IP Whitelisting
IP whitelisting adds an extra layer of security to your partner integration by restricting API access to specific server IP addresses. When enabled, any request originating from a non-whitelisted IP will be rejected regardless of whether the signature is valid.
Why Use IP Whitelisting
IP whitelisting adds a second layer of defense on top of request signing:
- Prevent unauthorized access even if your private key is somehow compromised
- Restrict API usage to your infrastructure only โ no public access possible
- Reduce attack surface by blocking requests from unknown origins
- Meet compliance requirements that mandate network-level access controls
Applies to both environmentsIP whitelisting applies to both the production and sandbox environments. Submit the IPs relevant to each environment you operate in.
When Should You Enable It
| Scenario | Recommendation |
|---|---|
| Production integration | Strongly recommended |
| High-volume or high-risk partners | Required |
| Development and testing | Optional |
| Dynamic or serverless environments | Not recommended โ see deployment considerations |
Request Flow with Whitelisting Enabled
When IP whitelisting is configured, this is how every request is processed:
- Request reaches CoinMENA
- Source IP is checked against your registered whitelist
- If IP is not whitelisted โ request is rejected with
401 Unauthorized - If IP is whitelisted โ signature validation continues
- If signature is valid โ request is accepted
Connection to AuthenticationIP validation and signature validation are independent checks. A valid signature does not bypass IP whitelisting, and a whitelisted IP does not bypass signature validation. Both must pass.
What Gets Validated
CoinMENA checks the source IP of the incoming request against your registered whitelist. This check happens before or alongside signature validation.
- You can register multiple IPs โ requests are allowed if any registered IP matches
- There is no priority or ordering between whitelisted IPs โ any matching IP is accepted
- There is no limit on the number of IPs you can register
- The IP is taken from the request source before proxies, unless your setup is configured otherwise โ if you are using Cloudflare or another proxy, the source IP seen by CoinMENA may differ from your server IP
How to Request Whitelisting
To add or update your whitelisted IP addresses, send an email to [email protected] with:
- Your Partner ID
- The IP address or addresses you want whitelisted
- Whether this is a new addition or a full replacement of existing IPs
- The environment the IPs apply to (production, sandbox, or both)
Changing your server IP?Contact CoinMENA at [email protected] before the change takes effect to avoid service interruption.
How to Find Your Server Public IP
Make sure you submit your server's public IP, not your local machine IP.
curl ifconfig.meor
curl https://api.ipify.orgRun this from the server that will be making API calls, not from your local machine.
Deployment Considerations
Different infrastructure setups require different approaches:
| Setup | What to whitelist |
|---|---|
| Single server | The server's public IP |
| Multiple servers | All outbound IPs for each server |
| Load balancer | The outbound public IP of the load balancer (all requests will appear from this IP) |
| AWS / GCP / Azure | Use a static or elastic IP โ cloud IPs can change |
| Serverless (Lambda, Cloud Functions) | Not recommended โ IPs are dynamic and unpredictable |
| NAT Gateway | Whitelist the NAT Gateway's outbound IP |
Cloud environmentsIf you are running on AWS, GCP, or Azure, make sure to use a static or elastic IP address. Default cloud instance IPs can change on restart, which will cause intermittent
401failures.
What Happens If My IP Is Not Whitelisted
If your IP is not on the whitelist, the API returns:
{
"code": 401,
"msg": "Unauthorized"
}This response is identical to a signature failure (401 Unauthorized), so you must check both signature correctness and IP whitelisting when debugging.
- If your signature logic is correct but you are still getting
401โ check your IP - If you are on a new server or changed infrastructure โ your new IP likely needs to be whitelisted
- If you are getting intermittent
401errors โ your IP may be dynamic
Still stuck?If you have ruled out IP issues and still receive
401, the cause is likely signature-related. See the Authentication guide's troubleshooting section for a systematic debugging checklist.
Common Issues
| Issue | Cause | Fix |
|---|---|---|
Intermittent 401 errors | Dynamic IP changing between requests | Use a static IP |
Constant 401 after server migration | New server IP not whitelisted | Submit new IP to CoinMENA |
| Works locally but fails in production | Local machine IP whitelisted instead of server IP | Run curl ifconfig.me from your server |
| Works in test but fails in production | Different IPs for test and production environments | Whitelist both environments separately |
| Sudden failures after no code changes | Server IP changed (e.g. cloud restart) | Check current IP and update whitelist |
| Working behind a VPN | VPN may mask your server's outbound IP | Disable the VPN or whitelist the VPN's exit IP |
Debug TipIf you are unsure whether a
401is caused by a signature issue or an IP issue, temporarily disable IP whitelisting (if allowed by your account configuration) to isolate the problem to signature validation only. Re-enable whitelisting once your integration is stable.
Updated 2 days ago
| Next Step | Description |
|---|---|
| Authentication | Full breakdown of the signing algorithm, rules, and troubleshooting |
| Pagination | How to work with paginated list endpoints |
| Error Codes | Reference for every error the API returns |