6.4. IP Allowlisting for Magento 2 API endpoints

By default, this feature restricts access from third-party systems communicating with the Magento 2 API endpoints. It helps the merchant meet the GDPR principles.

The configuration blocks access to REST API endpoints that require authentication. Only the IP addresses defined in the allowed list are granted access.

The module supports IPv4 and IPv6.

Admin settings

The configuration can be found in Stores -> Configuration -> Services -> Magento Web API -> Web API Security


The PHP fnmatch function is used for IP matching, so * can be used to define groups of addresses.
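
How glob matching treats address patterns, as an added example that is not the module's own code: it assumes fnmatch() is called without flags, and isAllowed(), canonicalIp() and the sample patterns and addresses are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not the module's code: true when $ip matches any pattern.
// Assumes fnmatch() is called without flags, so '*' also matches '.' and ':'.
function isAllowed(string $ip, array $patterns): bool
{
    foreach ($patterns as $pattern) {
        if (fnmatch($pattern, $ip)) {
            return true;
        }
    }
    return false;
}

// Canonical text form of an address, so different IPv6 spellings compare equal.
function canonicalIp(string $ip): ?string
{
    $packed = @inet_pton($ip);
    return $packed === false ? null : inet_ntop($packed);
}

// Constructed sample data (documentation address ranges only).
$cases = [
    // [pattern, client address, note]
    ['192.0.2.*',   '192.0.2.17',            'intended group of addresses'],
    ['192.0.2.*',   '192.0.20.17',           'different third octet'],
    ['192.0.2*',    '192.0.20.17',           'missing dot: * swallows "0.17"'],
    ['192.0.2.1*',  '192.0.2.100',           'covers .1, .10-.19 and .100-.199'],
    ['2001:db8::1', '2001:db8::1',           'same spelling'],
    ['2001:db8::1', '2001:0db8:0:0:0:0:0:1', 'same host, different spelling'],
];

foreach ($cases as [$pattern, $ip, $note]) {
    // "raw" matches the address string as received; "canonical" normalises it first.
    printf(
        "%-12s %-22s raw=%-5s canonical=%-5s %s\n",
        $pattern,
        $ip,
        var_export(isAllowed($ip, [$pattern]), true),
        var_export(isAllowed(canonicalIp($ip) ?? '', [$pattern]), true),
        $note
    );
}
```

Because the match is on text rather than on network prefixes, a pattern should end with the separator before `*` (for example `192.0.2.*`), and an IPv6 entry only matches the spelling in which the client address is presented.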