Skip to content

Handbook

Security

Protect your iplyt account and API keys like any production credential.

Account security

  • Use a strong, unique password.
  • Enable two-factor authentication (2FA) under Security — required for some roles by policy.
  • Review active sessions and sign out unused devices.

API keys

  • Create keys only on Professional or Enterprise plans.
  • Rotate keys periodically; revoke compromised keys immediately.
  • Never commit keys to git or expose them in client-side code.

See API keys.

Team access

Invite users with the minimum role needed. Custom roles (Enterprise) let you restrict billing, key management, and settings separately.

Data handling

IP addresses you submit for lookup may be personal data under GDPR. Ensure you have a lawful basis and document processing in your privacy policy.

iplyt does not sell lookup data. Aggregated usage metrics may appear in your dashboard.

Reporting issues

If you discover a security vulnerability, contact support with details. Do not post sensitive findings in public tickets.

Environment variables

For self-hosted or Docker deployments, configure secrets via environment variables — not committed .env files. The internal lookup service URL (IPLYT_API_BASE_URL) is server-only and must not be exposed to browsers.