Restrict which IP addresses can call your VeriSwarm API endpoints. When configured, only requests from allowed IPs can submit events and check trust decisions. All other requests receive a 403 Forbidden response.
IP allowlisting applies to endpoints authenticated with your API key (x-api-key header):
- POST /v1/events
- POST /v1/decisions/check

Dashboard access (authenticated via session tokens) is not affected by the IP allowlist. This ensures you can always manage your workspace from any location, even if a misconfigured allowlist blocks API traffic.
IP ranges are specified in CIDR (Classless Inter-Domain Routing) notation:
| CIDR | Matches | Description |
|---|---|---|
| 203.0.113.10/32 | 1 IP | Single address |
| 203.0.113.0/24 | 256 IPs | 203.0.113.0 -- 203.0.113.255 |
| 10.0.0.0/16 | 65,536 IPs | 10.0.0.0 -- 10.0.255.255 |
| 10.0.0.0/8 | 16.7M IPs | 10.0.0.0 -- 10.255.255.255 |
The /32 suffix means a single exact IP. The smaller the suffix number, the broader the range.
Navigate to Account > Settings > Security > IP Allowlist.
Leave the field empty to disable the allowlist (all IPs allowed).
```
curl https://veriswarm.ai/v1/public/providers/ip-allowlist \
  -H "x-account-access-token: YOUR_SESSION_TOKEN"
```

Response:

```
{
  "ip_allowlist": "203.0.113.0/24,198.51.100.0/24"
}
```
An empty string means no allowlist is configured.
Requires MFA verification.
```
curl -X POST https://veriswarm.ai/v1/public/providers/ip-allowlist \
  -H "x-account-access-token: YOUR_SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "ip_allowlist": "203.0.113.0/24, 198.51.100.10/32"
  }'
```

Response:

```
{
  "status": "updated",
  "ip_allowlist": "203.0.113.0/24,198.51.100.10/32"
}
```
Send an empty string to remove the allowlist entirely:
```
curl -X POST https://veriswarm.ai/v1/public/providers/ip-allowlist \
  -H "x-account-access-token: YOUR_SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "ip_allowlist": ""
  }'
```
When a request comes from an IP not in the allowlist, VeriSwarm returns:
```
HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "detail": "Request blocked by IP allowlist policy"
}
```
The request is rejected before any processing occurs. No event is ingested, no decision is returned, and no rate limit is consumed.
If you accidentally set an allowlist that blocks your own API traffic:
Alternatively, use the API with your session token (which is not IP-restricted):
```
curl -X POST https://veriswarm.ai/v1/public/providers/ip-allowlist \
  -H "x-account-access-token: YOUR_SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"ip_allowlist": ""}'
```
If your agents run on cloud infrastructure, you may want to allowlist the egress IP ranges of your provider. Here are starting points -- always verify current ranges from official documentation:
| Provider | How to Find Ranges |
|---|---|
| AWS | ip-ranges.json -- filter by service and region |
| Google Cloud | cloud.json |
| Azure | ServiceTags JSON -- filter by service tag |
| Vercel | Vercel serverless functions use dynamic IPs; consider using a Vercel Secure Compute static IP |
| Railway | Static egress IPs available on Pro plan |
For serverless environments without static IPs, consider routing API traffic through a proxy with a fixed IP, or use API key authentication without IP allowlisting.
The API validates all CIDR entries on save. Invalid entries are rejected:
```
{
  "detail": "Invalid CIDR range: not-an-ip"
}
```
Both IPv4 and IPv6 CIDR notation are supported. The maximum allowlist length is 4,000 characters.
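
A client-side pre-flight check for the lock-out case described above, as an added example rather than VeriSwarm's own code: it parses a candidate allowlist string with Python's `ipaddress` module and reports which of your egress IPs would receive the 403 before you save it. The function names, the sample egress IPs, and the handling of whitespace, empty items and host bits are assumptions; the server's validator may differ.

```python
import ipaddress

MAX_ALLOWLIST_CHARS = 4000  # limit stated on this page


def parse_allowlist(raw):
    """Parse a comma-separated CIDR string; "" means no allowlist."""
    if len(raw) > MAX_ALLOWLIST_CHARS:
        raise ValueError("allowlist exceeds 4,000 characters")
    networks = []
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            continue  # assumption: empty items are ignored
        try:
            # Assumption: host bits are tolerated (strict=False); the
            # server's validator may be stricter.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            raise ValueError(f"Invalid CIDR range: {entry}") from None
    return networks


def is_allowed(ip, networks):
    """True when no allowlist is set or ip falls inside one of the ranges."""
    if not networks:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)


def preflight(raw, egress_ips):
    """Return (normalized allowlist, egress IPs that would get the 403)."""
    networks = parse_allowlist(raw)
    blocked = [ip for ip in egress_ips if not is_allowed(ip, networks)]
    return ",".join(str(n) for n in networks), blocked


if __name__ == "__main__":
    # Constructed sample: the candidate list from the update request above
    # and made-up egress addresses from documentation ranges.
    candidate = "203.0.113.0/24, 198.51.100.10/32"
    egress = ["203.0.113.77", "198.51.100.10", "198.51.100.11", "2001:db8::1"]
    normalized, blocked = preflight(candidate, egress)
    print("would save:", normalized)
    print("would be blocked:", blocked)
```

Run it against the addresses your agents actually egress from; any address in the blocked list needs its own range added before the allowlist is saved.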