Ideal Postcodes

Ideal Postcodes provides UK address search and validation solutions including postcode to address lookup, partial address lookups and address autocomplete. These services are provided through a simple, well documented HTTP API, which can be integrated in minutes. We use Royal Mail's Postcode Address File (PAF) with daily updates.


  • Postcode to address lookup service
  • Free-form address lookup service
  • Address autocomplete
  • Simple integration in different languages and systems
  • Simple and secure HTTP API
  • Updated daily from Royal Mail Postcode Address File (PAF)
  • Fixed monthly or annual pricing for public sector organisations
  • Simple dashboard and tools to track and manage usage


  • Fast address entry using a postcode or partial address
  • Reliable addresses for mailing, delivery or record keeping
  • Best UK addressing data quality available


£2.00 to £2.50 per unit

  • Free trial available

Service documents

G-Cloud 10


Ideal Postcodes

Christopher Blanchard

020 7112 8019

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints HTTP API is rate limited
System requirements
  • Internet access
  • Ability to make HTTP requests

User support

Email or online ticketing support Email or online ticketing
Support response times Email is monitored throughout the week. Phone support is available Monday to Friday. Monday to Friday: Enquiries are handled within the same working day. Questions received between 9am and 4pm are typically handled within an hour. Critical enquiries (e.g. where API access is impaired) are escalated and handled as soon as possible throughout the day. Saturday to Sunday: Emails are monitored for critical enquiries only. Non-critical enquiries are deferred to next business day. Critical enquiries (e.g. where API access is impaired) are escalated and handled as soon as possible throughout the day.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.0 AA or EN 301 549 9: Web
Web chat accessibility testing Web chat is designed and tested to work on both mobile and desktop screen sizes.
Onsite support No
Support levels Support is free. We can be reached by email, phone and live chat. We also provide free support to assist with any integration or technical queries.
Support available to third parties Yes

Onboarding and offboarding

Getting started Get started by creating an Ideal Postcodes account. Once signed in, you may create keys via your dashboard and use them to query for addressing data. All keys are instantly usable on our API with test requests. We provide a wide range of test methods to allow you to develop a rigorous and correct implementation. Test requests do not affect your lookup balance. To take your key live and query genuine addressing data, you will need to purchase a lookup balance for your key or a license that grants data access. Requests that retrieve addressing data (i.e. using the /addresses and /postcodes API) will deduct one lookup from your balance. You can also set up automated top-ups to reload your balance when it runs low.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Past API usage data may be extracted via the API. We can also extract your data for you upon request.
End-of-contract process Access to the API will no longer be available. No additional costs are applicable.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There is no difference between the HTTP API for mobile and desktop users. Integrations may, however, differ between end users depending on the user interface and accessibility requirements. We provide a range of open-sourced integrations which provide postcode lookup, free text search and autocomplete functionality.
Accessibility standards None or don’t know
Description of accessibility Our website and dashboard are available online via desktop or mobile browsers. The dashboard can be used to manage API access using API keys. Users can use the dashboard to set daily limits, whitelist URLs, allocate notification email addresses and thresholds as well as general account management features.

Our HTTP API provides address search functionality. The API can be used to look up addresses for a postcode, search for an address using freeform search (i.e. providing address search terms) and autocomplete addresses.
Accessibility testing The website dashboard is designed to work on both mobile and desktop screen sizes.

With regards to postcode and address lookup integration, our postcode lookup and autocomplete libraries are tested on a range of different browsers and screen sizes. This includes testing our libraries in Windows 7, 8 and 10 as well as macOS (formerly OSX), using Internet Explorer, Edge, Chrome, Firefox and Opera. Our integration libraries have also been tested to work on desktop, tablet and mobile phone screen sizes.
What users can and can't do using the API Users can accomplish the following via the HTTP API: Query addressing data (postcode lookup, address search, address autocomplete), check availability of API key, check API key balance and check historical usage of API key
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Integrations with our services are highly customisable. We provide open-sourced browser libraries which can integrate address lookup capabilities building on the addressing APIs we provide. The most basic integration for a website or application can be set up within an hour. These libraries contain a large number of configuration options to customise behaviour and styling of the integration. Users can apply their own CSS classes and styles, specify custom DOM elements to use for the integration and hook into various events in the address lookup process using callback functions. Buyers can also build their own front or backend integrations based around their own requirements. This can be accomplished by modifying our existing open-source implementations or creating a new integration altogether. We also accept pull requests to add more functionality into our existing libraries. Our integrations are all available on ( We are happy to provide any assistance and technical advice in this regard via our support channels.


Independence of resources All our internal services are scaled horizontally. Should any part of our service hit a bottleneck in terms of processing, memory or storage requirements, we are able to create new virtual machines within 30 minutes to expand our resource pool. Services are monitored 24/7 and an engineer is alerted should any of our services trip one of our (conservative) resource utilisation thresholds. We also over-provision our services in terms of computing resources, which affords us more time to deal with any potential resource issues.


Service usage metrics Yes
Metrics types Users can retrieve their usage data via the dashboard or API. These metrics include paid requests per day as well as per request metrics (including IP address, request type, search term and HTTP referrer).
Reporting types
  • API access
  • Real-time dashboards


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Royal Mail

Staff security

Staff security clearance Other security clearance
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations No
Datacentre security standards Supplier-defined controls
Penetration testing frequency Never
Protecting data at rest
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach In-house destruction process

Data importing and exporting

Data export approach Users can export their historical usage data via the dashboard or HTTP API. The former method requires the correct username and password to access the dashboard. The latter method requires a secret user token included in the API request.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network All hosts block network traffic on every interface for all ports for both private and public networks by default. Only network data from recognised IP addresses and specifically authorised ports is permitted. Furthermore, data travelling across our private network can only be accessed by our hosting provider.

Availability and resilience

Guaranteed availability Historical availability and current service status are retrievable from our status page. We strive to maximise our uptime. 99.99% SLA is provided for Public Sector Licensees.

External availability is tracked by a third party monitoring service. The historical data from our 3rd party monitoring service is also reported on our status page. Our addressing API has logged 1 minute of downtime between August 2015 and April 2018.
Approach to resilience Every layer of our service (including our webservers, application services and our database services) is distributed and horizontally scalable. Each of these services is designed to have nodes readily added (or removed) to support greater resiliency as well as enable higher throughput if required. Upon the failure of a node caused by hardware failure or a broken build, traffic is subsequently rerouted to healthy nodes in order to minimise disruption.
Outage reporting Outages are reported on our status page.

Identity and authentication

User authentication needed Yes
User authentication
  • Username or password
  • Other
Other user authentication API Key
Access restrictions in management interfaces and support channels Management interfaces are only available behind username and password authentication. Sensitive support requests are handled over phone, email or a private chatroom.
Access restriction testing frequency At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security No
Security governance certified No
Security governance approach Our security protocols are designed to be aligned with industry best practice. This includes: continual service and log monitoring to detect critical and non-critical issues; centralised, realtime log aggregation and search to quickly identify any failures or security breaches; securing our services with firewalls, IP whitelists and continual security patching; vulnerability monitoring of our software stack; and code reviews and rigorous testing for common vulnerabilities and exposures. Where possible we automate security testing, e.g. automated alerts for incidents, continuous testing of server security and continuous testing of our software.
Information security policies and processes We maintain a standardised security document which determines our security policies for our software and hardware infrastructure. This document determines security protocols including: storing of system secrets and keys, provisioning and securing of our servers, procedures for checking and applying updates for the software and libraries, and common vulnerabilities to build test suites around. With regards to securing our hardware assets, all our servers are deployed using a standardised script and tested over a thousand times a day to ensure they meet the security requirements laid out in the policy. For our software deployments, software is reviewed and tested for common vulnerabilities and exposures listed in our policy. These tests are stored in a test suite which is continually run on our software to detect any bugs or regressions.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Our services are tracked and deployed via secured, centralised, private code repositories. In order to reduce the possibility of introducing security lapses with changes in code, we maintain thousands of automated tests that check the low level functionality of the code as well as the high level interaction between our services. To reduce the risk of security lapses or regressions, our test suite also tests our software in hundreds of security scenarios and edge cases after every change and prior to every new build being deployed.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We have a two-part strategy for discovering vulnerabilities in the software we use. Firstly, we periodically check our vendors for security notifications and patches. Secondly, we are subscribed to a number of services which track the underlying dependencies in our software and send us automated notifications if any new versions are released. We consider vulnerabilities that would affect the availability of our services or leak data to be critical. Critical security updates are applied as soon as possible as a first priority. Non-critical updates (e.g. performance improvements, bug fixes) are periodically applied over a longer period of time.
Protective monitoring type Supplier-defined controls
Protective monitoring approach All our hosts send logs (both system logs and process specific logs) to a centralised logging service which aggregates, indexes, encrypts and archives all our log files. These logs can be viewed and queried in realtime. Each log line is scanned for unusual behaviour on a host. Any suspicious activity is then emailed to the server administrators who will investigate. If a host or process is found to be compromised, the host will be removed from our resource pool and inspected before deletion. Based on the outcome of the investigation, remedial action will be taken e.g. bug fixing or patching.
Incident management type Supplier-defined controls
Incident management approach We are alerted to incidents via internal and external monitoring services. These services are monitored throughout the week for critical errors. If a critical error takes place, an on-call engineer is immediately notified, as critical alerts are sent via multiple channels: SMS, email and push notification. Upon notification, an engineer will log into our system remotely to determine and fix the issue. If a user detects an issue, they may report this to us via our support email or chatroom, which is monitored throughout the week. Incident reports are uploaded to our status page.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No


Price £2.00 to £2.50 per unit
Discount for educational organisations No
Free trial available Yes
Description of free trial We provide test methods to access the API without affecting your balance. We also provide small, provisional test balances for users that wish to make live queries against the API.

