Free WHOIS API — Best Options & Free Plans in 2026

Introduction

Manual WHOIS lookups are fine for a one-off check. The moment you need to query dozens of domains programmatically — to verify ownership at onboarding, flag newly-registered phishing domains, or monitor certificate changes — you need an API. The market offers plenty of options, but "free" means different things depending on the provider: some require a credit card to activate even a zero-cost plan, others set a generous monthly quota with no strings attached, and a few only offer limited trial credits that expire.

This guide focuses on what actually matters when evaluating a free WHOIS API: how many requests you get without paying, whether a card is required, which TLDs are covered, what format the data comes back in, and whether the provider uses modern RDAP or only legacy WHOIS. We cover the most commonly evaluated options in 2026 so you can make an informed choice before writing a single line of integration code.

What to Look for in a Free WHOIS API

Not all free tiers are equal. Here are the six criteria that separate genuinely useful free plans from ones that look good on the pricing page but hit a wall in practice.

Free request quota. The number of requests per month you get at zero cost. Anything below 500 is effectively a trial. 1,000 or more per month is enough for side projects, monitoring scripts, or integration testing in a real application.
Credit card requirement. Some providers require a card to activate the free tier, even if they claim they will not charge you. For developers who do not want to hand over billing details for an exploratory integration, card-free plans are a meaningful differentiator.
Response format. Native JSON is the standard for REST APIs. A few older providers return XML by default or require a format parameter to get JSON. Normalized field names across TLDs matter more than the format — inconsistent schemas mean defensive .get() calls everywhere.
TLD coverage. Generic TLDs (.com, .net, .org, .io) are easy. Country-code TLDs (.fr, .de, .jp, .br) and newer gTLDs (.app, .dev, .cloud) separate good providers from great ones. Aim for 1,000+ TLDs with active WHOIS or RDAP servers.
RDAP vs legacy WHOIS. RDAP (Registration Data Access Protocol) is the structured, HTTPS-based replacement for the 40-year-old WHOIS protocol. APIs that use RDAP automatically return richer, consistently-parsed data. Providers still relying solely on legacy WHOIS parsing introduce inconsistency and maintenance risk into their data quality.
Rate limiting. Free tiers often impose strict rate limits (e.g. 5–20 requests per minute). Know the ceiling before building something that depends on burst throughput.

Best Free WHOIS APIs in 2026

The table below summarizes the most commonly evaluated options. Details for each follow.

API	Free Quota	Card Required	Format	TLDs	RDAP
WhoisJSON	1,000 req/mo	No	JSON, XML	1,500+	Automatic
WhoisXML API	~500 queries/mo	Yes	JSON, XML	1,500+	Partial
Whoxy	Very limited credits	No	JSON	~1,000	No
AbstractAPI / ip-api	Varies (IP-focused)	Varies	JSON	Limited	No
RDAP public endpoints	Unlimited (raw)	No	JSON	~1,200	Native

WhoisJSON

1,000 requests per month, no credit card, JSON-native, covering 1,500+ TLDs with automatic RDAP/WHOIS routing. A single API key covers WHOIS, DNS, SSL, subdomain discovery, and domain availability — all endpoints included in the free plan. The rate limit on the free tier is 20 requests per minute. Free tier details and sign-up at a(href="/free-domain-api") whoisjson.com/free-domain-api | .

WhoisXML API

A large, established provider with a broad product catalog. The free tier provides approximately 500 WHOIS queries per month but requires a valid credit card to activate. DNS, SSL, and other products are separate offerings with separate pricing. Strong differentiator: historical WHOIS archives going back years, which no other provider matches. Point of friction: per-product API keys and a more complex billing structure.

Whoxy

Oriented primarily toward reverse WHOIS (find all domains registered by a given email, name, or registrar). The free tier provides a small bundle of credits — enough for evaluation but not sustained use. No RDAP support. No DNS, SSL, or monitoring features. Pay-as-you-go pricing is higher per query than WhoisJSON at any recurring volume. Best fit for infrequent, reverse-WHOIS-specific lookups.

AbstractAPI / ip-api and similar

These generic data-enrichment services are frequently cited in "best WHOIS API" roundups but are primarily built for IP geolocation and general domain availability checks, not structured WHOIS data. TLD coverage is narrower than dedicated WHOIS providers, RDAP is not supported, and the response schemas are less complete. They work for basic domain existence checks; they are not the right choice if you need registrar, expiry, or contact data.

RDAP public endpoints

The IANA maintains a bootstrap file mapping TLDs to their public RDAP servers. You can query these endpoints directly for free — no API key, no rate limit imposed by an intermediary. The limitation is that this is not a unified API: you must resolve the correct endpoint per TLD, handle HTTP errors and timeouts for each registry separately, write your own normalization layer, and fall back to WHOIS for TLDs that have not deployed RDAP (~40% of ccTLDs as of early 2026). It is the right choice for one-off scripts where the infrastructure overhead is acceptable; it is not practical for production applications.

Bottom line: if you want a production-grade free tier with consistent JSON, no card required, and coverage beyond .com/.net, WhoisJSON is the most practical starting point. The RDAP public endpoints are the right choice if you explicitly need zero dependency on a third-party and are comfortable writing the integration layer yourself.

WhoisJSON Free Plan — What You Get

The free plan at WhoisJSON is not a trial. It does not expire, does not require a credit card, and does not restrict you to a subset of the API. Here is what is included:

1,000 requests per month, reset on the calendar month. All six endpoints share this pool — WHOIS, DNS lookup, SSL certificate check, subdomain discovery, domain availability, and reverse WHOIS.
Rate limit of 20 requests per minute. Sufficient for monitoring scripts, onboarding flows, and small batch jobs. The paid plans (from $10/month) raise this to 40–900 req/min.
Automatic RDAP/WHOIS routing. The API picks the best available protocol per TLD. When RDAP is used, the response includes computed enrichment fields ( age, expiration, statusAnalysis, nsAnalysis) that are not possible from raw WHOIS text.
Simple upgrade path. When your volume grows, upgrading to Pro (30,000 req/month for $10/mo) or Ultra (150,000 req/month for $30/mo) takes one click in the dashboard. See full pricing for all tiers.

A representative WHOIS response from the free plan looks like this:

Response — example.comJSON

{
  "name":       "example.com",
  "registered": true,
  "source":     "rdap",
  "created":    "1995-08-14",
  "changed":    "2024-08-13",
  "expires":    "2026-08-13",

  "age": {
    "days":              10743,
    "months":            354,
    "years":             29,
    "isNewlyRegistered": false,
    "isYoung":           false
  },

  "expiration": {
    "daysLeft":       140,
    "isExpiringSoon": false,
    "isExpired":      false
  },

  "registrar": {
    "name": "IANA",
    "url":  "https://www.iana.org"
  },

  "nameserver": ["a.iana-servers.net", "b.iana-servers.net"],
  "status":     ["client delete prohibited", "client transfer prohibited"],
  "dnssec":     "unsigned"
}

Every response includes a Remaining-Requests header so you can track your quota programmatically without logging into the dashboard. The source field ( "rdap" or "whois") tells you which protocol answered the query.

How to Get Started for Free

curl

TerminalShell

curl -s "https://whoisjson.com/api/v1/whois?domain=example.com" \
     -H "Authorization: Token=YOUR_API_KEY" | jq .

Python

whois_lookup.pyPython

import requests

API_KEY  = "YOUR_API_KEY"
BASE_URL = "https://whoisjson.com/api/v1"

def whois(domain: str) -> dict:
    resp = requests.get(
        f"{BASE_URL}/whois",
        params={"domain": domain},
        headers={"Authorization": f"Token={API_KEY}"},
        timeout=10,
    )
    resp.raise_for_status()
    return resp.json()

data = whois("example.com")
print(data.get("registrar", {}).get("name"))
print(data.get("expiration", {}).get("daysLeft"))

Node.js

whois.mjsNode.js

const API_KEY  = "YOUR_API_KEY";
const BASE_URL = "https://whoisjson.com/api/v1";

async function whois(domain) {
    const url  = `${BASE_URL}/whois?domain=${encodeURIComponent(domain)}`;
    const resp = await fetch(url, {
        headers: { Authorization: `Token=${API_KEY}` },
    });
    if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
    return resp.json();
}

const data = await whois("example.com");
console.log(data?.registrar?.name);
console.log(data?.expiration?.daysLeft);

Tip: replace /whois with /dns or /ssl in the URL to query DNS records or SSL certificate data with the same key and the same request quota.

When the Free Tier Is Not Enough

1,000 requests per month is enough to build and test an integration, run a small monitoring script, or power a low-traffic tool. It is not enough for bulk domain processing, high-frequency monitoring across large domain portfolios, or production applications with meaningful traffic.

Here are the signals that it is time to upgrade:

You are hitting the monthly quota before month-end. The Remaining-Requests header makes this easy to detect. The Pro plan (30,000 req/month for $10/mo) is usually the right next step.
You need higher burst throughput. The free plan's 20 req/min limit serializes bulk jobs. Pro and Ultra raise the ceiling to 40 and 60 req/min respectively, and the Mega tier goes up to 900 req/min for processing-heavy pipelines.
Your application is in production. Free tiers can change. For applications with SLA commitments or paying users of their own, locking in a paid plan provides stability and support access.
You need more monitoring slots. The free plan includes one domain monitoring slot (webhook alerts on WHOIS/DNS/SSL changes). Paid plans include 5 to 50 slots depending on tier.

All paid plans use the same API key and the same endpoints as the free tier — no migration, no code changes. See the pricing page for current rates.

FAQ

Is there a completely free WHOIS API without rate limits?

Not from a managed provider. Every API that runs infrastructure imposes at least a rate limit or a monthly quota. The closest option to "no limits and no cost" is querying RDAP public endpoints directly — the IANA bootstrap file maps TLDs to their public servers, and you can hit them without an API key.

There is a catch that is rarely mentioned: registries and registrars enforce their own per-IP rate limits on the underlying WHOIS and RDAP servers, independently of any API layer. Verisign (the .com/.net registry) caps anonymous WHOIS queries to a few hundred per day per IP address. Many ccTLD registries apply even stricter throttles — some as low as 10–30 queries per hour. Exceed those limits and the server silently drops your connection or returns an error block with no Retry-After indication. Managed APIs like WhoisJSON solve this transparently by routing requests through a pool of IPs and caching responses, so you never hit a registry-level block. If you query RDAP endpoints directly, you are exposed to those per-IP caps and need to implement your own caching and back-off strategy.

The trade-off, in short: direct RDAP gives you zero cost but requires you to own the routing logic, normalization, WHOIS fallback, and per-registry rate-limit management. For managed APIs, WhoisJSON's free tier (1,000 req/month, no card) is the most generous zero-cost plan currently available and abstracts all of the above.

Do I need a credit card for the WhoisJSON free plan?

No. The WhoisJSON free plan is activated immediately on sign-up with just an email address. No credit card is requested until you choose to upgrade to a paid tier. You can use the full API — all six endpoints — indefinitely on the free plan. Sign up here.

What is the difference between WHOIS and RDAP?

WHOIS is a 40-year-old TCP protocol that returns unstructured plain text. The format varies by registry — there is no standard schema, no structured error codes, and no native authentication. RDAP (Registration Data Access Protocol) is the modern replacement standardized by the IETF (RFC 7480 / RFC 9083). It runs over HTTPS and returns structured JSON with consistent field names, HTTP status codes, and support for Unicode domain names. ICANN mandated RDAP support for all accredited registrars in 2025, but ccTLD registries are not bound by that requirement and many have not yet deployed RDAP endpoints. A good WHOIS API abstracts both protocols and returns the same JSON schema regardless of which one answered the query.

Can I use a free WHOIS API in production?

Yes, with caveats. The WhoisJSON free plan has no expiry and no artificial feature restrictions, so it is technically usable in production. The practical limits are the monthly quota (1,000 requests) and the rate ceiling (20 req/min). If your production application stays within those bounds — for example, a low-traffic onboarding check or a single-domain monitoring alert — the free tier works fine. For applications where domain lookups are on the critical path for paying users, a paid plan removes the quota ceiling and provides predictable throughput.

Start for free — no credit card

1,000 API requests per month. WHOIS, DNS, SSL, subdomain, and monitoring under one key.

Get Your Free API Key Full API Docs

Free WHOIS API — Best Options in 2026