Restricting access to Custom endpoints and Persisted queries by IP

In order to allow access to some Custom Endpoint or Persisted Query only to visitors from a certain IP or IP range, we can add a filter hook on Hooks::FORBID_ACCESS (triggered by method isAccessForbidden):

use GraphQLAPI\GraphQLAPI\Services\CustomPostTypes\Hooks;

// ID of the Custom Endpoint or Persisted Query
$customEndpointPostID = 34;
function(bool $forbidAccess) use ($customEndpointPostID): bool
if (!is_single($customEndpointPostID)) {
return $forbidAccess;
$visitorIP = $_SERVER['REMOTE_ADDR'];
$allowedIPs = [
foreach ($allowedIPs as $allowedIP) {
if (filter_var($visitorIP, FILTER_VALIDATE_IP)) {
// Allowed IP => Do not forbid access
return false;
// No allowed IP matches => forbid access
return true;

And also make sure to not enable Cache Control on the endpoint, as the response must not be cached.