
# API Token Security & Access Control


You can restrict API access based on:

* Domain (for front end/browser usage)
* IP Address (for back end/server usage)
* Both (for flexible and secure access)

Before configuring restrictions, decide: is this API token being used from the front end (browser) or the back end (server)?

## **Front end Access (Domain Restriction)**

Use this option when your API is called from:

* Web applications
* Browser-based apps
* JavaScript front end projects

**You can add up to 5 allowed domains.**

`Example: example.com`

**How It Works**

* If the request domain matches one of the allowed domains → Access Granted
* If the domain does not match → Access Denied

If only Domain Whitelist is enabled → Back end requests will NOT work.

## **Back end Access (IP Restriction)**


Use this option when your API is called from:

* Back end servers
* Server-to-server integrations
* cURL scripts

You can add up to 5 allowed IP addresses.

`Example: 192.168.1.1`

**Notes:**

* Only static IP addresses are supported.
* Dynamic IP addresses are not recommended and may cause access issues.
* Do not use internal or network IPs. Use your server’s public static IP address.
* If IP restriction is enabled but no IP address is added → All backend requests will be blocked.

**How It Works**

* If the request IP matches one of the allowed IPs → Access Granted
* If it does not match → Access Denied

If only IP Whitelist is enabled → Front end requests should NOT work.
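A pre-flight check for the IP list, following the notes above (public addresses only, at most 5 entries, an empty list blocks everything). This is an added example, not code from the HomeDesigns AI documentation; `check_ip_allowlist` and the sample entries are hypothetical, and the check assumes entries are single addresses, as the page describes.

```python
import ipaddress

MAX_ENTRIES = 5  # the page allows up to 5 IP addresses


def check_ip_allowlist(entries):
    """Return (accepted, problems) for a proposed list of allowed IPs.

    Whether an address is static cannot be checked offline; confirm that
    with your hosting provider.
    """
    accepted, problems = [], []
    for raw in entries:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            problems.append((raw, "not a single IP address"))
            continue
        if not ip.is_global:
            # Covers RFC 1918, loopback, link-local, CGNAT and reserved ranges.
            problems.append((raw, "internal or reserved, not a public IP"))
        elif str(ip) in accepted:
            problems.append((raw, "duplicate entry"))
        elif len(accepted) >= MAX_ENTRIES:
            problems.append((raw, "over the 5-address limit"))
        else:
            accepted.append(str(ip))
    if not accepted:
        # Per the notes: IP restriction with no usable IP blocks every back end request.
        problems.append(("", "no usable IP: all back end requests would be blocked"))
    return accepted, problems


# Constructed sample input. The public addresses are well-known DNS resolvers
# used as stand-ins for a server's own public static IP.
SAMPLE = [
    "8.8.8.8",      # public
    "192.168.1.1",  # RFC 1918 private range
    "100.64.0.1",   # carrier-grade NAT range
    "8.8.8.8",      # duplicate
    "example.com",  # a domain belongs in the domain list, not here
]

if __name__ == "__main__":
    ok, issues = check_ip_allowlist(SAMPLE)
    print("accepted:", ok)
    for entry, reason in issues:
        print(f"rejected {entry!r}: {reason}")
```
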

## **Using Both Domain and IP Whitelist**

If both restrictions are enabled:

* Front end requests must match one of the allowed domains.
* Back end requests must match one of the allowed IP addresses.

Each request is validated based on its source (browser or server).

**Access Denied Response**

If access validation fails, the API returns:

```json
{
    "error": "Access denied. You don't have permission to access this."
}
```

HTTP Status Code: 403 Forbidden

