Network Policies
Your account can be configured with network policies that restrict API access to specific IP addresses and origin domains. These policies are set by your administrator at the tenant or client level.
How It Works
On every request, the API checks your configured network policy:
- IP address — compared against your allowed_ips list
- Origin domain — compared against your allowed_domains list (only checked if an Origin header is present)
If both checks fail, the request is rejected with a 403 Forbidden response. If either check passes, the request is allowed.
Viewing Your Policy
Call GET /v1/account/config to see your current network policy:
{
  "success": true,
  "auth_method": "api_key",
  "network_policy": {
    "allowed_ips": {
      "tenant": ["10.0.0.0/8"],
      "client": ["203.0.113.50"]
    },
    "allowed_domains": {
      "tenant": ["*.example.com"],
      "client": ["app.mysite.com"]
    }
  }
}
Policy Levels
Network policies can be set at two levels:
- Tenant level — applies to all clients under the tenant
- Client level — applies to your specific client, overrides tenant policy when set
If your client has its own policy, it takes precedence over the tenant policy. If no client-level policy is set, the tenant policy applies.
Supported Formats
IP Addresses
| Format | Example | Description |
|---|---|---|
| Exact IP | 203.0.113.50 | Single IP address |
| CIDR range | 10.0.0.0/8 | Entire subnet |
| Wildcard | 172.16.0.* | Wildcard matching |
| Allow all | * | No IP restriction |
Domains
| Format | Example | Description |
|---|---|---|
| Exact domain | app.mysite.com | Single domain |
| Wildcard subdomain | *.mysite.com | Any subdomain |
| Full URL | https://app.mysite.com | Hostname is extracted automatically |
Domain matching is case-insensitive.
Empty Policies
If both allowed_ips and allowed_domains are empty (no restrictions configured), all requests are allowed regardless of source.
Error Response
When a request is blocked by a network policy:
HTTP 403 Forbidden
{
  "error": {
    "code": "FORBIDDEN",
    "message": "Forbidden"
  }
}
If you're receiving unexpected 403 responses, check your network policy with GET /v1/account/config and verify your request is coming from an allowed IP or origin.
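To see which rule a request fails, the matching rules described on this page can be replayed locally against the network_policy object returned by GET /v1/account/config. The Python below is an added example, not the service's own code: the function names are hypothetical, and it assumes that a non-empty client list replaces the tenant list separately for each list and that *.mysite.com does not match the bare mysite.com.

```python
import fnmatch
import ipaddress
from urllib.parse import urlsplit

# Sample input: the policy from the example GET /v1/account/config response above.
SAMPLE_POLICY = {
    "allowed_ips": {"tenant": ["10.0.0.0/8"], "client": ["203.0.113.50"]},
    "allowed_domains": {"tenant": ["*.example.com"], "client": ["app.mysite.com"]},
}

def effective(levels):
    # Assumption: a non-empty client list replaces the tenant list, per list.
    return levels.get("client") or levels.get("tenant") or []

def ip_allowed(ip, entries):
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if "*" in entry:      # "*" (allow all) or a wildcard such as 172.16.0.*
            if fnmatch.fnmatchcase(ip, entry):
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True       # exact IP (treated as a /32) or CIDR range
    return False

def hostname(value):  # bare domain or full URL -> lower-cased hostname
    value = value.strip().lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.split("/")[0].split(":")[0]

def domain_allowed(origin, entries):
    host = hostname(origin)
    for pattern in map(hostname, entries):
        if pattern.startswith("*."):
            # Assumption: "*.mysite.com" covers subdomains, not the bare apex.
            if host.endswith(pattern[1:]) and host != pattern[1:]:
                return True
        elif host == pattern:
            return True
    return False

def would_allow(policy, source_ip, origin=None):
    ips = effective(policy.get("allowed_ips", {}))
    domains = effective(policy.get("allowed_domains", {}))
    if not ips and not domains:
        return True           # empty policy: no restrictions
    if ip_allowed(source_ip, ips):
        return True           # either check passing is enough
    return origin is not None and domain_allowed(origin, domains)  # Origin checked only if sent
```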