Backfill — canonicalize existing API-key allowlists
POST/invostaq-admin/api-keys/normalize-allowlists
Admin-only. One-shot backfill that scans every TenantApiKey row
with a non-empty AllowedIps value, runs each through
IpAllowlistMatcher.TryValidate, and either persists the
canonicalized form or reports the row as invalid for manual
follow-up. Idempotent — re-running on already-normalized rows is a
no-op.
Use this once after landing the validation path on PUT/PATCH to
fix pre-existing rows that were written before canonicalization was
enforced. Invalid rows are not auto-cleared — the operator
decides whether to fix the entry with a targeted PUT or wipe it
entirely. Verify the output before committing a non-dry-run.
On a successful apply, the in-process ip-allow:{keyHash} cache
entry is evicted for every mutated key so the canonical form takes
effect on the next request.
Request
Responses
- 200
- 401
- 403
Backfill report (apply or dry-run)
Missing or invalid credentials
Caller is not on the admin email allowlist