π—π€πˆ π—π€ππˆ

Access Control (ACL)

The XAI XAPI provides a powerful Access Control List (ACL) mechanism, allowing you to finely manage the API call behavior of an account to enhance security.

IP Whitelist (AllowIPs)

By setting AllowIPs, you can restrict an account to make API calls only from specified IP addresses or IP ranges. This is crucial for protecting your API Key from being leaked and misused.

  • Format: AllowIPs is a string that supports single IPs or CIDR notation. Multiple entries can be separated by spaces or commas.
  • Example: "192.168.1.100 10.0.0.0/8" means that only requests from 192.168.1.100 and the 10.0.0.0/8 network segment are allowed.
  • Inheritance Rule: A child user's AllowIPs must be a subset of its parent's AllowIPs. If the parent user has set an IP whitelist, the child user can only further narrow down the scope within that list.
  • Special Operations:
    • Add: "118.23.21.0/24"
    • Remove: "-118.23.21.0/24"
    • Restore default (no restrictions): "*"
    • Allow local calls only: "-*"

Model Whitelist (AllowModels)

By setting AllowModels, you can control which AI models an account is allowed to use. This is very useful for cost control and feature restriction.

  • Format: AllowModels is a string containing model names, separated by spaces or commas. It supports the use of * as a wildcard.
  • Example: "gpt-4o gpt-4o-mini claude-*" means the account can only use gpt-4o, gpt-4o-mini, and all models starting with claude-.
  • Inheritance Rule: A child user's AllowModels must be a subset of its parent's AllowModels.
  • Special Operations:
    • Add: "gpt-4o gpt-4o-mini"
    • Remove: "-gpt-4o"
    • Restore default (no restrictions): "*"
    • Prohibit all models: "-*"

Resource Path Whitelist (Resources)

This is a lower-level access control where you can restrict an account to access only specific API paths (Endpoints).

  • Format: Resources is a string containing API paths, separated by spaces or commas.
  • Example: "/v1/chat/completions /v1/embeddings" means the account can only perform chat and embedding operations.
  • Inheritance Rule: A child user's Resources must be a subset of its parent's Resources.
  • Special Operations:
    • Add: "/v1/chat/completions"
    • Remove: "-/v1/embeddings"
    • Restore default (no restrictions): "*"
**Security Best Practice**: We strongly recommend setting a strict `AllowIPs` whitelist for all API Keys used in production environments. This is the most effective way to prevent misuse if a key is leaked.
← Supported Model Providers
API Reference →