API tokens are a secure method of authentication used to integrate WHM (Web Host Manager) with billing software like WHMCS (Web Host Manager Complete Solution). While they streamline operations, there's a risk of these tokens being exposed or misused if not properly secured. This article delves into the importance of restricting WHM API tokens by IP address, the potential risks of not doing so, and the steps to secure an existing API token.

The Risks of Unrestricted API Tokens: 

API tokens that are unrestricted can be used from any IP address, which poses a significant security risk. If a token is leaked or stored insecurely, unauthorized users could potentially gain access to sensitive reseller account operations. This could lead to unauthorized creation, modification, or deletion of hosting accounts, access to client data, and other malicious activities.

The Solution: 

Whitelist IPs for API Tokens: 

To mitigate these risks, WHM provides an option to restrict API token usage to specific IP addresses, commonly referred to as 'Whitelisting IPs'. This means that the API token will only be recognized and allowed if the request comes from a whitelisted IP address.

For WHMCS users, the IP address of the WHMCS server should be whitelisted. This ensures that only your WHMCS installation can use the token to communicate with WHM, significantly reducing the risk of unauthorized access.

How to Edit an Existing API Token for IP Restriction: 

If you have an existing API token that you wish to secure further by restricting its use to certain IP addresses, follow these steps:

  1. Log in to the WHM control panel.
  2. Navigate to "Home » Development » Manage API Tokens".
  3. Find the API token you wish to edit and click on the "Edit" option.
  4. In the 'Whitelist IPs' field, enter the IP addresses that you want to allow. For WHMCS, this will be the IP address of your WHMCS server.
  5. Save the changes to ensure that the API token can only be used from the specified IP addresses.


Restricting API tokens to specific IP addresses is a critical security measure for anyone using WHM with external billing software like WHMCS. It prevents unauthorized access and ensures that operations within WHM are performed only by trusted sources. Always remember to keep your API tokens confidential and to regularly review and update your IP whitelists to maintain optimal security.

For further assistance or if you encounter any issues while securing your API tokens, please reach out to our support team.