IP Address Restrictions for Application API Key

[TheCyberDesk]

Feature Request: IP Address Restrictions for Application API Keys

Problem Statement

Currently, application API keys have full access to the Panel API without any IP-based restrictions. This creates a security concern, especially for admin-level API tokens that have broad permissions across the entire panel.

If an API key is compromised (leaked in logs, exposed in a compromised system, etc.), there's no way to limit from where that key can be used. An attacker could use the token from anywhere in the world.

Proposed Solution

Add the ability to configure allowed IP addresses or CIDR ranges for each application API key. This would work similarly to how many services (AWS, Cloudflare, etc.) allow IP restrictions on API tokens.

Implementation Ideas

When creating or editing an application API key, add a field for "Allowed IP Addresses" where administrators can specify:

• Individual IP addresses (e.g., 203.0.113.5)
• CIDR ranges (e.g., 203.0.113.0/24)
• Multiple entries (comma or newline separated)
• Optional: Leave blank for "any IP" (current behavior)

The Panel would then validate incoming API requests and reject any that don't originate from the configured IP ranges with a 403 Forbidden response.

Use Cases

1. Admin API keys used in automation scripts - Restrict to specific server IPs where scripts run
2. Integration with external billing systems - Lock keys to the billing server's IP only
3. Development vs Production keys - Different IP restrictions for different environments
4. Third-party integrations - Limit access to vendor IP ranges

Benefits

• Defense in depth: Even if a key leaks, it's useless outside allowed networks
• Compliance: Helps meet security requirements for hosting providers
• Audit capability: Combined with server logs, makes it easier to track legitimate vs suspicious API usage
• Zero trust approach: Aligns with modern security practices

Additional Considerations

• This would be purely optional to maintain backward compatibility
• Could display the requesting IP in the activity log for easier debugging
• Consider supporting IPv6 CIDR ranges as well as IPv4

Would love to hear thoughts from the maintainers and community on this. Happy to provide additional context or use cases if helpful.