Sooner or later almost every web product needs to know where a visitor is. Localized pricing, GDPR consent banners, content licensing, fraud checks, shipping estimates: all of it starts with the same question. Which country is this request coming from?There are three honest ways to answer it, and picking the wrong one for your situation either costs you accuracy or saddles you with maintenance you did not sign up for.
Method 1: The Header Your CDN Already Sends
If your traffic runs through Cloudflare, the CF-IPCountry header is already attached to every request, free. Similar headers exist on other CDNs.It is a two letter country code, nothing more: no city, no timezone, no currency, no proxy detection.For a consent banner that only needs to know EU or not, this is genuinely the right answer and you should stop reading here.
The catch is granularity and portability. The moment you need city level data, or you move off that CDN, the approach evaporates.
Method 2: A Self Hosted Geolocation Database
Downloadable databases like MaxMind's GeoLite give you offline lookups with zero per request cost and single digit microsecond latency.The trade is operational:You own the update pipeline (IP allocations move constantly, so a stale database quietly rots your accuracy.)You own the storage on every instance.The free tiers are noticeably less accurate at city level than the paid data.Self hosting wins when you have serious ops capacity and enormous lookup volume.It loses when your team is small and the database update job becomes another thing nobody owns.
Method 3: A Geolocation API
The third route is calling a geolocation API per lookup and caching the result.One HTTP request returns country, region, city, coordinates, timezone, currency and connection data, with the provider maintaining the underlying dataset so accuracy never silently decays on your watch.Here is the whole integration with ipstack:
const res = await fetch(
https://api.ipstack.com/${ip}?access_key=${KEY}&fields=country_code,city,time_zone
);
const geo = await res.json();
// { country_code: "DE", city: "Berlin", time_zone: { id: "Europe/Berlin", ... } }
Cache by IP with a one day TTL and your request volume drops to a fraction of your traffic.The trade off here is the inverse of self hosting: zero maintenance, but a per lookup cost above the free tier and a network hop on cache misses.
Which Method Should You Pick?
Decision rule 1: Country only, on a CDN: use the header. It is free and instant.
Decision rule 2: City level data, small team: use the API. The maintenance you avoid is worth more than the subscription.
Decision rule 3: Massive volume, dedicated ops: self host, and put the database update job on an actual rotation.
Most teams land on the API because location requirements grow.The feature that needed a country code in January needs a timezone by March and proxy detection by June, and only one of the three methods grows with you without new infrastructure.
Geolocate your first visitor in the next five minutes.The free plan needs no card.Get an ipstack key → https://apilayer.com/products/ipstack/
FAQ
How accurate is IP geolocation?
Country level detection is accurate for the overwhelming majority of requests.City level accuracy varies by region and connection type, since mobile carriers and VPNs blur the picture.Treat city data as strong signal for personalization, not as ground truth for anything legal or safety critical.
Does IP geolocation work with IPv6?
Yes, modern geolocation services resolve both IPv4 and IPv6 addresses.ipstack handles both through the same endpoint, so dual stack traffic needs no special handling in your code.
Is it legal to geolocate visitors by IP?
Generally yes, since an IP address arrives with every request and country level lookup is standard practice for compliance itself, such as GDPR consent.If you store the IP alongside other personal data, disclose it in your privacy policy like any other processing.
Top comments (0)