Ideal Postcodes

Ideal Postcodes provides UK address search and validation solutions including postcode to address lookup, partial address lookups and address autocomplete. These services are provided through a simple, well documented HTTP API, which can be integrated in minutes. We use Royal Mail's Postcode Address File (PAF) with daily updates.


  • Postcode to address lookup service
  • Free-form address lookup service
  • Address autocomplete
  • Simple integration in different languages and systems
  • Simple and secure HTTP API
  • Updated daily from Royal Mail Postcode Address File (PAF)
  • Fixed monthly or annual pricing for public sector organisations
  • Simple dashboard and tools to track and manage usage


  • Fast address entry using a postcode or partial address
  • Reliable addresses for mailing, delivery or record keeping
  • Best UK addressing data quality available


£2.00 to £2,000 a licence

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

873823036077642


Ideal Postcodes Christopher Blanchard
Telephone: 020 7112 8019

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
HTTP API is rate limited
System requirements
  • Internet access
  • Ability to make HTTP requests

User support

Email or online ticketing support
Email or online ticketing
Support response times

Questions are responded to as soon as reasonably possible.

Emails are monitored on the weekends.

However, only critical issues are handled outside of UK working days.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible

Users can turn on alerts and audio as notifications based on messages.

ARIA attributes are used to define strings that label the element and role attributes are used to help assistive technology users understand what the element does.
Web chat accessibility testing
Onsite support
Support levels
Support is free. We can be reached by email, phone and live chat. We also provide free support to assist with any integration or technical queries.
Support available to third parties

Onboarding and offboarding

Getting started
Get started by creating an Ideal Postcodes account on Once signed in, you may create Keys via your dashboard and use them to query for addressing data. All Keys are instantly usable on our API with test requests. We provide a wide range of test methods to allow you to develop a rigorous and correct implementation. Test requests do not affect your lookup balance. To take your Key live and query genuine addressing data, you will need to purchase a lookup balance for your key or a licence that grants data access. Requests that retrieve addressing data (i.e. using the /addresses and /postcodes API) will deduct one lookup from your balance. You can also set up Automated Top-Ups to reload your balance when it runs low.
Service documentation
Documentation formats
End-of-contract data extraction
Past API usage data may be extracted via the API. We can also extract your data for you upon request.
End-of-contract process
Access to the API will no longer be available. No additional costs are applicable.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
There is no difference between the HTTP API for mobile and desktop users. However, integrations may differ between end users depending on the user interface and accessibility requirements. We provide a range of open-sourced integrations which provide Postcode Lookup, free text search and autocomplete functionality.
Service interface
Description of service interface
Accounts and keys can be managed from our website:
Accessibility standards
None or don’t know
Description of accessibility
Accessibility testing
We use automated accessibility testing tools to meet WCAG 2.1 standards.

In doing so, we strive to make sure:
- all images have alternative text
- all form buttons have a descriptive value
- all form inputs have associated text values
- embedded multimedia is identifiable via accessible text
- semantic markup abides by standards
- tables are used for tabular data and data cells are associated with their headers
- ARIA labelling is used where standard HTML is insufficient and ARIA is used to convey HTML semantics accordingly
- no page content flashes more than 3 times per second
- web pages have descriptive titles
- the purpose of links can be determined from the link text alone and from its context
- the language of the page is identified using the HTML lang attribute
- required form elements have corresponding labels
- form validation errors are efficient, intuitive and accessible
- if input errors are detected, suggestions are provided to resolve the issue
What users can and can't do using the API
Users can accomplish the following via the HTTP API: Query addressing data (Postcode Lookup, address search, Address Autocomplete), check availability of API key, check API key balance and check historical usage of API key
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Customisation available
Description of customisation
Integrations with our services are highly customisable. We provide open-sourced browser libraries which can integrate address validation capabilities building on the addressing APIs we provide. The most basic integration for a website or application can be set up within an hour. These libraries contain a large number of configuration options to customise behaviour and styling of the integration. Users can apply their own CSS classes and styles, specify custom DOM elements to use for the integration and hook into various events in the address lookup process using callback functions. Buyers can also build their own front or backend integrations based around their own requirements. This can be accomplished by modifying our existing open-source implementations or creating a new integration altogether. We also accept pull requests to add more functionality into our existing libraries. Our integrations are all available on ( We are happy to provide any assistance and technical advice in this regard via our support channels.


Independence of resources
All our internal services are scaled horizontally. Should any part of our service hit a bottleneck in terms of processing, memory or storage requirements, we are able to create new virtual machines within 30 minutes to expand our resource pool. Services are monitored 24/7 and an engineer is alerted should any of our services trip one of our (conservative) resource utilisation thresholds. We also over-provision our services in terms of computing resources, which affords us more time to deal with any potential resource issues.


Service usage metrics
Metrics types
Users can retrieve their usage data via the dashboard or API. These metrics include paid requests per day as well as per request metrics (including IP address, request type, search term and HTTP referrer).
Reporting types
  • API access
  • Real-time dashboards


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Royal Mail

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
Protecting data at rest
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Users can export their historical usage data via the dashboard or HTTP API. The former method requires the correct username and password to access the dashboard. The latter method requires a secret user token included in the API request.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
All hosts block network traffic on every interface for all ports for both private and public networks by default. Only network data from recognised IP addresses and specifically authorised ports is permitted. Furthermore, data travelling across our private network can only be accessed by our hosting provider.

Availability and resilience

Guaranteed availability
Historical availability and current service status is retrievable from We strive to maximise our uptime. 99.99% SLA is provided for Public Sector Licensees.

External availability is tracked by a third-party monitoring service. The historical data from our third-party monitoring service is also reported on our status page.
Approach to resilience
Every layer of our service (including our webservers, application services and our database services) is distributed and horizontally scalable. Each of these services is designed to have nodes readily added (or removed) to support greater resiliency as well as enabling higher throughput if required. Upon the failure of a node caused by hardware failure or a broken build, traffic is subsequently rerouted to healthy nodes in order to minimise disruption.
Outage reporting
Outages are reported on

Identity and authentication

User authentication needed
User authentication
  • Username or password
  • Other
Other user authentication
Access restrictions in management interfaces and support channels
Management interfaces are only available behind username and password authentication. Sensitive support requests are handled over phone, email or a private chatroom.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
Our security protocols are designed to be aligned with industry best practice. This includes continual service and log monitoring to detect critical and non-critical issues. Centralised, realtime log aggregation and search to quickly identify any failures or security breaches. Securing our services with firewalls, IP whitelists and continual security patching. Vulnerability monitoring of our software stack. Code reviews and rigorous testing for common vulnerabilities and exposures. Where possible we automate security testing in full measure, e.g. automated alerts for incidents, continuous testing of server security and continuous testing of our software.
Information security policies and processes
We maintain a standardised security document which determines our security policies for our software and hardware infrastructure. This document determines security protocols including: storing of system secrets and keys, provisioning and securing of our servers, procedures for checking and applying updates for the software and libraries and common vulnerabilities to build test suites around. With regards to securing our hardware assets, all our servers are deployed using a standardised script and tested over a thousand times a day to ensure they meet the security requirements laid out in the policy. For our software deployments, software is reviewed and tested for common vulnerabilities and exposures listed in our policy. These tests are stored in a test suite which is continually run on our software to detect any bugs or regressions.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our services are tracked and deployed via secured, centralised, private code repositories. In order to reduce the possibility of introducing security lapses with changes in code, we maintain thousands of automated tests that check the low level functionality of the code as well as the high level interaction between our services. To reduce the risk of security lapses or regressions, our test suite also tests our software in hundreds of security scenarios and edge cases after every change and prior to every new build being deployed.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We have a two-part strategy for discovering vulnerabilities in the software we use. Firstly, we periodically check our vendors for security notifications and patches. Secondly, we are subscribed to a number of services which track the underlying dependencies in our software and send us automated notifications if any new versions are released. We consider vulnerabilities that would affect the availability of our services or leak data to be critical. Critical security updates are applied as soon as possible as a first priority. Non-critical updates (e.g. performance improvements, bug fixes) are periodically applied over a longer period of time.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
All our hosts send logs (both system logs and process specific logs) to a centralised logging service which aggregates, indexes, encrypts and archives all our log files. These logs can be viewed and queried in realtime. Each log line is scanned for unusual behaviour on a host. Any suspicious activity is then emailed to the server administrators who will investigate. If a host or process is found to be compromised, the host will be removed from our resource pool and inspected before deletion. Based on the outcome of the investigation, remedial action will be taken, e.g. bug fixing or patching.
Incident management type
Supplier-defined controls
Incident management approach
We are alerted to incidents via internal and external monitoring services. These services are monitored throughout the week for critical errors. If a critical error takes place, an on call engineer is immediately notified as critical alerts are sent via multiple channels: SMS, email and push notification. Upon notification, an engineer will log into our system remotely to determine and fix the issue. If a user detects an issue, they may report this to us via our support email or chatroom, which is monitored throughout the week. Incident reports are uploaded to our status page -

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£2.00 to £2,000 a licence
Discount for educational organisations
Free trial available
Description of free trial
We provide test methods to access the API without affecting your balance. We also provide small, provisional test balances for users that wish to make live queries against the API.
