If you're looking for a domain lookup API in 2026, the landscape has shifted. ICANN sunsetted WHOIS in January 2025, 374 gTLDs have already shut off port 43, and RDAP now handles more queries than WHOIS globally. The protocol is changing — and so are the providers.

Here's every option, what they cost, and what tradeoffs you're making.

Before you evaluate any provider

Since GDPR, most registries redact registrant contact details — names, emails, phone numbers, addresses. This affects every lookup method equally — WHOIS, RDAP, any API. No provider can return data the registry has redacted. Make sure the fields you actually need (registrar, dates, nameservers, status) are available before committing to a plan.

Option 1: WHOIS API providers

These services scrape WHOIS data, parse it with custom per-registrar logic, and return structured results via REST APIs. They've been the default choice for years.

Threat intelligence platforms

DomainTools and SecurityTrails (Recorded Future) are threat intelligence platforms that happen to include WHOIS data. DomainTools starts around $50,000/year; SecurityTrails has a free tier at 2,500 queries/month, then jumps to $11,000–$70,000/year. If you need passive DNS, domain risk scoring, or historical attribution across billions of records, these are the tools. If you need registration data for domains, they're overkill.

Parsed WHOIS APIs

WhoisXML API — the most recognized name. 50+ data products, credit-based pricing (not publicly disclosed), 500 free queries on signup.

WhoAPI — 13+ years running. $52/month for 40,000 requests, $499/month for 100,000.

WhoisFreaks — credit-based, starting at $75/month for 50,000 credits. One-time purchases at $150/50k. Includes WHOIS history and reverse lookups.

Whoxy — cheapest pay-as-you-go option. $2 for 1,000 queries, $75 for 50,000, $1,000 for 1M. Plus WHOIS history and reverse lookups.

WhoisJSON — generous free tier (1,000 queries/month), then $10/month for 30,000 or $30/month for 150,000.

What WHOIS APIs have in common

Every provider above is built on the same foundation: scraping WHOIS text and parsing it into structured data. That foundation has two cracks:

The source is disappearing. By September 2025, 374 gTLDs had shut off port 43. Query volume dropped 60%. As port 43 goes dark, providers must either switch to RDAP on their backend or rely on cached data — either way, you're paying for a WHOIS API that increasingly isn't querying WHOIS.

Parsing is fragile. Every registrar formats WHOIS differently. Providers maintain hundreds of custom parsers that break when registrars change their output. You're paying for the maintenance of scraping infrastructure.

Option 2: Query RDAP directly (free)

RDAP is the IETF-standardized replacement for WHOIS. Structured JSON over HTTPS, standardized fields, no parsing required. Every gTLD registry runs an RDAP server, and you can query them for free — no API key, no account.

curl https://rdap.verisign.com/com/v1/domain/google.com

This is a real option. If you need occasional lookups or are building a hobby project, direct RDAP queries work. But for production use, you'll be building more than you expect:

Bootstrap discovery. There's no single RDAP server. You need to fetch IANA's bootstrap registry, cache it, and map each TLD to its server. That's an HTTP call, a JSON parser, a cache layer, and a refresh strategy.

Thin-registry follow-through. .com and .net use thin registries — Verisign stores basics, but registrar details (contacts, abuse email) live on a separate RDAP server. You need to extract the rel=related link, make a second request, and merge the responses.

vcardArray parsing. Contact data uses RFC 6350 — a deeply nested array structure where extracting an organization name means iterating arrays and matching on index positions. Every entity in the response uses this format.

Rate limit handling. Each RDAP server enforces its own limits — some return Retry-After: 86400 (24-hour bans). You need per-server backoff, caching of rate limit state, and graceful degradation.

Field normalization. While RDAP is standardized, registries differ on which optional fields they include, how entities are nested, and what status values they use. A field present in one registry's response may be absent or structured differently in another's.

This is real engineering work — and it's ongoing. RDAP servers change behavior, new TLDs appear, rate limit policies shift. Whether it's worth building depends on your query volume. At 10 lookups a day, build it yourself. At 10,000, the maintenance cost starts to add up.

Option 3: RDAP API

RDAP API is built on RDAP, not WHOIS. It handles bootstrap discovery, thin-registry follow-through, vcardArray parsing, rate limiting, and field normalization — and returns flat, consistent JSON.

curl -H "Authorization: Bearer YOUR_TOKEN" \
  "https://rdapapi.io/api/v1/domain/google.com?follow=true"

{
  "domain": "google.com",
  "status": ["client delete prohibited", "server transfer prohibited"],
  "registrar": {
    "name": "MarkMonitor Inc.",
    "iana_id": "292",
    "abuse_email": "[email protected]"
  },
  "dates": {
    "registered": "1997-09-15T04:00:00Z",
    "expires": "2028-09-14T04:00:00Z",
    "updated": "2019-09-09T15:39:04Z"
  },
  "nameservers": ["ns1.google.com", "ns2.google.com", "ns3.google.com", "ns4.google.com"],
  "dnssec": false,
  "entities": {
    "registrant": {
      "organization": "Google LLC",
      "country_code": "US"
    }
  }
}

Every field in the same place, every TLD. No vcardArray, no nested entity arrays, no guessing which events entry is the expiration date.

SDKs are available for Python (PyPI), Node.js (npm), PHP (Packagist), Go (GitHub), and Java (Maven Central). See the migration guide for before/after code examples in all five languages.

Start a free trial — no credit card required.

Not just domains

Most WHOIS API providers offer IP and DNS data too, but through separate products bolted on alongside WHOIS. RDAP covers domains, IPs, ASNs, nameservers, and entities natively — it's the same protocol, the same standardized JSON, the same API:

IP lookups — network allocation, CIDR range, organization, abuse contacts
ASN lookups — autonomous system details, operator, registration dates
Nameserver lookups — nameserver registration data
Entity lookups — RIR handle details (ARIN, RIPE, APNIC, LACNIC, AFRINIC)

One API, one token, all object types — query IPs at /api/v1/ip/8.8.8.8 or ASNs at /api/v1/asn/15169.

Pricing

Plans start at $9/month for 30,000 lookups (Starter), $49/month for 200,000 (Pro), and $199/month for 1,000,000 (Business). All plans include domain, IP, ASN, nameserver, and entity lookups. Free trial available.

Which option should you pick?

You need threat intelligence — passive DNS, historical WHOIS, domain risk scoring, brand monitoring across millions of domains. DomainTools or SecurityTrails. They're expensive because they solve a hard problem with massive datasets. RDAP API doesn't compete here.

You need current registration data at scale — registrar, dates, nameservers, status, contacts. This is where WHOIS APIs and RDAP API overlap. The difference: WHOIS APIs parse disappearing text. RDAP API normalizes a living, growing protocol. The data is fresher and the source is more reliable.

You need occasional lookups — query RDAP servers directly. It's free, it works, and our migration guide has code examples in 5 languages. If you outgrow it, the SDK is a drop-in upgrade.

You need domain availability or WHOIS history — RDAP doesn't offer historical data or availability checks. Whoxy and WhoisFreaks have deep archives for this use case.

If you're evaluating RDAP API, start a free trial or check the API docs first.

WHOIS API Alternatives in 2026: Pricing, Limits, and What's Changed