Brevo logs every IP address that tries to use your API keys. To protect your keys, Brevo can automatically block API requests from unknown IP addresses. You can also manually authorize trusted IP addresses to ensure they are never blocked.

Good to know

• Only account owners or users with the SMTP & API – Authorized IPs permission can manage this feature. This includes blocking unknown IP addresses and manually authorizing IP addresses. To learn more, check our dedicated article User permissions in Brevo.
• On an Enterprise plan with a New Admin account, admin users can authorize IP addresses directly from the Admin account and share them with their sub-organizations. To learn more, check our dedicated article New Admin account - Authorize and share IP addresses with your sub-organizations for API security.

Why block unknown IP addresses?

Blocking unknown IP addresses helps protect your API keys by:

• Preventing unauthorized access from unknown or suspicious IPs.
• Allowing API access only from trusted IP addresses you have used or approved.
• Detecting unusual behavior early, such as API calls from unexpected sources.

This adds an extra layer of security and helps you respond quickly to potential threats.

How blocking unknown IP addresses works

Brevo can automatically block API calls from IP addresses that are not authorized. This process happens in two phases, with an initial learning phase and an automatic blocking phase:

🟢 Phase 1: IPs are automatically authorized

When you first use an API key, Brevo automatically authorizes the IP addresses that make API calls. This "learning phase" means IP blocking is inactive, so you can set up and test your integration without restrictions.

🔐 Phase 2: Blocking is activated

If no new IPs are detected for 30 days, Brevo automatically:

• Activates the blocking of unknown IP addresses.
• Block all API calls from unknown IP addresses.
• Sends you an email notification with the blocked IP address and the API key used.

From the notification, you can:

• Authorize the IP address and add it to the Authorized IP addresses list.
• Deny authorization and rotate the API key if needed.
• Deactivate the automatic IP blocking to allow all IP addresses again.

Activate or deactivate blocking of unknown IP addresses

Activate blocking of unknown IP addresses

You can activate this feature if it is not already activated on your account.

1. Click the account dropdown and select Settings > Security > Authorized IPs.
2. If the status is Deactivated, click Activate blocking.
   

Once activated, API calls from unknown IP addresses are blocked. 

Each time an IP address is blocked, you receive an email notification and the blocked IP address is added to the Unauthorized IP addresses list. If you recognize and trust it, you can authorize the blocked IP address.

Deactivate the blocking of unknown IP addresses

If needed, you can deactivate the blocking of unknown IP addresses:

1. Go to the account dropdown and select Settings > Security > Authorized IPs.
2. If the status is Activated, click Deactivate blocking.
   
3. Click Deactivate blocking again to confirm.

Once deactivated, all IP addresses can make API calls using your API keys.

Manually authorize an IP address

You can manually authorize an IP address to ensure it is always allowed. This includes:

• A trusted IP address that you want to allow in advance
• A blocked IP address that was automatically blocked by Brevo

Manually authorize a trusted IP address

You can manually authorize IP addresses to ensure trusted sources are always allowed.

1. Go to the account dropdown and select Settings > Security > Authorized IPs.
2. Click Authorize IP address.
   
3. From the IP address format dropdown, select the format of the IP address you want to authorize:
   • IPv4
   • IPv4 range (CIDR format)
   • IPv6
   • IPv6 range (CIDR format)
4. Enter the IP address or IP address range you want to authorize.
5. Click Authorize IP address.
   

The IP address appears in your Authorized IP addresses list and will not be blocked.

Manually authorize a blocked IP address

You can authorize a blocked IP address if you recognize and trust it:

• Directly from the email notification, or
• From the Unauthorized IP addresses list.
  

Once authorized, the IP address can make API calls again.

Manually remove an authorized IP address

If an IP address is no longer in use or should no longer have access, you can manually remove it from your list of authorized IPs.

1. Go to the account dropdown and select Settings > Security > Authorized IPs.
2. From the Authorized IP addresses, select the IP address you want to remove. 
3. Click Delete.
   
4. Click Delete IP address to confirm.

The IP address will be removed from your list and will no longer be able to make API calls if the automatic IP blocking feature is active.

Best practices for API security

• Manually authorize trusted IP addresses in advance.
• Keep API keys secure and rotate them regularly.
• Monitor API usage for unusual patterns or errors.

🤔 Have a question?

If you have a question, feel free to contact our support team by creating a ticket from your account. If you don't have an account yet, you can contact us here.

If you’re looking for help with a project using Brevo, we can match you with the right certified Brevo Agency partner.