Skip to main content

Security

Use the Security feature to restrict which origins are permitted to make API calls. By managing Domain Names and Source IPs through an Allowlist, unauthorized access to project resources and API calls are blocked. Requests from origins not registered in the Allowlist return an HTTP 403 status code with an error response.


Security Settings

Configure and manage the Domain/IP Allowlist from the Security tab on the project detail page. As a general practice, use the Domain Name Allowlist for requests originating from web browsers, and the Source IP Allowlist for requests from fixed network environments such as server-to-server communication. By default, both options are set to allow all origins. Enable only the method that fits your environment to allow only the necessary origins.

Security Dashboard

1. Register a Domain

This method restricts resource access from unauthorized origins based on Domain. Follow the steps below to add a Domain to the Allowlist.

Security Domain
  • Click the [Allow only listed domains] button to enable authorized Domain-based security.
  • Optionally enter a description for the domain in the [Name] field.
  • Enter the Domain in the [Domain] field.
  • Click the [Add] button on the right to add the Domain to [Allowed Domains].

At least one Domain must be registered to activate the [Allow only listed domains] condition, with a maximum of 25. When enabled, requests from origins with Domains not in the Allowlist return a 403 error.

warning

Switching the domain permission condition from [Allow only listed domains] back to [Allow all domains] will reset the [Allowed Domains] list. Exercise caution when changing this condition.

2. Register a Source IP

This method restricts API calls to only those from permitted IP addresses based on Source IP. Follow the steps below to add an IP to the Allowlist.

Security IP
  • Click the [Allow only listed IPs] button to enable Source IP-based security.
  • Optionally enter a description for the IP in the [Name] field.
  • Enter the IP address in the [Source IP] field.
  • Click the [Add] button on the right to add the Source IP to [Allowed IPs].

At least one IP must be registered to activate the [Allow only listed IPs] condition, with a maximum of 25. When security is enabled, requests from Source IPs not in the Allowlist return a 403 error.

warning

Switching the IP permission condition from [Allow only listed IPs] back to [Allow all IPs] will reset the [Allowed IPs] list. Exercise caution when changing this condition.

3. Setting Conditions

When both [Allow only listed domains] and [Allow only listed IPs] are enabled, you can set the resource access condition to either [Domain and IP must both match] or [Domain or IP can match] The default setting is [Domain and IP must both match].

Security Condition
  • Domain and IP must both match

An AND condition where both the Domain and IP must be registered in the Allowlist to access the resource.

  • Domain or IP can match

An OR condition where either the Domain or the IP must be registered in the Allowlist to access the resource.

After selecting one of the two conditions, click the [Save Changes] button to save your settings.


Error Response

When an API call is made from an origin not registered in the Allowlist, the following response is returned with an HTTP 403 status code. The error message may reference Domain or Source IP depending on the type of request.

Error Response Example
{
"code": "PERMISSION_DENIED",
"message": "Permission denied. Check your security settings and ensure your domain is allowlisted."
}

The main causes of this error and the corresponding remedies are as follows.

  • The Domain or Source IP Allowlist is enabled, but the current origin is not registered — Add the Domain Name or Source IP to the Allowlist in the Security settings.
  • The value registered in the Allowlist does not match the actual request origin — Review the registered entries and check for typos or formatting errors.
  • The Security feature is not in use — Verify that the Domain and Source IP Allowlist toggles are disabled. When a toggle is enabled, only origins registered in the Allowlist are permitted.

Security Recommendations

Using API Keys together with the Security feature strengthens protection against unauthorized access. Review the following recommendations when configuring your security settings.

  • Store API Keys in environment variables (e.g., process.env.API_KEY) rather than embedding them directly in source code. Do not commit API Keys to version control systems, as exposure can lead to unauthorized use.
  • Rotate API Keys periodically. Keys in long-term use accumulate exposure risk, and regular rotation helps maintain security.
  • Keep the number of registered Domain Names and Source IPs in the Allowlist to a minimum. Remove entries that are no longer in use to eliminate unnecessary access paths.
  • If your environment uses fixed network connections (e.g., server-to-server communication), enable the Source IP Allowlist to block requests from non-permitted IPs.