Preview
IP allow-list (preview)
Restrict API key usage to specific IP ranges so only trusted networks can authenticate with Meridian.
Overview
Every API key in Meridian can be bound to one or more IP ranges expressed in CIDR notation. When a request arrives, Meridian extracts the source IP and checks it against the allow-list attached to the key. If no range matches, the request is rejected with 403 Forbidden.
CIDR notation
CIDR (Classless Inter-Domain Routing) lets you specify a range of IP addresses with a single compact string. Meridian supports both IPv4 and IPv6.
| CIDR | Meaning |
|---|---|
| 203.0.113.0/24 | 203.0.113.0 – 203.0.113.255 |
| 198.51.100.42/32 | Single host |
| 2001:db8::/48 | IPv6 /48 prefix |
Managing via dashboard
- Open the API Keys page.
- Click the key you want to restrict.
- Under IP Allow-list, enter one CIDR per line.
- Click Save. Changes take effect within 60 seconds.
Note: Leaving the allow-list empty disables IP filtering entirely — the key will work from any address.
Edge cases
- ▸Proxied traffic: Meridian reads the connecting IP from the
X-Forwarded-Forheader when present. Ensure your proxy sets it correctly. - ▸IPv4-mapped IPv6: Addresses like
::ffff:203.0.113.1are normalized to IPv4 before matching. - ▸Overlapping ranges: The first matching CIDR wins. Order your list from most to least specific.