Skip to main content

Documentation Index

Fetch the complete documentation index at: https://supahooks.ar27111994.dev/llms.txt

Use this file to discover all available pages before exploring further.

IP allowlisting lets you restrict all incoming traffic to a known set of source addresses. When allowedIps is configured, the actor rejects any request whose source IP is not covered by the list — including both webhook ingest and management endpoints. Requests from blocked addresses receive a 403 response.

Configure the allowlist

Set allowedIps to an array of IP addresses or CIDR blocks in your actor input: 
{
  "urlCount": 1,
  "retentionHours": 24,
  "allowedIps": [
    "203.0.113.10/32",
    "10.0.0.0/8"
  ]
}
Both individual addresses and ranges are supported. Use /32 (IPv4) or /128 (IPv6) for a single host.
Use CIDR notation for IP ranges. For example, 203.0.113.0/24 covers all 256 addresses from 203.0.113.0 to 203.0.113.255, which is useful when a provider publishes a range instead of a fixed address.

Response for blocked requests

Any request from an address outside the allowlist receives a 403 Forbidden response: 
{
  "error": "Forbidden",
  "message": "Source IP is not in the configured allowlist"
}

What the allowlist covers

allowedIps applies to all traffic reaching the actor:
  • Webhook ingestPOST /webhook/:id and any other method on that route
  • Management endpoints/logs, /info, /replay, /log-stream, /system/metrics, and the dashboard
The health probes (/health, /ready) are not affected by IP allowlisting so that container orchestrators and load balancers can always reach them.

Combine with authKey for layered security

IP allowlisting and API key auth are independent controls that you can stack together. A request must pass both checks when both are enabled: it must originate from an allowed address and present the correct authKey. 
{
  "urlCount": 1,
  "retentionHours": 48,
  "authKey": "your-secret-key-here",
  "allowedIps": [
    "203.0.113.10/32"
  ]
}
This combination is useful when you want to pin traffic to a specific provider network and still require a secret for any tooling that calls your management endpoints.

Restrict to provider IP ranges

A common pattern is to accept traffic only from the IP ranges published by your webhook provider: 
{
  "allowedIps": [
    "54.187.174.169/32",
    "54.187.205.235/32",
    "54.187.126.244/32"
  ]
}
Provider IP ranges change over time. Check your provider’s official documentation for the current list before configuring the allowlist, and update it when the provider publishes changes.