List of IP addresses that POST to external URL via Triggers


We are sending API calls to an external API via HTTP Post on a Trigger.  For security purposes, they requested that we provide them with a list of IP addresses that these requests will be coming from.  I could not find this in the old community forum (could only find IPs for emails and DDS).

Link to comment

@Lindsay Klatzkin 

Relying on IP whitelisting can be problematic as our public IP addresses may change over time due to various network configuration updates or cloud service policies. This change would potentially disrupt the connectivity if the IP addresses were hard-coded into their security settings.

You could explore the possibility of using domain names instead of IP addresses as the basis for whitelisting. Using our domain name (e.g., intacct.com) would allow their security systems to perform a reverse DNS lookup to verify requests coming from our servers. This method is generally more robust as it adapts to changes in IP addresses without requiring frequent manual updates.

You can also send the sessionid as an argument to your endpoint {!USERPROFILE.SESSIONID!} to validate.

Edited by Sterio, Louis
Link to comment

  • 4 weeks later...

Hi @Sterio, Louis, I saw this post and thought it was relevant to my question. I would like to set up triggers or smart events to make calls to an external API (our company's), but they need to be secure. I too had thought about IP whitelisting but you argue that it isn't a good idea and I understand why. You recommend sending the user sessionID as a way to validate these calls. I was wondering if you could provide more details as to how it could be used to validate. My thoughts were that you can use this session to validate against Sage Intacct; send the session back to Sage Intacct and confirm if it is indeed a valid user session, but I couldn't find any functions in the API that support this check.

Link to comment

I regularly do external API posts for external processing to our services endpoints. I always use the name/value pairs as it does a form post and the data is application/x-www-form-urlencoded so you pick them up from the request header as key/value pairs. It's pretty easy. However, I ALWAYS pass these 3 in all requests:

sessionid={!USERPROFILE.SESSIONID!}
endpoint={!API_ENDPOINT!}
useremail={!USERPROFILE.EMAIL!}

Even if I don't use any of them, I send them as they're handy for logging purposes.

When using the session ID, instead of setting the user ID and password when you set up the client, you just set the session ID and null the user ID and password out. There are some things that may catch you out though. You need to be aware of the user's permissions. If they don't have the permission to do something that is being done in your external call, the request will fail.


Link to comment
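An added example (not code from the thread or from Sage Intacct) of the receiving side described in the last post: it decodes the form-urlencoded trigger body, refuses to call an `endpoint` value it does not recognise, and builds a request that authenticates with the session ID alone. The host suffix, the sender credential parameters, the sample values and the XML layout with its `getAPISession` function are assumptions to confirm against the Sage Intacct API documentation.

```python
from urllib.parse import parse_qs, urlsplit
from xml.etree import ElementTree as ET

ALLOWED_API_SUFFIX = ".intacct.com"  # assumption: API gateway hosts sit under this domain

def parse_trigger_post(body: str) -> dict:
    """Decode the trigger body and require the three fields named in the post."""
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    missing = {"sessionid", "endpoint", "useremail"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return fields

def endpoint_is_trusted(url: str) -> bool:
    """The endpoint arrives with the request, so only HTTPS on an expected host is used."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host.endswith(ALLOWED_API_SUFFIX)

def build_session_check(sessionid: str, sender_id: str, sender_password: str) -> bytes:
    """Request authenticated by session ID only (no user ID or password).
    ElementTree escapes the text, so a hostile sessionid cannot inject XML."""
    req = ET.Element("request")
    control = ET.SubElement(req, "control")
    for tag, text in (("senderid", sender_id), ("password", sender_password),
                      ("controlid", "session-check"), ("uniqueid", "false"),
                      ("dtdversion", "3.0"), ("includewhitespace", "false")):
        ET.SubElement(control, tag).text = text
    op = ET.SubElement(req, "operation")
    ET.SubElement(ET.SubElement(op, "authentication"), "sessionid").text = sessionid
    func = ET.SubElement(ET.SubElement(op, "content"), "function", controlid="check-1")
    ET.SubElement(func, "getAPISession")  # assumed lightweight call to prove the session
    return ET.tostring(req, encoding="utf-8")

def session_is_valid(response_xml: bytes) -> bool:
    """Accept only when both the authentication and the function report success."""
    root = ET.fromstring(response_xml)
    return (root.findtext("operation/authentication/status") == "success"
            and root.findtext("operation/result/status") == "success")

# Constructed sample data, not captured traffic.
SAMPLE_BODY = ("sessionid=CONSTRUCTED-SESSION"
               "&endpoint=https%3A%2F%2Fapi.intacct.com%2Fia%2Fxml%2Fxmlgw.phtml"
               "&useremail=user%40example.com")
SAMPLE_OK = (b"<response><operation><authentication><status>success</status>"
             b"</authentication><result><status>success</status></result>"
             b"</operation></response>")
SAMPLE_FAIL = (b"<response><operation><authentication><status>failure</status>"
               b"</authentication></operation></response>")
```

The receiver would POST the bytes from `build_session_check` to the endpoint only after `endpoint_is_trusted` returns true, then process the trigger only if `session_is_valid` accepts the reply.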