Search

Block unknown IP addresses for API security

Brevo logs every IP address that attempts to make API calls using your API keys. To help protect them, Brevo can automatically block API requests from unknown IP addresses.

Good to know

Only account owners or users with the SMTP & API - Authorized IPs permission can manage the blocking of unknown IP addresses or manually authorize IP addresses.

➡️ To learn more about user permissions, check our dedicated article User permissions in Brevo.

How does blocking unknown IP addresses work?

To help protect your API keys, Brevo can automatically block API calls from unknown IP addresses.

🟢 Initial phase: IPs are automatically authorized

When you first use an API key, Brevo automatically authorizes the IP addresses that make API calls with it. This "learning phase" means IP restriction is inactive, so you can set up and test freely.

🔐 After 30 days with no new IPs: Blocking is activated

If no new IPs are detected for 30 days, Brevo will automatically:

  • Activate the blocking of unknown IP addresses.

  • Block all API calls from unknown IP addresses.

  • Sends you an email notification with details about the blocked IP address and the API key that was used. 

You’ll then have the option to:

  • Authorize the unknown IP address and add it to your list of authorized IPs.

  • Deny authorization and rotate the API key if needed.

  • Deactivate the automatic IP review to allow all IPs again.

💡 Good to know
IPs automatically authorized by Brevo use a /24 subnet. For example, if the IP address is 192.168.1.25, Brevo will authorize the entire range from 192.168.1.0 to 192.168.1.255 (256 IPs).

Why block unknown IP addresses?

Blocking unknown IP addresses helps protect your API keys by:

  • Preventing unauthorized access from unknown or suspicious IPs.
  • Ensuring only trusted IP addresses that you’ve previously used or manually approved can access your API.
  • Detecting unusual behavior early, such as unexpected calls from unfamiliar sources.

This adds an extra layer of security to your API usage and helps you respond quickly to potential threats.

Activate or deactivate the blocking of unknown IP addresses

Activate the blocking of unknown IP addresses

You can activate the blocking of unknown IP addresses if it's not already enabled on your account. 

  1. Go to your account name and select Security > Authorized IPs.
  2. If you see the message "Blocking of unknown IP addresses used in API calls is deactivated", click Activate blocking of unknown IP addresses.
    account_ip-auth_activate-blocking_en-us.png

Once activated, any unknown IP addresses will be blocked from making API calls. You’ll receive an email notification whenever Brevo blocks an IP, giving you the option to authorize the IP or deny it and take action.

Deactivate the blocking of unknown IP addresses

❗️ Important
Deactivating the blocking of unknown IP addresses reduces the security of your API keys. Only do this if you're sure the API usage environment is fully controlled.

If needed, you can deactivate the blocking of unknown IP addresses:

  1. Go to your account name and select Security > Authorized IPs.
  2. Click Deactivate blocking.
    account_ip-auth_deactivate-blocking_en-us.png
  3. Click Deactivate blocking again to confirm.

The feature has been deactivated. All IPs can now make API calls with your API keys.

💡 Good to know

Your list of authorized IPs will be saved in case you choose to activate the feature again later.

Manually add or remove authorized IP addresses

Manually authorize IP addresses

To prevent trusted IP addresses from being blocked, you can manually add them to your list of authorized IPs. This ensures that API calls from these IPs are always allowed and enables Brevo to automatically review and block only unknown IP addresses.

  1. Go to your account name and select Security > Authorized IPs.
  2. Click Add authorized IP address.
    account_ip-auth_add-authorized-ip_en-us.png
  3. Enter the IP address or IP address range you want to authorize.
    💡 Good to know
    An IP address is a sequence of four numbers separated by dots (e.g., 118.29.251.24). An IP range defines a group of IPs, such as 192.168.0/16.
  4. Click Add authorized IP address.
    account_authorized-IPs_add2_en-us.png

The IP address will now appear in your list of authorized IPs and won't be blocked by the security feature.

Manually remove authorized IP addresses

If an IP address is no longer in use or should no longer have access, you can manually remove it from your list of authorized IPs.

  1. Go to your account name and select Security > Authorized IPs.
  2. Select the IP address you want to remove. 
  3. Click Delete this authorized IP address.
    account_authorized-IPs_delete_en-us.png
  4. Click Delete IP address to confirm.

The IP address will be removed from your list and will no longer be able to make API calls if the automatic IP blocking feature is active.

Best practices for API security

🤔 Have a question?

If you have a question, feel free to contact our support team by creating a ticket from your account. If you don't have an account yet, you can contact us here.

If you’re looking for help with a project using Brevo, we can match you with the right certified Brevo Agency partner.

💬 Was this article helpful?

14 out of 29 found this helpful