Skip to main content

If you are using our backend SDK that is lesser than the following versions, please visit the older documentation link here.

Allow / Deny requests based on IP address

You can set the SuperTokens core's config such that it accepts / denies requests that originate from certain IPs. This can be used to make sure that only your backend is able to query the SuperTokens core - increasing the security.

Allowing requests that have certain IP addresses#

 docker run \
-p 3567:3567 \
-e IP_ALLOW_REGEX="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" \
-d registry.supertokens.io/supertokens/supertokens-<db_name>

The above will only allow requests that originate from an IP that matches 127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1 regular expression. A breakdown of this regex is:

  • 127\.\d+\.\d+\.\d+: IPs that start with 127.; OR
  • ::1: IPv6 from localhost; OR
  • 0:0:0:0:0:0:0:1: IPv6 from localhost

In this way, we allow requests only from localhost and for other requests, the core will return a 403 status code. If instead you want to allow a list of IP addresses that correspond to your backend server's IP address, you can set this value to IP1|IP2|IP3... - for example: 100.12.12.3|192.167.4.3|50.32.5.1.

If this value is not set, then the core will allow requests from any IP address.

Denying requests that have certain IP addresses#

This is the opposite of the above config. If you only set this, the core will allow requests from any IP other than the one that matches the regular expression corresponding to this setting..

 docker run \
-p 3567:3567 \
-e IP_DENY_REGEX="100.1.1.3" \
-d registry.supertokens.io/supertokens/supertokens-<db_name>

The above setting will make the core accept requests from any IP other than 100.1.1.3. For 100.1.1.3, it will return a 403.

What if both the configs are set?#

In this case, the core will allow requests only based on the value of ip_allow_regex, as long that request's IP doesn't match the regex of ip_deny_regex. For example, if you set ip_allow_regex: IP1|IP2 and ip_deny_regex: IP1, then the core will accept requests only from IP2.

important

For managed service, please navigate to your dashboard and go to the edit configuration section to set this value.

Looking for older versions of the documentation?
Which UI do you use?
Custom UI
Pre built UI