> ## Documentation Index
> Fetch the complete documentation index at: https://documentation.idenfy.com/llms.txt
> Use this file to discover all available pages before exploring further.

# IP Whitelisting

> Restrict inbound webhook traffic to iDenfy IP address ranges as a defense-in-depth security layer for callback endpoint protection.

If your infrastructure supports IP-based access control, you can restrict inbound webhook traffic to only the IP addresses used by iDenfy. This adds a defense-in-depth layer on top of [callback signing](/security/callback-signing).

## Obtaining iDenfy's Webhook IP Ranges

iDenfy does not publish its outbound webhook IPs publicly, and they may change over time. To receive the current list, contact iDenfy technical support through the Jira service portal.

<Card title="Request webhook IPs" icon="headset" href="https://idenfy-ivs.atlassian.net/servicedesk/customer/portal/1/group/58/create/87">
  Open a ticket with iDenfy technical support to receive the latest IP ranges for webhook traffic.
</Card>

<Tip>
  After whitelisting, keep your support ticket open or request notifications so you are informed if the IP ranges change in the future.
</Tip>

## API Requests to iDenfy

iDenfy does **not** restrict inbound API requests by source IP. You can call the iDenfy API from any IP address as long as you provide valid authentication credentials. No whitelisting is required on the iDenfy side.

## Recommended Setup

<Steps>
  <Step title="Contact support">
    Request the current webhook IP list from iDenfy technical support.
  </Step>

  <Step title="Configure your firewall or security group">
    Allow inbound traffic on your webhook endpoint only from the provided IP addresses.
  </Step>

  <Step title="Combine with callback signing">
    IP whitelisting alone is not a substitute for signature verification. Use both for the strongest security posture.
  </Step>
</Steps>