# IP ACL

> Restrict access to your Kadoa workspace to a trusted set of IP addresses.

## Overview

IP ACL (IP Access Control List) restricts access to your Kadoa workspace so that
authenticated requests are only accepted from IP addresses you trust. Once
enabled, a request carrying a valid session or API key is still rejected if it
does not originate from an allowed address.

IP ACL applies across the API, the custom services API, and the realtime and
event streams, so the same trusted set of addresses governs every way your team
connects to Kadoa.

<Card title="Enterprise feature" icon="building">
  IP ACL is available on the Enterprise plan and can be managed by team Admins
  and Owners.
</Card>

## How it works

The list holds one or more IPv4 addresses or CIDR ranges. A single address such
as `203.0.113.10` covers one host; a range such as `203.0.113.0/24` covers a
whole subnet. Add the public egress addresses your team and integrations connect
from — your office network, VPN, or a static NAT gateway.

IP ACL is scoped to your organization, so a single list protects every team in
your workspace.

## Modes

You control enforcement with a three-way switch in the dashboard:

| Mode         | Behavior                                                                                                                                            |
| ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Disabled** | IP ACL is inactive. All authenticated requests are accepted.                                                                                        |
| **Audit**    | Requests are never blocked, but any request that would be denied is recorded in your Activity log. Use this to validate your list before enforcing. |
| **Enabled**  | Requests from addresses not on the list are rejected.                                                                                               |

We recommend starting in **Audit** mode. Let your team work normally for a day
or two, review the Activity log for any would-be denials, add any missing
addresses, and then switch to **Enabled**.

## Setting it up

1. Go to **Settings → IP ACL** in the dashboard.
2. Add the IP addresses or CIDR ranges your team connects from. The current IP
   you are connecting from is shown so you can confirm it is covered.
3. Choose a mode. To prevent accidental lockout, you cannot switch to
   **Enabled** unless your current IP is already on the list.
4. Save.

<Card title="Avoid locking yourself out" icon="lock">
  Kadoa will not let you enable enforcement, or remove the last entry covering
  your own address, if doing so would block your current connection. You can
  still prune a redundant entry as long as another entry still covers your IP.
  If you do get locked out, contact [support@kadoa.com](mailto:support@kadoa.com)
  to restore access.
</Card>
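
The following added example is not Kadoa's code and calls no Kadoa API: it is a local Python model of the rules described on this page (IPv4 address or CIDR entries, the three modes, and the lockout guard) that you can run against a draft list before switching to **Enabled**. The addresses, function names, and mode strings are constructed for illustration.

```python
import ipaddress

def parse_entry(entry):
    """One list entry: a single IPv4 address or an IPv4 CIDR range."""
    # strict=True rejects host bits (e.g. 203.0.113.10/24); a local lint choice.
    net = ipaddress.ip_network(entry.strip(), strict=True)
    if net.version != 4:
        raise ValueError(f"IPv6 is not supported: {entry}")
    return net

def covering(entries, ip):
    """Entries whose range contains the source address ip."""
    addr = ipaddress.ip_address(ip)
    return [e for e in entries if addr in parse_entry(e)]

def decide(mode, entries, ip):
    """Outcome per mode; the mode strings are names assumed for this example."""
    if mode == "disabled" or covering(entries, ip):
        return "allow"
    return "allow+log" if mode == "audit" else "deny"

def uncovered(entries, observed_ips):
    """Observed source IPs that would be denied once the mode is Enabled."""
    return sorted({ip for ip in observed_ips if not covering(entries, ip)})

def removal_keeps_access(entries, entry, current_ip):
    """Lockout check: does another entry still cover current_ip?"""
    remaining = [e for e in entries if e != entry]
    return bool(covering(remaining, current_ip))

# Constructed sample data (documentation address ranges, not real hosts).
DRAFT_LIST = ["203.0.113.0/24", "203.0.113.10", "198.51.100.7"]
OBSERVED = ["203.0.113.10", "198.51.100.7", "192.0.2.44", "203.0.113.200"]

if __name__ == "__main__":
    me = "203.0.113.10"
    print("safe to enable from", me, ":", bool(covering(DRAFT_LIST, me)))
    print("missing from list:", uncovered(DRAFT_LIST, OBSERVED))
    for mode in ("disabled", "audit", "enabled"):
        print(mode, "->", decide(mode, DRAFT_LIST, "192.0.2.44"))
    print("can prune /32:", removal_keeps_access(DRAFT_LIST, "203.0.113.10", me))
```

Pass `uncovered` the originating IPs from the **Access denied · IP ACL** entries collected during Audit mode to see which addresses the draft list still misses.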

## Auditing

Both **Audit** and **Enabled** modes record activity you can review in your
team's Activity log:

* Denied (or would-be-denied) connections appear as **Access denied · IP ACL**,
  with the user and the originating IP address.
* Changes to the list itself and changes to the mode are also recorded.

This gives you an ongoing record of where your workspace is being accessed from.

## Limitations

* IPv4 addresses and CIDR ranges are supported. IPv6 is not yet supported.
* IP ACL governs authenticated API and stream access. Sign-in itself is not
  gated — a blocked address may complete sign-in, but the resulting session is
  rejected on its first request to a Kadoa service.

For questions about configuring IP ACL for your organization, contact your
account team or [support@kadoa.com](mailto:support@kadoa.com).
