Skip to main content
An IP allowlist limits which source IP addresses can use an API key. If a key has an allowlist, BabySea rejects non-matching requests with BSE1007.

Enter values in Add API key

When creating a key, use the field IP allowlist (optional) in Add API key and enter comma-separated IP values: 
203.0.113.10, 198.51.100.5, 2001:db8::1
The field help text is Comma-separated IPs. Leave empty to allow all IPs.
RuleDetail
Match typeExact string match against the request IP
Maximum entries50 IP values per key
Empty fieldAll IPs allowed

How it works

The allowlist is checked before the public /v1 request is allowed to continue:
1

Read the key

BabySea verifies the API key.
2

Read the request IP

BabySea identifies the request IP for the current call.
3

Compare values

If the key has allowlist entries, BabySea checks whether the request IP exactly matches one of the allowed values.
4

Continue or reject

Matching requests continue. Non-matching requests return BSE1007.
If you need to support changing or wide IP pools, create a dedicated key without an allowlist and keep its scopes as narrow as possible.

Dashboard display

In the API keys table, the IP allowlist column shows the configured values:
  • If one IP is configured, it is shown directly.
  • If multiple IPs are configured, the first IP is shown with a +N badge. Hover over the badge to see the full list.
  • If no IPs are configured, the column shows an empty placeholder.

Error response

When a request comes from an IP not in the allowlist:
JSON
{
  "status": "error",
  "request_id": "req_a1b2c3d4",
  "error": {
    "code": "BSE1007",
    "type": "ip_not_allowed",
    "message": "This IP address is not in the allowlist for this API key.",
    "retryable": false
  }
}

Common setups

Single production server

Restrict the key to your server’s static IP: 
203.0.113.10

Multiple servers behind a load balancer

List each origin IP that BabySea will see as the client IP: 
203.0.113.10, 203.0.113.11, 203.0.113.12

Cloud runtimes without stable egress IPs

If your runtime does not give you a stable egress IP, leave the allowlist empty and rely on scope restriction plus monitoring instead.

Development and production keys

Create separate keys for each environment with their own allowlists:
Key nameIP allowlistScope
prod-api-worker203.0.113.10Full Access
dev-localemptyGenerate Only

IP allowlist with rotation

When you rotate a key, the replacement key inherits the same allowlist. The current dashboard rotation flow does not ask for a new IP list.

Updating an allowlist

The current dashboard does not provide an edit action for the allowlist. To change it:
  1. Create a new key with the IP values you want.
  2. Update your application to use the new key.
  3. Revoke or delete the old key when the cutover is complete.
Use IP allowlists together with the smallest possible scopes.