IP allowlist
Every Stridge API supports an IP allowlist — a list of IP addresses permitted to call the API with your credentials. Requests from any other address are rejected.
How it works
Register the addresses — single IPs or CIDR ranges — in the Stridge Dashboard. Once an allowlist is set, a request that is authenticated with your key but originates from an unlisted address is refused before it is processed. A leaked key, on its own, is no longer enough to call the API.
When to use it
The allowlist is the strongest control for server-side integrations:
- A backend calling the REST API with an API key.
- A service calling or proxying the Gateway HTTP API.
Server-side workloads usually egress from a small, stable set of IP addresses. Pin those, and the blast radius of a leaked key shrinks to the addresses you pinned.
The IP allowlist does not apply to browser apps — clients have no fixed IP — and webhook consumers don't need it, since they receive calls rather than make them. Protect those with the Gateway Kit controls and webhook signatures respectively.
Recommended setup
- Allowlist the production backend's egress IPs, and keep sandbox and production on separate keys with separate allowlists.
- Combine the allowlist with key rotation: the allowlist narrows where a key works, rotation limits how long it works.
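A pre-registration check for the setup recommended above, as an added example (not Stridge code): it lints a proposed allowlist for mistyped CIDRs, private addresses, overly broad ranges and uncovered egress IPs, and reports ranges shared between production and sandbox. The /24 threshold, the function names and the sample addresses are assumptions, and it handles IPv4 only.

```python
import ipaddress

# Ranges a public API never sees as a source: RFC 1918, CGNAT, loopback, link-local.
NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]
MIN_PREFIX = 24  # assumed policy: wider than /24 is too broad to pin a backend


def lint_allowlist(env, entries, egress_ips):
    """Return findings for one environment's proposed allowlist (IPv4 only)."""
    findings, nets = [], []
    for entry in entries:
        try:
            # strict=True rejects host bits in a CIDR, e.g. a mistyped 203.0.113.10/24
            nets.append(ipaddress.IPv4Network(entry.strip(), strict=True))
        except ValueError as exc:
            findings.append(f"{env}: invalid entry {entry!r} ({exc})")
    for net in nets:
        if any(net.overlaps(r) for r in NON_ROUTABLE):
            findings.append(f"{env}: {net} overlaps a non-routable range")
        if net.prefixlen < MIN_PREFIX:
            findings.append(f"{env}: {net} is wider than /{MIN_PREFIX}")
    for ip in egress_ips:
        if not any(ipaddress.IPv4Address(ip) in net for net in nets):
            findings.append(f"{env}: egress IP {ip} is not listed and would be refused")
    return findings


def shared_ranges(prod_entries, sandbox_entries):
    """Return (production, sandbox) entries that overlap; ideally there are none."""
    prod = [ipaddress.IPv4Network(e, strict=False) for e in prod_entries]
    sandbox = [ipaddress.IPv4Network(e, strict=False) for e in sandbox_entries]
    return [(str(p), str(s)) for p in prod for s in sandbox if p.overlaps(s)]


# Constructed sample data built around documentation address ranges, not real values.
PROD_ENTRIES = ["203.0.113.10", "203.0.113.10/24", "10.0.4.7", "198.51.0.0/16"]
PROD_EGRESS = ["203.0.113.10", "203.0.113.11"]
SANDBOX_ENTRIES = ["198.51.100.7"]

if __name__ == "__main__":
    for line in lint_allowlist("production", PROD_ENTRIES, PROD_EGRESS):
        print(line)
    for pair in shared_ranges(PROD_ENTRIES, SANDBOX_ENTRIES):
        print("shared between environments:", pair)
```

An empty findings list and no shared ranges mean the entries are safe to register as written.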
Next
- Gateway Kit security — protecting the browser-side gateway key.
- Verify signature — authenticating inbound webhook deliveries.