IPinfo's token security feature restricts API token usage to specific domains or IP addresses. This helps such that even if a token is exposed, requests from unauthorized sources will be rejected and not counted towards your usage.
To configure these restrictions, visit the API token page.
Frontend Implementations
For frontend code, whitelist (allowlist) the domains that will make API requests. Browsers automatically include a referrer header with each request, which IPinfo uses to verify the request origin against the allowed domains.
Backend Implementations
For backend code, whitelist (allowlist) the server's IP address or domain name. If using a domain name, include the referrer header in API requests. Without it, IPinfo can't determine the request origin, and requests won't succeed.
Example header:
Referer: https://yourdomain.com
Troubleshooting
If API requests are failing after enabling token restrictions, check the following:
- The requesting domain or IP address is added to the allowlist on the API token page.
- For backend requests using a domain name restriction, the referrer header is included in each request.