Many generative AI APIs, such as Vertex AI and Google AI Studio, allow you to restrict an API key or token to specific IP addresses. This is a useful security measure that prevents unauthorized use of your token from unknown locations. There have been cases of stolen tokens being used to run up large bills that were charged to the victims. Specifying which IPs may use a given token is good practice; I would call it almost necessary.

However, determining the correct IP address to allow can be confusing, especially when working from a laptop connected to Wi-Fi or behind a router. This guide explains how to find the correct IP on Windows in several common configurations.

Local Network (Private IP)

If your application communicates with a local service inside the same network, you may need the local private IP of your computer. This is not the address that Google's Vertex AI API sees.

Open Command Prompt or PowerShell and run:

ipconfig

Look for the active network adapter (Wi-Fi or Ethernet):

Example:

Wireless LAN adapter Wi-Fi

IPv4 Address . . . . . . . . . . : 192.168.1.23

Common private IP ranges:

  • 192.168.x.x

  • 10.x.x.x

  • 172.16.x.x – 172.31.x.x

These addresses work only inside your local network.

Public Internet IP (Most Important for API Restrictions)

Most API providers see the public IP address of your internet connection, not your local private address.

To get the public IP from PowerShell, run:

(Invoke-RestMethod "https://api.ipify.org").Trim()

Example output:

83.45.112.201

This is the IP address that external APIs see, and it is usually the one you must add to the API allowlist. The restriction is not enabled by default; you have to turn it on. Using an unrestricted generative AI API key from Google AI Studio is not a problem on the free tier, but once you move to a paid tier it is good practice to restrict the key to the IP that will actually use it: either the public IP of the internet connection of your Windows, Mac or Linux machine, or the IP of a VM running in the cloud. This limits an attacker's ability to misuse a stolen token from their own infrastructure.
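As an added example (not part of this guide), the following PowerShell script lists this machine's IPv4 addresses and flags which are private, fetches the public IP the same way as above, and reports whether it is already in a sample allowlist. The function names Test-PrivateIPv4, Get-PublicIPv4 and Test-AllowlistCoverage are my own, and the allowlist is constructed from the example output above.

```powershell
function Test-PrivateIPv4 {
    # Returns $true for addresses an API provider can never see as your source:
    # RFC 1918 ranges, CGNAT (100.64.0.0/10) and link-local (169.254.0.0/16).
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127) -or
            ($b[0] -eq 169 -and $b[1] -eq 254))
}

function Get-PublicIPv4 {
    # Same lookup the guide uses: the address the provider sees, not the LAN one.
    return (Invoke-RestMethod -Uri "https://api.ipify.org").Trim()
}

function Test-AllowlistCoverage {
    param(
        [Parameter(Mandatory)][string]$PublicIP,
        [Parameter(Mandatory)][string[]]$Allowlist
    )
    if (Test-PrivateIPv4 $PublicIP) {
        return "ERROR: $PublicIP is private/CGNAT; the provider never sees it, do not allowlist it"
    }
    if ($Allowlist -contains $PublicIP) {
        return "OK: $PublicIP is already allowlisted"
    }
    return "ACTION: add $PublicIP to the key's allowlist (current public IP is not covered)"
}

# Local adapter addresses: useful for LAN services, useless for the API allowlist.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    ForEach-Object {
        $kind = if (Test-PrivateIPv4 $_.IPAddress) { 'private' } else { 'public' }
        "{0,-24} {1,-16} {2}" -f $_.InterfaceAlias, $_.IPAddress, $kind
    }

# Constructed sample allowlist, taken from the guide's example output; replace it
# with the addresses configured on your key in the provider console.
$allowlist = @('83.45.112.201')
Test-AllowlistCoverage -PublicIP (Get-PublicIPv4) -Allowlist $allowlist
```

Running this before a deployment catches the common failure where a laptop's public IP has changed (new network, ISP reassignment) and API calls start failing with authorization errors.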

Good practices for production

  • Secret Management
    Keys are stored in secure vaults instead of source code.
    Examples: environment variables, secret managers (AWS Secrets Manager, HashiCorp Vault).

  • Backend-Only Usage
    API keys are kept server-side and never exposed in client apps (browser/mobile).

  • IP Allowlisting
    Requests are restricted to known server IPs (e.g., cloud server or API gateway).

  • Key Rotation
    Keys are rotated regularly and revoked if compromised.

  • Least Privilege
    Each key has limited permissions and access only to required endpoints.

  • Monitoring & Rate Limits
    Logs, usage monitoring, and rate limits detect abuse quickly.

Summary

To restrict an API token on Windows:

  1. Check your public IP (most important):

Invoke-RestMethod https://api.ipify.org

Using the correct public IP address ensures that your API token restrictions work reliably and improves the security of your locally running generative AI application.