API and Redirect allowlists

At a glance: Protect your AppsFlyer account by defining API and Redirect allowlists.

Overview

AppsFlyer gives you the option to set up 2 different types of allowlists:

  • The API allowlist limits the IP addresses from which API calls to your AppsFlyer account can originate, protecting your data from unauthorized access.
  • The Redirect allowlist defines the root domains and subdomains to which links you create via AppsFlyer (either with a OneLink method or single-platform attribution links) can be redirected, protecting your links from unauthorized redirects, phishing attacks, and fraud.

Note

The following characteristics apply to both the API and Redirect allowlists:

  • Only admins can access and manage the allowlists.
  • Use of the allowlists is optional, and both are inactive by default. 
  • Activation of an allowlist is at the account level and applies to all apps in the account.

Accessing the allowlists

To access the Allowlists page through the Security center:

  1. From the menu bar, access the user menu (email address drop-down).
  2. Select Security center.
  3. In the API and Redirect allowlists section, click Manage allowlists to open the Allowlists page.

API allowlists

Using the API allowlist, you create a list of specific IP addresses (or range of IP addresses) from which calls to your AppsFlyer account can be made. Once your allowlist is active, only API calls originating from those IP addresses will be permitted. API calls from all other IP addresses will be denied.

API allowlist specifications

  • To protect your account from unauthorized API calls, the allowlist must be set to Active and include at least one IP address or range.
  • The allowlist applies to all AppsFlyer APIs that use the V2.0 token. Calls from APIs that use the V1.0 API token will be permitted from all IP addresses.
  • Up to 20 IP addresses or ranges can be added to the allowlist.

Set up the API allowlist

To set up and activate the API allowlist:

  1. Navigate to the API allowlist section of the Allowlists page.
  2. Enter an IP address or range of IP addresses in standard format:
    • Examples: 192.168.1.1, 185.114.120.140
    • To enter a range of IP addresses, use this format: 185.114.120.1/32
      (where 185.114.120.1 is the first address in the range and 185.114.120.32 is the last address in the range).
  3. Click Apply.
  4. [Optional] Click + Add to add an additional IP address or range to the list.
  5. Click the Save list button.
  6. Set the allowlist to Active.

    Note: The allowlist must contain at least one IP address or range before you can save and activate it.
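
Before setting the list to Active, it is worth confirming that every address your API clients call from is covered, since calls from any other address are denied. The following is an added example, not AppsFlyer code: it reads a range the way step 2 describes it (first address, then the last octet of the final address), which is not CIDR prefix-length notation, assumes IPv4 only, and uses constructed sample addresses.

```python
import ipaddress

MAX_ENTRIES = 20  # limit stated on this page


def parse_entry(entry):
    """Return (first, last) for a single address or a range as this page describes it."""
    entry = entry.strip()
    if "/" not in entry:
        addr = ipaddress.IPv4Address(entry)
        return addr, addr
    first_text, last_octet_text = entry.split("/", 1)
    first = ipaddress.IPv4Address(first_text)
    last_octet = int(last_octet_text)
    if not 0 <= last_octet <= 255:
        raise ValueError(f"last octet out of range in {entry!r}")
    # Keep the first three octets; the value after the slash is the final octet.
    last = ipaddress.IPv4Address((int(first) & 0xFFFFFF00) | last_octet)
    if last < first:
        raise ValueError(f"range ends before it starts in {entry!r}")
    return first, last


def uncovered_sources(allowlist, egress_ips):
    """Return the egress addresses that no allowlist entry covers."""
    if not 1 <= len(allowlist) <= MAX_ENTRIES:
        raise ValueError("allowlist needs 1 to 20 entries")
    ranges = [parse_entry(e) for e in allowlist]
    missing = []
    for ip_text in egress_ips:
        ip = ipaddress.IPv4Address(ip_text)
        if not any(first <= ip <= last for first, last in ranges):
            missing.append(ip_text)
    return missing


# Constructed sample data: a planned allowlist and the addresses API clients call from.
PLANNED = ["192.168.1.1", "185.114.120.1/32"]
EGRESS = ["185.114.120.7", "185.114.120.32", "185.114.120.33", "192.168.1.1"]

if __name__ == "__main__":
    for ip in uncovered_sources(PLANNED, EGRESS):
        print(f"{ip} is not covered; V2.0-token calls from it would be denied once active")
```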

Edit the API allowlist

You can add or delete IP addresses from the allowlist at any time (whether or not the list is active).

To add an IP address or range:

  1. Navigate to the API allowlist section of the Allowlists page.
  2. Click + Add to add an IP address or range to the list.
  3. Enter an IP address or range.
  4. Click Apply.
  5. Be sure to save your changes by clicking the Save list button.

    Note: The list status (active or inactive) will not change when you save the list. Be sure to check the status of the Active toggle and activate/deactivate if necessary.

To delete an IP address or range:

  1. Navigate to the API allowlist section of the Allowlists page.
  2. Click the trash icon next to the IP address you want to delete.
  3. In the confirmation popup, click Delete.
  4. Be sure to save your changes by clicking the Save list button.

Redirect allowlists

Using the Redirect allowlist, you create a list of specific root domains and subdomains to which link redirection is allowed. Once your allowlist is active, links you create via AppsFlyer (either with a OneLink method or single-platform attribution links) only redirect users to web URLs if the domain is in your allowlist. Otherwise, users are sent to the app store.

Redirect allowlist specifications

  • To protect your links, the allowlist must be set to Active and include at least one domain.
  • Only root domains and subdomains are allowed, not specific paths. All paths within the specific root domain/subdomain are allowed. 
  • The allowlist affects all the links created via AppsFlyer, either with a OneLink method or single-platform attribution links, whether they were created before or after the allowlist was activated.
  • The allowlist supports and protects redirections for the following parameters:
    • af_r
    • af_web_dp
    • af_ios_url
    • af_android_url
  • Up to 50 domains/subdomains can be added to the allowlist.
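
Because an active allowlist also applies to links created earlier, existing links can be audited before activation to find redirect targets that would stop resolving to the web and fall back to the app store. The following is an added example, not AppsFlyer code: it assumes an entry matches only the exact host it names (this page does not say whether a root domain entry also covers its subdomains), and the link host and domains are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Redirect parameters this page lists as covered by the Redirect allowlist.
REDIRECT_PARAMS = ("af_r", "af_web_dp", "af_ios_url", "af_android_url")
MAX_DOMAINS = 50  # limit stated on this page


def normalize(host):
    """Lower-case a host name and drop a trailing dot so comparisons are stable."""
    return host.strip().lower().rstrip(".")


def redirect_hosts(link):
    """Return (parameter, host) for every redirect target carried in a link."""
    query = parse_qs(urlsplit(link).query)  # also percent-decodes the values
    found = []
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            host = urlsplit(value).hostname  # parsed host, never a substring match
            if host:
                found.append((name, normalize(host)))
    return found


def audit(links, allowlist):
    """Map each link to its redirect targets that are not allowlist entries."""
    if not 1 <= len(allowlist) <= MAX_DOMAINS:
        raise ValueError("allowlist needs 1 to 50 domains")
    allowed = {normalize(d) for d in allowlist}
    report = {}
    for link in links:
        blocked = [(p, h) for p, h in redirect_hosts(link) if h not in allowed]
        if blocked:
            report[link] = blocked
    return report


# Constructed sample data (assumption): placeholder link host and domains.
ALLOWLIST = ["example.com", "shop.example.com"]
LINKS = [
    "https://links.example.invalid/a1?af_r=https%3A%2F%2Fshop.example.com%2Fsale",
    "https://links.example.invalid/a2?af_web_dp=https%3A%2F%2Fexample.com.lookalike.test%2Flogin",
    "https://links.example.invalid/a3?af_android_url=https%3A%2F%2Fexample.com%40cdn.lookalike.test%2Fapk",
]

if __name__ == "__main__":
    for link, blocked in audit(LINKS, ALLOWLIST).items():
        for param, host in blocked:
            print(f"{link}: {param} -> {host} is not on the allowlist")
```

Comparing the parsed host rather than a prefix of the URL is what separates `shop.example.com` from lookalikes such as a host that merely begins with an allowed name or carries it in the userinfo part.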

Set up the Redirect allowlist

To set up and activate the Redirect allowlist:

  1. Navigate to the Redirect allowlist section of the Allowlists page.
  2. Enter a root domain or subdomain.
  3. Click Apply.
  4. [Optional] Click + Add to add an additional domain or subdomain to the list.
  5. Click the Save list button.
  6. Set the allowlist to Active.

    Note: The allowlist must contain at least one domain or subdomain before you can save and activate it.

Edit the Redirect allowlist

You can add or delete domains from the allowlist at any time (whether or not the list is active).

To add a domain:

  1. Navigate to the Redirect allowlist section of the Allowlists page.
  2. Click + Add to add an additional domain or subdomain to the list.
  3. Enter a root domain or subdomain.
  4. Click Apply.
  5. Be sure to save your changes by clicking the Save list button.

    Note: The list status (active or inactive) will not change when you save the list. Be sure to check the status of the Active toggle and activate/deactivate if necessary.

To delete a domain:

  1. Navigate to the Redirect allowlist section of the Allowlists page.
  2. Click the trash icon next to the domain you want to delete.
  3. In the confirmation popup, click Delete.
  4. Be sure to save your changes by clicking the Save list button.