Default-deny network gate for non-portal API consumers. Each scope has its own CIDR allowlist. Portal users authenticated via Entra are not gated by this list — they can reach portal endpoints from any IP. Agents are gated by mTLS (cert), not IP. The lists below apply to: HCM webhooks, manager email links, monitoring tools, and per-tenant CSV ingest sources. Any IP not on the relevant scope's list is blocked when STRICT_AUTH_ENABLED=true.
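A sketch of the per-scope gate described above, as an added example that is not the product's own code. The scope names, the CIDR ranges (documentation ranges) and the `gate` function are assumptions, as is the choice to let an unlisted IP through with a "would block" reason when STRICT_AUTH_ENABLED is off.

```python
import ipaddress

# Constructed sample allowlists: scope names and CIDRs are assumptions
# (RFC 5737 / RFC 3849 documentation ranges), not values from the page.
ALLOWLISTS = {
    "hcm_webhook": ["203.0.113.0/24"],
    "manager_email_link": ["198.51.100.0/25", "2001:db8:10::/48"],
    "monitoring": ["192.0.2.10/32"],
    "csv_ingest:tenant-a": ["198.51.100.200/32"],
}

def _normalize(ip_text):
    """Parse the peer address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def gate(scope, peer_ip, strict_auth_enabled, allowlists=ALLOWLISTS):
    """Return (allowed, reason) for a non-portal request.

    peer_ip should be the connection's peer address (or the value set by a
    trusted proxy), not a client-supplied header. Portal (Entra) and agent
    (mTLS) requests are assumed to be routed around this check, since the
    page says they are not IP-gated.
    """
    try:
        ip = _normalize(peer_ip)
    except ValueError:
        listed, reason = False, "unparseable peer address"
    else:
        # A scope with no entry gets an empty list, so it denies everything.
        nets = [ipaddress.ip_network(c, strict=True)
                for c in allowlists.get(scope, [])]
        listed = any(ip.version == n.version and ip in n for n in nets)
        reason = "on allowlist" if listed else "not on scope allowlist"
    if listed:
        return True, reason
    if not strict_auth_enabled:
        # Assumed non-strict behaviour: allow, but report what strict would do.
        return True, "would block (" + reason + "), STRICT_AUTH_ENABLED is off"
    return False, reason
```

An IP listed for one scope is still denied on another, which is the property worth testing before switching STRICT_AUTH_ENABLED on.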