IP whitelisting for API access (Enterprise)

IP whitelisting (Enterprise)

Restrict API access to specific IP addresses or CIDR ranges for enhanced security.

Configuring IP whitelist

1. Go to Company Settings → Security tab.
2. Under API IP whitelist, toggle Enable IP whitelist to ON.
3. Add IP addresses or CIDR ranges:
   • Single IP: 203.0.113.45
   • CIDR range: 203.0.113.0/24
   • IPv6: 2001:db8::/32
4. Click Save.

What IP whitelisting affects

• REST API – Requests from non‑whitelisted IPs receive 403 Forbidden.
• MCP server – Same as REST API (MCP server uses API).
• Webhook deliveries – Outgoing webhooks from Certorix are NOT restricted (they come from Certorix IPs).
• Widget and chat – NOT restricted (customers must access from anywhere).
• Web app (dashboard) – NOT restricted (admins may need to log in from anywhere).

Testing IP whitelist

Use the Test IP button to check if a given IP address is allowed. Useful for debugging.

Whitelist limits

• Maximum 50 IP entries (single IPs or CIDR ranges).
• Each entry counts as one rule.
• Wildcards (e.g., *) not allowed.

Emergency override

If you lock yourself out by misconfiguring the whitelist:

1. Contact Certorix support (support@certorix.com) with proof of identity.
2. Support can temporarily disable the whitelist (for 24 hours).
3. Log in and correct the whitelist configuration.

Enterprise customers also have a break‑glass admin URL that bypasses IP restrictions (shared during onboarding).

Audit logging

IP whitelist changes (enable, disable, add, remove) are logged in the audit log with before/after values.