Setting Up a Domain or IP Address Allowlist

Before you begin integrating with the PayNearMe platform, you will need to add paynearme.com on the appropriate port, or add PayNearMe's static server IP addresses, to your system's allowlist. Additionally, you'll want to add the IP addresses for PayNearMe's enhanced Content Delivery Network (CDN) solution using Fastly. As a best practice, we recommend one of the following solutions:

A. If you have a web application layer firewall (WAF), such as AWS WAF, F5 WAF, or Cloudflare WAF, you should allowlist via domain (preferred).

B. If you have a network firewall (IP address only), update the allowlist to include the PNM static server IP addresses and the Fastly IP addresses listed below.

📘

PayNearMe Allowlist

PayNearMe's preferred allowlist configuration is via the paynearme.com and paynearme-sandbox.com domains. PayNearMe does NOT restrict inbound or response IPs.

Production IPs

| Product | Domain + Port | IP Addresses |
| --- | --- | --- |
| API Calls | Allow HTTPS Port 443 from Your Server to api.paynearme.com | |
| API Callback Webhooks | Allow HTTPS Port 443 from paynearme.com to Your Server Endpoint | 52.73.199.135, 18.236.19.74, 52.73.193.175, 52.27.253.6 |
| Business Portal | Allow HTTPS Port 443 from Your Workstations to paynearme.com | Agent workstations need to be able to communicate over HTTPS Port 443 to paynearme.com and access the Fastly IP Addresses. |
| SFTP Access | Allow SFTP Port 22 from Your Server to files.paynearme.com | |

Sandbox IPs

| Product | Port | IP Addresses |
| --- | --- | --- |
| API Calls | Allow HTTPS Port 443 from Your Server to api.paynearme-sandbox.com | |
| API Callback Webhooks | Allow HTTPS Port 443 from paynearme-sandbox.com to Your Server Endpoint | 52.86.94.202, 52.73.80.135, 52.4.121.158, 52.86.169.172, 52.5.196.244 |
| Business Portal | Allow HTTPS Port 443 from Your Workstations to paynearme-sandbox.com | Agent workstations need to be able to communicate over HTTPS Port 443 to paynearme-sandbox.com and access the Fastly IP Addresses. |

SFTP-Supported Configuration

| Decryption Method | Data |
| --- | --- |
| Ciphers | aes256-ctr |
| Kex Algorithms | curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 |
| MACs | [email protected],[email protected],hmac-sha2-512,hmac-sha2-256 |

Fastly IPs

🚧

Updated IP List

To ensure you have the most updated list of Fastly IP addresses, please copy and paste the list provided by Fastly here to your network and firewall rules. While we make every effort to ensure the list displayed below is kept updated, using the dynamic list provided directly from Fastly will ensure your service remains uninterrupted.

{
  "addresses": [
    "23.235.32.0/20",
    "43.249.72.0/22",
    "103.244.50.0/24",
    "103.245.222.0/23",
    "103.245.224.0/24",
    "104.156.80.0/20",
    "140.248.64.0/18",
    "140.248.128.0/17",
    "146.75.0.0/17",
    "151.101.0.0/16",
    "157.52.64.0/18",
    "167.82.0.0/17",
    "167.82.128.0/20",
    "167.82.160.0/20",
    "167.82.224.0/20",
    "172.111.64.0/18",
    "185.31.16.0/22",
    "199.27.72.0/21",
    "199.232.0.0/16"
  ],
  "ipv6_addresses": [
    "2a04:4e40::/32",
    "2a04:4e42::/32"
  ]
}
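The following added example, which is not PayNearMe's or Fastly's code, audits a firewall allowlist against a list in the JSON shape shown above and reports published ranges that are not yet allowed and local rules that are no longer published. The sample data, `LOCAL_RULES` and the function names are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the same shape as the Fastly list shown above
# (shortened to a few ranges; use the current published document in practice).
PUBLISHED_JSON = """
{"addresses": ["23.235.32.0/20", "151.101.0.0/16", "199.232.0.0/16"],
 "ipv6_addresses": ["2a04:4e40::/32"]}
"""

# Constructed local firewall allowlist: one published range split into
# two halves, one published range missing, and one stale entry.
LOCAL_RULES = ["23.235.32.0/21", "23.235.40.0/21", "151.101.0.0/16",
               "198.51.100.0/24", "2a04:4e40::/32"]


def parse_published(doc):
    """Return every IPv4 and IPv6 network from the published JSON."""
    data = json.loads(doc)
    cidrs = data.get("addresses", []) + data.get("ipv6_addresses", [])
    return [ipaddress.ip_network(c) for c in cidrs]


def audit_allowlist(published, local_cidrs):
    """Compare local rules with the published list.

    missing: published ranges not fully covered by the local rules.
    stale:   local rules that lie outside every published range.
    """
    local = [ipaddress.ip_network(c) for c in local_cidrs]
    # Merge adjacent local rules per IP version so that a published
    # range covered by several smaller rules still counts as covered.
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(
            n for n in local if n.version == version)
    missing = [str(p) for p in published
               if not any(p.version == m.version and p.subnet_of(m)
                          for m in merged)]
    stale = [str(n) for n in local
             if not any(n.version == p.version and n.subnet_of(p)
                        for p in published)]
    return missing, stale
```

Run this on a schedule and alert when either list is non-empty: a missing range can block Business Portal traffic, and a stale rule leaves the allowlist wider than the published list requires.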

Required TLS Settings

To ensure secure communication and protect data in transit, all clients connecting to our APIs must meet the following Transport Layer Security (TLS) requirements:

Minimum TLS Version

  • TLS 1.2 or higher is required
  • TLS 1.0 and 1.1 are not supported

Deprecated Cipher Suites

Connections using the following will be rejected:

  • SSL/TLS protocols below TLS 1.2
  • Cipher suites using:
    • RSA key exchange without PFS
    • SHA-1 or MD5 hashes
    • Block ciphers without AEAD (e.g., CBC without GCM)

Cipher Suite Requirements for Clients

  • Ensure your client libraries (e.g., OpenSSL, Java, curl) are up to date
  • Validate that your system negotiates TLS 1.2+ with modern cipher support according to Fastly’s TLS Guidelines
  • Avoid hardcoding legacy ciphers or TLS versions

The following ciphers are supported on TLS 1.2, the minimum standard version of TLS supported by Fastly.

| RFC Cipher Name | openssl Cipher Name |
| --- | --- |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-RSA-CHACHA20-POLY1305 |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-ECDSA-CHACHA20-POLY1305 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 |

For full compatibility details, refer to Fastly’s TLS configuration guide.

👍

Security Checkup

For a step-by-step guide on how to check your site's TLS version and cipher suites, see Reviewing Your TLS Version and Cipher Suites.