Glossary
The terms behind the signals.
Plain, dev-to-dev definitions of the routing, allocation and network-kind terms GeoQ uses. Each one links to where the signal shows up in a response.
- RPKI (Resource Public Key Infrastructure)
- A public-key system that lets the holder of an IP prefix publish a signed statement (a ROA) saying which AS is allowed to originate it. GeoQ reports the result as network.rpki: valid, invalid or unknown. See RPKI detection.
- Route-origin validation
- Checking a route announcement against RPKI data to confirm the announcing AS is authorised to originate the prefix. An invalid result means a ROA exists but the origin or prefix length contradicts it — possible hijack or misconfiguration. GeoQ runs its own validator and adds +20 for an invalid origin.
- ROA (Route Origin Authorisation)
- A signed RPKI object naming the AS authorised to originate a given prefix, and the maximum prefix length. ROAs are what route-origin validation checks against.
- Bogon
- An IP address in space that should never appear as a source on the public internet — unallocated ranges and reserved blocks (e.g. RFC 1918, RFC 5737). Legitimate traffic does not originate from bogon space, so is_bogon === true is a strong spoofing signal (+30).
- is_announced
- True when a covering prefix for the IP is visible in the global routing table, as seen in public BGP data. An address that claims to be a host but is not announced is suspicious; GeoQ surfaces this for context.
- RIR allocation
- The delegation of an IP range by a Regional Internet Registry (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC). GeoQ derives allocation_date, allocation_age_days and registration_country from the RIRs' published delegated-statistics files. Freshly-allocated space can be worth a second look.
- ASN (Autonomous System Number)
- A number identifying a network that announces routes on the internet (e.g. AS15169 is Google). GeoQ returns network.asn and as_org for context on who operates the range an IP belongs to.
- iCloud Private Relay
- Apple's built-in privacy feature that routes Safari and some app traffic through two relays, so the exit IP belongs to partner infrastructure rather than the user's ISP. GeoQ flags these exits with is_relay and relay_provider: "icloud" — a benign network kind that caps the risk score at 20. See relay detection.
- Satellite ASN
- The autonomous system of a satellite-internet operator (e.g. SpaceX Starlink). GeoQ classifies attributable satellite-access ranges as connection_type === "satellite", a benign network kind. Satellite ASNs can carry mixed traffic, so GeoQ only sets the value for ranges it can attribute. See satellite detection.
- Public resolver
- A public DNS resolver such as 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare). These run in hosting-style ranges and can look like a datacenter, so GeoQ recognises them with is_public_resolver — a benign network kind that caps the risk score, rather than scoring them as fraud.
- CGNAT (Carrier-Grade NAT)
- A scheme where a carrier shares one public IP across many subscribers. It means a single IP can represent many distinct users, so per-IP reputation is noisier — useful context when interpreting any IP signal, including satellite links that often sit behind CGNAT-style gateways.
- DROP (Don't Route Or Peer)
- Spamhaus's lists of IP ranges controlled by or leased to known hostile networks — ranges operators are advised not to route or peer with. GeoQ flags these with is_drop_listed (+40). Data is © The Spamhaus Project; see attributions.
- Connection type
- GeoQ's connection_type field — the network kind an IP belongs to: datacenter (with a datacenter_provider), satellite, or unknown. It replaces the older is_datacenter boolean and only ever holds an authoritative value, never a guess.
- Evidence label
- A tag GeoQ attaches to each signal describing how much to trust it: authoritative (from a list the network or registry publishes about itself), inferred (derived from shifting lists), or beta (surfaced but not yet scored). See the methodology.
- Benign network kind
- GeoQ's term for a network that looks risky but belongs to ordinary users — relay, satellite or public resolver. When one is detected, the risk score is capped at 20 and benign_network_kind is added to reasons[]. The false-positive reducer at the heart of the score.
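
The ROA and route-origin validation entries above describe a three-way outcome; the following added example (not GeoQ's validator or code) implements the standard RFC 6811 decision procedure to show how valid, invalid and unknown are reached. The ROA class, function name and sample ROAs are assumptions, built from documentation prefixes and ASNs, and the AS0 case goes slightly beyond what the glossary states.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # prefix the holder signed
    max_length: int  # longest prefix length the ROA permits
    asn: int         # AS authorised to originate it (0 = "do not route")


# Constructed sample data: documentation prefixes (RFC 5737, RFC 3849)
# and documentation ASNs (RFC 5398). Not real ROAs.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64498),
    ROA("203.0.113.0/24", 24, 0),
]


def validate_origin(prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'unknown'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route when the route sits inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs a matching origin AND a length within max_length.
        # An AS0 ROA can never match an origin.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered but never matched: a ROA exists and the announcement contradicts it.
    return "invalid" if covered else "unknown"


if __name__ == "__main__":
    for pfx, asn in [
        ("192.0.2.0/24", 64496),     # origin and length match
        ("192.0.2.0/24", 64511),     # wrong origin AS
        ("192.0.2.0/25", 64496),     # more specific than max_length
        ("2001:db8:1::/48", 64498),  # within max_length 48
        ("203.0.113.0/24", 64496),   # covered only by an AS0 ROA
        ("198.51.100.0/24", 64496),  # no covering ROA
    ]:
        print(f"{pfx:<18} AS{asn:<6} {validate_origin(pfx, asn)}")
```
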