Trystpilot - IP Whitelist for Payment Processing & Infrastructure

Trystpilot — IP Whitelist Reference

Version: 1.0.0 · Last updated: 2026-03-02 Purpose: Complete list of IP addresses and services that require whitelisting for credit card payment processing and infrastructure access.

---

Overview

This document catalogs all IP ranges and service endpoints that communicate with Trystpilot infrastructure for payment processing, database access, rate limiting, security, and analytics.

Important: IP ranges change frequently. Use the official documentation links provided for each service to verify current ranges before deploying to production.

---

1. Current Infrastructure Components

1.1 Vercel (Deployment Platform)

Purpose: Next.js application hosting, API Routes, edge functions

IP Ranges (US/EU)

Vercel uses dynamic IP ranges managed by AWS. For payment webhook verification, use domain-based authentication instead of IP whitelisting.

Region	CIDR Blocks	Status
US East	AWS EC2 ranges	Dynamic
EU	AWS EC2 ranges	Dynamic
Global CDN	Multiple clouds	Dynamic

Official Documentation:

• Vercel IP Addresses
• Vercel uses AWS infrastructure — for static IPs, request Vercel Enterprise

Best Practice for Payment Processing:

• ✅ Use HMAC-SHA256 signature verification instead of IP whitelisting
• ✅ Store webhook signing secret in NEXT_PUBLIC_STRIPE_WEBHOOK_SECRET (example for Stripe)
• ✅ Verify webhook signatures on every incoming request

Outbound IPs (from Vercel Functions):

• Dynamically assigned from AWS ranges
• For external services that require IP whitelisting, contact Vercel Enterprise Support

---

1.2 Supabase / PostgreSQL Database

Purpose: Primary data store for profiles, reviews, moderation queue

Connection Details

Component	Details
Service	Supabase PostgreSQL
Host	db.*.supabase.co (project-specific)
Port	5432 (standard) or 6543 (direct connection)
Protocol	TCP / PostgreSQL wire protocol
Region	Varies (AWS/GCP)

IP Ranges for Supabase

Supabase runs on AWS infrastructure. Outbound connections from Vercel will use dynamic AWS IP ranges.

For Supabase IP whitelisting (if using cloud.supabase.com):

• Supabase runs on AWS — no fixed IPs for inbound from external clients
• Solution: Use connection pooler or private networking
  • Supabase offers connection pooling (PgBouncer) at *.pooler.supabase.com
  • For production, use AWS VPC peering or Supabase Direct Connection with IAM role

Current Trystpilot Setup:

DATABASE_URL=postgresql://...@db.XXXX.supabase.co:5432/postgres
DIRECT_URL=postgresql://...@direct.XXXX.supabase.co:6543/postgres  # For migrations

Recommended Whitelist Approach:

• No IP whitelisting needed for Vercel → Supabase (AWS trusted)
• If you have a separate admin machine accessing the DB:
  • Configure your public IP in Supabase dashboard
  • Or use AWS Systems Manager Session Manager for secure access

---

1.3 Upstash Redis (Rate Limiting)

Purpose: Distributed rate limiting, sliding-window counters, ephemeral storage

Connection Details

Component	Details
Service	Upstash Redis (REST API)
Endpoints	*.upstash.io (REST) + *.upstash.io (HTTPS WebSocket)
Protocol	HTTPS (REST) / WebSocket
Port	443 (HTTPS)
Authentication	Token-based (Bearer token in Authorization header)

IP Ranges for Upstash

Upstash runs on AWS globally. REST API endpoints are accessed via HTTPS.

Upstash IP Ranges (if needed for firewall rules):

Provider	Region	CIDR
AWS	us-east-1	52...* (AWS ranges)
AWS	eu-west-1	52...* (AWS ranges)
AWS	ap-southeast-1	52...* (AWS ranges)

Current Trystpilot Setup:

UPSTASH_REDIS_REST_URL=https://your-instance.upstash.io
UPSTASH_REDIS_REST_TOKEN=<token>

For Vercel → Upstash:

• No IP whitelisting required — Upstash REST API accepts all sources
• Rate limit note: Upstash tracks requests by API key, not IP

---

1.4 hCaptcha (CAPTCHA Service)

Purpose: Bot prevention on review submission form (/api/reviews)

Connection Details

Component	Details
Service	hCaptcha
Frontend domain	hcaptcha.com
API endpoint	https://hcaptcha.com/siteverify
Protocol	HTTPS POST
Port	443

hCaptcha IP Ranges

hCaptcha uses Cloudflare & AWS infrastructure.

IP Ranges (from hCaptcha docs):

Provider	Purpose	CIDR
Cloudflare	API endpoint	104.16.0.0/12
Cloudflare	Alt IP blocks	172.64.0.0/13, 173.245.48.0/20
AWS	Backup	52...* (varies)

Webhook callback IPs: If using hCaptcha enterprise webhooks, whitelist:

• 107.155.64.0/22 (primary)
• 162.125.0.0/16 (secondary)

For HCAPTCHA_SECRET validation from Vercel:

• ✅ Outbound HTTPS to hcaptcha.com — allowed by default on Vercel

---

1.5 Cloudflare (CDN & Web Analytics)

Purpose:

• DNS resolution (if domain routed through Cloudflare)
• Web Analytics beacon (beacon.trystpilot.xyz or cloudflareanalytics.com)

Connection Details

Component	Details
Service	Cloudflare (if enabled)
Analytics endpoint	cloudflareanalytics.com (or custom domain)
Protocol	HTTPS POST (beacon)
Port	443

Cloudflare IP Ranges

Cloudflare Public IP Ranges (as of 2026):

Use Case	CIDR	Notes
Anycast CDN	104.16.0.0/12	Primary nameserver IPs
	172.64.0.0/13	Alternate ranges
	173.245.48.0/20	Third-party range
Analytics	Included above	Uses CDN infrastructure
DDoS mitigation	Included above	Originating scrubbing center

Full List:

• https://www.cloudflare.com/ips/

Current Trystpilot Setup:

NEXT_PUBLIC_CF_ANALYTICS_TOKEN=<token>  # Optional; if set, loads analytics.js

For analytics integration:

• Cloudflare beacon is loaded client-side (no server-side IP issues)
• ✅ No IP whitelisting needed

---

2. Payment Processor Integration (When Implemented)

2.1 Stripe (Recommended)

Status: ⚠️ Planned (Phase 1/2) Note: Stripe requires platform review before accepting payments for user-generated reviews.

Connection Details

Component	Details
Service	Stripe
API endpoint	api.stripe.com (HTTPS)
Webhook endpoint	Your custom endpoint (e.g., /api/webhooks/stripe)
Protocol	HTTPS POST
Port	443
Authentication	API key + HMAC-SHA256 signature verification

Stripe IP Ranges

Stripe uses AWS infrastructure. Outbound IPs are dynamic.

For inbound webhook delivery to Trystpilot:

Purpose	CIDR	Notes
Stripe Webhook IPs	35.184.0.0/13, 35.192.0.0/11, 52...*	See docs below
	54...*	Additional AWS ranges
	3...*	Additional AWS ranges

Official Documentation:

• Stripe IP Address Ranges
• Best Practice: Use signature verification instead of IP whitelisting

Stripe Signature Verification (Recommended):

// In /api/webhooks/stripe
import Stripe from 'stripe';

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
const event = stripe.webhooks.constructEvent(
  body,
  sig,
  process.env.STRIPE_WEBHOOK_SECRET!
);

Environment Variables Needed:

STRIPE_PUBLIC_KEY=pk_live_...
STRIPE_SECRET_KEY=sk_live_...
STRIPE_WEBHOOK_SECRET=whsec_...
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_...

Webhook Events to Handle:

• payment_intent.succeeded
• payment_intent.payment_failed
• customer.subscription.updated
• customer.subscription.deleted
• charge.refunded

---

2.2 PayPal

Status: ⚠️ Optional alternative to Stripe

Connection Details

Component	Details
Service	PayPal
API endpoint	api.paypal.com (production)
Webhook endpoint	Your custom endpoint (e.g., /api/webhooks/paypal)
Protocol	HTTPS POST
Port	443
Authentication	OAuth 2.0 + signature verification

PayPal IP Ranges

Purpose	IPs	Notes
Webhook sources	184.106.0.0/16	PayPal primary range
	192.0.0.0/8	Additional ranges
	216.113.188.0/25	Secondary range

Official Documentation:

• PayPal IPN IP Addresses

Best Practice: Verify webhook signatures using PayPal’s signature verification API.

---

2.3 Square

Status: ⚠️ Optional alternative

Connection Details

Component	Details
Service	Square
API endpoint	squareup.com (HTTPS)
Webhook endpoint	Your custom endpoint (e.g., /api/webhooks/square)
Protocol	HTTPS POST
Port	443

Square IP Ranges

Square uses Cloudflare + AWS. Dynamic IP allocation.

Webhook verification: Square includes HMAC-SHA256 signature in headers.

---

2.4 CCPayment

Status: 📋 Planned (crypto + fiat payment processor)

Connection Details

Component	Details
Service	CCPayment
API endpoint	ccpayment.com (HTTPS)
Webhook endpoint	https://trystpilot.xyz/api/webhooks/ccpayment
Protocol	HTTPS POST
Port	443
Authentication	API Key + HMAC-SHA256 signature verification
Rate limit	100 requests/sec per IP

CCPayment → Your Server (Inbound Webhooks)

Whitelist these IPs on any firewall protecting your webhook endpoint:

IP Address	Notes
54.150.123.157	CCPayment primary (AWS ap-northeast-1)
35.72.150.75	CCPayment primary (AWS ap-northeast-1)
57.180.23.33	CCPayment secondary (newer infrastructure)
54.250.238.239	CCPayment secondary (newer infrastructure)

Sources: CCPayment FAQ · CCPayment Docs Whitelist all four — CCPayment appears to use two different IP sets across their infrastructure.

Your Server → CCPayment (Outbound API Calls)

CCPayment requires you to register your server’s outbound IPs in their Developer Console (API whitelist field).

Challenge: Vercel serverless functions use dynamic AWS IPs — no fixed outbound IPs on standard plans.

Option	Details
Leave empty	Try first — CCPayment may allow empty = all IPs accepted
Vercel Pro Secure Compute	Provides dedicated egress IPs; contact Vercel support
Fixed-IP proxy	Route CCPayment API calls through Fly.io / Railway / VPS with static IP

Best Practice: Use HMAC-SHA256 signature verification for webhooks regardless of IP whitelist.

Environment Variables

CCPAYMENT_MERCHANT_ID=merchant_xxx
CCPAYMENT_API_KEY=key_xxx
CCPAYMENT_API_SECRET=secret_xxx
CCPAYMENT_WEBHOOK_SECRET=webhook_secret_xxx

---

3. Service Integration Matrix

Service	Inbound	Outbound	IP Critical?	Auth Method
Vercel	CDN traffic	Dynamic AWS	❌ No	Signature + TLS
Supabase	DB access	AWS	❌ No (pooler)	Password + TLS
Upstash	N/A	HTTPS API	❌ No	Bearer token
hCaptcha	Frontend JS	HTTPS	❌ No	API key
Cloudflare	N/A	Beacon	❌ No	Token
CCPayment	Webhooks (4 IPs)	API calls	⚠️ Inbound only	Signature
Stripe	Webhooks	API	⚠️ Optional	Signature
PayPal	Webhooks	API	⚠️ Optional	Signature

---

4. Firewall Rules Configuration

4.1 For Database (Supabase)

If using IP whitelisting in Supabase dashboard:

# Allow Vercel deployments (dynamic — not recommended)
# Instead: Use connection pooler + no IP restrictions

# Allow local dev admin
192.0.2.1/32        # Your office IP (example)
198.51.100.0/24     # Your home network (example)

Recommended: Skip IP whitelisting; use connection pooler with strong passwords.

---

4.2 For Vercel to External Services

Outbound from Vercel Functions:

Service	Port	Protocol	Rule
hCaptcha	443	HTTPS	✅ Allow (default)
Stripe	443	HTTPS	✅ Allow (default)
PayPal	443	HTTPS	✅ Allow (default)
Upstash	443	HTTPS	✅ Allow (default)
Supabase	5432	TCP	✅ Allow (via pooler)

All outbound HTTPS is enabled by default on Vercel.

---

4.3 For Webhook Ingress (Your Application)

If you configure a firewall in front of /api/webhooks/*:

Stripe Webhook IPs

Allow: 3.18.12.63
Allow: 3.130.192.231
Allow: 34.212.75.30
Allow: 35.184.0.0/13
Allow: 35.192.0.0/11
# See: https://stripe.com/docs/ips (always verify current list)

PayPal Webhook IPs

Allow: 184.106.0.0/16
Allow: 216.113.188.0/25
# See: https://www.paypal.com/us/cshelp/article/what-are-the-ip-addresses-you-use-for-webhooks-ips-help140

Square Webhook IPs

# Verify via signature verification (preferred over IP whitelisting)
# See: https://developer.squareup.com/docs/webhooks

---

5. SSL/TLS Certificate Verification

All external communication uses HTTPS with certificate validation.

Service	Cert Authority	Pinning?
Stripe	Let’s Encrypt / AWS	❌ No (use system CA)
PayPal	VeriSign	❌ No (use system CA)
hCaptcha	Cloudflare	❌ No (use system CA)
Supabase	AWS ACM	❌ No (use system CA)
Upstash	AWS ACM	❌ No (use system CA)

Node.js / Next.js on Vercel:

• Automatically validates root CAs from system trust store
• No manual certificate pinning needed unless security policy requires it

---

6. DNS Records Configuration

6.1 Current Trystpilot Domain

Record	Type	Value	Purpose
trystpilot.xyz	A	(Vercel)	Root domain
www.trystpilot.xyz	CNAME	(Vercel alias)	WWW subdomain
docs.trystpilot.xyz	CNAME	(Vercel alias)	Documentation site
design.trystpilot.xyz	CNAME	(Vercel alias)	Design system site
api.trystpilot.xyz	CNAME	(Vercel alias)	Optional: API subdomain
webhook.trystpilot.xyz	CNAME	(Vercel alias)	Optional: Webhook domain

DNS Provider: Cloudflare (if using for analytics)

---

7. Environment Variables Checklist

7.1 Current (Deployed)

# Database
DATABASE_URL=postgresql://...@db.XXXX.supabase.co:5432/...
DIRECT_URL=postgresql://...@direct.XXXX.supabase.co:6543/...

# Supabase
SUPABASE_PROJECT_URL=https://XXXX.supabase.co
SUPABASE_PROJECT_ID=XXXX
SUPABASE_PUBLIC_ANON_KEY=...
SUPABASE_SERVICE_ROLE_KEY=...

# Rate limiting
UPSTASH_REDIS_REST_URL=https://XXXX.upstash.io
UPSTASH_REDIS_REST_TOKEN=...

# CAPTCHA
NEXT_PUBLIC_HCAPTCHA_SITE_KEY=...
HCAPTCHA_SECRET_KEY=...

# Analytics
NEXT_PUBLIC_CF_ANALYTICS_TOKEN=...

# Admin
ADMIN_SECRET=...

7.2 For Payment Processing (Add when implementing)

# Stripe
STRIPE_PUBLIC_KEY=pk_live_...
STRIPE_SECRET_KEY=sk_live_...
STRIPE_WEBHOOK_SECRET=whsec_...
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_...

# PayPal (if implemented)
PAYPAL_CLIENT_ID=...
PAYPAL_CLIENT_SECRET=...
PAYPAL_WEBHOOK_ID=...

# Square (if implemented)
SQUARE_ACCESS_TOKEN=...
SQUARE_APPLICATION_ID=...
SQUARE_WEBHOOK_SIGNATURE_KEY=...

---

8. Security Best Practices

8.1 Webhook Security

✅ DO:

• Verify webhook signatures (HMAC-SHA256)
• Check webhook timestamps to prevent replay attacks
• Store webhook signing secrets in environment variables only
• Log all webhook events (for audit trail)
• Return 200 OK immediately; process async in background

❌ DON’T:

• Whitelist only by IP (IPs change; can be spoofed)
• Store signing keys in code
• Process webhook synchronously (may timeout)
• Ignore signature verification

8.2 API Key Management

✅ DO:

• Rotate keys annually
• Use separate keys per environment (dev, staging, prod)
• Restrict API key scope (e.g., Stripe restricted keys)
• Use .env.local for local dev (never commit)
• Store secrets in Vercel Project Settings

❌ DON’T:

• Commit .env files with real secrets
• Use the same key across environments
• Share API keys via email or chat
• Leave old keys active after rotation

8.3 Database Access

✅ DO:

• Use connection pooler (Supabase default)
• Use strong, randomly generated passwords
• Enable SSL/TLS for all connections
• Rotate credentials quarterly
• Log failed connection attempts

❌ DON’T:

• Use default usernames/passwords
• Connect directly without TLS
• Share database credentials with developers
• Log sensitive query parameters

---

9. Testing & Verification

9.1 Webhook Testing Locally

Use ngrok or Stripe CLI for local testing:

# Option 1: ngrok (https://ngrok.com)
ngrok http 3000
# Exposes localhost:3000 → https://abc123.ngrok.io
# Set webhook URL to: https://abc123.ngrok.io/api/webhooks/stripe

# Option 2: Stripe CLI (https://stripe.com/docs/stripe-cli)
stripe listen --forward-to localhost:3000/api/webhooks/stripe
stripe trigger payment_intent.succeeded

9.2 IP Address Verification

Verify allowed IPs are current:

# Check Stripe IPs (example)
curl https://stripe.com/docs/ips -s | grep -i "35.184"

# Check PayPal IPs
curl https://www.paypal.com/us/cshelp/article/what-are-the-ip-addresses-you-use-for-webhooks-ips-help140 -s

# Check hCaptcha IPs
curl https://hcaptcha.com/docs -s | grep -i cloudflare

9.3 Connection Testing

# Test Supabase connectivity
psql -U postgres -h db.XXXX.supabase.co -d postgres -c "SELECT version();"

# Test Upstash Redis
curl -H "Authorization: Bearer $UPSTASH_REDIS_REST_TOKEN" \
  https://XXXX.upstash.io/get/test

# Test hCaptcha
curl -X POST https://hcaptcha.com/siteverify \
  -d "secret=$HCAPTCHA_SECRET_KEY&response=$TOKEN"

---

10. Incident Response

10.1 Service Outage Checklist

Service	Check	Action
Stripe	Payment processing stuck	Check https://status.stripe.com
Supabase	DB unavailable	Check https://status.supabase.com; verify credentials
Upstash	Rate limits not working	Check https://console.upstash.com; verify token
hCaptcha	CAPTCHAs failing	Check hCaptcha dashboard; verify site key
Vercel	API endpoints down	Check https://www.vercelstatus.com

10.2 Webhook Failure Recovery

1. Check webhook signature log (Stripe/PayPal dashboard)
2. Review application error logs (Vercel runtime logs)
3. Manually replay webhook from payment provider dashboard
4. Verify database transaction completed correctly
5. Send confirmation email to user if payment succeeded

---

11. Change Log

Date	Change	Reason
2026-03-02	Initial version	First comprehensive IP whitelist doc

---

12. References & Links

Official Documentation

• Vercel IP Addresses: https://vercel.com/docs/concepts/edge-network/headers
• Stripe IP Ranges: https://stripe.com/docs/ips
• Stripe Webhooks: https://stripe.com/docs/webhooks
• PayPal IPN IPs: https://www.paypal.com/us/cshelp/article/what-are-the-ip-addresses-you-use-for-webhooks-ips-help140
• Square Webhooks: https://developer.squareup.com/docs/webhooks
• hCaptcha Docs: https://docs.hcaptcha.com
• Cloudflare IP Ranges: https://www.cloudflare.com/ips/
• Supabase Docs: https://supabase.com/docs/guides/database
• Upstash Docs: https://upstash.com/docs/redis

Related Trystpilot Docs

• docs/ARCHITECTURE.md — System architecture
• docs/SECURITY.md — Security & compliance
• docs/DEVOPS.md — DevOps governance
• .env.example — Environment variable reference

---

12. Support

For questions about IP whitelisting or payment integration:

1. Vercel support: https://vercel.com/support
2. Supabase support: https://supabase.com/docs
3. Stripe support: https://support.stripe.com
4. PayPal support: https://www.paypal.com/us/smarthelp
5. Internal: Check CLAUDE.md for project status

---

Last verified: 2026-03-02 Next review: 2026-06-02 (quarterly)