Inject client IP

Frontegg's rate limit policies ensure the reliability and performance of your application by preventing overloads and abuse. However, when all user requests originate from the same backend server IP, rate limits can be triggered unfairly, affecting multiple users at once.

The Inject Custom IP feature allows you to send the real IP address of each user along with your requests. This ensures that rate limits are calculated per user based on their unique IP, rather than the backend server's IP.


Follow these steps to inject custom IPs for your requests:

Step 1: Request feature access

You first need to submit a request to enable this feature for your account.

Step 2: Retrieve the shared secret

The shared secret is a security key that you’ll use to secure your requests to Frontegg. You can retrieve it using the Frontegg APIs.

  1. Use your environment token to make a GET request to the Get application client credentials API to retrieve the shared secret.

Important

Keep this shared secret safe as it is a secret key used for securing your communication.


  2. If the secret is empty or missing, you can regenerate it using a POST request to the Regenerate application shared secret API. Then, retrieve the shared secret again using the GET request.

Step 3: Add headers to your requests

Once you have the shared secret, you need to add four custom headers to each request sent to Frontegg:

  1. x-frontegg-headers-verifier: Set this header to the shared secret you retrieved in Step 2.
  2. x-frontegg-forwarded-for: Set this header to the real IP address of the user making the request (not the backend server’s IP).
  3. frontegg-vendor-id: Set this header to your unique vendor ID provided by Frontegg.
  4. frontegg-application-id: Set this header to your application ID provided by Frontegg.

Here's an example cURL request to the Signup user API:


curl -i -X POST \
  https://api.frontegg.com/identity/resources/users/v1/signUp \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'frontegg-application-id: <YOUR_APPLICATION_ID>' \
  -H 'frontegg-vendor-host: <YOUR_VENDOR_HOST>' \
  -H 'x-frontegg-headers-verifier: <YOUR_SHARED_SECRET>' \
  -H 'x-frontegg-forwarded-for: <REAL_USER_IP>' \
  -H 'frontegg-vendor-id: <YOUR_VENDOR_ID>' \
  -d '{
    "provider": "local",
    "metadata": "string",
    "email": "string",
    "name": "string",
    "profilePictureUrl": "string",
    "password": "string",
    "skipInviteEmail": true,
    "roleIds": [
      "string"
    ],
    "emailMetadata": {},
    "companyName": "string",
    "recaptchaToken": "string",
    "invitationToken": "string",
    "phoneNumber": "string"
  }'
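
The value you put in x-frontegg-forwarded-for is only useful if your backend derives it from a source the user cannot forge. The following is an added example, not Frontegg's code: it builds the four headers from Step 3 and takes the user IP from the incoming X-Forwarded-For header only when the connection comes from one of your own proxies. The function names and the `TRUSTED_PROXIES` range are assumptions made for illustration.

```python
import ipaddress

# Assumption: CIDR ranges of your own load balancers / reverse proxies (constructed sample).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, xff_header):
    """Pick the user's IP from the TCP peer address and the incoming X-Forwarded-For."""
    peer = ipaddress.ip_address(peer_ip)
    # Direct connection: X-Forwarded-For is client-controlled, so ignore it.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Right-most entries were appended by our proxies; walk left until the
    # first address that is not one of ours. Anything further left is unverified.
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: fall back to the peer address
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


def frontegg_headers(peer_ip, xff_header, shared_secret, vendor_id, application_id):
    """Build the four headers listed in Step 3 (hypothetical helper)."""
    if not shared_secret:
        raise ValueError("shared secret is empty or missing; see Step 2")
    return {
        "x-frontegg-headers-verifier": shared_secret,
        "x-frontegg-forwarded-for": resolve_client_ip(peer_ip, xff_header),
        "frontegg-vendor-id": vendor_id,
        "frontegg-application-id": application_id,
    }
```

Merge the returned dictionary into the headers of each request you send to Frontegg, and load the shared secret from a secret store rather than from source code.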