Showing results for 
Search instead for 
Did you mean: 

post ips uses for relay response

I am a developer currently trying to implement the SIM method on a server with high security settings.  Because of this I need to know a range or list of IP addresses I can expect to use when posting back transaction results using the relay response.


Is there anyone from that can give me the ips I need.  I imagine I can't be the only one that has had this problem, but I have failed to find anything for sure.  The best I could find searching online is [ authorize-net.allowed-ip= ].


I tried calling and they told me to send an email because they do not have this information.  I sent an email yesterday and will hopefully hear back soon today.




Unfortunately has failed to respond to my email sent about this issue in less than 24 hours.  They clearly state...


"..Customer Support will respond to your inquiry within 24 hours."




"Please allow 24 hours for a response."


This is the second email I have sent in hoping for a reply.  I never received a response to the first email I had sent.


We do not publish our IP range. Instead we recommend that you use our domain name as our IP range is not static and may change at any time without notice.



Thank you,



Trusted Contributor
Trusted Contributor

Elaine -


Thank you for the response, but your response does not make sense to me.  Are you saying you want our firewalls to do a reverse DNS on each request, then allow it if it's from or *  And if so, is that even possible?


Right now we are being hit by which doesn't even exist in DNS.



** server can't find NXDOMAIN

There is a way to control this without IP restriction. Make the return URL for the API to post to stored within your account and not in the script and attach a get code to the end like ?key=sey4hd56dh4567h568 and have your script detect if $_GET['key'] is set and if so if it matches the one you have as the authroized key and if not then just die(). Then people can post whatever they want to your script and only's API will get through to your actual functions for storing a valid payment.

I had this problem too. 


I block unauthorized users with the .htaccess script, so Idon't think the method that checks $_GET  for a key would work.


You can find out the (albeit temporary) ip address by checking your access.log to see which ip address comes in from after a transaction. Then just add that to your .htaccess ip exceptions to allow in without a username/password.


You'll have to monitor if/when the ip address changes. 


For me, the access log is located in /var/log/apache2/access.log. It might be in other log files as well.