup your whitelist.

Note that:

  • Once you have a whitelist in place requests from any other host will be blocked with a 403 error.
  • Ensure that you are not stripping the referer header with the following meta tag otherwise this feature will break.
<!--Remove this if present!!! -->
<meta name="referrer" content="no-referrer" />


When you call the API from a server, that is considered a server-side request. In this case you need to provide an IP address as a path parameter to the API. If you don't pass the IP address you want to lookup then you will get the location and other IP address data of the server which is most likely not what you want.

The primary way to get the end-users IP address is through headers which will differ depending on your platform.

For example for PHP behind Apache you would use $_SERVER['REMOTE_ADDR'], if your application is behind Cloudflare you would use $_SERVER["HTTP_CF_CONNECTING_IP"] if using Cloudfront check CloudFront-Viewer-Address which returns both the client IP address and port eg. on AWS Lambda use event['requestContext']['http']['sourceIp'] for HTTP APIs or event['requestContext']['identity']['sourceIp'] for REST APIs.

What’s Next

Discover the data available via the API!