ToRouter DocsAPI Keys
IP whitelist & blacklist (CIDR)
Restrict a ToRouter API key to known networks using CIDR rules. Supports IPv4 and IPv6.
Each key can carry an IP whitelist and an IP blacklist. Both accept CIDR ranges, one per line, IPv4 or IPv6.
How matching works
| Whitelist | Blacklist | Behaviour |
|---|---|---|
| empty | empty | Any source IP allowed |
| set | empty | Only IPs inside the whitelist allowed |
| empty | set | All IPs allowed except those in the blacklist |
| set | set | Must be in whitelist and not in blacklist |
The whitelist is deny-by-default once set — an unlisted IP gets 401.
CIDR examples
203.0.113.0/24
198.51.100.42/32
2001:db8::/32/32= a single IPv4 address/24= 256 IPv4 addresses (a typical office subnet)/128= a single IPv6 address0.0.0.0/0= everything (don't use this — leave the field empty instead)
Setting the rules
- Go to API Keys → click your key → Edit
- Paste CIDR ranges into IP whitelist or IP blacklist (newline-separated)
- Save
Changes apply on the next request — no cache to wait for.
Running behind a corporate proxy, VPN or serverless function? The source IP ToRouter sees is the egress IP of that hop, not your laptop. Check https://portal.torouter.ai from the same network to confirm.
When a request is blocked
You get 401 Unauthorized with a message like ip not allowed. The request is not billed. See Blocked key.