Verified AI summary ◀▼
Restrict access to your support and help center by setting IP restrictions, allowing only specified IP ranges to sign in. You can choose to let customers bypass these restrictions while keeping agents and admins within the specified IPs. Be cautious with third-party integrations and review undocumented endpoints that might not adhere to these restrictions. Use wildcards or subnet mask syntax to define IP ranges.
If Zendesk authentication is enabled, you can restrict access to Zendesk Support to users within a specific range of IP addresses. This means that users connecting from these IP addresses are the only users allowed to sign in to Support. For example, to restrict access to users in your company, specify the IP addresses of your company.
You can also allow customers (but not agents and administrators) to bypass IP restrictions. IP restrictions you manage in Admin Center apply to all Zendesk products and Zendesk mobile applications. The restrictions may also affect how other products, such as Gmail attachments, work.
You can specify ranges of IP addresses, separating each range with a space. Two methods are available to specify a range. The first is to use asterisk (*) wildcards. An IP address consists of four numbers separated by periods, such as 192.168.0.1. You can substitute a single asterisk character (*) for any number group to let Zendesk know that it should accept any value in that space. For example, 192.*.*.* allows any IP address whose first number is 192.
The second way to specify an IP range is to use IP subnet mask syntax. For example, 192.168.1.0/25 specifies all the IP addresses between 192.168.1.0 and 192.168.1.127.
You cannot specify IP ranges where the CIDR (Classless Inter-Domain Routing) value is 0. For example, if you specify 10.0.0.0/0, the /0 is invalid.
- In Admin Center, click  Account in the sidebar, then select Security > Advanced. Account in the sidebar, then select Security > Advanced.
- On the IP Restrictions tab, select Enable IP restrictions, then
                    enter the Allowed IP Ranges you want to restrict. Note: Enabling IP-based access restrictions can break third-party integrations. Be sure to include all external IPs that need access to your account via the Zendesk API.
- (Optional) Select the Allow customers to bypass IP restrictions check
                        box.This option ensures that your customers can access your help center and messaging channels regardless of their IP address, even if their IP address is not in the range of allowed IP addresses. Agents and administrators cannot bypass IP address restrictions. 
- (Optional) If your implementation involves any third-party services, such as external bots, make sure their IPs are included in your allowlist.
- Click Save.
Undocumented endpoints
Certain undocumented endpoints are not in-scope for IP restrictions, and may be accessible from any network location, regardless of the IP restrictions in place. Review these endpoints carefully and consider any related security implications before using.
These endpoints are considered unsupported. Zendesk is not responsible for any issues or losses arising from their use. See Undocumented APIs.
| Endpoint | Reason for exemption | 
|---|---|
| /api/v2/pcm/campaign_analytics | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /api/v2/pcm/campaign_list | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /api/v2/pcm/campaign/{campaign-id} | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable_blip | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/api/accounts/sunco_app | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/api/internal/admin/brand_config_sets.json | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/api/internal/admin/brand_config_sets/default.json | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/api/internal/admin/brands | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/api/internal/admin/brands.json | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/api/internal/admin/integrations/{integrations-id} | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/api/internal/brands.json | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/api/internal/config_sets | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/api/internal/config_sets.json | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/api/sdk_channels | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/api/sdk_channels/{sdk_channels-id} | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/api/sdk_channels/lookup/sunco/{sunco-id} | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/campaigns/{campaigns-id} | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/config | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/messaging/custom_ticket_fields | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /embeddable/preview/config | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /frontendevents/dl | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /frontendevents/pca | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /frontendevents/pv | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /mobile_sdk_api/settings/{settings-id}.json | Public access to this messaging analytics endpoint is required for data collection and reporting by external systems. | 
| /chat/static/css/style_language.less | This endpoint delivers a globally shared static asset required by all accounts. IP restrictions is not feasible without significant redesign. | 
| /chat/static/css/style_simulatev2.less | This endpoint delivers a globally shared static asset required by all accounts. IP restrictions is not feasible without significant redesign. | 
| /chat/static/css/style_variables.less | This endpoint delivers a globally shared static asset required by all accounts. IP restrictions is not feasible without significant redesign. | 
| /voice/calls/ivr_keypress/{ivr_keypress-id} | This endpoint must be accessible to Twilio’s infrastructure to support core call flows. Applying IP restrictions would interfere with integration functionality. | 
| /voice/calls/ivr_menu/{ivr_menu-id} | This endpoint must be accessible to Twilio’s infrastructure to support core call flows. Applying IP restrictions would interfere with integration functionality. | 
| /voice/failover/v3/on_exception | This endpoint must be accessible to Twilio’s infrastructure to support core call flows. Applying IP restrictions would interfere with integration functionality. | 
| /voice/verifications/status/{status-id} | This endpoint must be accessible to Twilio’s infrastructure to support core call flows. Applying IP restrictions would interfere with integration functionality. | 
| /flow_composer/assets/bot-avatar/{bot-avatar-id} | This endpoint provides avatar images for bots. Centralized asset delivery must remain openly accessible to ensure compatibility across multiple Zendesk products and clients. | 
| /ips | The endpoint provides necessary ingress and egress IP information for customer firewall setup. It must be externally accessible to enable customer operations and integrations. | 
| /api/v2/rapid_resolve/fetch | This helper endpoint requires both an authentication token and an article id for access, ensuring unauthorized use is not possible. Open invocation is necessary to support technical workflows such as feedback widgets. | 
| /theming/api/internal/s3_upload_tracking | This endpoint receives notifications from Amazon Simple Notification Service (AWS SNS) regarding theme upload events and uses SNS signature authentication. Public accessibility is required to enable integration with AWS services. | 
| /integrations/outlook/finish | This endpoint is necessary to complete the Outlook authentication process with Microsoft’s cloud service. Public accessibility is required to support SSO and redirect functionality. | 
| /api/services/talk_recordings/recordings/{recordings-id} | This endpoint supports legacy recording integration during the migration to the Voice product. It will remain open throughout the transition period. | 
| /api/v2/zorgtest/zorgheaders | This endpoint is used for integration testing. Applying access restrictions would prevent automated validation. | 
| /api/v2/zorgtest | This endpoint is used exclusively for internal integration testing and system health checks. Implementing IP restrictions would prevent automation and engineering teams from accessing the endpoint. | 
| /flow_director/smooch/v2/webhook | Public access to the webhook endpoint is necessary for integration with external messaging services. Authentication is handled through the use of unique webhook keys. | 
| All logout endpoints | Logout endpoints must remain publicly accessible so users can securely end their sessions from any network location. |