Skip to main content

IP Allowlist

IP allowlisting restricts access to a Sealmetrics site (account) to a defined set of IP patterns, adding a network-level control on top of passwords and 2FA.

The allowlist is configured per site in the dashboard under Site Config → Settings → IP Allowlist, and is also available through the IP Allowlist API for automation.

info

IP Allowlist is a plan-gated feature (Enterprise). If your plan doesn't include it, the tab shows an upgrade notice instead of the configuration controls.

What Is IP Allowlisting?

When an account's allowlist is enabled, requests from an IP that doesn't match any active pattern are rejected — even with valid credentials. When the allowlist is disabled, the account is reachable from any IP.

Request to an account

Allowlist enabled? ──No──► Allow
│ Yes
IP matches an active pattern? ──No──► Block
│ Yes
Allow

If a user belongs to several accounts, login filters the accounts they can reach from their current IP: accounts whose allowlist blocks the IP are dropped, while accounts without an active allowlist remain available.

Settings

Each site's allowlist has these settings:

SettingDefaultDescription
is_enabledfalseWhether the allowlist is enforced for the site
enforce_for_dashboardtrueApply the IP check to dashboard / JWT authentication
enforce_for_api_tokenstrueApply the IP check to API token authentication

In the dashboard, the IP Allowlist tab exposes the Enable IP Allowlist toggle (is_enabled) and the list of patterns. The enforce_for_dashboard and enforce_for_api_tokens flags default to enabled and can be adjusted through the API — for example, to enforce the allowlist for dashboard logins while leaving API token access unrestricted, or vice versa.

Pattern Types

Each entry in the allowlist is a pattern with one of three types:

TypeExampleMatches
ip192.168.1.100, 2001:db8::1One exact IPv4 or IPv6 address
cidr192.168.1.0/24, 10.0.0.0/8All addresses in a CIDR range
regex^192\.168\..*Any address matching the regular expression

Each pattern can also carry an optional label (e.g. "Office Network") and description, and can be toggled active or inactive.

Typical Setup

  1. Go to Site Config → Settings → IP Allowlist.
  2. Add your patterns first with Add IP Pattern — every IP, CIDR range, or regex you need, including your current IP and any VPN exit IPs. Each pattern can have a label.
  3. Enable the allowlist with the Enable IP Allowlist toggle.
warning

Enabling enforcement without a pattern that matches your own connection can lock you out of the site. The dashboard warns you to add your current IP before enabling — always confirm it's covered first.

Examples

Office network and a static home IP

Office network (CIDR):  192.168.1.0/24   label: "Office"
VPN range (CIDR): 203.0.113.0/28 label: "VPN"
CEO home (IP): 83.45.123.78 label: "CEO Home"

Dynamic IPs

If your ISP assigns dynamic addresses, prefer a CIDR range that covers the pool, or route through a VPN with a static exit IP and allowlist that. A broad regex pattern is also possible but harder to reason about — use it sparingly.

When Access Is Blocked

A blocked login is rejected with an "IP not allowed" error. Access attempts (granted and denied) are recorded with the IP address, authentication type (dashboard or API token), and which pattern matched, so you can review them via the API.

There is no in-product "request access" workflow or self-serve admin bypass. If you lock yourself out, connect from an already-allowed network (office or VPN), have a teammate with access add your IP, or contact support to disable enforcement.

Best Practices

  • ✅ Add and verify your current IP before enabling enforcement
  • ✅ Include VPN exit IPs (the public exit IP, not the internal VPN address)
  • ✅ Use CIDR ranges for office networks instead of listing each address
  • ✅ Label each pattern so its purpose is clear
  • ✅ Review the allowlist periodically and remove patterns you no longer need
  • ❌ Don't enable enforcement with no matching pattern for your own connection
  • ❌ Don't use overly broad ranges that defeat the purpose

Troubleshooting

Locked out

  1. Connect from an already-allowed location (office, VPN)
  2. Ask a teammate with access to add your IP
  3. Contact support to disable enforcement, then re-add your IP

Can't access from VPN

  1. Confirm you're allowlisting the VPN exit IP, not the internal VPN address
  2. Find the exit IP with curl ifconfig.me
  3. Add that IP (or its CIDR range) to the allowlist