API key security
Postcoder provides enhanced security options for your API key to help you safeguard your account.
|API key access||Option|
|Rate-limited||Any IP address (default)|
Any IP address can make up to X requests every 5 minutes. You choose a value for X between 1 and 50, the default is 5 requests.
Useful for client-side integrations where you don't know the IP address (e.g. you've integrated Postcoder into a mobile phone app).
|Any IP address on trusted websites|
As above plus each request must originate from a website that exists on your trusted website URL list.
Postcoder checks the HTTP referer of the request, which is usually automatically set by the web browser.
|Trusted||Trusted IP addresses only|
Only IP addresses that exist on your valid IP address list can make requests.
Useful for server-side integrations that run on servers or compute platforms with a known IP address range.
Manage the security settings for your API key or contact support if you need any help or advice.
Firewalls and security layers
You can allow Postcoder through your firewall and security layers by allow-listing the domain of ws.postcoder.com.
We do not recommed allow-listing by IP address since Postcoder is load-balanced across multiple IP addresses which change frequently.