How can I restrict connections or requests by origin or IP?
The best way to do this sort of restriction is with token authentication. That way you are in control and can validate any feature of the client making the request (whether that's origin, IP, cookies, or anything else) in your auth server, as part of deciding whether to grant someone a token.
For the occasional use cases where token auth is impossible or impractical, it is also possible to add a couple of kinds of restriction (by origin or IP address) to an API key directly. Aside from being a lot less flexible than token auth, this needs manual intervention to change; as such, it is only available to customers with enterprise support packages. Please get in touch if you're interested in this functionality.
Note that origin restrictions in particular should not be considered a security boundary; the Origin header is easily spoofed, particularly outside of browser contexts. To emphasize this, and for convenience, a request with no Origin header will still be allowed when an origin restriction is set.
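A sketch of the auth-server decision described above, added here as an example and not Ably's own code: the server checks the session, source IP and Origin before any token is issued, and treats Origin only as an extra filter. The allowlist values, function names and the `issue_token` callable (a stand-in for your Ably SDK's token-request call) are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy values for illustration only.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]
ALLOWED_ORIGINS = {"https://app.example.com"}

def ip_allowed(remote_addr):
    """remote_addr must be the socket peer (or a value set by a proxy you
    control), never a client-supplied header such as X-Forwarded-For."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped:   # ::ffff:a.b.c.d -> a.b.c.d
        addr = addr.ipv4_mapped
    return any(addr in net for net in ALLOWED_NETWORKS)

def origin_allowed(origin):
    """Reject mismatched origins; a missing header proves nothing either way,
    because non-browser clients can omit or forge it."""
    if origin is None:
        return True
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}".lower() in ALLOWED_ORIGINS

def decide(remote_addr, origin, session_user):
    """Return (allowed, reason). session_user is the identity your app already
    authenticated (e.g. from a session cookie); None means not logged in."""
    if session_user is None:
        return False, "no authenticated session"
    if not ip_allowed(remote_addr):
        return False, "source IP not in allowlist"
    if not origin_allowed(origin):
        return False, "origin not in allowlist"
    return True, "ok"

def handle_token_request(remote_addr, origin, session_user, issue_token):
    """issue_token is a hypothetical callable wrapping your Ably SDK's
    token-request call; it only runs once every check has passed."""
    allowed, reason = decide(remote_addr, origin, session_user)
    if not allowed:
        return 403, {"error": reason}
    return 200, issue_token(client_id=session_user)
```

Because the session and IP checks run first, a forged or absent Origin header alone never yields a token.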