How can I restrict connections or requests by origin or IP?

The best way to do this sort of restriction is with token authentication. That way you are in control and can validate any feature of the client making the request (whether that's origin, IP, cookies, or anything else) in your auth server, as part of deciding whether to grant someone a token.

For the occasional usecases where token auth is impossible or impractical, it is also possible to add a couple of kinds of restriction (by origin or IP address) to an API key directly. Aside from being a lot less flexible than token auth, this needs manual intervention to change; as such it is only available to customers with enterprise support packages. Please get in touch if you're interested in this functionality.