Security

Postcoder supports HTTPS requests and a range of API key-based security settings.

Log into your account to manage your security settings.

Rate-limited access from any IP address

By default, your API key will accept up to 5 requests from any identical IP address in a rolling 5-minute period.

You can change the limit to between 1-50 depending on your preference, or disable rate-limited access completely.

Example scenario

Mobile app with address lookups originating from the IP address of each user (i.e. any IP address)

Rate-limited access from trusted websites

You can use rate-limited access (see above) alongside a whitelist of trusted website URLs.

With this option, your API key will accept up to 5 requests from any identical IP address in a rolling 5-minute period, providing the HTTP referer of the request appears on the website URL whitelist.

You can change the limit to between 1-50 depending on your preference, and add multiple website URLs to the whitelist.

Note, while most browsers set the http referer, it may not be set by all and can also be removed by proxy servers or be spoofed. If not set or if it does not match one of your specified website URLs, the request will be rejected.

Example scenario

Website with address lookups originating from the IP address of each user (i.e. a known website URL(s) but any IP address)

Unlimited access from trusted IP addresses

You can add trusted IP addresses and / or ranges to a whitelist of trusted IP addresses.

With this option, your API key will accept unlimited requests from an IP address, providing it appears on the IP address whitelist.

Example scenarios

  • Office application with address lookups originating from a small number of known IP addresses (i.e. the public IP address(es) of the company internet connection)
  • Website or mobile app with address lookups routed via central servers with one or more known IP addresses (i.e. the IP address(es) of the central server(s))