The Authorized IP page lets a merchant restrict access to their Ecrypt account by IP address. When enabled, only requests originating from IPs on the allowlist can reach the dashboard and/or the API — every other source is blocked. This is one of the strongest controls Ecrypt offers, because it removes most of the attack surface entirely: a stolen password, a leaked API key, or a card-testing bot operating from any random internet IP simply cannot reach the gateway if that IP isn’t on the list.

Path: Settings → Fraud Prevention → IP Allowed

What is IP allowlisting?
An allowlist (sometimes called a whitelist) is the opposite of a blocklist: instead of listing the IPs you want to deny, you list the IPs you want to permit. Anything not on the list is denied by default. This default-deny posture is significantly more secure than trying to enumerate every bad actor in the world.

Page Layout

  • Title: Authorized IP
  • Description: “Here, you can manage the list of authorized IP addresses for your account. By adding specific IP addresses to this list, you can control access to your resources and services, ensuring only trusted IPs can interact with your applications.”

Master Toggle

  • Enable Authorized IP — a single switch that turns enforcement on or off for the active MID.
  • Help text under the toggle: “Once Enabled, All requests originating from the IP addresses listed in the ‘IP’s Authorized Table’ filter will be granted access to your services and resources. The rest will be BLOCKED.”
The toggle is the kill switch. While it’s off, the allowlist is informational only. The moment it’s on, every request from an IP not on the list is rejected — including yours, if you forgot to add it.

Add a New IP Address (Form)

| Field | Type | Description |
| --- | --- | --- |
| Label | Text | A human-readable name for the entry (e.g., “Main Office”, “Retail POS Subnet”, “Production API Server”). |
| IP Address | Text | The IPv4 address to authorize. The label above the field shows your current source IP as a hint (e.g., Your IP: 172.30.50.167) so you can quickly add yourself. |
| ALLOWED TO USE THE PLATFORM | Checkbox | Permits this IP to access the Ecrypt dashboard (web UI / login). |
| ALLOWED TO USE THE API | Checkbox | Permits this IP to make REST API calls against the gateway. |
| ADD IP ADDRESS | Button | Saves the entry to the IP’s Authorized Table. |

You can grant platform, API, or both for each entry. A dashboard-only entry is appropriate for back-office staff browsing reports; an API-only entry is appropriate for a production server that submits payments programmatically.

IP’s Authorized Table

The list of currently configured entries:

| Column | Description |
| --- | --- |
| IP Address | The IP authorized. |
| Label | The human-readable name set when adding. |
| Status | Which scopes are granted (Platform, API, or both). |
| Action | Per-row controls to edit or delete the entry. |

If no entries exist, the table shows No results found.

Configuring the Allowlist

The safest way to turn this on for the first time is to add yourself first, then enable the toggle, then expand the list. If you enable enforcement before you’re on the list, you’ll lock yourself out and need your account representative to restore access.
  1. Go to Settings → Fraud Prevention → IP Allowed.
  2. Confirm your current IP from the Your IP: hint above the IP Address field.
  3. Add an entry for yourself with ALLOWED TO USE THE PLATFORM checked.
  4. Add entries for every other user, office, server, and integration that needs access:
    • Office locations (use the office’s public WAN IP, not internal LAN IPs).
    • Each ecommerce / production server that calls the API — check ALLOWED TO USE THE API.
    • Static-IP VPN gateways used by remote staff.
  5. Once the list is complete and verified, flip Enable Authorized IP to ON.
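
A pre-flight check for the procedure above, as an added example (not Ecrypt code and not a call to any Ecrypt API): it models the default-deny, per-scope behaviour this page describes against a locally kept copy of the planned list, and reports which required sources would be locked out once the toggle is ON. The `Entry` record, the function names and all addresses are constructed for illustration; exact matching on single IPv4 addresses is an assumption based on the IP Address field description.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 LAN ranges: the gateway never sees these, only the public WAN IP.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Entry:                      # hypothetical local record of one table row
    label: str
    ip: str
    platform: bool = False        # ALLOWED TO USE THE PLATFORM
    api: bool = False             # ALLOWED TO USE THE API

def parse_ipv4(text):
    try:
        return ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        return None               # CIDR blocks, hostnames, typos

def is_allowed(entries, enabled, source_ip, scope):
    """Toggle off: list is informational. Toggle on: default deny, per scope."""
    if not enabled:
        return True
    src = parse_ipv4(source_ip)
    return src is not None and any(
        parse_ipv4(e.ip) == src and getattr(e, scope) for e in entries)

def preflight(entries, required):
    """Problems to fix before enabling; required = (who, source_ip, scope)."""
    problems = []
    for e in entries:
        addr = parse_ipv4(e.ip)
        if addr is None:
            problems.append(f"{e.label}: '{e.ip}' is not a single IPv4 address")
        elif any(addr in net for net in LAN_NETS):
            problems.append(f"{e.label}: {e.ip} is a LAN address, use the WAN IP")
    for who, ip, scope in required:
        if not is_allowed(entries, True, ip, scope):
            problems.append(f"LOCKOUT: {who} at {ip} would lose {scope} access")
    return problems

# Constructed sample data (documentation-range addresses, not real systems).
PLANNED = [Entry("Main Office", "203.0.113.10", platform=True),
           Entry("Production API Server", "198.51.100.7", api=True),
           Entry("Retail POS", "192.168.1.20", platform=True)]
REQUIRED = [("admin", "203.0.113.10", "platform"),
            ("production server", "198.51.100.7", "api"),
            ("billing server", "198.51.100.8", "api")]
```

Calling `preflight(PLANNED, REQUIRED)` on the sample data reports the LAN address entered for the POS and the billing server that was left off the list; an empty result means every required source keeps its access when enforcement is switched on.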

Adding an entry

  1. Type a clear Label (you’ll thank yourself later when reviewing the list months from now).
  2. Type the IPv4 address to permit.
  3. Check ALLOWED TO USE THE PLATFORM and/or ALLOWED TO USE THE API based on intended use.
  4. Click ADD IP ADDRESS. The entry appears in the IP’s Authorized Table.

Editing or removing an entry

Use the per-row Action controls in the IP’s Authorized Table to edit a label / scopes, or delete an entry that’s no longer needed (decommissioned server, former office, departed contractor).

How It Works With the Rest of Ecrypt

  • Platform vs. API scopes are independent. An entry with only “API” checked will be blocked from logging into the dashboard from that IP, and vice versa.
  • Scope is per MID. If you operate multiple MIDs, you must configure the allowlist on each one. Use the location switcher (top-left) to switch MIDs and configure each independently.
  • API keys still apply. IP allowlisting layers on top of API key authentication — even if a private key is leaked, the attacker also needs to be on the allowlist.
  • Pairs naturally with the Velocity Filter. Allowlisting prevents most unauthorized traffic from reaching the gateway at all; the velocity filter contains anything that slips through (or originates from an authorized source).

Use Cases

  • Single-location retail. Allow only the office WAN IP. Card-testing bots running anywhere in the world are blocked outright.
  • Ecommerce with a known production stack. Allow your production server IPs for API access; allow internal staff IPs for platform access. Disable everything else.
  • Mixed B2B / call-center. Allow your office IPs for the dashboard and your billing-server IP for the API. Field staff who need mobile access either go without (and use a kiosk/iPad on a static-IP network) or VPN in through an allowlisted gateway.
  • Tightening after a security incident. If you suspect credential or API-key compromise, turning on IP allowlisting immediately blunts the attacker’s access while you investigate and rotate keys.

Tips & Best Practices

  • Always add yourself first. The dashboard does not have a “do you really want to lock yourself out?” confirmation — be careful with the master toggle.
  • Use labels generously. “Marketing laptop - Sarah” is much more useful than just 73.221.x.x six months from now.
  • Use static public IPs. Allowlisting against dynamic residential IPs is fragile — the entry can stop working overnight when the ISP rotates the address. For remote workers, a static-IP VPN or a fixed-IP business internet line is the right pattern.
  • Avoid allowing entire ISPs or large subnets. The narrower the allowlist, the better the protection. Allow individual server IPs rather than /16 blocks unless you specifically need them.
  • Review the list quarterly. Remove entries for retired servers, closed offices, and former employees. Stale allowlist entries become attack surface.
  • Keep API-only entries separate from platform entries. A web server should not need dashboard access; an analyst should not need API access. Granting the minimum required scope per entry follows the principle of least privilege.
  • Document your allowlist outside Ecrypt. Keep a record (in your IT documentation or password manager) of which entries correspond to which systems, so a new admin can audit the list without guesswork.
  • If you get locked out, contact your Ecrypt account representative — they can disable enforcement so you can recover, but they cannot remotely add an IP for you to bypass the lock.
  • Combine with reCAPTCHA, velocity filtering, and proper API key hygiene. Defense in depth: IP allowlisting prevents most attacks from ever starting, while the other controls handle the rest.