IP WHOIS
developer/v1/ip/whoisReturns comprehensive WHOIS/RDAP registration data for an IP address. Includes the owning organization, allocated IP range (start, end, CIDR), network name and handle, registration and last-changed dates, Regional Internet Registry (ARIN, RIPE, APNIC, LACNIC, AFRINIC), RDAP status codes plus a coarse `status_summary` (active/reserved/allocated/transferred/other per RFC 8056), all contacts — including abuse, administrative, registrant, and technical — and a top-level `abuse_contact` shortcut sourced from either `role=abuse` entities or RIPE-style `abuse-mailbox` vCard extensions. Flags `range.cidr_mismatch` when the RIR-supplied CIDR doesn't actually contain the queried IP. Also detects bogon (reserved/private) addresses. Results are cached for 1 day.
What It Does
Queries the appropriate Regional Internet Registry (RIR) RDAP endpoint to retrieve IP allocation data. Uses the IANA RDAP bootstrap (RFC 9224) to automatically route queries to the correct RIR. Parses the full RDAP entity tree to extract all contacts by role (abuse, administrative, registrant, technical) with details from jCard/vCard data (name, email, phone, organization), and promotes the abuse contact to a top-level field — checking `role=abuse` entities first, then falling back to the `abuse-mailbox` vCard extension RIPE prefers, so both RIPE and ARIN networks yield a directly-usable email. Returns the allocated IP range in CIDR notation with a CIDR-contains-IP guard to flag inconsistent registry data, network name, RDAP handle, registration and update dates, RIR source, raw RDAP status codes plus a status summary. Short-circuits for bogon/reserved IPs without external API calls.
Why It's Useful
IP WHOIS data is critical for incident response, threat attribution, abuse reporting, and due diligence. During security incidents, responders need to quickly identify who operates an attacking IP and find the abuse contact to report malicious activity — a top-level structured `abuse_contact` field collapses what used to be a two-step "fetch contacts, then find the one tagged abuse" into a single read, and it also catches RIPE's abuse-mailbox vCard convention that the role-only approach misses. The `status_summary` rollup spares callers from memorizing RFC 8056 vocabulary. For compliance, verifying IP ownership confirms vendor and partner infrastructure claims.
Use Cases
Incident Response & Attribution
During an active security incident, quickly identify the organization, ISP, or cloud provider operating the attacking IPs to coordinate takedown and notify the responsible party.
Immediate attribution and contact information for rapid incident containment and coordinated response.
Abuse Report Filing
Identify the registered organization and correct RIR for malicious IP traffic to file properly formatted abuse reports with the responsible network operator.
Route abuse reports to the correct organization with proper registry reference for faster resolution.
Vendor & Infrastructure Verification
Verify that IP addresses used by vendors, partners, or third-party services are actually registered to the claimed organizations as part of vendor due diligence.
Confirm infrastructure ownership claims and detect potential supply chain risks through IP registration verification.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
ip | string | Required | The IPv4 or IPv6 address to query WHOIS data forExample: 8.8.8.8 |
Response Fields
| Field | Type | Description |
|---|---|---|
ip | string | The queried IP address |
range.start_address | string | Start of allocated IP range |
range.end_address | string | End of allocated IP range |
range.cidr | string | CIDR notation of the allocation. Null when the RIR-supplied CIDR doesn't actually contain the queried IP. |
range.cidr_mismatch | boolean | Present and true when the RIR returned a CIDR that does not contain the queried IP — typically a registry data inconsistency. |
name | string | Network name from RDAP |
handle | string | RDAP registration handle |
organization | string | Registered organization name |
abuse_contact.email | string | Abuse reporting email address — sourced from role=abuse entity first, then vCard abuse-mailbox extension (RIPE convention) |
abuse_contact.phone | string | Abuse contact phone number |
abuse_contact.name | string | Abuse contact name |
abuse_contact.organization | string | Abuse contact organization |
registration_date | string | When the range was allocated |
last_changed | string | Last update date of the registration |
rir | string | Regional Internet Registry: ARIN, RIPE, APNIC, LACNIC, or AFRINIC |
status | array | RDAP status codes (e.g., active, reserved) |
status_summary | string | Coarse-grained status: active, reserved, allocated, transferred, or other (RFC 8056 §10.2.2) |
contacts | array | All contacts (abuse, administrative, registrant, technical) — each with role, name, email, phone, and organization |
contacts_truncated | boolean | Whether the contacts list was truncated (max 50 contacts) |
is_bogon | boolean | Whether the IP is a bogon (reserved/private) address |
bogon_type | string | Bogon classification (e.g., rfc1918_private, rfc5737_documentation) |
Code Examples
curl "https://api.edgedns.dev/v1/ip/whois" \
-H "Authorization: Bearer YOUR_API_KEY" \
-d "ip=8.8.8.8"const response = await fetch(
'https://api.edgedns.dev/v1/ip/whois?ip=8.8.8.8',
{
headers: {
'Authorization': 'Bearer YOUR_API_KEY'
}
}
);
const data = await response.json();
console.log(data);import requests
response = requests.get(
'https://api.edgedns.dev/v1/ip/whois',
headers={'Authorization': 'Bearer YOUR_API_KEY'},
params={
'ip': '8.8.8.8'
}
)
data = response.json()
print(data)Read the full IP WHOIS guide
Why it matters, real-world use cases, parameters, response fields, and how to call it from Claude, ChatGPT, or Gemini via MCP.
Read the guide →Related Endpoints
External References
Learn more about the standards and protocols behind this endpoint.