API Token Security & Access Control

This feature allows you to control how your API token can be used. It helps prevent unauthorized access and ensures that only trusted sources can access your API.

You can restrict API access based on:

  • Domain (for front end/browser usage)

  • IP Address (for back end/server usage)

  • Both (for flexible and secure access)

Before configuring restrictions, decide:

- Is this API token being used from the front end (browser) or the back end (server)?

Front end Access (Domain Restriction)

Use this option when your API is called from:

- Web applications

- Browser-based apps

- JavaScript front end projects

You can add up to 5 allowed domains.

Example: example.com

How It Works

  • If the request domain matches one of the allowed domains → Access Granted

  • If the domain does not match → Access Denied

If only Domain Whitelist is enabled → Back end requests will NOT work.

Back end Access (IP Restriction)

Use this option when your API is called from:

  • Back end servers

  • Server-to-server integrations

  • cURL scripts

You can add up to 5 allowed IP addresses.

Example: 192.168.1.1

Notes:

  • Only static IP addresses are supported.

  • Dynamic IP addresses are not recommended and may cause access issues.

  • Do not use internal or network IPs. Use your server’s public static IP address.

  • If IP restriction is enabled but no IP address is added → All backend requests will be blocked.

How It Works

  • If the request IP matches one of the allowed IPs → Access Granted

  • If it does not match → Access Denied

If only IP Whitelist is enabled → Front end requests should NOT work.

Using Both Domain and IP Whitelist

If both restrictions are enabled:

  • Front end requests must match one of the allowed domains.

  • Back end requests must match one of the allowed IP addresses.

Each request is validated based on its source (browser or server).
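
The rules above can be checked before a configuration is saved. The following is an added example, not code from this API or its provider: a pre-flight check that applies the limits and notes on this page to a planned setup. The function name, its parameters and the sample values are hypothetical.

```python
import ipaddress

MAX_ENTRIES = 5  # the page allows up to 5 domains and up to 5 IP addresses


def lint_token_restrictions(domain_enabled, domains, ip_enabled, ips,
                            called_from_frontend, called_from_backend):
    """Return a list of problems with a planned restriction setup.

    All parameter names are hypothetical; they mirror the options on this page.
    """
    problems = []
    if domain_enabled and len(domains) > MAX_ENTRIES:
        problems.append("more than 5 allowed domains")
    if ip_enabled and len(ips) > MAX_ENTRIES:
        problems.append("more than 5 allowed IP addresses")

    if ip_enabled:
        if not ips:
            problems.append("IP restriction enabled with no IPs: "
                            "all back end requests blocked")
        for raw in ips:
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                problems.append(f"{raw}: not a valid IP address")
                continue
            # The notes ask for the server's public static IP, not an internal one.
            if not addr.is_global:
                problems.append(f"{raw}: internal or non-public address")

    # Mismatches between where the token is used and what is enabled.
    if called_from_backend and domain_enabled and not ip_enabled:
        problems.append("only domain whitelist enabled: "
                        "back end requests will not work")
    if called_from_frontend and ip_enabled and not domain_enabled:
        problems.append("only IP whitelist enabled: "
                        "front end requests will not work")
    return problems


if __name__ == "__main__":
    # Constructed sample: a back end token restricted to a private address.
    for problem in lint_token_restrictions(False, [], True, ["192.168.1.1"],
                                           False, True):
        print(problem)
```

A private address such as 192.168.1.1 is reported as internal, which is the case the notes under Back end Access warn about.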

Access Denied Response

If access validation fails, the API returns:

{
  "error": "Access denied. You don't have permission to access this."
}

HTTP Status Code: 403 Forbidden
