Skip to main content

IP Whitelist

IP whitelist is a feature to secure API traffic and access against foreign or malicious IPs by allowing only specific IP addresses or ranges of your choice to access Xendit APIs. Traffic coming from whitelisted IPs will be allowed, whereas traffic from non-whitelisted IPs will be rejected


IP Whitelist feature only works for API users through direct API integration and will not work for plugin users (Shopify, woocommerce, etc).


Only users who have Admin permission can access IP whitelist feature in Dashboard.


IP addresses can be whitelisted in IPv4 format and CIDR format. CIDR, which stands for Classless Inter-Domain Routing (CIDR), is a range of IP addresses a network uses. A CIDR address looks like a normal IP address, except that it ends with a slash followed by a number. The number after the slash represents the number of addresses in the range. Example of CIDR IP address in IPv4: This means the address range has 256 addresses after Learn more.

Add IP addresses

To add your IP address, visit IP Whitelist settings in Dashboard.


If there are no whitelisted IPs, Xendit will not validate any IPs from API requests.

Click the Add IP Address button, then add all the IP addresses you want to whitelist. You can add more than one IP address at a time by entering a new line for each IP address in the input box.

Delete IP addresses

When you need to remove any IPs from the whitelist, you can use the select the IP address you wish to delete, and click the Delete button on the top right corner.

Testing IP Whitelist

After you have whitelisted your server IPs, then the expected result is only the registered IP address(es) can access Xendit API. Hence, you can validate the behavior by hitting the Xendit API from the whitelisted IP and non-whitelisted IP, then see the result. You can validate by following these steps:

  1. Prepare the IP address location that you want to test. You can use your computer by finding out the IP address here.
  2. Prepare your API testing setup using Postman by following this instruction here or using your API call to Xendit API.

Example: You have whitelisted IP When you hit Create Invoice API using non-whitelisted IP address, then the result will be displayed as follow:

"message": "Your request from IP was rejected as it hasn't been whitelisted. Visit to check your account's whitelisted IPs"

When you create an API request, for example to Create Invoice API, if the request's IP address is in the list of IP whitelist, then the request IP is verified and API request will proceed as normally. Example a successful request to Create Invoice API using whitelisted IP

Was this page helpful?