Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.iterapay.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

IP whitelisting lets you restrict your IteraPay API key so it can only be used from a specific IP address or network range. When a whitelist is active, any API request originating from an IP that doesn’t match your configured value is rejected — even if the request includes a valid API key. This significantly reduces the risk of unauthorized access if your key is ever leaked.
IP whitelisting is optional but strongly recommended for server-side integrations where your API key is used from a fixed IP, such as a dedicated backend server or a NAT gateway.

Setting up your IP whitelist

You can configure your whitelist with a single IPv4 address or a CIDR range (e.g., 203.0.113.0/24). Only one value can be active at a time — submitting a new value overwrites the previous one.
1

Find your server's outbound IP address

Identify the IP address that your server uses for outbound requests. If you’re using a cloud provider, this may be an Elastic IP, a NAT gateway IP, or a specific egress IP. You can also specify a CIDR range to cover multiple addresses in the same subnet.
2

Submit the whitelist configuration

Send a POST request with your IP address in the request body:
set-ip-whitelist.sh
curl --request POST \
  --url https://api.iterapay.com/ipAddress/YOUR_MERCHANT_ID \
  --header 'Authorization: Bearer YOUR_JWT_TOKEN' \
  --header 'Content-Type: application/json' \
  --data '{"ipAddress": "203.0.113.42"}'
To allow a range of IPs using CIDR notation:
set-ip-whitelist-cidr.sh
curl --request POST \
  --url https://api.iterapay.com/ipAddress/YOUR_MERCHANT_ID \
  --header 'Authorization: Bearer YOUR_JWT_TOKEN' \
  --header 'Content-Type: application/json' \
  --data '{"ipAddress": "203.0.113.0/24"}'
A successful request returns 204 No Content.
Before saving your whitelist, verify that the IP address you’re configuring matches the server making your API requests. If you whitelist the wrong IP, all subsequent API calls from your integration will be rejected. If this happens, use your Bearer token (JWT) to update or remove the whitelist from an authorized session.

Viewing your current whitelist

To check which IP address or range is currently configured, send a GET request:
get-ip-whitelist.sh
curl --request GET \
  --url https://api.iterapay.com/ipAddress/YOUR_MERCHANT_ID \
  --header 'Authorization: Bearer YOUR_JWT_TOKEN'
The response contains your current configuration:
response
{
  "ipAddress": "203.0.113.42"
}
If no whitelist is configured, the response will indicate an empty or absent ipAddress value.

Updating your whitelist

To change the whitelisted IP — for example, when migrating to a new server — send another POST request with the new value. The new IP immediately replaces the old one:
update-ip-whitelist.sh
curl --request POST \
  --url https://api.iterapay.com/ipAddress/YOUR_MERCHANT_ID \
  --header 'Authorization: Bearer YOUR_JWT_TOKEN' \
  --header 'Content-Type: application/json' \
  --data '{"ipAddress": "198.51.100.10"}'
If you’re migrating servers, configure the whitelist with the new IP address before decommissioning the old server to avoid any downtime.

Removing the IP restriction

If you need to remove the IP whitelist entirely — for example, to allow requests from dynamic IPs or during local development — send a DELETE request:
remove-ip-whitelist.sh
curl --request DELETE \
  --url https://api.iterapay.com/ipAddress/YOUR_MERCHANT_ID \
  --header 'Authorization: Bearer YOUR_JWT_TOKEN'
A successful removal returns 204 No Content. Your API key will then accept requests from any IP address until you configure a new whitelist.
Removing the IP whitelist does not invalidate your API key. Your key remains active and can be used from any IP until you either add a new whitelist or revoke the key.

Request and response reference

POST /ipAddress/{merchantID}

merchantID
string
required
Your unique merchant identifier.
Authorization
string
required
Bearer JWT token. Format: Bearer <token>.
ipAddress
string
required
The IP address or CIDR range to whitelist. Examples: 203.0.113.42, 203.0.113.0/24.
Returns 204 No Content on success.

GET /ipAddress/{merchantID}

merchantID
string
required
Your unique merchant identifier.
Authorization
string
required
Bearer JWT token. Format: Bearer <token>.
Response
ipAddress
string
The currently configured IP address or CIDR range.

DELETE /ipAddress/{merchantID}

merchantID
string
required
Your unique merchant identifier.
Authorization
string
required
Bearer JWT token. Format: Bearer <token>.
Returns 204 No Content on success.