Skip to main content

Authorize IP addresses for API calls to improve security

Brevo filters attempt to make API calls on your account based on their IP address. This feature is helpful to secure your account and prevent malicious activity.

💡 Good to know
This feature is activated by default and can be disabled. To learn how to disable it, go to Option 3. Disable the IP address detection and authorization.

Why is controlling unknown IP addresses attempting API calls a good practice?

Having control over unknown IP addresses that attempt to make API calls on your account will improve security. Indeed, private data can be accessed this way and you may want to add an extra layer of security. You can do it in Brevo by authorizing a group of IPs to make your API calls.

💡 Good to know
Brevo allows you to use an API key and API calls to perform actions remotely like sending emails, SMS, and transactional emails. To learn more about API keys, check our dedicated article Create and manage your API keys.

What is an IP address?

Each time a user makes an API call on your account, their IP address is registered on the platform. An IP address is an address that identifies a device on the internet. In the context of Brevo, an IP address can identify the origin of the API call. Authorizing certain IP addresses allows you to make sure you know the origin of the API calls made on your account. IP addresses can be grouped into what we call "IP ranges".

Authorize IP addresses

Each time an API call is made, we register the IP address it comes from on the platform. You can then authorize or unauthorize the new IP address from the Authorized IPs section.

You have three possibilities for this: 

  • Option 1. Let Brevo's powerful algorithm authorize IP addresses and only review the ones that are suspicious (default behavior). 
  • Option 2. Manually authorize IP addresses and review all unknown IP addresses.
  • Option 3. Disable the Authorized IPs option and allow all IP addresses to make API calls.
❗️ Important
Only account owners can authorize new IP addresses. 

To access the Authorized IPs section, click the account dropdown > Security > Authorized IPs

Option 1. Automatically authorize IP addresses [by default] 

By default, this option is enabled on your account and is the quickest and safest way to secure who asks for API calls. Keep this option enabled if you want Brevo's powerful algorithm to automatically filter every unknown IP address trying to make API calls and authorize on your behalf the IP address we don't consider suspicious

If Brevo cannot automatically authorize an IP address, we send you an email. In the email, you get to directly:

  • Authorize the new IP address.
  • Unauthorize it and change the API Key.
  • Stop the review of IP addresses and authorize every new IP address.

➡️ Once an IP address is authorized, the IP address is added to the list of authorized IP addresses. 

Option 2. Authorize and review unknown IP addresses yourself

Choose this option if you want to authorize unknown IP addresses yourself: from a warning email or manually from Brevo. 

Every time an IP address that isn't in your authorized IP addresses list tries to make an API call, we will send you an email warning you about it. In the email, you get to directly:

  • Authorize the new IP address.
  • Unauthorize it and change the API Key.
  • Stop the review of IP addresses and authorize every new IP address. 

Manually authorize new IP addresses

Authorizing an IP address from an email we sent you is not the only way to do it. You can also manually authorize new IP addresses:

  1. Click Authorize new IP address
  2. Type the IP address or IP address range you want to authorize.
    💡 Good to know
    An IP address is structured as a sequence of 4 numbers separated by dots, with each number ranging from 0 to 255 (e.g., 118.29.251.24). An IP address range is a group of IP addresses (e.g., 192.168.0/16).
  3. Click Authorize new IP

Option 3. Disable the IP address detection and authorization

If you disable IP address authorization, every IP address that makes API calls on your account will be accepted. The next API calls made on your account will not be filtered and will be automatically accepted. The list of authorized IP addresses will also disappear.

Manually remove authorized IP addresses

As we saw earlier, when an IP address is authorized, it is added to the Authorized IPs page. From this page, you can manually remove an IP address:

  1. Go to the Authorized IPs page. 
  2. Select the IP address you want to exclude. 
  3. Click Remove this authorized IP address

The IP address has been removed and cannot perform API calls anymore. 

However, if the automatic authorization option is enabled and the IP address performs another API call, the removed IP address can be authorized again if it is considered trustworthy. Or you can receive a confirmation email again to authorize it.

🤔 Have a question?

If you have a question, feel free to contact our support team by creating a ticket from your account. If you don't have an account yet, you can contact us here.

💬 Was this article helpful?

3 out of 6 found this helpful