# API Token Security & Access Control

<figure><img src="https://2806262628-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUQBvuff51gXfTbQ9Glvk%2Fuploads%2Fnji2HTw4vuqWsQGUITBf%2Fimage.png?alt=media&#x26;token=fce11727-493c-4882-8c72-d95461c3e274" alt=""><figcaption></figcaption></figure>

You can restrict API access based on:

* Domain (for front end/browser usage)
* IP address (for back end/server usage)
* Both (for flexible and secure access)

Before configuring restrictions, decide whether this API token is used from the front end (browser) or the back end (server). A token embedded in a web page is visible to anyone who loads that page, so the domain whitelist is what limits where it can be used from; a token that only your servers use should be restricted to those servers' public IP addresses instead.

## **Front end Access (Domain Restriction)**

<figure><img src="https://2806262628-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUQBvuff51gXfTbQ9Glvk%2Fuploads%2FZ9QIfC04b9dUbn0edPdp%2Fimage.png?alt=media&#x26;token=53154d21-4e3f-4129-8810-59ad270a8520" alt=""><figcaption></figcaption></figure>

Use this option when your API is called from:

* Web applications
* Browser-based apps
* JavaScript front end projects

**You can add up to 5 allowed domains.** **`Example: example.com`**

**How It Works**

* If the domain the request comes from matches one of the allowed domains → Access Granted
* If the domain does not match → Access Denied

If only the domain whitelist is enabled, back end requests will NOT work: a server-to-server call does not come from a whitelisted browser domain, so it is denied.

## **Back end Access (IP Restriction)**

<figure><img src="https://2806262628-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUQBvuff51gXfTbQ9Glvk%2Fuploads%2FUaoaO9eqE5N5yLn4UOzw%2Fimage.png?alt=media&#x26;token=bd86da59-3b6c-47c0-aab6-5b1875ad3ba3" alt=""><figcaption></figcaption></figure>

Use this option when your API is called from:

* Back end servers
* Server-to-server integrations
* cURL scripts

You can add up to 5 allowed IP addresses.

`Example: 203.0.113.10` (a public address; private ranges such as 192.168.1.1 should not be used, see the notes below)

**Notes:**

* Only static IP addresses are supported.
* A dynamic IP address will stop matching as soon as it changes, and the server's requests will then be denied until you update the whitelist; do not rely on one.
* Do not use internal or private network addresses (for example 192.168.x.x or 10.x.x.x). Use the public static IP address your server's requests arrive from; if the server sits behind a NAT gateway or egress proxy, that is the gateway's public address.
* If IP restriction is enabled but no IP address is added → All back end requests will be blocked.

**How It Works**

* If the request's source IP matches one of the allowed IPs → Access Granted
* If it does not match → Access Denied

If only the IP whitelist is enabled, front end requests will NOT work: a browser request arrives from the visitor's IP address, not from one of your whitelisted servers, so it is denied.

## **Using Both Domain and IP Whitelist**

If both restrictions are enabled:

* Front end requests must match one of the allowed domains.
* Back end requests must match one of the allowed IP addresses.

Each request is validated according to its source: a browser request is checked against the domain whitelist, a server request against the IP whitelist.
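The decision logic described above for the domain whitelist, the IP whitelist and the two combined, as an added example: this is a reference implementation written for this page, not the product's own code. It assumes what the page does not state: that a request carrying an `Origin` header is treated as a front end (browser) request and any other request as a back end (server) one, that a domain entry must match the Origin hostname exactly (no subdomain wildcard), and that IPs are compared as exact IPv4 strings. The `validatePolicy` helper additionally checks a configuration against the notes on this page (at most 5 entries per list, no empty IP list, no internal addresses); `isPublicIPv4`, `validatePolicy`, `originHostname` and `checkAccess` are names chosen here, not product identifiers.

```javascript
// Added example, not the product's own code: reference implementation of the
// domain / IP whitelist rules described on this page, as a server-side check.
// Assumptions (not stated by the page): a request with an Origin header is a
// browser (front end) request, anything else is a server (back end) request;
// domains must equal the Origin hostname exactly; IPs are exact IPv4 strings.

const MAX_ENTRIES = 5; // the page allows up to 5 domains and up to 5 IPs

const DENIED = {
  status: 403,
  body: { error: "Access denied. You don't have permission to access this." },
};
const GRANTED = { status: 200, body: { ok: true } };

// True only for a usable public IPv4 address. Rejects malformed values and the
// private (RFC 1918), loopback, link-local, carrier-grade NAT and multicast
// ranges: the page says to whitelist the server's public static IP, never an
// internal/network address.
function isPublicIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return false;
  const [a, b] = octets;
  const reserved =
    a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a >= 224;
  return !reserved;
}

// Configuration check to run before enabling a restriction. Returns a list of
// problems; an empty list means the policy is usable.
function validatePolicy(policy) {
  const errors = [];
  if (policy.domainRestriction) {
    if (policy.allowedDomains.length > MAX_ENTRIES) {
      errors.push(`more than ${MAX_ENTRIES} allowed domains`);
    }
    for (const d of policy.allowedDomains) {
      // expect a bare hostname such as example.com, not a URL with scheme or path
      if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i.test(d)) {
        errors.push(`not a bare domain name: ${d}`);
      }
    }
  }
  if (policy.ipRestriction) {
    if (policy.allowedIps.length === 0) {
      errors.push('IP restriction enabled with no IPs: every back end request will be blocked');
    }
    if (policy.allowedIps.length > MAX_ENTRIES) {
      errors.push(`more than ${MAX_ENTRIES} allowed IP addresses`);
    }
    for (const ip of policy.allowedIps) {
      if (!isPublicIPv4(ip)) errors.push(`not a public static IPv4 address: ${ip}`);
    }
  }
  return errors;
}

// Hostname part of an Origin header, e.g. "https://app.example.com:8443" -> "app.example.com".
function originHostname(origin) {
  try {
    return new URL(origin).hostname.toLowerCase();
  } catch (e) {
    return null; // malformed Origin: will not match any allowed domain
  }
}

// The "How It Works" decision for each restriction and for both together.
// `request` is { headers: { origin?: string }, remoteIp: string }.
function checkAccess(policy, request) {
  const origin = request.headers.origin;
  if (origin !== undefined) {
    // Front end request: only the domain whitelist can admit it. With only the
    // IP whitelist enabled, browser requests are denied.
    if (!policy.domainRestriction) return policy.ipRestriction ? DENIED : GRANTED;
    const host = originHostname(origin);
    const allowed = policy.allowedDomains.map((d) => d.toLowerCase());
    return host !== null && allowed.includes(host) ? GRANTED : DENIED;
  }
  // Back end request: only the IP whitelist can admit it. With only the domain
  // whitelist enabled, server requests are denied; an empty IP list blocks all.
  if (!policy.ipRestriction) return policy.domainRestriction ? DENIED : GRANTED;
  return policy.allowedIps.includes(request.remoteIp) ? GRANTED : DENIED;
}
```

Because the browser/server classification rests on a request header under this assumption, a non-browser client can set `Origin` itself; the domain whitelist therefore limits where a public, browser-visible token is used from, while the IP whitelist is the control to rely on for back end callers.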

**Access Denied Response**

If access validation fails, the API returns HTTP status code 403 Forbidden with the body:

```json
{
  "error": "Access denied. You don't have permission to access this."
}
```
