IP Whitelisting
Restrict API access to specific IP addresses
Overview
IP whitelisting is an optional security feature that restricts API access to requests originating from specific IP addresses. When enabled, requests from unlisted IPs are rejected with a 403 error.
How it works
- IP whitelisting is opt-in. If no whitelist entries are configured, all IP addresses are allowed.
- Whitelist entries are scoped by mode (test or live), so you can have different allowed IPs for development and production.
- Only active entries are enforced. You can disable an entry without deleting it.
IP whitelisting is configured per merchant in the Prolifi dashboard under API Settings. It cannot be managed through the Public API itself.
Blocked request response
When a request is made from an IP that is not in the whitelist:
Best practices
- Start without a whitelist during development and testing.
- Add your production server IPs before going live if your security policy requires IP restrictions.
- Include CI/CD pipeline IPs if you run automated tests against the API.
- Keep entries updated when your infrastructure changes — stale whitelist entries cause unexpected 403 errors.
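
As an added example (not Prolifi code), this Python sketch audits a hand-copied list of whitelist entries against the IPs your servers and CI/CD runners call the API from, applying the rules above: entries are scoped by mode, only active entries count, and a mode with no entries is open. The `Entry` type, the `audit` function and all addresses are constructed for illustration. It assumes entries are single addresses, that the opt-in rule applies per mode, and that a mode whose entries are all disabled still rejects unlisted IPs, which this page does not state.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    ip: str       # single address, as entered in the dashboard (assumption)
    mode: str     # "test" or "live"
    active: bool  # disabled entries are kept but not enforced

def audit(entries, egress, mode):
    """Compare one mode's whitelist entries with the IPs we call the API from.

    entries: list of Entry copied from the dashboard
    egress:  dict of label -> source IP (production servers, CI/CD runners)
    """
    scoped = [e for e in entries if e.mode == mode]
    report = {"open": not scoped, "blocked": [], "disabled": [], "stale": []}
    if not scoped:
        return report  # no entries for this mode: every IP is allowed
    # Parse addresses so equivalent IPv6 spellings compare equal.
    active = {ipaddress.ip_address(e.ip) for e in scoped if e.active}
    inactive = {ipaddress.ip_address(e.ip) for e in scoped if not e.active}
    used = set()
    for label, ip in sorted(egress.items()):
        addr = ipaddress.ip_address(ip)
        used.add(addr)
        if addr in active:
            continue
        # Listed but switched off, or never listed: both would receive a 403.
        report["disabled" if addr in inactive else "blocked"].append(label)
    # Active entries no host uses any more widen access for no benefit.
    report["stale"] = sorted(str(a) for a in active - used)
    return report

# Constructed sample data (documentation address ranges).
ENTRIES = [
    Entry("203.0.113.10", "live", True),
    Entry("203.0.113.11", "live", False),  # disabled, not deleted
    Entry("198.51.100.7", "live", True),   # host since decommissioned
    Entry("2001:db8::1", "live", True),
]
EGRESS_LIVE = {
    "app-1": "203.0.113.10",
    "app-2": "203.0.113.11",
    "app-v6": "2001:0db8:0000:0000:0000:0000:0000:0001",
    "ci-runner": "192.0.2.50",
}

if __name__ == "__main__":
    for mode in ("test", "live"):
        print(mode, audit(ENTRIES, EGRESS_LIVE, mode))
```

Run it whenever infrastructure changes: `blocked` and `disabled` list callers that would be rejected, and `stale` lists active entries that can be removed or disabled in the dashboard.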