Allowlisting

If you want to add an extra layer of security to your gateway, you can define which specific IP addresses or hostnames can access your Control Panel or take certain actions via the API. This is called allowlisting. Once enabled, access will be denied unless the user's IP address or hostname is added to the allowlist.

The allowlist only applies to Control Panel access and server-to-server calls via the API. Any encrypted calls that come straight from the customer’s browser (e.g. requests for payment method nonces using our client SDKs) will not be subject to the allowlist and will be passed to Braintree, regardless of the user’s IP address.

Enabling IP and hostname restrictions

Users with the Edit IP Restrictions role permission can follow these steps to allowlist certain IP addresses or hostnames:

1. Log into the Control Panel
2. Click on the gear icon in the top right corner
3. Click API from the drop-down menu
4. Click on the Security tab
5. Scroll to the IP and Hostname Restrictions section
6. Click the Edit button
7. Fill in the IP Address or Hostname field
8. Check the boxes to select whether to allow Control Panel access and/or API access
9. Click the Add Allowed Host button
10. Repeat steps 7-9 to add any other desired IP addresses or hostnames
11. Click the Enable Restrictions button

Wildcards and CIDR notation

You can use wildcard logic to allowlist a range of hostnames under a specific domain, or all IPs within a certain subnet range. For example, adding 127.54.63.* will allow all IP address within the 127.54.63 subnet range. Classless Inter-Domain Routing (CIDR) notation is also supported.