IP Blacklist

The IP blacklist policy can control whether a list or range of IP addresses can access and interact with a configured API endpoint.


Configuring and applying policies are API management tasks. You need to be a member of the Organization Administrators or API Versions Owner role for the API version that you want to manage.

Blacklisting IP addresses to access your API endpoint

There are currently two options to blacklist addresses for your API:

Option 1: Blacklist access based on the IP address of the request

To blacklist a list of IP addresses, specify them in the blacklist section of this dialog:


All specified addresses are blacklisted to access and interact with your API.

You can specify an address or a range or addresses in the following ways:

  • Define a specific IP address by enumerating it in the white space. For example,

  • Define a subset of addresses by identifying a subnet mask. For example, will include the consolidated range: -

  • Define a whole range of IP addresses by stating the relevant octets of the IP address you want to permit. For example, setting 192.168 will include IP addresses from to

Option 2: Blacklist access based on the origin IP address of the x-Forwarded-For header

If the client connects to your API through an HTTP proxy or a load-balancer, you can blacklist the client’s specific IP (the IP originating the request) instead of the address that will appear in the request. For example: Suppose you want to blacklist, the address of a client connecting through an HTTP proxy whose address is The client requests appear with this public address. Typically, applications use the 'X-Forwarded-For' header to identify the origin IP addresses of a request that was redirected to your endpoint.

You can use a Mule expression to instruct the service to look for the IP address in the 'x-Forwarded-For' header:


Insert the IP address in the IP expression field:


This instructs API Platform to look at the first IP address that ranks in the concatenated values of the 'x-Forwarded-For' header of the request.