Why does this exist?

The actual problem with IP lookup sites

Go try any of the top results for "what is my IP" right now. I'll wait. What you'll find is: a page that takes 3 seconds to load, four ad slots, a cookie banner the size of a parking ticket, a prompt asking you to create an account, and somewhere buried in the footer, a link to a privacy policy that says they "may share your data with trusted partners." Trusted partners. Cute.

The business model for most of these sites is not the tool. The tool is the bait. The actual product is the data they collect while you're using the tool. Your IP, your user agent, your location, your timestamp, your session — all of it packaged and sold to data brokers who sell it to marketers who eventually show you an ad for something you googled once at 2am.

That model works fine if you don't think too hard about it. But here's the thing: the whole reason someone is checking their IP is usually because they care about privacy. They're checking if their VPN works. They're testing their network. They're looking up a domain. They're literally privacy-conscious people being data-harvested by the tool they're using to check their privacy. The irony is thick enough to cut.

So we built the version we wanted to exist. Your IP hits the server, gets looked up, gets shown to you, and then we forget it immediately. Not "store it for 30 days and then delete it." Forget it. In-memory, response returned, gone. No log files. No database tables. No analytics events. Just the answer.

How it actually works under the hood

The homepage runs on Vercel's Edge Runtime. When you hit the page, the server reads your IP from the incoming request headers — specifically CF-Connecting-IP (set by Cloudflare), then X-Real-IP, then X-Forwarded-For as fallbacks. That IP is then sent to ip-api.com, which returns geolocation data: city, region, country, ISP, ASN, organization, timezone, coordinates, and flags for whether the IP is a mobile network, proxy/VPN, or hosting provider.

The world map is drawn with D3.js using Natural Earth 1 projection and TopoJSON country boundaries. When your location comes back, the map animates to your coordinates and drops a pin. It's a nice visual but it's not magic — all it's doing is plotting a latitude and longitude that came from ip-api.com.

The browser intelligence section is entirely client-side. It reads navigator.userAgent, screen.width/height, navigator.language, Intl.DateTimeFormat for timezone, navigator.connection for network type, and canvas/WebGL for the GPU renderer string. None of this gets sent to our server — it's all computed in your browser and displayed in your browser.

The WebRTC leak detection part is clever. It creates an RTCPeerConnection with STUN server configurations (stun.l.google.com, stun.cloudflare.com) and listens for ICE candidates. WebRTC uses these to discover local and public IPs for peer connections. If the IP reported by STUN differs from what our server sees, your VPN is leaking your real IP. This is the mechanism that catches over 95% of VPN users who think they're protected but aren't.

The 15 tools and what they're actually for

Each tool is self-contained. They don't share sessions, they don't log results, and most of them don't even touch our servers — they query public APIs directly or run entirely in your browser.

Privacy, in more detail than you probably want

Here's what happens when you use this site, in exact terms. You load the page. Your browser makes an HTTP request to our Vercel Edge server. The server reads the IP from the request headers. It calls ip-api.com with that IP to get geolocation data. It returns the result to your browser. That's the entire server-side flow. There is no step where we write anything to storage.

We don't run Google Analytics. We don't run Plausible. We don't run any analytics. There are no tracking pixels. No third-party scripts except what's needed for the tools themselves to function. The page you're looking at right now doesn't phone home to anything other than our own Vercel deployment.

No cookies are set. None. Open your browser's developer tools, go to Application, Storage, Cookies. You'll see nothing from whatismyip.technology. We have no reason to set cookies because we have no sessions, no accounts, no preferences to persist.

The third-party services the tools use each see your IP as part of a normal HTTP request. ip-api.com gets your IP to return geolocation. dns.google gets a domain name you typed in. rdap.org gets a domain or IP you typed in. crt.sh gets a domain you typed in. None of them get more than what's necessary for the query. We don't add user identifiers. We don't append session tokens. Just the raw query.

If you want the full policy with all the legal language and specific scenarios, it's at /privacy. The short version is: we collect nothing, we store nothing, we sell nothing.

The three-site ecosystem

whatismyip.technology is one of three sites under the same umbrella. They're separate sites because they serve different purposes, but they're designed to work together.

The idea is that .technology is where you do the thing, .codes is where you build with the thing, and .wiki is where you learn about the thing. They cross-link where it makes sense and stay out of each other's way otherwise.

The tech stack (if you're curious)

Next.js App Router on Vercel. Tailwind v4 for styling. Framer Motion for animations. The world map is D3-geo with TopoJSON. No database. No auth. No persistent server-side state of any kind.

Third-party APIs: ip-api.com for geolocation, rdap.org for WHOIS/RDAP, dns.google for DNS records, crt.sh for certificate transparency, api6.ipify.org for IPv6 detection, and Google STUN servers for WebRTC leak detection.

The password generator and subnet calculator run entirely in the browser using the Web Crypto API and standard bitwise operations respectively. They make zero network requests. You could be offline and they'd still work. That's the right way to build tools that handle anything remotely sensitive.

The philosophy behind all of it

There's a version of this site where we add a "premium" tier with faster lookups and more WHOIS history. There's a version where we add a little tracking pixel so we can tell investors we have "50,000 monthly active users." There's a version where we put the VPN leak test behind a signup wall because it converts.

We're not building that version. Not because we can't, but because it would make the product worse. The whole value proposition of a privacy tool is that it doesn't compromise your privacy. The moment you start logging things "for product analytics" or gating tools to grow a mailing list, you've undermined the only reason someone should trust you with their network data in the first place.

This is free because useful tools should be free when they can be. The infrastructure cost to run this is low. Vercel's edge network handles the traffic. ip-api.com has a generous free tier. The tools that need server-side processing (port scanner, SSL checker) are lightweight. We're not burning money running this. We're also not making money from it. It exists because it should exist.

If you use it, great. If you find a bug or something gives wrong results, email [email protected] and we'll fix it. If you build something cool with the API, we'd honestly love to hear about it.

Contact and feedback

We read the inbox. If something is broken, if a tool is giving you wrong results, if your location detection is wildly off, if you found a security issue — email [email protected]. Real response, not an autoresponder.

For security issues specifically: if you find a vulnerability, please disclose responsibly. We'll fix it fast, we'll be grateful, and we'll credit you in the fix commit if you want to be credited. No bug bounty program yet because this is a free tool with no budget, but we'll at least say thank you loudly.

If you're a developer and want to use the API in your project, the docs are at whatismyip.codes. No API key, no rate limit beyond reasonable use, CORS open. Build whatever you want with it.

For everything else — suggestions, ideas, "hey you should add a tool that does X" — same email. We do read them. We don't always implement them but we read them.