IP Whitelist

Restrict your API keys so they only work from specific IP addresses or network ranges. If someone steals your key, they still can't use it from an unauthorized IP.

How it works

1. Add one or more IPs or CIDR ranges to your whitelist
2. When a request arrives, SnapSharp checks the source IP against your whitelist
3. If the whitelist is empty, all IPs are allowed (default behavior)
4. If the whitelist has entries, only matching IPs can use your API keys

Managing your whitelist

Go to Settings → IP Whitelist in your dashboard.

Adding an entry

Enter an IP address or CIDR range. Both IPv4 and IPv6 are fully supported:

IPv4:

• Single IP: 203.0.113.42
• CIDR range: 10.0.0.0/24 (allows 10.0.0.0–10.0.0.255)
• Larger subnet: 172.16.0.0/16 (allows 172.16.0.0–172.16.255.255)

IPv6:

• Single IP: 2001:db8::1
• CIDR range: 2001:db8::/32 (allows the entire /32 block)
• Link-local: fe80::/10

Add an optional note (e.g. "Production server", "CI/CD runner", "Office VPN range") to remember why each entry exists.

Removing an entry

Click Remove next to any entry. The change takes effect immediately.

Error response

When a request comes from a non-whitelisted IP:

{
  "error": "ip_not_allowed",
  "message": "Request IP is not in the allowed list",
  "status": 403
}

Best practices

• Start with your server IPs — add the IPs of your production and staging servers
• Include CI/CD runners — if you use the CLI in pipelines, add those IPs too
• Don't whitelist local IPs — 127.0.0.1 and private ranges won't work since requests come from your server's public IP
• Test before enabling — make a test request from your server to confirm its IP, then add it