The IP Allowlist lets you restrict which IP addresses can authenticate with the Smartling API using your account's API tokens. Once a rule is added, API token authentication is only accepted from IP addresses or CIDR ranges you've explicitly approved.
This adds a network-level layer of security to API access, on top of your API key credentials. It's commonly used to meet enterprise security policies and vendor security assessments that require restricting where API access can originate from, and it also limits the impact if an API key is ever leaked or compromised.
The IP Allowlist controls API token authentication only, across all API tokens on the account. It does not affect user logins to the Smartling Dashboard, including SSO and password logins.
Accessing the IP Allowlist
Account Owners can access the IP Allowlist by clicking the Account Settings menu, then, under Integrations, selecting IP Allowlist.
This opens the IP Allowlist page, where you can view, create, and manage allowlist rules, and review recent authentication activity for your account.
Creating an allowlist rule
-
From the Allowed IP addresses & ranges tab (the default view), click + Add rule.
-
In the Add rule dialog that opens, complete the following fields. A rule groups one or more IP addresses or CIDR ranges under a single, descriptive name.
- Rule name (required): a descriptive label for the rule, for example the office location, VPN, or service the IP addresses belong to (for example, Headquarters office).
- Description (optional): additional detail to help identify the rule later (for example, New York HQ, wired network).
-
IP addresses & ranges (required): one or more IP addresses or CIDR ranges this rule allows. Both IPv4 and IPv6 are supported.
- IPv4 example:
203.0.113.50/32 - IPv6 example:
2001:db8::/48 - Click the + icon to add additional IP addresses or ranges to the same rule.
- IPv4 example:
- Click Add rule to save it to your allowlist.
When the allowlist is empty, all IP addresses are permitted. As soon as you save your first rule, the allowlist becomes Enforced for the entire account: any API authentication request from an IP address not covered by an active rule is rejected. Add every IP address or range your integrations authenticate from before saving your first rule, to avoid unintentionally locking out active integrations.
Viewing your allowlist rules
The Allowed IP addresses & ranges tab lists all rules on your account, along with:
- A count of active rules, and an Enforced status badge once at least one rule exists
- Name / description of each rule
- Allowed IPs & ranges covered by the rule
- Last updated date and Updated by user
Managing allowlist rules
Click the ellipsis (โฆ) at the end of a rule's row to edit it, view its change history, or delete it.
- Edit: update the rule name, description, or IP addresses and ranges.
- View change history: opens the change history log, filtered to changes made to this rule.
- Delete: remove the rule from the allowlist. If you delete your last remaining rule, the allowlist is no longer enforced and all IP addresses are permitted again.
Before editing or deleting a rule, confirm the change won't unintentionally block an active integration that authenticates from that IP address or range.
Viewing recent authentication attempts
Click the Recent authentication attempts tab to see the most recent API authentication requests made against your account, including both successful and failed attempts.
This is useful for confirming a new rule is working as expected, or for investigating unexpected authentication failures after adding a rule.
Viewing change history
Click View change history from the IP Allowlist page to see an audit log of every change made to your allowlist rules, including rules that were added, updated, or removed.
Each entry in the change history log shows:
- Date & time of the change
- Action: Added, Updated, or Removed
- Name and rule UID of the affected rule
- Allowed IPs & ranges at the time of the change
- Changed by: the user who made the change
Use the filters on the left (Rule name, Rule UID, Action, and Changed by) to narrow down the log, for example to review only rules that were removed, or all changes made by a specific user.