SePay IP Addresses

List of IP addresses used by SePay to send webhooks, IPN callbacks, and other outbound connections to your systems. Add these IPs to your firewall allowlist to ensure you receive notifications from SePay.


SePay uses the IP addresses listed below to send outbound connections to your systems. These connections include:

  • Webhooks — Real-time transaction notifications
  • IPN (Instant Payment Notification) — Payment notifications from Payment Gateway and BankHub
  • Other callbacks — All connections from SePay to your server

If your system uses a firewall or any IP filtering mechanism, you must add all IP addresses below to your allowlist (whitelist) to ensure you receive notifications from SePay.


IP Address List

172.236.138.20
172.233.83.68
171.244.35.2
151.158.108.68
151.158.109.79
103.255.238.139

Important

You must allowlist all IP addresses above. SePay may send requests from any IP in this list. The IP list may be updated in the future — check this page periodically or follow announcements from SePay.


Firewall Configuration

If you need to configure your firewall, allow inbound connections from the IPs above to the port your server listens on (typically port 443 for HTTPS).

HTTPS Required

Your webhook and IPN URLs must use HTTPS. SePay does not send requests to unencrypted HTTP URLs.

Configuration Examples

iptables (Linux):

# Allow connections from SePay to port 443
iptables -A INPUT -s 172.236.138.20 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -s 172.233.83.68 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -s 171.244.35.2 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -s 151.158.108.68 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -s 151.158.109.79 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -s 103.255.238.139 -p tcp --dport 443 -j ACCEPT

Nginx (allow directive):

# In the location block that receives webhooks
location /webhook {
    allow 172.236.138.20;
    allow 172.233.83.68;
    allow 171.244.35.2;
    allow 151.158.108.68;
    allow 151.158.109.79;
    allow 103.255.238.139;
    deny all;

    proxy_pass http://your_backend;
}

Verifying Request Origin

In addition to IP filtering, SePay recommends using the following authentication methods:

  • API Key — SePay sends an Authorization: Apikey YOUR_API_KEY header with every request. Verify this header to confirm the request is from SePay.
  • OAuth 2.0 — For integrations requiring higher security levels.

Combining IP filtering with API Key/OAuth 2.0 authentication provides two layers of security for your system.
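
The two layers described above, as an added Python example that is not SePay's code: it checks the source address against the IP list on this page, then checks the Authorization: Apikey header in constant time. The function names, the 127.0.0.1 trusted-proxy address and the use of X-Forwarded-For (which assumes Nginx is configured with proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for) are assumptions, not part of SePay's documentation.

```python
import hmac
import ipaddress

# IPs copied from the list on this page; keep in sync with SePay's published list.
SEPAY_IPS = frozenset(ipaddress.ip_address(a) for a in (
    "172.236.138.20", "172.233.83.68", "171.244.35.2",
    "151.158.108.68", "151.158.109.79", "103.255.238.139",
))
# Assumption: the only reverse proxy in front of the app is a local Nginx.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("127.0.0.1")})


def source_ip(peer, forwarded_for=None):
    """Return the address to check: the TCP peer, unless the peer is a
    trusted proxy, in which case the right-most X-Forwarded-For hop."""
    try:
        addr = ipaddress.ip_address(peer)
        if addr in TRUSTED_PROXIES and forwarded_for:
            # Only the last hop was appended by our own proxy; earlier
            # entries are client-supplied and can be forged.
            addr = ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
        return addr
    except ValueError:
        return None


def api_key_ok(authorization, expected_key):
    """Check an 'Authorization: Apikey <key>' value in constant time."""
    scheme, _, presented = (authorization or "").strip().partition(" ")
    if scheme.lower() != "apikey":
        return False
    return hmac.compare_digest(presented.strip().encode(), expected_key.encode())


def verify_webhook(peer, headers, expected_key):
    """Return (http_status, reason); 200 only if both layers pass."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if source_ip(peer, hdrs.get("x-forwarded-for")) not in SEPAY_IPS:
        return 403, "source IP not in SePay allowlist"
    if not api_key_ok(hdrs.get("authorization"), expected_key):
        return 401, "missing or invalid API key"
    return 200, "ok"


if __name__ == "__main__":
    key = "test-key-constructed"  # constructed sample value
    print(verify_webhook("171.244.35.2", {"Authorization": f"Apikey {key}"}, key))
    print(verify_webhook("127.0.0.1", {"X-Forwarded-For": "171.244.35.2, 198.51.100.7",
                                       "Authorization": f"Apikey {key}"}, key))
```

The second call is rejected with 403: the left-most X-Forwarded-For entry is supplied by the client, so only the hop appended by the trusted proxy is compared against the allowlist.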