Access Control

Access on your terms. Declarative access controls that enforce where, when, and whether data can flow. Define rules once; enforcement is automatic.

Geo restrictions

Control where your data can be accessed with allow/deny lists by region.

Allow list

Only allow requests from specified regions:

access:
  geo_allow:
    - US
    - EU
    - CA

Deny list

Block requests from specified regions:

access:
  geo_deny:
    - CN
    - RU

Requests from denied regions receive a 403 Forbidden response.

Expiration

Set hard expiration dates on any Virtual API. Expiration is configured through the Virtual API UX. After expiration:

All requests receive 410 Gone
No data is served
Virtual API can be renewed with a new expiration date

Instant shutdown

Revoke access immediately via the Virtual API UX. No waiting for tokens to expire. Revocation is instant. All subsequent requests receive 403 Forbidden.

Combining access controls

Geo restrictions can be combined with expiration and instant shutdown for layered access control:

access:
  geo_allow:
    - US
    - EU

Next steps

Backplane Control

Add infrastructure-level source protection

REST API Delivery

See how access rules apply at the REST delivery layer

Backplane ControlGroup rate limiting and IP restrictions for Virtual APIs.

Access Control
Geo restrictions
Allow list
Deny list
Expiration
Instant shutdown
Combining access controls
Next steps

Getting Started

Documentation Index

​Access Control

​Geo restrictions

​Allow list

​Deny list

​Expiration

​Instant shutdown

​Combining access controls

​Next steps