IP allow list enables account access to be restricted to specific IP addresses or IP ranges. This feature is available to Enterprise customers only. When enabled, only requests from approved IP addresses can access the account. All other requests are blocked. This helps enhance security compliance and enforce network-level access controls. This feature is configured at the account level and applies to all users in the account.Documentation Index
Fetch the complete documentation index at: https://docs.maia.ai/llms.txt
Use this file to discover all available pages before exploring further.
Prerequisites
To manage the IP allow list, you must have the Manage IP Allow List permission. For more information, read Account roles.Add an IP address to the allow list
- Open the Profile & Account menu in the bottom left corner.
- Select IP Allow List.
- Click Add IP Address.
- Enter a valid IP address or CIDR range.
- (Optional) Add a description to help identify the entry.
- Click Save.
Hybrid SaaS considerations
If you use Hybrid SaaS and call the public API from your own infrastructure, you must also add your ‘s outbound IP address or range to the allow list. Depending on your network configuration, this may include one or more of the following:- NAT gateway addresses.
- Proxy server addresses.
- Public IP address ranges of your cloud provider.
Supported IP address formats
Both IPv4 and IPv6 formats are supported. IPv4 examples:- Single IP address:
203.0.113.45 - CIDR range:
203.0.113.0/24
- Single IP address:
2001:db8::1 - CIDR range:
2001:db8::/32
CIDR notation explained
CIDR (Classless Inter-Domain Routing) notation defines a range of IP addresses.-
Single IPv4 address: Use
/32 -
Example:
203.0.113.45/32 -
Single IPv6 address: Use
/128 -
Example:
2001:db8::1/128 -
Range examples:
/24(IPv4) allows 256 addresses./16(IPv4) allows 65,536 addresses.
Not supported
The following formats can’t be allowlisted:- Private IP ranges:
10.0.0.0/8172.16.0.0/12 → 172.31.0.0/12192.168.0.0/16100.64.0.0/10(carrier-grade NAT)fc00::/7(IPv6 unique local)fec0::/10(IPv6 site-local, deprecated)
- Loopback addresses:
127.0.0.0/8::1
- Special purpose addresses:
169.254.0.0/16/fe80::/10(link-local)224.0.0.0/4/ff00::/8(multicast)0.0.0.0/8/::/128(unspecified)255.255.255.255(broadcast)
- Wildcard notation (e.g.,
203.0.*.*) - Dash-separated ranges (e.g.,
203.0.113.1-203.0.113.20)
Managing the IP allow list
After adding entries, you can:- Enable or disable individual IPs using the options menu (three dots) on the right-hand side.
- Delete IP addresses and ranges.
- Search by IP address, CIDR range, or description.
What happens when restrictions are enabled?
When IP restrictions are enabled:- Only requests from allowed IP addresses can access the account (UI and API).
- All other requests are denied with a 403 Forbidden error.
- Changes may take up to 15 minutes to propagate across all systems.
Troubleshooting
If you are unable to access your account after enabling IP restrictions:- Contact support by raising a support ticket. Support can:
- Temporarily disable IP restrictions to restore access.
- Add your current IP address to the allow list.
Changes not taking effect?
Allow up to 15 minutes for changes to propagate.Unable to add IP address?
Verify that:- The IP address is valid IPv4 or IPv6 with optional CIDR notation that is correctly formatted.
- The address is not in a private IP range.
- No wildcard or dash ranges are used.