What an IP can — and can’t — tell you
IP geolocation answers “roughly where is this network registered?” not “where is this person?”. The accuracy ladder is steep:
| Signal | Typical reliability |
|---|---|
| Country | 95–99% correct |
| Region / state | 70–85% |
| City | 50–80%, worse on mobile |
| Street address | Not available from IP alone |
Anyone claiming pinpoint accuracy from an IP is selling something. The honest use cases are coarse: choosing a default language, routing to a regional server, fraud signals, and analytics — not surveillance.
The three things that distort the answer
When a lookup looks “wrong,” it’s almost always one of these, and none is a bug in the data:
- VPN / proxy — the IP belongs to the VPN exit node, so you see Frankfurt for a user sitting in Lagos. This is the point of a VPN, working as designed.
- CGNAT (Carrier-Grade NAT) — mobile carriers and some ISPs share one public IP across thousands of subscribers, registered at a regional gateway that can be hundreds of kilometres from any given user.
- ISP registration drift — an ISP may register an entire IP block to a single head-office city even though it serves customers across a whole country. Recently reassigned blocks can also carry stale location data until the databases refresh.
Reading the ASN — the field power users care about
The Autonomous System Number is often more telling than the city. Every network that participates in internet routing has one, and it identifies who operates the address space. Seeing AS15169 Google LLC or AS13335 Cloudflare immediately tells you the traffic is from a cloud or CDN, not a residential connection — invaluable for separating real users from bots, scrapers, and server-side requests. A residential ISP’s ASN versus a hosting provider’s ASN is frequently the single best signal in lightweight fraud screening.
IPv4 vs IPv6, and the privacy-by-default mindset
IPv6 geolocation tends to be coarser than IPv4: the address space is newer, allocations are larger, and the mapping databases are less mature, so expect country-level confidence more often than city-level. Whichever version you’re handling, the responsible posture is the same — geolocate for legitimate, disclosed purposes; store the minimum for the shortest time; and remember that behind every address is a person whose location data you’re inferring. This tool sends lookups directly from your browser to public APIs and stores nothing, but your application’s obligations begin the moment you log a user’s IP.