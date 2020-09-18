If you have a look at this site - https://dns-lookup.com/microsoft.com - it will show you several IP addresses (A-records) which are all “microsoft.com”. You can look at other domain names on that web site and see what information they return. In this specific example, you see that there are five IP addresses that resolve to microsoft.com. If you look up subdomains (www, support, for example) and they have their own IP addresses, which are different from the first list.

So if you want to restrict access by domain name, you can’t necessarily restrict it to a single IP address.

Perhaps you could describe in more detail the exact scenario - where are you expecting your users to connect from? I don’t know what your project does - is it reasonable to presume that users will connect to you from the physical machine that resolves to their registered domain?

I suspect that there is a reason that very few APIs use IP addresses as part of their authentication process.