Skip to content

Blacklisting and Whitelisting Requests

This section guides you through the following areas:

IP Whitelisting

IP whitelisting is a way of configuring a filter to extract a particular set of known IP addresses to grant access to API requests which are received from those IPs only. This can be achieved by creating and Advanced Throttling policy and attaching it to the required API.

Creating the Advanced Throttling policy
  1. Login to the admin portal of WSO2 API Manager (https://<ip_address>:9443/admin).
  2. Open Throttling Policies tab and navigate to Advanced Throttling.
  3. Click ADD NEW POLICY to add a new Throttling tier.

  4. Fill the details as below and click Add Conditional Group .

  5. Open the Conditional Group added and fill the details.

    Property Value
    IP Condition Policy Checked
    IP Condition Type Specific IP
    IP Address E.g.
    Invert Condition Checked (If Invert Condition check then condition only apply to the IPs which not mention in IP Address above)
    Request Count 0

    Following is an example configuration.


    In above configuration we are whitelisting a Specific IP. You can whitelist a range of IP as well by selecting IP Range for the IP Condition Type in the Conditional Group and specifying the range as follows.

  6. Click Save .

    You have now successfully created the policy. Now we should engage this policy to an API.

Engage the policy with an API
  1. Login to API Publisher https://:9443/publisher.
  2. Selct the API and go to the Resources menu.
  3. Enable API level under Operational Configuration and select the newly created Throttling policy.

  4. Save and Publish the API. Now the API will be accessible only by the IP specified in the throttling policy.


    The policy will be re-enforced for every unit time. Each time the policy is enforced a minimum of 1 request will be allowed to pass before blocking the requests. Having a smaller unit time will increase the frequency of requests passing through. Hence, having an larger unit time is suitable to minimize the number of requests passing through.

Blacklisting requests

By blacklisting requests, you can protect servers from common attacks and abuse by users. For example, if a malicious user misuses the system, all requests received from that particular user can be completely blocked. Tenant administrative users can block requests based on the following parameters:

  • Block calls to specific APIs
  • Block all calls from a given application
  • Block requests coming from a specific IP address
  • Block a specific user from accessing APIs

To blacklist a request,

  1. Log in to the Admin Portal using the URL https://localhost:9443/admin and your admin credentials.
  2. Click Black List under the Throttle Policies section and click Add Item .

Select the item to black list, enter a value and click Blacklist .


You can temporary on/off the blacklisting condition by enabling/disabling the Condition status that is auto enabled when a blacklisting condition is created.

Blacklisting PhoneVerification API

As described above you can blacklist requests for APIs, by Applications, to IP Addresses and for Users. Let's see how we can blacklist the requests for an API.

  1. Log in to the Admin Portal using the URL https://localhost:9443/admin and your admin credentials.
  2. Click Black List under the Throttle Policies section and click Add Item .
  3. Select API Context and provide the Context of PhoneVerification API with version as the Value.

  4. Click Blacklist.

  5. Now login to API Developer Portal using the URL https://localhost:9443/devportal and invoke the API. You will see the following response.