Access Control

Secure MarketCheck API access using IP whitelisting, origin restrictions, and per-key endpoint permissions

MarketCheck API supports multiple layers of access control to protect your API usage. These include account-level IP whitelisting and API key-level controls such as endpoint restrictions and origin restrictions.

IP Whitelisting

IP whitelisting restricts API access to specific IP addresses at the account level. Once enabled, all API keys under your account will only accept requests from approved IP addresses.

Key Details

Account-wide enforcement across all existing and future API keys
Restricts access to requests originating from approved IP addresses or CIDR ranges
Both IPv4 and IPv6 formats are supported
Requests from non-whitelisted IPs are rejected with an authentication error

Setting Up IP Whitelisting

To configure IP whitelisting:

Navigate to your account profile page
Under Update IP Restrictions, enter the IPs or CIDR ranges to allow
Click Update IP Restrictions to save your changes

Changes take effect immediately for all existing and future API keys under your account.

Endpoint Restrictions

Control which API endpoints each key can access, implementing the principle of least privilege for enhanced security. Unlike account-level IP whitelisting, endpoint restrictions are configured individually for each API key.

Key Details

New API keys have full access by default — you can restrict them later
Permissions are set per individual API key (not account-wide)
Requests to restricted endpoints return authorization errors
Permissions can be updated without regenerating the API key

Setting Up Endpoint Restrictions

To configure endpoint restrictions:

Go to the API keys page in your MarketCheck Universe dashboard
Select the API key and click the 🔒 permissions icon next to the key name
In the Allowed Endpoints dropdown, select the endpoints to allow
Click Update to save your changes

Changes take effect immediately for the selected API key.

Origin Restrictions

Control which domains can use your API keys by restricting access based on the request's Origin header. This provides an additional security layer, particularly useful for protecting production API keys from unauthorized domain usage.

Key Details

Configured per individual API key (same as endpoint restrictions)
Requires exact case-sensitive match of the Origin header value
Multiple origins can be added per API key
Requests with non-matching origins return authorization errors
Primarily designed to secure browser-based and domain-specific integrations

Setting Up Origin Restrictions

To configure origin restrictions:

Go to the API keys page in your MarketCheck Universe dashboard
Select the API key and click the 🔒 permissions icon next to the key name
In Allowed Origins section, add the domains that should be allowed to use this API key
- Enter exact domain strings as browsers send them in the Origin header
- Include protocol, subdomains, and ports if applicable
- Add multiple origins if your application runs on different domains
Click Update to save your changes

Changes take effect immediately for the selected API key. Ensure all legitimate domains are included before saving.

Origin Format Examples

Origins must match exactly how browsers send them in the Origin header:

Correct formats:

https://www.example.com
https://example.com
http://localhost:3000
https://app.mydomain.com
https://staging.mydomain.com:8080

Important notes:

Include the full protocol (http:// or https://)
Include subdomains (www, app, staging, etc.)
Include ports if non-standard (:3000, :8080, etc.)
No trailing slashes
Case-sensitive matching

Security Considerations

Layered Security Approach

These three access control mechanisms work together to provide comprehensive protection:

IP whitelisting ensures requests originate from trusted infrastructure
Endpoint restrictions limit what data and operations each key can access
Origin restrictions prevent unauthorized domain usage of your API keys

Best Practices

IP Whitelisting:

Use when accessing the API from fixed locations (offices, servers)
Use CIDR notation to define IP ranges when needed
Validate access after changes using test requests (e.g., via curl or Postman)

Endpoint Restrictions:

Apply the principle of least privilege — grant only required endpoint access
Use separate keys for different services or integrations
Regularly audit and remove unused endpoint permissions

Origin Restrictions:

Use for production web applications to prevent domain abuse
Include all necessary domain variations (www vs non-www, staging domains)
Test across all domains before deploying to production
Use browser developer tools to verify exact Origin header values

Combined Usage Strategies

For Server-to-Server Integrations:

Primary: IP whitelisting for infrastructure security
Secondary: Endpoint restrictions for functional security
Origin restrictions: Not typically needed

For Browser-Based Applications:

Primary: Origin restrictions for domain security
Secondary: Endpoint restrictions for functional security
IP whitelisting: Usually not practical due to dynamic client IPs

For Partner/Third-Party Access:

Combine all three: IP whitelisting for their infrastructure, endpoint restrictions for limited access, origin restrictions for their domains
Use separate API keys for each partner

Release Policy

Versioning and deprecation policy for MarketCheck APIs

Quota and Rate Limits

Understand API quotas, rate limits, and usage restrictions for the MarketCheck API across Free, Basic, Standard, and Enterprise subscription tiers.