# IP whitelisting

IP Whitelisting adds an additional security layer by allowing API access only from trusted server IP addresses configured on your KwikPaisa merchant account.

When IP Whitelisting is enabled:

* Only approved server IPs can access production APIs
* Unauthorized requests are automatically blocked
* API security is significantly improved

IP Whitelisting is strongly recommended for all production merchants handling payments and payouts.

***

## Why IP Whitelisting is Important

IP Whitelisting helps protect against:

* Unauthorized API access
* Credential misuse
* Malicious API requests
* Unauthorized payout attempts
* External attack vectors

Even if API credentials are compromised, requests from unapproved IP addresses will be rejected.

***

## How IP Whitelisting Works

When a request reaches the KwikPaisa infrastructure:

1. The source server IP is validated
2. The IP is matched against approved merchant IPs
3. Requests from approved IPs are processed
4. Requests from unapproved IPs are blocked automatically

***

## Recommended Use Cases

IP Whitelisting is highly recommended for:

* Production payment systems
* Payout processing systems
* Banking integrations
* Financial reconciliation systems
* Backend transaction services

***

## Recommended Server Types

Whitelist only trusted backend infrastructure such as:

* Dedicated servers
* Cloud application servers
* Secure API gateways
* Production backend systems
* VPN-restricted infrastructure

Avoid whitelisting:

* Personal devices
* Dynamic residential IPs
* Public networks
* Development machines

***

## Example Production Request Headers

```http
Content-Type: application/json
Accept: application/json
X-API-KEY: pk_live_xxxxxxxxx
X-SIGNATURE: GENERATED_SIGNATURE
X-TIMESTAMP: GENERATED_TIMESTAMP
```

***

## Supported IP Types

KwikPaisa supports:

* IPv4 addresses
* Static public IPs
* Dedicated cloud server IPs

Example:

```text
103.21.244.15
```

***

## Multiple IP Support

Merchants may whitelist multiple IP addresses for:

* Load-balanced infrastructure
* Multi-server deployments
* Backup production systems
* Disaster recovery environments

***

## Environment Separation

Sandbox and production environments may use different IP configurations.

Ensure:

* Production IPs are whitelisted separately
* Sandbox testing IPs are configured correctly
* Environment credentials are not mixed

***

## IP Change Management

If your production server IP changes:

1. Contact KwikPaisa support
2. Submit updated IP addresses
3. Wait for confirmation before sending production traffic

Requests from unapproved IPs may fail immediately.
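
A merchant-side pre-flight check for the IP inventory you submit to support, as an added example (not KwikPaisa's code): it keeps only single public IPv4 addresses and confirms that the egress address your server presents is in the approved set. The function names and sample entries are constructed, and rejecting ranges is an assumption based on the single-address example in Supported IP Types.

```python
import ipaddress


def validate_inventory(candidates):
    """Return (accepted IPv4 addresses, {entry: rejection reason})."""
    accepted, rejected = set(), {}
    for raw in candidates:
        entry = raw.strip()
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            # Assumption: only single addresses are submitted, not CIDR ranges.
            rejected[entry] = "not a single IP address"
            continue
        if ip.version != 4:
            rejected[entry] = "not IPv4"
        elif not ip.is_global:
            # Private, loopback, link-local and carrier-grade NAT space.
            rejected[entry] = "not a public address"
        else:
            accepted.add(ip)
    return accepted, rejected


def egress_is_approved(observed_egress, approved):
    """True only if the address the provider will see is in the approved set."""
    try:
        ip = ipaddress.ip_address(observed_egress.strip())
    except ValueError:
        return False
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip in approved


# Constructed sample inventory; 103.21.244.15 is the page's example address.
SAMPLE_INVENTORY = [
    "103.21.244.15",
    " 103.21.244.16 ",   # stray whitespace from a spreadsheet export
    "10.0.0.5",          # internal address of the app server
    "100.64.0.10",       # carrier-grade NAT address
    "103.21.244.0/24",   # range rather than a single address
    "2001:db8::1",       # IPv6
]

if __name__ == "__main__":
    approved, problems = validate_inventory(SAMPLE_INVENTORY)
    print("submit:", sorted(str(ip) for ip in approved))
    for entry, reason in problems.items():
        print(f"fix before submitting: {entry} ({reason})")
    print("egress approved:", egress_is_approved("::ffff:103.21.244.15", approved))
```

Pass the address your server is actually seen from (the load balancer or NAT gateway address, not the host's internal interface) as `observed_egress`.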

***

## Example Access Failure

If a request originates from a non-whitelisted IP:

```json
{
  "status": false,
  "code": 403,
  "message": "IP address is not whitelisted."
}
```

***

## Common Reasons for IP Rejection

Possible reasons:

* Incorrect production IP
* Dynamic IP changes
* Load balancer IP mismatch
* Cloud infrastructure migration
* Environment configuration issues

***

## Security Recommendations

* Use static public IPs only
* Restrict API access to backend servers
* Rotate credentials periodically
* Combine IP Whitelisting with webhook verification
* Monitor unauthorized access attempts

***

## Best Practices

* Maintain updated IP records
* Whitelist backup infrastructure carefully
* Review IP access regularly
* Remove unused IPs immediately
* Avoid exposing production APIs publicly

***

## Operational Recommendations

Merchants should maintain:

* IP inventory records
* Infrastructure documentation
* Backup IP procedures
* Emergency access escalation workflows

***

## Important Notes

* IP Whitelisting is a production security feature
* Whitelisting does not replace signature verification
* All API requests must still include valid authentication headers
* Requests from blocked IPs will not reach transaction processing systems

***

## Recommended Security Stack

KwikPaisa recommends combining:

* IP Whitelisting
* HMAC SHA256 signatures
* HTTPS-only communication
* Webhook verification
* Replay attack protection
* Secure credential storage

for maximum production security.

***

## Geo-Restricted IP Access

For additional compliance and fraud prevention, KwikPaisa may enforce geo-restricted API access for payout services.

This means payout APIs should generally be accessed only from server infrastructure located in the same country as the registered merchant entity.

Example:

* Indian merchants should use Indian server infrastructure
* UAE merchants should use UAE-hosted infrastructure
* UK merchants should use UK-hosted infrastructure

***

## Why Geo Restrictions are Important

Geo-restricted access helps:

* Prevent unauthorized international payout activity
* Reduce fraud risks
* Improve regulatory compliance
* Enhance banking security controls
* Protect merchant payout infrastructure

***

## Example

If a merchant account is registered in India:

✅ Recommended:

* India-based cloud servers
* India-hosted backend infrastructure
* Indian static public IP addresses

❌ Not Recommended:

* Foreign VPS servers
* International proxy routing
* Dynamic overseas infrastructure

***

## Supported Infrastructure

Recommended hosting providers:

* AWS India
* Google Cloud India
* Azure India
* Indian dedicated server providers
* Secure India-based VPS infrastructure

***

## Important Notes

* Geo validation may apply only to payout APIs
* Payment Gateway APIs may have different restrictions
* Cross-border payout enablement may require additional approval
* Certain international payout corridors may support global infrastructure separately

***

## Compliance Recommendations

Merchants should:

* Use static public IPs
* Host payout systems in the merchant operating country
* Avoid routing payout APIs through VPNs or proxies
* Maintain infrastructure compliance documentation

***

## Security Recommendations

KwikPaisa recommends combining:

* Geo-restricted IP access
* IP whitelisting
* HMAC SHA256 signatures
* HTTPS-only communication
* Webhook verification

for maximum payout security.


