When making async requests with the Data API, or listening for status change events with the Payments API, you may want to verify the identity of requests sent to your
We are unable to share IP addresses because we do not use fixed blocks of IP addresses due to our infrastructure being elastic in nature.
What to do next?
If you would like to whitelist calls from TrueLayer, you can do so by adding a unique query parameter to the webhook_uri that will allow you to identify anything that comes from TrueLayer. The example below shows the format in which you should structure your
For added security, you can add a signed JWT as a parameter on the webhook callback. Because you signed the token yourself, you can trust it once its signature verifies, and you can then decode it and check that its contents match what you set.
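One way to implement the signed-token check described above, as an added example that is not TrueLayer's code. The parameter name `token`, the claims `rid` and `exp`, the demo secret and the example.com URL are all assumptions, and the JWT is HS256 built with the Python standard library.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-secret"  # assumption: load from a secret store in practice

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, key: bytes = SECRET) -> str:
    """Build a compact HS256 JWT over the given claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def build_webhook_uri(base: str, request_id: str, ttl: int = 3600, now=None) -> str:
    """Attach a token bound to one request id and an expiry (hypothetical claims)."""
    now = int(time.time()) if now is None else now
    token = sign_token({"rid": request_id, "exp": now + ttl})
    sep = "&" if "?" in base else "?"
    return f"{base}{sep}{urlencode({'token': token})}"

def verify_callback(url: str, expected_request_id: str, key: bytes = SECRET, now=None) -> bool:
    """Accept a callback only if its token verifies and matches what we set."""
    now = int(time.time()) if now is None else now
    values = parse_qs(urlparse(url).query).get("token", [])
    if len(values) != 1:  # missing or duplicated parameter
        return False
    parts = values[0].split(".")
    if len(parts) != 3:
        return False
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    try:
        # Check the signature in constant time before trusting any content.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return False
        claims = json.loads(_unb64(body))
        return (claims.get("rid") == expected_request_id
                and isinstance(claims.get("exp"), int) and claims["exp"] > now)
    except (ValueError, TypeError, AttributeError):
        return False
```

Because the token travels in the URL, it can end up in access logs, so keep its lifetime short and bind it to a single request as done here.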