
IP Allowlist

The IP allowlist (shown as IP Whitelist in the Developer Portal) restricts which client IP addresses may reach an API and its hosted web app. It's a network-level gate that runs before authentication — a request from a disallowed IP is turned away regardless of any token it carries.

note

Unlike the other governance controls, the IP allowlist is available to every tenant, not just Business tenants. It's configured per API.

How it works

The allowlist imposes no restriction until it has at least one entry:

  • Empty → all source IPs are allowed. The Portal states this explicitly: "With no IPs configured, all source IPs are allowed."
  • Non-empty → only the listed IPs may reach the API; every other client is rejected with 403 Forbidden, before any token or credential on the request is examined.

The check applies to both the API endpoints and the hosted web app, so a non-empty list locks down the whole surface for that API.

warning

When the list is non-empty, requests from IPs not on it are rejected, and that includes your own. Before adding the first entry, add the address the platform sees you connecting from: for a workstation behind NAT or a corporate proxy that is the shared public egress address, not the LAN address, and if you also reach the API over IPv6 that address must be listed as well. Otherwise you lock yourself out of the API.

Supported addresses

  • IPv4 — e.g. 192.168.1.1
  • IPv6 — e.g. 2001:db8::1
  • Loopback: 127.0.0.1 and ::1 are accepted

Each entry is a single address, not a range, so a block of addresses has to be added one address at a time; entries are validated as you add them.
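The semantics above (empty list allows everyone, non-empty list admits only listed addresses, single IPv4/IPv6 entries with loopback accepted) and the lock-out caveat in the warning can be modelled in a few functions. The block below is an added example written for this page, not the platform's own implementation. It assumes the gate receives the connection's source address as a plain string (how the platform derives that address, for instance behind a proxy, is not described on this page), and the sample entries and source addresses are constructed for the demonstration.

```python
"""Reference model of the IP allowlist semantics described on this page.

Added example, not the platform's code. Assumptions: the gate is handed the
connection's source IP as a string, and entries are single IPv4 or IPv6
addresses (no CIDR ranges), as the page states.
"""
import ipaddress
from typing import FrozenSet, Iterable, List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

ALLOW = 200       # request proceeds to authentication and authorization
FORBIDDEN = 403   # request rejected at the gate


def parse_entry(entry: str) -> IPAddress:
    """Validate one allowlist entry: it must be a single IPv4 or IPv6 address.

    Rejects empty strings, CIDR ranges and hostnames, mirroring the per-entry
    validation the Portal performs as you add addresses.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    if "/" in entry:
        raise ValueError(f"ranges are not supported, add each address on its own: {entry!r}")
    try:
        return ipaddress.ip_address(entry)
    except ValueError as exc:
        raise ValueError(f"not an IPv4 or IPv6 address: {entry!r}") from exc


def rejected_entries(entries: Iterable[str]) -> List[str]:
    """Return the entries that would fail validation, in input order."""
    bad = []
    for entry in entries:
        try:
            parse_entry(entry)
        except ValueError:
            bad.append(entry)
    return bad


def build_allowlist(entries: Iterable[str]) -> FrozenSet[IPAddress]:
    """Parse entries into address objects so that textual variants of the same
    address (2001:db8::1 vs 2001:0db8::0001) compare equal at check time."""
    return frozenset(parse_entry(e) for e in entries)


def check_source(allowlist: FrozenSet[IPAddress], source_ip: str) -> int:
    """Evaluate the gate for one request and return the outcome code.

    Empty list   -> every source is allowed.
    Non-empty    -> only listed sources are allowed; everyone else gets 403.
    A source address that does not parse is treated as not listed.
    """
    if not allowlist:
        return ALLOW
    try:
        src = ipaddress.ip_address(source_ip)
    except ValueError:
        return FORBIDDEN
    return ALLOW if src in allowlist else FORBIDDEN


def safe_to_lock_down(entries: Iterable[str], my_egress_ips: Iterable[str]) -> bool:
    """Lock-out guard for the warning above: True only if every address the
    operator connects from (IPv4 and, where used, IPv6 egress) is on the list
    that is about to become non-empty."""
    allowlist = build_allowlist(entries)
    return all(check_source(allowlist, ip) == ALLOW for ip in my_egress_ips)


if __name__ == "__main__":
    # Constructed sample configuration and source addresses.
    entries = ["192.168.1.1", "2001:0db8::0001", "127.0.0.1", "::1"]
    allowlist = build_allowlist(entries)
    for src in ["192.168.1.1", "2001:db8::1", "::1", "192.168.1.2", "bogus"]:
        print(f"{src:>16} -> {check_source(allowlist, src)}")
    print("ok to lock down:", safe_to_lock_down(entries, ["192.168.1.1", "2001:db8::1"]))
```

The normalisation step matters for IPv6: the same address can be typed several ways, and a string comparison would let a correctly listed client through in one spelling and reject it in another. The lock-out guard deliberately requires every egress address to be present, because a client that reaches the API over both IPv4 and IPv6 is rejected as soon as the one it happens to use is missing.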

Configuring the allowlist

In the Developer Portal:

  1. Open the API and go to Security → IP Whitelist.
  2. Enter an IPv4 or IPv6 address and click Add. Repeat for each allowed address.
  3. Remove an address with its delete button to lift the restriction for that IP.

Changes take effect on subsequent requests. Editing the allowlist requires write access to the API.

Good to know

  • It's a coarse gate, not per-user. The allowlist applies to everyone — it can't grant different IPs different permissions. Combine it with access rules and roles for per-user control.
  • Order of checks. Once the API status check passes, the IP allowlist is evaluated next, ahead of role and data authorization, so a request from a blocked IP is rejected before it reaches your collections.
  • CORS is separate. The allowlist controls who (by IP) may connect; CORS controls which browser origins may call the API. CORS is enforced by the browser and does nothing against non-browser clients, so it is not a substitute for the allowlist. They solve different problems.

See also