In order to mitigate the risk of misuse, usage of your API Key can be controlled in the following ways:
For each of the above mitigations, keep in mind whether you intend to create a frontend or backend integration.
We can check the `Origin` headers of inbound HTTP requests against a whitelist of URLs provided by you.
Each API Key has a configurable list of URLs, accessible via your dashboard.
This only works for frontend integrations where the client is a web browser. Should you wish to work in a non-browser environment, the headers may be unset. In such a scenario, you may wish to create a separate API key for staging/development.
URL matching will behave differently depending on whether it's prefixed with the protocol type (
`https://` will look for matches which start with that string, e.g.
`https://foo.com` will match both
`http[s]://` will look for positive substring matches, e.g.
`foo.com/bar` will match both
| Limit | Description |
|---|---|
| Daily | Limits the number of requests made on your API key per day. Limit is reset at midnight. Email is sent to the notification list when 90% or 100% of the cap is reached. |
| Individual | Limits the number of requests made on your API key from a specific IP address. Limit is reset for each IP address at midnight. |
Each API Key can be configured with a hard limit amounting to the total number of allowed lookups per day.
The API Key notification list will be emailed when you reach 90% and 100% of this cap.
This can be used in both frontend and backend integrations.
Each API Key can limit the number of lookups an individual IP address can make in a day.
This can be used in both frontend and backend integrations. However, backend integrations require IP address forwarding to be enabled.
For backend integrations you can also enable a per IP address daily limit on your API key if you forward your user's IP address to us using the custom request header `IDPC-Source-IP`.
Following a successful forward, your response will also contain an `IDPC-Source-IP` header carrying the rate limited IP address.
Malformed IP addresses passed with the `IDPC-Source-IP` header will result in a `400` response code.
If IP Address Forwarding is enabled, but no `IDPC-Source-IP` header is provided, then the original IP address will be limited.
IP Address Forwarding should not be permitted for client-side integrations as this would circumvent daily rate limiting.
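A backend-side sketch of the forwarding rules above, added here as an example and not the API provider's own code. The function names are hypothetical, `peer_ip` is assumed to be the address your server itself observed for the end user's connection, and the sample addresses in the comments are constructed.

```python
import ipaddress

SOURCE_IP_HEADER = "IDPC-Source-IP"  # header name as given on this page


def normalise_ip(value):
    """Return the canonical text form of an IPv4/IPv6 address, or None."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except (AttributeError, ValueError):
        return None


def forwarding_headers(peer_ip):
    """Build the header that forwards the end user's IP address.

    peer_ip must come from the server's own view of the connection
    (assumption of this example), never from a value the client supplied,
    otherwise the client chooses which address the limit is counted against.
    """
    ip = normalise_ip(peer_ip)
    if ip is None:
        # A malformed value would be answered with a 400. Omitting the
        # header instead means the backend's own address is limited.
        return {}
    return {SOURCE_IP_HEADER: ip}


def forward_confirmed(sent_headers, response_headers):
    """True when the response echoes the IP address that was forwarded."""
    sent = sent_headers.get(SOURCE_IP_HEADER)
    echoed = next(
        (v for k, v in response_headers.items()
         if k.lower() == SOURCE_IP_HEADER.lower()),
        None,
    )
    return sent is not None and normalise_ip(echoed) == sent


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    sent = forwarding_headers("203.0.113.7")
    print(sent)
    print(forwarding_headers("203.0.113.7, 10.0.0.1"))  # not a single address
    print(forward_confirmed(sent, {"idpc-source-ip": "203.0.113.7"}))
```
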