IP Access Control
Authenticate SIP traffic by whitelisting source IP addresses.
IP Access Control
Authenticate SIP traffic by whitelisting source IP addresses. This method is ideal for PBXs and SBCs with static IP addresses, providing simple and secure authentication without the need for credentials.
How It Works
- Add your PBX/SBC IP addresses to the trunk's Access Control List (ACL)
- TryVox allows SIP traffic from whitelisted IPs without requiring digest authentication
- Traffic from non-whitelisted IPs is rejected
This approach provides a clean separation between trusted and untrusted traffic sources.
Add IP to ACL
POST https://api.tryvox.io/v1/account/{account_id}/trunks/{trunk_id}/ip-aclRequest Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| ip | string | yes | IP address to whitelist (IPv4 or IPv6) |
| mask | integer | no | CIDR mask for subnet (default: 32 for single IP) |
| description | string | no | Friendly description for this ACL entry |
Example Request (Single IP)
curl -X POST https://api.tryvox.io/v1/account/acc_1a2b3c/trunks/trunk_4x5y6z/ip-acl \
-H "Authorization: Bearer tvx_sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"ip": "203.0.113.45",
"mask": 32,
"description": "Production PBX - Primary"
}'Example Request (Subnet)
curl -X POST https://api.tryvox.io/v1/account/acc_1a2b3c/trunks/trunk_4x5y6z/ip-acl \
-H "Authorization: Bearer tvx_sk_live_..." \
-H "Content-Type: application/json" \
-d '{
"ip": "203.0.113.0",
"mask": 24,
"description": "Office subnet"
}'Response
{
"id": "acl_3d4e5f",
"trunk_id": "trunk_4x5y6z",
"ip": "203.0.113.45",
"mask": 32,
"cidr": "203.0.113.45/32",
"description": "Production PBX - Primary",
"created_at": "2026-04-09T10:40:00Z"
}CIDR Notation Guide
Use the mask parameter to specify subnet ranges:
/32— Single IP address (default)/31— 2 IP addresses/30— 4 IP addresses/29— 8 IP addresses/28— 16 IP addresses/24— 256 IP addresses (Class C subnet)/16— 65,536 IP addresses (Class B subnet)
For most use cases, use /32 for individual PBX/SBC IP addresses.
List ACL Entries
GET https://api.tryvox.io/v1/account/{account_id}/trunks/{trunk_id}/ip-aclRetrieve all IP ACL entries for a trunk.
curl https://api.tryvox.io/v1/account/acc_1a2b3c/trunks/trunk_4x5y6z/ip-acl \
-H "Authorization: Bearer tvx_sk_live_..."Response
{
"data": [
{
"id": "acl_3d4e5f",
"trunk_id": "trunk_4x5y6z",
"ip": "203.0.113.45",
"mask": 32,
"cidr": "203.0.113.45/32",
"description": "Production PBX - Primary",
"created_at": "2026-04-09T10:40:00Z"
},
{
"id": "acl_4e5f6g",
"trunk_id": "trunk_4x5y6z",
"ip": "203.0.113.46",
"mask": 32,
"cidr": "203.0.113.46/32",
"description": "Production PBX - Backup",
"created_at": "2026-04-09T10:45:00Z"
}
]
}Delete ACL Entry
DELETE https://api.tryvox.io/v1/account/{account_id}/trunks/{trunk_id}/ip-acl/{acl_id}Remove an IP address from the trunk's ACL. Traffic from this IP will be immediately rejected.
curl -X DELETE https://api.tryvox.io/v1/account/acc_1a2b3c/trunks/trunk_4x5y6z/ip-acl/acl_3d4e5f \
-H "Authorization: Bearer tvx_sk_live_..."Best Practices
- Use static IPs — IP ACL works best with static IP addresses. If your PBX has a dynamic IP, consider using credential authentication instead.
- Document each entry — Use the
descriptionfield to identify what each IP address is for. - Keep it minimal — Only whitelist IPs that need access. Avoid using broad subnets unless necessary.
- Monitor your IPs — Regularly audit your ACL entries and remove obsolete entries.
- Combine with firewall rules — Use IP ACL in conjunction with your own firewall rules for defense in depth.