IP Whitelisting & Security
Secure your Deepvue API integration with IP whitelisting, HTTPS enforcement, credential management, and production security best practices.
Overview
Deepvue provides multiple layers of security to protect your API integration. This page covers IP whitelisting, transport security, credential management, and recommended practices for production environments.
IP whitelisting
Deepvue supports IP whitelisting to restrict API access to specific IP addresses. When enabled, only requests from your whitelisted IPs will be accepted — all other requests are rejected with a 403 Forbidden response.
Identify your server IPs
Determine the static IP addresses of the servers that will call Deepvue APIs. If you use cloud infrastructure (AWS, GCP, Azure), use a NAT gateway or Elastic IPs to ensure a consistent outbound IP.
Do not whitelist dynamic IPs. If your server IP changes, API calls will be blocked until the new IP is added.
Contact support to enable whitelisting
Contact support@deepvue.tech to enable IP whitelisting for your account. Provide the list of IP addresses you want to whitelist.
Test connectivity
After configuring, make a test API call from your whitelisted server to confirm access works. Then verify that requests from non-whitelisted IPs are correctly blocked.
IP whitelisting is optional but strongly recommended for production environments. Contact support@deepvue.tech if you need help configuring it.
Transport security
All Deepvue API communication is secured with TLS/HTTPS:
| Requirement | Details |
|---|---|
| Protocol | HTTPS required for all API calls |
| HTTP requests | Rejected — unencrypted requests will fail |
| TLS version | TLS 1.2 or higher |
| Certificate | Valid SSL certificate on production.deepvue.tech |
Never make API calls over plain HTTP. Credentials and personal data would be transmitted in cleartext, violating compliance requirements.
Credential security
Best practices
- Use environment variables or a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager)
- Never hardcode client_id or client_secret in source code
- Never commit credentials to version control
```bash
# Good — use environment variables
export DEEPVUE_CLIENT_ID="your_client_id"
export DEEPVUE_CLIENT_SECRET="your_client_secret"
```

```python
import os

client_id = os.environ["DEEPVUE_CLIENT_ID"]
client_secret = os.environ["DEEPVUE_CLIENT_SECRET"]
```
Token security
Access tokens returned by the /v1/authorize endpoint are valid for 24 hours. Follow these practices:
- Cache tokens — Reuse the same token for multiple requests within its validity period instead of generating a new one per request.
- Refresh proactively — Generate a new token before the 24-hour window expires to avoid failed requests.
- Don't log tokens — Exclude access tokens from application logs and error reports.
- Server-side only — Never expose access tokens to client-side applications.
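One way to apply the caching and proactive-refresh practices above, as an added example rather than Deepvue's own code. The `fetch_token` callable is hypothetical (your own function that calls /v1/authorize and returns the token string), and the 30-minute refresh margin is an assumption, not a Deepvue recommendation.

```python
import threading
import time

TOKEN_LIFETIME_S = 24 * 60 * 60   # 24-hour validity stated on this page
REFRESH_MARGIN_S = 30 * 60        # assumption: renew 30 minutes before expiry


class TokenCache:
    """Caches one access token and renews it before it expires."""

    def __init__(self, fetch_token, clock=time.monotonic):
        # fetch_token is hypothetical: it calls /v1/authorize and returns the token string.
        self._fetch_token = fetch_token
        self._clock = clock             # injectable so expiry can be tested offline
        self._lock = threading.Lock()   # only one thread refreshes at a time
        self._token = None
        self._refresh_at = 0.0

    def get(self):
        """Return the cached token, fetching a new one only when a refresh is due."""
        with self._lock:
            if self._token is None or self._clock() >= self._refresh_at:
                # Take the timestamp before the call so the deadline errs on the early side.
                issued = self._clock()
                # If fetch_token raises, the previous token and deadline are left unchanged.
                self._token = self._fetch_token()
                self._refresh_at = issued + TOKEN_LIFETIME_S - REFRESH_MARGIN_S
            return self._token

    def invalidate(self):
        """Drop the cached token so the next get() fetches a fresh one."""
        with self._lock:
            self._token = None

    def __repr__(self):
        # Never include the token itself: reprs end up in logs and tracebacks.
        state = "empty" if self._token is None else "cached"
        return f"<TokenCache {state}>"
```

Create one `TokenCache` per process on the server side and call `get()` for every outgoing request; the token never needs to be stored anywhere else or written to logs.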
Production security checklist
Use this checklist before going live:
- All API calls use HTTPS
- Credentials stored in environment variables or secrets manager
- No credentials in source code or version control
- IP whitelisting configured for production servers
- Access tokens cached and refreshed proactively
- API usage monitoring enabled in the Dashboard
- Team access to credentials limited to authorized personnel
- Incident response plan in place for credential leaks