Set the org's IP-allowlist + session-security policy
PUT /api/v1/organizations/current/security-policy
Configure IP allowlist + session security. Admin/owner only.
Enabling the IP allowlist (ip_allowlist_enabled=true) is admission-gated behind release_session_policy (404 when off) and requires at least one valid CIDR block. Each entry is normalized to canonical CIDR form; a malformed entry is a 400. Disabling is always allowed.
Self-lockout protection: when the allowlist is enabled, the admin making the change must be calling from an IP that the new allowlist admits; otherwise the change would immediately lock the configuring admin (and every other admin on that network) out of the org. Such a request is rejected with a 422 so the misconfiguration never lands.
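The validation order described above (feature gate, CIDR normalization, empty-list check, then the self-lockout check against the caller's IP) as an added, stand-alone example; this is illustrative code, not the service's own handler, and the names `PolicyUpdate`, `Decision`, `evaluate_security_policy` and the `release_session_policy` flag being passed as a plain boolean are assumptions made here:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical request/response shapes (assumptions, not the API's schema).
@dataclass
class PolicyUpdate:
    ip_allowlist_enabled: bool
    ip_allowlist: List[str] = field(default_factory=list)

@dataclass
class Decision:
    status: int                      # HTTP status the handler would return
    policy: Optional[dict] = None    # persisted policy on 200
    error: Optional[str] = None      # reason on 4xx


def normalize_cidrs(entries: List[str]) -> List[str]:
    """Return each entry in canonical CIDR form (network address + prefix).

    strict=False lets '10.1.2.3/24' normalize to '10.1.2.0/24'; a string
    that is not a valid IPv4/IPv6 network raises ValueError.
    """
    canonical = []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError as exc:
            raise ValueError(f"malformed CIDR entry {raw!r}") from exc
        canonical.append(net.with_prefixlen)
    return canonical


def evaluate_security_policy(update: PolicyUpdate, caller_ip: str,
                             release_session_policy: bool) -> Decision:
    """Decide the outcome of a PUT on the org security policy."""
    # Disabling is always allowed; no gate, no CIDR validation (assumed:
    # the stored allowlist is cleared when the feature is turned off).
    if not update.ip_allowlist_enabled:
        return Decision(200, {"ip_allowlist_enabled": False, "ip_allowlist": []})

    # Admission gate: behave as if the endpoint does not exist when off.
    if not release_session_policy:
        return Decision(404, error="not found")

    # Malformed entry -> 400.
    try:
        blocks = normalize_cidrs(update.ip_allowlist)
    except ValueError as exc:
        return Decision(400, error=str(exc))

    # Enabling requires at least one valid block.
    if not blocks:
        return Decision(400, error="at least one CIDR block is required")

    # Self-lockout protection: the caller must be admitted by the NEW list.
    # IPv4 addresses never match IPv6 networks (and vice versa).
    caller = ipaddress.ip_address(caller_ip)
    if not any(caller in ipaddress.ip_network(b) for b in blocks):
        return Decision(
            422,
            error=f"caller {caller_ip} is not admitted by the new allowlist",
        )

    return Decision(200, {"ip_allowlist_enabled": True, "ip_allowlist": blocks})


if __name__ == "__main__":
    # Constructed sample: admin on 10.1.2.0/24 enables a list that includes it.
    print(evaluate_security_policy(
        PolicyUpdate(True, ["10.1.2.3/24", "2001:db8::/32"]), "10.1.2.250", True))
    # Constructed sample: same list, but the caller is outside it -> 422.
    print(evaluate_security_policy(
        PolicyUpdate(True, ["10.1.2.0/24"]), "192.168.1.1", True))
```

Note that the lockout check is evaluated against the normalized list, not the raw strings, so a host-bit-bearing entry like `10.1.2.3/24` still admits the whole `/24` the way the stored policy will.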
Request
Responses
- 200: Successful Response
- 400: Bad request — malformed input or failed validation.
- 401: Missing, expired, or invalid credentials.
- 403: Authenticated but not authorized for this resource. Note: cross-organization reads return 404, not 403.
- 404: Resource not found, or hidden for tenant-enumeration safety (the caller lacks permission to know whether the resource exists).
- 409: Conflict — the current resource state does not allow this operation (e.g. assessment already started, email already in use).
- 422: Semantic validation failure — request shape was valid but contents were not.
- 429: Too many requests — rate limited. Retry after the window resets.
- 500: Internal server error — unexpected failure.