Allowlist for your API key

API keys are essential for your apps, but exposing them on the frontend could create risks.

Using allowlists to restrict your API key to be used for specific IPs or domains can protect your API key from undesirable activity.

You can set up the allowlist under API key -Allowlist tab to limit the access.


For domains and IPs, we offer 5 for each for the API key. Remember to add and save your domains / IPs to restrict your API key.


Allowlist behavior

  • If an API key has no allowlists, all requests are accepted.
  • If an API key has an allowlist, all requests must pass it.
  • Each API key has a maximum of 5 allowlist for IPs and domains.
  • If an API key contains both restriction for IPs and Domains, the relation for restriction IPs and restriction for domains is “or”.

How to test

  • Allowlist domains
    • Before adding allowlist domains
      1. Make an API request from a domain
      2. Confirm that the request works as expected.
    • After adding allowlist domains
      1. Make an API request from a domain not on the allowlist.
      2. Confirm that the request fails, and you should see a 403 error, thereby confirming the domain restriction is working.

  • Allowlist IPs
    • Before adding allowlist IPs
      1. Connect to any VPN server.
      2. Test an API request using your API key.
      3. Confirm the request works as expected.
    • After adding allowlist IPs
      1. Connect to a non-allowlist VPN server.
      2. Test an API request using your API key.
      3. The request should fail with a 403 error, confirming the IP restriction is working.