IP allow-list for dashboard access

The IP allow-list lets you restrict who can access the Elido dashboard to a specific set of IP addresses or ranges. Once enabled, any login attempt from an IP not on the list is blocked at the gate — regardless of whether the credentials are correct.

Short links continue to redirect for everyone. The allow-list only affects dashboard (and API) access, not the redirect path.

Set up an allow-list#

1. Go to Settings → Security → IP Allowlist.
2. Click Enable to turn the feature on. The toggle shows Disabled by default — enabling it does not immediately block you, because you're adding rules first.
3. Enter a CIDR range or a single IP in the CIDR field. Examples:
   • 203.0.113.0/24 — an entire /24 subnet.
   • 198.51.100.42 — a single IP (equivalent to /32).
   • 10.0.0.0/8 — a private range (useful for VPN-only access).
4. Optionally add a Label (e.g. office, vpn, home). Labels are for your own reference.
5. Click Add. Repeat for each range you want to permit.

Once at least one rule exists and the allowlist is enabled, only IPs matching a rule can reach the dashboard.

Supported CIDR formats#

Both IPv4 and IPv6 CIDR notation are accepted:

• 192.168.1.0/24 — IPv4 subnet
• 10.0.0.1 — bare IPv4 (treated as /32)
• 2001:db8::/32 — IPv6 prefix
• ::1 — IPv6 loopback (treated as /128)

There's no limit on the number of rules. For large allow-lists (hundreds of ranges), use the API:

curl -X POST https://api.elido.app/v1/ip-rules \
  -H "Authorization: Bearer $ELIDO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"workspace_id": 42, "cidr": "203.0.113.0/24", "label": "office"}'

Remove a rule#

Go to Settings → Security → IP Allowlist, find the row you want to remove, and click Remove. If you remove all rules while the allowlist is still enabled, the dashboard becomes inaccessible from everywhere. Disable the allowlist first if you want to clear all rules.

Disable the allow-list#

Click the Disable button at the top of the page. The existing rules are preserved — disabling just stops them from being enforced. Re-enabling picks up where you left off.

If you lock yourself out#

Locking yourself out means you've enabled the allowlist with rules that don't include your current IP. Recovery options:

1. Connect to the network that's on the list (e.g. your office VPN) and log in from there to fix the rules.
2. Contact support at support@elido.app from your account email. We verify ownership and can disable the allowlist for you after identity confirmation. Response time is one business day.

To avoid lockouts: before enabling the allowlist, add at least one rule that covers your current IP. You can check your IP at whatismyip.com or similar. Add a backup rule for your phone's carrier IP or your home network before you enable.

Troubleshooting#

I added my IP but I'm still blocked. CIDR ranges are matched exactly — check for typos in the prefix length. A /25 excludes half the addresses a /24 would cover. Also confirm whether your IP is NAT'd: the IP reaching us is your external IP, not an internal 10.x.x.x address.

The allowlist is enabled but not enforcing. The feature requires at least one active rule to block anything. If the rules list is empty, the allowlist is effectively open. Add a rule that covers your expected range to confirm it's working.

API keys are also blocked. Yes — the IP allowlist applies to API requests as well as browser sessions. If your server's IP isn't on the list, API calls will return 403. Add the server's outbound IP to the allowlist.

I need to allow a dynamic IP range. Use a /24 or larger prefix to cover the range. If the IP changes completely unpredictably, consider using a VPN with a fixed exit IP instead of trying to keep the allowlist up to date.