What is an IP allowlist?

An IP allowlist limits which request IPs can use an API key. When a key has stored allowed IPs, BabySea checks the request IP during authentication and rejects non-matching requests with BSE1007.

Setting up an allowlist

When creating a key, use the IP allowlist field in the Add API key dialog and enter comma-separated IP values:
203.0.113.10, 198.51.100.5, 2001:db8::1
| Rule | Detail |
| --- | --- |
| Maximum entries | 50 IPs per key |
| Empty field | All IPs allowed |

How it works

The allowlist is stored with the API key record and used during request authentication:
  1. Read the key: BabySea loads the API key record and its stored allowed_ips values.
  2. Read the request IP: BabySea identifies the request IP for the current call.
  3. Compare values: If the key has stored IP entries, BabySea compares the request IP against those entries.
  4. Continue or reject: Matching requests continue to the route. Non-matching requests return BSE1007.

Dashboard display

In the API keys table, the IP allowlist column shows the configured IPs:
  • If one IP is configured, it is shown directly.
  • If multiple IPs are configured, the first IP is shown with a +N badge. Hover over the badge to see the full list.
  • If no IPs are configured, the column shows a dash.

Error response

When a request comes from an IP not in the allowlist:
JSON
{
  "status": "error",
  "request_id": "req_a1b2c3d4",
  "error": {
    "code": "BSE1007",
    "type": "ip_not_allowed",
    "message": "This IP address is not in the allowlist for this API key.",
    "retryable": false
  }
}
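
The check described under "How it works", sketched in Python as an added example (this is not BabySea's code): it parses the dialog's comma-separated field, compares parsed addresses rather than strings so equivalent IPv6 spellings match, and returns the BSE1007 body on a miss. The function names, the single-address-only parsing, the IPv4-mapped handling and the fail-closed behaviour are assumptions of this sketch, not documented BabySea behaviour.

```python
import ipaddress

MAX_ENTRIES = 50  # "Maximum entries" rule from this page


def normalize(ip_text):
    """Parse one address. Assumption: ::ffff:a.b.c.d is compared as IPv4."""
    ip = ipaddress.ip_address(ip_text)  # ValueError if not a single IPv4/IPv6 address
    mapped = getattr(ip, "ipv4_mapped", None)  # attribute exists on IPv6Address only
    return mapped if mapped is not None else ip


def parse_allowlist(field):
    """Turn the comma-separated dialog value into a set of address objects."""
    entries = [part.strip() for part in field.split(",") if part.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} IPs per key")
    return {normalize(entry) for entry in entries}


def check_request(allowed_ips, request_ip, request_id):
    """Return None to continue to the route, or the BSE1007 body to reject."""
    if not allowed_ips:  # empty field: all IPs allowed
        return None
    try:
        if normalize(request_ip) in allowed_ips:
            return None
    except ValueError:
        pass  # assumption: an unparseable request IP fails closed
    return {
        "status": "error",
        "request_id": request_id,
        "error": {
            "code": "BSE1007",
            "type": "ip_not_allowed",
            "message": "This IP address is not in the allowlist for this API key.",
            "retryable": False,
        },
    }


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    allowed = parse_allowlist("203.0.113.10, 198.51.100.5, 2001:db8::1")
    for peer in ("203.0.113.10", "2001:0db8:0:0:0:0:0:1", "192.0.2.44"):
        verdict = check_request(allowed, peer, "req_example")
        print(peer, "continue" if verdict is None else verdict["error"]["code"])
```

A plain string comparison would reject the second sample peer even though it is the same address as the stored `2001:db8::1`.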

Common setups

Single production server

Restrict the key to your server’s static IP:
203.0.113.10

Multiple servers behind a load balancer

List all origin IPs (not the load balancer IP, unless it preserves X-Forwarded-For):
203.0.113.10, 203.0.113.11, 203.0.113.12

Cloud functions (Vercel, AWS Lambda, etc.)

Cloud functions use dynamic IPs that change on each invocation. In this case, leave the allowlist empty and rely on key scoping and monitoring instead.

Development and production keys

Create separate keys for each environment with their own allowlists:
| Key name | IP allowlist | Scope |
| --- | --- | --- |
| prod-api-worker | 203.0.113.10 | Full Access |
| dev-local | (empty) | Generate Only |

IP allowlist with rotation

When you rotate a key, the replacement key inherits the same allowlist. The current dashboard rotation flow does not ask for a new IP list.

Updating an allowlist

The current dashboard does not provide an edit action for the allowlist. To change it:
  1. Create a new key with the IP values you want.
  2. Update your application to use the new key.
  3. Revoke or delete the old key when the cutover is complete.
Use IP allowlists together with the smallest possible scopes.