How can I restrict connections or requests by origin or IP?

The best way to do this sort of restriction is with token authentication. That way you are in control and can validate any feature of the client making the request (whether that's origin, IP, cookies, or anything else) in your auth server, as part of deciding whether to grant someone a token.

For the occasional usecases where token auth is impossible or impractical, it is also possible to add a couple of kinds of restriction (by origin or IP address) to an API key directly. Aside from being a lot less flexible than token auth, this needs manual intervention to change; as such it is only available to customers with enterprise support packages. Please get in touch if you're interested in this functionality.

Note that origin restrictions in particular should not be considered a security boundary; the origin header is easily spoofed, in particular outside of browser contexts. To emphasize this, and for convenience, a request with no origin header will still be allowed when an origin restriction is set.