# API Token Security & Access Control

<figure><img src="/files/BCSRgTWhk7KzJ5g1F5oV" alt=""><figcaption></figcaption></figure>

You can restrict API access based on:

* Domain (for front end/browser usage)
* IP Address (for back end/server usage)
* Both (for flexible and secure access)

Before configuring restrictions, decide whether this API token is used from the front end (browser) or the back end (server).

## **Front end Access (Domain Restriction)**

<figure><img src="/files/ZVm67a4JXyChhJBw45lL" alt=""><figcaption></figcaption></figure>

Use this option when your API is called from:

* Web applications
* Browser-based apps
* JavaScript front end projects

You can add up to 5 allowed domains.

`Example: example.com`

\
**How It Works**

* If the request domain matches one of the allowed domains →  Access Granted
* If the domain does not match →  Access Denied

If only Domain Whitelist is enabled → Back end requests will NOT work.

## **Back end Access (IP Restriction)**

<figure><img src="/files/AeeOHG0HN4BIcmr6RSYs" alt=""><figcaption></figcaption></figure>

Use this option when your API is called from:

* Back end servers
* Server-to-server integrations
* cURL scripts

You can add up to 5 allowed IP addresses.

`Example: 192.168.1.1`

**Notes:**

* Only static IP addresses are supported.
* Dynamic IP addresses are not recommended and may cause access issues.
* Do not use internal or private network IPs. Use your server’s public static IP address.
* If IP restriction is enabled but no IP address is added → All backend requests will be blocked.

**How It Works**

* If the request IP matches one of the allowed IPs →  Access Granted
* If it does not match →  Access Denied

If only IP Whitelist is enabled → Front end requests should NOT work.

## **Using Both Domain and IP Whitelist**

If both restrictions are enabled:

* Front end requests must match one of the allowed domains.
* Back end requests must match one of the allowed IP addresses.

Each request is validated based on its source (browser or server).

**Access Denied Response**

If access validation fails, the API returns:

```json
{
  "error": "Access denied. You don't have permission to access this."
}
```

HTTP Status Code: 403 Forbidden
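The following is an added reference model of the rules above (it is not the service's own code): a token policy with an optional domain whitelist and an optional IP whitelist, and a check that classifies a request as front end when it carries an `Origin` header and as back end otherwise. Assumptions not stated on the page: domains match the `Origin` host exactly (case-insensitively), a token with neither restriction is unrestricted, and the success body `{"ok": true}` is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_ENTRIES = 5  # the page allows at most 5 domains and 5 IP addresses
DENIED_BODY = {"error": "Access denied. You don't have permission to access this."}
ALLOWED_BODY = {"ok": True}  # constructed success body; the page does not define one


class TokenPolicy:
    """Restrictions attached to one API token.

    None means that whitelist is disabled; an empty list means it is enabled
    but empty (for IPs the page says this blocks every back end request)."""

    def __init__(self, domains=None, ips=None):
        for entries in (domains, ips):
            if entries is not None and len(entries) > MAX_ENTRIES:
                raise ValueError(f"at most {MAX_ENTRIES} entries are allowed")
        self.domains = None if domains is None else [d.strip().lower() for d in domains]
        # ip_address() rejects malformed entries at configuration time
        self.ips = None if ips is None else [ipaddress.ip_address(ip) for ip in ips]


def _origin_host(origin):
    """Host part of an Origin value, e.g. https://Example.com:443 -> example.com."""
    host = urlsplit(origin).hostname
    return host.lower() if host else None


def check_access(policy, origin, source_ip):
    """Apply the whitelist rules to one request and return (http_status, json_body).

    origin: value of the Origin header, or None for a server-side call (assumption).
    source_ip: the connecting client's address as a string."""
    if origin:  # front end request: judged by domain only
        if policy.domains is None:
            # no domain whitelist: only an IP-only policy shuts front end traffic out
            return (200, ALLOWED_BODY) if policy.ips is None else (403, DENIED_BODY)
        return (200, ALLOWED_BODY) if _origin_host(origin) in policy.domains else (403, DENIED_BODY)
    # back end request: judged by IP only
    if policy.ips is None:
        # no IP whitelist: a domain-only policy blocks every back end request
        return (200, ALLOWED_BODY) if policy.domains is None else (403, DENIED_BODY)
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return 403, DENIED_BODY
    # an enabled but empty whitelist matches nothing, so everything is denied
    return (200, ALLOWED_BODY) if ip in policy.ips else (403, DENIED_BODY)
```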


