Overview

IP ACL (IP Access Control List) restricts access to your Kadoa workspace so that authenticated requests are only accepted from IP addresses you trust. Once enabled, a request carrying a valid session or API key is still rejected if it does not originate from an allowed address. IP ACL applies across the API, the custom services API, and the realtime and event streams, so the same trusted set of addresses governs every way your team connects to Kadoa.

Enterprise feature

IP ACL is available on the Enterprise plan and can be managed by team Admins and Owners.

How it works

The list holds one or more IPv4 addresses or CIDR ranges. A single address such as 203.0.113.10 covers one host; a range such as 203.0.113.0/24 covers a whole subnet. Add the public egress addresses your team and integrations connect from — your office network, VPN, or a static NAT gateway. IP ACL is scoped to your organization, so a single list protects every team in your workspace.

Modes

You control enforcement with a three-way switch in the dashboard:
| Mode | Behavior |
| --- | --- |
| Disabled | IP ACL is inactive. All authenticated requests are accepted. |
| Audit | Requests are never blocked, but any request that would be denied is recorded in your Activity log. Use this to validate your list before enforcing. |
| Enabled | Requests from addresses not on the list are rejected. |

We recommend starting in Audit mode. Let your team work normally for a day or two, review the Activity log for any would-be denials, add any missing addresses, and then switch to Enabled.

Setting it up

  1. Go to Settings → IP ACL in the dashboard.
  2. Add the IP addresses or CIDR ranges your team connects from. The current IP you are connecting from is shown so you can confirm it is covered.
  3. Choose a mode. To prevent accidental lockout, you cannot switch to Enabled unless your current IP is already on the list.
  4. Save.

Avoid locking yourself out

Kadoa will not let you enable enforcement, or remove the last entry covering your own address, if doing so would block your current connection. You can still prune a redundant entry as long as another entry still covers your IP. If you do get locked out, contact support@kadoa.com to restore access.
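
A local pre-flight check you can run on a candidate list before switching to Enabled, given here as an added example and not Kadoa's own code. It calls no Kadoa API and assumes standard CIDR containment; the function names, the sample addresses, and the choice to flag ranges with host bits set are assumptions of this example.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not real Kadoa values.
SAMPLE_ENTRIES = ["203.0.113.0/24", "203.0.113.10", "198.51.100.7", "2001:db8::/32"]
SAMPLE_CURRENT_IP = "203.0.113.10"
SAMPLE_SOURCES = ["203.0.113.10", "198.51.100.7", "192.0.2.44"]


def parse_entry(entry):
    """Parse one entry: a single IPv4 address or an IPv4 CIDR range."""
    # strict=True rejects ranges with host bits set (e.g. 203.0.113.10/24),
    # so an ambiguous entry is surfaced instead of silently widened.
    net = ipaddress.ip_network(entry.strip(), strict=True)
    if net.version != 4:
        raise ValueError(f"{entry}: IPv6 is not supported")
    return net


def preflight(entries, current_ip, expected_sources):
    """Check a candidate list locally before switching the mode to Enabled."""
    nets, needs_review = [], []
    for entry in entries:
        try:
            nets.append(parse_entry(entry))
        except ValueError as exc:
            needs_review.append(str(exc))

    def covered(ip):
        addr = ipaddress.ip_address(ip)
        return addr.version == 4 and any(addr in net for net in nets)

    # Redundant: a different entry already contains this one, so pruning it
    # changes nothing about which addresses are covered.
    redundant = [str(n) for n in nets
                 if any(n != other and n.subnet_of(other) for other in nets)]
    return {
        "current_ip_covered": covered(current_ip),
        "uncovered": [ip for ip in expected_sources if not covered(ip)],
        "redundant": redundant,
        "needs_review": needs_review,
    }


if __name__ == "__main__":
    for key, value in preflight(SAMPLE_ENTRIES, SAMPLE_CURRENT_IP, SAMPLE_SOURCES).items():
        print(f"{key}: {value}")
```

Feed it the egress addresses you expect, plus any addresses from would-be-denied entries seen during Audit mode, and resolve everything under `uncovered` and `needs_review` before enforcing.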

Auditing

Both Audit and Enabled modes record activity you can review in your team’s Activity log:
  • Denied (or would-be-denied) connections appear as Access denied · IP ACL, with the user and the originating IP address.
  • Changes to the list itself, and changes to the mode.
This gives you an ongoing record of where your workspace is being accessed from.

Limitations

  • IPv4 addresses and CIDR ranges are supported. IPv6 is not yet supported.
  • IP ACL governs authenticated API and stream access. Sign-in itself is not gated — a blocked address may complete sign-in, but the resulting session is rejected on its first request to a Kadoa service.
For questions about configuring IP ACL for your organization, contact your account team or support@kadoa.com.