IP Allowlist
Restrict vault access to specific IP addresses and CIDR ranges.
IP allowlisting restricts machine access to your vault based on the source IP address of each request. When enabled, any machine request from an IP not on the allowlist is rejected with a generic "Access denied" response before authentication is even attempted.
This is a paid feature available on Pro and Enterprise plans.
How It Works
- Enable IP allowlisting in the dashboard under IP Allowlist
- Add the IP addresses or CIDR ranges your machines connect from
- Machine requests from IPs not on the list are rejected immediately
The allowlist is checked as the first step in every machine request, before signature verification, nonce tracking, or any database queries. A rejected request reveals nothing about the vault, the machine, or the reason for rejection.
What It Protects Against
SikkerKey already authenticates every request with Ed25519 signatures. IP allowlisting adds a network-level restriction on top of that. Even if a machine's private key is compromised, the attacker cannot use it unless they are also on an allowed network.
This is meaningful in environments where:
- Machines run in a known VPC or office network with a static IP range
- Compliance requires network-level access controls (SOC 2, PCI-DSS)
- You want a compromised machine key to be usable only from hosts on the allowed network
Enabling
Navigate to IP Allowlist in the dashboard sidebar under the Vault section.
Click Enable to activate the allowlist. If no IPs have been added yet, a confirmation dialog warns that enabling with an empty list will block all machine requests.
An empty allowlist blocks everything. This is intentional. There is no grace period and no fallback. If you enable the allowlist without adding your machines' IPs, those machines are immediately blocked.
Adding IPs
Click the + button to open the add dialog. Enter an IP address or CIDR range:
| Input | What it matches |
|---|---|
| 203.0.113.50 | A single IPv4 address |
| 10.0.0.0/8 | An IPv4 CIDR range (10.x.x.x) |
| 192.168.1.0/24 | A /24 subnet (192.168.1.0 - 192.168.1.255) |
| 2001:db8::1 | A single IPv6 address |
| 2001:db8::/32 | An IPv6 CIDR range |
Each entry has an optional label (e.g. "Office", "AWS us-east-1", "CI/CD runners") for identification. Labels can be edited by clicking them in the table.
Managing Entries
The allowlist table supports:
- Search by IP or label
- Sort by IP, label, or date added
- Bulk select for removing multiple entries at once
- Inline label editing by clicking the label text
- Pagination for large lists
Disabling
Click Disable to turn off the allowlist. Your entries are preserved but the check is no longer enforced. Machine requests from any IP will be accepted (subject to normal Ed25519 authentication).
You can always disable the allowlist, even if your plan changes.
How Blocked Requests Are Handled
A request from an IP not on the allowlist is rejected immediately, before any other authentication steps run. The response is a generic "Access denied" -- identical to any other denied request. No information about the vault, the machine, or the reason for rejection is revealed.
IPv4 and IPv6
Both are fully supported. An IPv4 entry only matches IPv4 requests and vice versa. There is no cross-family matching.
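The following is an added example, not SikkerKey's own code, that models the checking rules described in How It Works, Enabling, Adding IPs and IPv4 and IPv6 above: the allowlist is evaluated before signature verification, an enabled-but-empty list blocks every request, single addresses and CIDR ranges both match, and an IPv4 entry never matches an IPv6 request (including IPv4-mapped IPv6 addresses). The function names `parse_allowlist`, `is_allowed` and `handle_machine_request`, the sample entries and the `verify_signature` callback are assumptions made for the example; only Python's standard `ipaddress` module is used.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Hypothetical representation of the dashboard entries: (ip-or-cidr, label).
# Not SikkerKey's data model; constructed for this example.
def parse_allowlist(entries: Iterable[Tuple[str, str]]) -> List[Tuple[Network, str]]:
    """Parse allowlist entries once, so the per-request check does no string work.

    A bare address such as "203.0.113.50" becomes a /32 (or /128) network.
    strict=False normalises host bits, so "10.0.0.1/8" is stored as 10.0.0.0/8.
    """
    parsed: List[Tuple[Network, str]] = []
    for raw, label in entries:
        parsed.append((ipaddress.ip_network(raw, strict=False), label))
    return parsed


def is_allowed(source_ip: str, allowlist: List[Tuple[Network, str]], enabled: bool = True) -> bool:
    """Return True if the request's source IP may proceed to authentication."""
    if not enabled:
        return True  # disabled: entries are kept but not enforced
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparsable source address: deny, never guess
    # An enabled, empty list blocks everything: the loop below never matches.
    for net, _label in allowlist:
        # No cross-family matching: an IPv4 entry does not match an IPv6 request,
        # even an IPv4-mapped one such as ::ffff:203.0.113.50.
        if addr.version != net.version:
            continue
        if addr in net:
            return True
    return False


def handle_machine_request(
    source_ip: str,
    allowlist: List[Tuple[Network, str]],
    enabled: bool,
    verify_signature: Callable[[], bool],
) -> Dict[str, object]:
    """Order of checks: allowlist first, then Ed25519 signature verification.

    Both rejections return the same generic response, so a blocked caller
    learns nothing about the vault, the machine, or why it was denied.
    """
    denied = {"status": 403, "body": "Access denied"}
    if not is_allowed(source_ip, allowlist, enabled):
        return denied  # rejected before any signature or database work
    if not verify_signature():
        return denied  # identical response for a bad signature
    return {"status": 200, "body": "ok"}


if __name__ == "__main__":
    # Constructed sample entries mirroring the table in Adding IPs.
    sample = parse_allowlist([
        ("203.0.113.50", "Office"),
        ("10.0.0.0/8", "VPC"),
        ("192.168.1.0/24", "Lab"),
        ("2001:db8::1", "IPv6 host"),
        ("2001:db8::/32", "IPv6 range"),
    ])
    for ip in ("203.0.113.50", "10.200.3.4", "::ffff:203.0.113.50", "2001:db9::1"):
        print(ip, "->", "allowed" if is_allowed(ip, sample) else "denied")
```

The explicit `addr.version != net.version` test is redundant with `ipaddress`'s own containment rules but documents the no-cross-family policy where a reviewer will look for it. Keeping `verify_signature` as a callback makes the ordering testable: a denied request must never invoke it.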
Plan Availability
| Plan | IP Allowlist |
|---|---|
| Free | Not available |
| Pro | Available |
| Enterprise | Available |
Free plan users can see the IP Allowlist page in the dashboard but cannot enable it. Attempting to enable or add entries shows an upgrade prompt.
Audit Trail
All allowlist management actions are recorded in the audit log:
| Action | When it fires |
|---|---|
| ip_allowlist_enable | IP allowlisting was enabled |
| ip_allowlist_disable | IP allowlisting was disabled |
| ip_allowlist_add | An IP or CIDR was added to the allowlist |
| ip_allowlist_remove | An IP or CIDR was removed (single or bulk) |