IP allowlist
INFI can restrict the origin IP addresses allowed to use an API key. When the allowlist is enabled, requests from IPs outside the list receive:
HTTP/1.1 403
{ "error": "IP de origem não autorizado para esta chave." }

Configuration
The IP allowlist is configured by the INFI team upon request. Today there is no self-service in the dashboard to add or remove IPs.
[TO BE CONFIRMED WITH THE INFI TEAM]: whether a dashboard UI will be added for merchants to manage the allowlist on their own.
The list accepts:
- IPv4 literal (e.g., 203.0.113.42)
- IPv4 CIDR (e.g., 203.0.113.0/24)
- IPv6 literal
IPv6 CIDR ranges are not supported today.
Origin IP detection
INFI uses the last value of X-Forwarded-For (the one appended by Google Frontend) as the client IP; earlier values in the header are ignored. IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are normalized to IPv4 before matching.
If your infrastructure sits behind NAT with a changing IP (residential connections, some cloud providers without a static IP), do not enable the allowlist for that API key. Use a separate key with the allowlist enabled only in environments where the IP is stable.
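To make the matching rules above concrete (last X-Forwarded-For value, ::ffff: normalization, the three accepted entry forms, and the IPv6 CIDR limitation), here is an added example in Python of how such a check behaves; it is not INFI's own code, and the allowlist entries and headers are constructed sample data.

```python
import ipaddress

def parse_allowlist(entries):
    """Parse the entry forms the page lists: IPv4 literal, IPv4 CIDR,
    IPv6 literal. IPv6 CIDR is rejected at configuration time, mirroring
    the documented limitation."""
    parsed = []
    for raw in entries:
        raw = raw.strip()
        if "/" in raw:
            net = ipaddress.ip_network(raw, strict=False)
            if net.version != 4:
                raise ValueError(f"IPv6 CIDR ranges are not supported: {raw}")
            parsed.append(net)
        else:
            parsed.append(ipaddress.ip_address(raw))
    return parsed

def client_ip_from_xff(header_value):
    """Take the LAST X-Forwarded-For value (the one appended by the trusted
    front end; anything before it is client-controlled and ignored) and
    normalize an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to IPv4."""
    last = header_value.split(",")[-1].strip()
    addr = ipaddress.ip_address(last)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def is_allowed(allowlist, header_value):
    """Return True if the detected client IP matches any allowlist entry.
    A malformed or empty header is treated as not allowed."""
    try:
        ip = client_ip_from_xff(header_value)
    except ValueError:
        return False
    for entry in allowlist:
        if isinstance(entry, ipaddress.IPv4Network):
            if ip.version == 4 and ip in entry:
                return True
        elif ip == entry:
            return True
    return False

# Constructed sample allowlist: one IPv4 CIDR and one IPv6 literal.
SAMPLE_ALLOWLIST = parse_allowlist(["203.0.113.0/24", "2001:db8::1"])
```

Note that "203.0.113.42, 198.51.100.7" is denied even though an allowed address appears in the header, because only the last value counts.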
Why combine it with key rotation
The allowlist alone does not replace rotation. If a key is exposed, it may still be used from an allowed IP (for example, by an attacker who is already inside your network). Keep periodic rotation as a second layer.