IP Allowlisting

Restrict which IP addresses can call your VeriSwarm API endpoints. When configured, only requests from allowed IPs can submit events and check trust decisions. All other requests receive a 403 Forbidden response.


What It Protects

IP allowlisting applies to endpoints authenticated with your API key (x-api-key header):

  • Event ingestion -- POST /v1/events
  • Trust decisions -- POST /v1/decisions/check

Dashboard access (authenticated via session tokens) is not affected by the IP allowlist. This ensures you can always manage your workspace from any location, even if a misconfigured allowlist blocks API traffic.


CIDR Notation

IP ranges are specified in CIDR (Classless Inter-Domain Routing) notation:

| CIDR | Matches | Description |
|---|---|---|
| 203.0.113.10/32 | 1 IP | Single address |
| 203.0.113.0/24 | 256 IPs | 203.0.113.0 -- 203.0.113.255 |
| 10.0.0.0/16 | 65,536 IPs | 10.0.0.0 -- 10.0.255.255 |
| 10.0.0.0/8 | 16.7M IPs | 10.0.0.0 -- 10.255.255.255 |

The /32 suffix means a single exact IP. The smaller the suffix number, the broader the range.


Configuring via the Dashboard

Navigate to Account > Settings > Security > IP Allowlist.

  1. Enter one CIDR range per line (or comma-separated).
  2. Click Save.

Leave the field empty to disable the allowlist (all IPs allowed).


Configuring via the API

Get current allowlist

curl https://veriswarm.ai/v1/public/providers/ip-allowlist \
  -H "x-account-access-token: YOUR_SESSION_TOKEN"

Response:

{
  "ip_allowlist": "203.0.113.0/24,198.51.100.0/24"
}

An empty string means no allowlist is configured.

Set allowlist

Requires MFA verification.

curl -X POST https://veriswarm.ai/v1/public/providers/ip-allowlist \
  -H "x-account-access-token: YOUR_SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "ip_allowlist": "203.0.113.0/24, 198.51.100.10/32"
  }'

Response:

{
  "status": "updated",
  "ip_allowlist": "203.0.113.0/24,198.51.100.10/32"
}

Disable allowlist

Send an empty string to remove the allowlist entirely:

curl -X POST https://veriswarm.ai/v1/public/providers/ip-allowlist \
  -H "x-account-access-token: YOUR_SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "ip_allowlist": ""
  }'

What Happens When Blocked

When a request comes from an IP not in the allowlist, VeriSwarm returns:

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "detail": "Request blocked by IP allowlist policy"
}

The request is rejected before any processing occurs. No event is ingested, no decision is returned, and no rate limit is consumed.


Safely Removing a Misconfigured Allowlist

If you accidentally set an allowlist that blocks your own API traffic:

  1. Log into the dashboard from any IP. Dashboard session auth is not subject to the IP allowlist.
  2. Navigate to Account > Settings > Security > IP Allowlist.
  3. Clear the field and save, or add your correct IP range.

Alternatively, use the API with your session token (which is not IP-restricted):

curl -X POST https://veriswarm.ai/v1/public/providers/ip-allowlist \
  -H "x-account-access-token: YOUR_SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"ip_allowlist": ""}'

Common CIDR Ranges for Cloud Providers

If your agents run on cloud infrastructure, you may want to allowlist the egress IP ranges of your provider. Here are starting points -- always verify current ranges from official documentation:

| Provider | How to Find Ranges |
|---|---|
| AWS | ip-ranges.json -- filter by service and region |
| Google Cloud | cloud.json |
| Azure | ServiceTags JSON -- filter by service tag |
| Vercel | Vercel serverless functions use dynamic IPs; consider using a Vercel Secure Compute static IP |
| Railway | Static egress IPs available on Pro plan |

For serverless environments without static IPs, consider routing API traffic through a proxy with a fixed IP, or use API key authentication without IP allowlisting.
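
The "filter by service and region" step for AWS, as an added example (not VeriSwarm's or AWS's code): it filters a constructed document in the ip-ranges.json shape, merges adjacent prefixes, and refuses a result longer than the 4,000-character allowlist limit. The function name and the sample prefixes are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS ip-ranges.json; the prefixes are
# documentation ranges, not real AWS data.
SAMPLE = json.loads("""
{"prefixes": [
  {"ip_prefix": "203.0.113.0/25",   "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.0/24",  "region": "eu-west-1", "service": "EC2"},
  {"ip_prefix": "192.0.2.0/24",     "region": "us-east-1", "service": "S3"}
 ],
 "ipv6_prefixes": [
  {"ipv6_prefix": "2001:db8:1000::/40", "region": "us-east-1", "service": "EC2"}
 ]}
""")


def allowlist_for(doc, service, region, max_chars=4000):
    """Build an ip_allowlist value from the prefixes of one service and region."""
    def pick(section, key):
        return [ipaddress.ip_network(p[key]) for p in doc.get(section, [])
                if p["service"] == service and p["region"] == region]
    # collapse_addresses merges adjacent and overlapping prefixes; it rejects
    # mixed IPv4/IPv6 input, so each address family is collapsed on its own.
    merged = [*ipaddress.collapse_addresses(pick("prefixes", "ip_prefix")),
              *ipaddress.collapse_addresses(pick("ipv6_prefixes", "ipv6_prefix"))]
    value = ",".join(str(net) for net in merged)
    if len(value) > max_chars:
        raise ValueError(
            f"{len(merged)} ranges need {len(value)} characters, limit is {max_chars}")
    return value


if __name__ == "__main__":
    print(allowlist_for(SAMPLE, "EC2", "us-east-1"))
```

A provider-wide range admits every tenant of that service and region, so the API key remains the control that identifies your agents.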


Validation

The API validates all CIDR entries on save. Invalid entries are rejected:

{
  "detail": "Invalid CIDR range: not-an-ip"
}

Both IPv4 and IPv6 CIDR notation are supported. The maximum allowlist length is 4,000 characters.


Best Practices

  • Start with a single IP for testing before adding ranges.
  • Use /32 for individual servers to minimize the attack surface.
  • Keep the allowlist as narrow as possible. Broad ranges (/8, /16) defeat the purpose.
  • Update the allowlist before migrating infrastructure. Add new IPs first, verify traffic flows, then remove old IPs.
  • Always test after changes. Send a test event from an allowed and a blocked IP to confirm behavior.
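
A local pre-flight check for the Validation and Best Practices guidance above, as an added example that is not VeriSwarm's own code: it parses a proposed allowlist, flags broad ranges and entries with host bits set, and lists any of your egress IPs the new value would lock out. The function names, the IPv6 /48 threshold and the sample addresses are assumptions of this example; how the server treats host bits is not documented on this page.

```python
import ipaddress
import re

MAX_CHARS = 4000  # maximum allowlist length stated in the Validation section


def parse_allowlist(text):
    """Split on commas/newlines; return (entry, network) pairs for IPv4 and IPv6."""
    pairs = []
    for entry in filter(None, (e.strip() for e in re.split(r"[,\n]", text))):
        try:
            # strict=False accepts host bits (10.0.0.5/8) so preflight() can flag them
            pairs.append((entry, ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            raise ValueError(f"Invalid CIDR range: {entry}") from None
    return pairs


def preflight(text, egress_ips):
    """Lint a proposed allowlist and list the egress IPs it would lock out."""
    pairs = parse_allowlist(text)
    normalized = ",".join(entry for entry, _ in pairs)
    warnings = []
    if len(normalized) > MAX_CHARS:
        warnings.append(f"{len(normalized)} characters exceeds the {MAX_CHARS} limit")
    for entry, net in pairs:
        # /16 and broader is the page's guidance; the IPv6 /48 cut-off is an assumption
        if net.prefixlen <= (16 if net.version == 4 else 48):
            warnings.append(f"{entry}: broad range, {net.num_addresses} addresses")
        if ipaddress.ip_interface(entry).ip != net.network_address:
            warnings.append(f"{entry}: host bits set; network is {net}")
    # An empty allowlist means the feature is disabled, so nothing is locked out
    uncovered = [ip for ip in egress_ips
                 if pairs and not any(ipaddress.ip_address(ip) in net for _, net in pairs)]
    return {"normalized": normalized, "warnings": warnings, "uncovered": uncovered}


if __name__ == "__main__":
    # Constructed input: a proposed allowlist and the egress IPs of three hypothetical agents
    report = preflight("203.0.113.0/24, 198.51.100.10/32",
                       ["203.0.113.7", "198.51.100.10", "192.0.2.44"])
    print(report)
```

Run it before the POST that sets the allowlist: a non-empty `uncovered` list means those agents would start receiving 403 responses once the change is saved.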