---
title: IP Whitelisting
subtitle: Restrict API access to specific IP addresses
slug: api-guides/ip-whitelisting
---

## Overview

IP whitelisting is an optional security feature that restricts API access to requests originating from specific IP addresses. When enabled, requests from unlisted IPs are rejected with a `403` error.

## How it works

* IP whitelisting is **opt-in**. If no whitelist entries are configured, all IP addresses are allowed.
* Whitelist entries are scoped by **mode** (test or live), so you can have different allowed IPs for development and production.
* Only **active** entries are enforced. You can disable an entry without deleting it.

<Note>
  IP whitelisting is configured per merchant in the Prolifi dashboard under **API Settings**. It cannot be managed through the Public API itself.
</Note>

## Blocked request response

When a request is made from an IP that is not in the whitelist, the API rejects it with a `403` status and the following body:

```json
{
  "error": {
    "type": "ip_restricted",
    "message": "Request from this IP address is not allowed."
  }
}
```

## Best practices

* **Start without a whitelist** during development and testing.
* **Add your production server IPs** before going live if your security policy requires IP restrictions.
* **Include CI/CD pipeline IPs** if you run automated tests against the API.
* **Keep entries updated** when your infrastructure changes — stale whitelist entries cause unexpected `403` errors.
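
The following pre-go-live check is an added example, not Prolifi code: it applies the rules from "How it works" to a hand-transcribed copy of your whitelist and reports which of your own senders would be rejected, and it recognizes the `ip_restricted` body shown above. The field names, host names, and addresses are constructed. CIDR entries, and treating a mode that has only disabled entries like an empty one, are assumptions to confirm in the dashboard.

```python
import ipaddress
import json

# Constructed sample: whitelist entries transcribed by hand from the dashboard.
# Field names are hypothetical; addresses come from documentation ranges.
ENTRIES = [
    {"ip": "203.0.113.10", "mode": "live", "active": True},
    {"ip": "203.0.113.11", "mode": "live", "active": False},  # disabled, not deleted
    {"ip": "198.51.100.0/28", "mode": "test", "active": True},  # CIDR: assumption
]

# Constructed sample: addresses your own systems send API requests from.
EGRESS = {
    "live": {"app-1": "203.0.113.10", "app-2": "203.0.113.11"},
    "test": {"ci-runner": "198.51.100.7", "laptop-vpn": "192.0.2.44"},
}


def is_allowed(ip, mode, entries):
    """Apply the rules from 'How it works' to one source address."""
    active = [e for e in entries if e["mode"] == mode and e["active"]]
    if not active:
        # No enforced entries for this mode: the feature is opt-in, so all pass.
        # Assumption: a mode with only disabled entries behaves like an empty one.
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e["ip"], strict=False) for e in active)


def audit(egress, entries):
    """Return (mode, host, ip) for every sender that would receive a 403."""
    return [
        (mode, host, ip)
        for mode, hosts in egress.items()
        for host, ip in hosts.items()
        if not is_allowed(ip, mode, entries)
    ]


def is_ip_restricted(status, body):
    """True if a response is the whitelist block rather than another 403."""
    try:
        return status == 403 and json.loads(body)["error"]["type"] == "ip_restricted"
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    for mode, host, ip in audit(EGRESS, ENTRIES):
        print(f"{mode}: {host} ({ip}) is not covered by an active entry")
```

Treat an `ip_restricted` response as a configuration fault to alert on rather than something to retry, since the same source address will keep being rejected until the whitelist is updated.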