> ## Documentation Index
> Fetch the complete documentation index at: https://docs.devinenterprise.com/llms.txt
> Use this file to discover all available pages before exploring further.

# IP Access Lists

> Restrict API and webapp access to specific IP addresses or CIDR ranges

IP access lists let enterprise administrators restrict access to the Devin platform from specific IP addresses or CIDR ranges. When an IP access list is configured, only requests originating from the allowed IP ranges can access Devin's APIs and webapp.

## How It Works

When you configure an IP access list, Devin enforces it at the enterprise level:

* **API requests** from IPs not in the access list are rejected with a `401 Unauthorized` response
* **Webapp access** is restricted to users connecting from allowed IP ranges

This is useful for enterprises that need to ensure Devin is only accessed from corporate networks, VPN endpoints, or other trusted IP ranges.

## Configuring IP Access Lists

IP access lists are managed via the [Enterprise API v3](/api-reference/v3/ip-access-list/get-ip-access-list). The following operations are available:

### Viewing the Current Access List

Retrieve the current IP access list for your enterprise:

```bash theme={null}
GET /v3/enterprise/ip-access-list
```

Returns the list of allowed IP ranges currently configured.

### Replacing the Access List

Replace the entire IP access list with a new set of IP ranges:

```bash theme={null}
PUT /v3/enterprise/ip-access-list
```

The request body should be a JSON object with an `ip_ranges` field containing an array of IP ranges in CIDR notation. Individual IP addresses can be specified with a `/32` suffix.

```json theme={null}
{
  "ip_ranges": ["10.0.0.0/8", "192.168.1.0/24", "203.0.113.50/32"]
}
```

<Warning>
  The PUT endpoint **replaces** the entire list. Any IP ranges not included in the request will be removed. Make sure to include all desired ranges in each update.
</Warning>

### Clearing the Access List

Remove all IP restrictions by clearing the access list:

```bash theme={null}
DELETE /v3/enterprise/ip-access-list
```

When the access list is empty, no IP-based restrictions are enforced.

## Permissions

Managing IP access lists requires the `ManageEnterpriseSettings` permission. This is typically available to enterprise administrators.

## Best Practices

* **Include all office and VPN egress IPs** before enabling the access list to avoid locking out users
* **Use CIDR ranges** instead of individual IPs where possible to simplify management
* **Test with a broad range first**, then narrow down as needed
* **Keep a record** of configured ranges outside of Devin in case you need to restore access

<Note>
  If you accidentally lock yourself out by configuring an incorrect IP access list, contact [support@cognition.ai](mailto:support@cognition.ai) for assistance.
</Note>