Restrict production API access to approved IP addresses
Overview
IP whitelisting restricts inbound API access to approved IP addresses. Requests from other IPs are rejected, even when they include valid API credentials.
This complements API Key authentication, which verifies who is making the request. IP whitelisting verifies where the request comes from.
Production only
IP whitelisting is enforced in the production environment. The Sandbox environment does not enforce IP restrictions, so you can integrate and test without maintaining a whitelist.
In the Control Panel, the IP whitelisting section in Sandbox explains that the feature is only active in production.
Manage allowed IPs in the Control Panel
Navigate to Connect → API Access → IP whitelisting in the Control Panel to manage your company's allowed IP addresses.
Users with the appropriate permissions can:
- Add IPv4 or IPv6 addresses that your integration uses to call the API
- Disable an address that should no longer have access (you can add it again later if needed)
Adding an IP address may require multi-factor authentication (MFA).
How requests are checked
For each production API request, Devengo:
- Determines the client IP from the request (using
X-Forwarded-Forwhen present, otherwise the connection IP) - Checks that the IP is on your company's allowed list
- Rejects the request if the IP is not allowed
Blocked requests return a 403 response with error code ip_not_allowed. See Errors for details.
Tips
- Whitelist the egress IP addresses used by your servers, containers, or VPN—not individual developer machines unless they call the API directly.
- If your infrastructure uses dynamic IPs, contact [email protected] before go-live to discuss your setup.
- After changing your egress IPs, update the whitelist in the Control Panel before deploying—otherwise production traffic will be rejected.