Access filters serve as your project's defense mechanism, safeguarding it from any unwanted or suspicious activity.
With Endpoint allowlist you have the capability to restrict access to Blockfrost API at endpoint level. This allows you to enable access solely to endpoints necessary for your project. Additionally, we provide an IP and Origin Allowlist, serving as an additional layer of security. This mechanism ensures that only your specific applications are granted access to the Blockfrost API.
You have the flexibility to use either one of these filters, or all of them simultaneously. With multiple filters enabled, only request that pass all the filters are allowed.
You can navigate to Access filters directly from the Project page.
Once enabled only allowed IP addresses will be able to access Blockfrost API on behalf of the project. Requests from all other IP addresses will receive error response with status code 403.
You can enter both IPv4 and IPv6 addresses. IP ranges using prefix length are also supported (
Once enabled only allowed endpoints will be accessible from the project. Requests to all other endpoints will receive error response with status code
403. We recommend to enable access solely to endpoints necessary for your project.
If endpoint allowlist is enabled for the project, but there is no entry in the list of enabled endpoints, then all requests will be rejected.
Origins filter allows you to restrict access to your project to specific URLs using HTTP header
Once enabled only requests from allowed origins will be allowed for the project. Requests from all other origins will receive error response with status code 403. Requests with missing
Origin headers will also be rejected with status code 403.
Origin allowlist supports wildcard (*) for a subdomain. For example, "https://*.example.com" allows requests coming from any subdomain of
An entry configured with a specific scheme, such as HTTPS, will exclusively permit requests initiated from that particular scheme. If you want to permit any scheme, simply exclude it from the entry. For instance, by entering
example.com, the system will accept requests from any protocol.
Keep your API key (
Wherever you can, use IP and Origin-based filters and enable access only to those endpoints your project truly needs.
Create a new project for each application. This lets you to tailor access filters to each application's specific needs.