Connectivity Overview
Stitch provides a number of ways to connect to our APIs to accommodate different network and security requirements your organisation may have. Most integrations use our standard endpoints and require no special network configuration. If your environment enforces stricter controls such as egress firewalls that only permit traffic to fixed IP addresses, or a requirement for mutual TLS (mTLS), dedicated endpoints are available for both.
Regardless of connectivity method, we strongly encourage the use of HTTP/2 or HTTP/1.1 with keep-alive connections to reduce per-connection latency overhead.
Connectivity Methods
| Method | Endpoints | Fixed IP | Use When |
|---|---|---|---|
| Standard (default) | api.stitch.money, secure.stitch.money | No | Your system does not have any particular network configuration requirements. |
| Static IP | api.static.stitch.money, secure.static.stitch.money | 20.87.94.79 | Your egress firewall requires allowlisting a fixed destination IP address. |
| mTLS | api.mtls.stitch.money, secure.mtls.stitch.money | 20.87.105.80 | Your security policy requires mutual TLS (client certificate) authentication. |
All three methods expose the same API surface and use the same authentication. Only the network path differs.
secure.stitch.money(and itsstatic/mtlsvariants) serves token issuance and user-facing authorization flows.api.stitch.money(and itsstatic/mtlsvariants) serves the GraphQL and REST APIs.
Standard Endpoints
Our standard endpoints are fronted by a global CDN and do not have fixed IP addresses. No network configuration is needed on your side. This is the default described throughout these docs and the right choice unless you have a specific requirement for one of the dedicated methods below.
Static IP Endpoints
If your infrastructure can only make outbound requests to explicitly allowlisted IP addresses, use our static IP endpoints. These resolve to a single, stable IP address that is reserved to Stitch and safe to allowlist on your egress firewall.
mTLS Endpoints
If your security policy requires mutual TLS, our mTLS endpoints authenticate your client certificate on every connection, in addition to standard API authentication. Certificates can either be issued by the Stitch Private Certificate Authority or you may issue certificates using a Certificate Authority of your choice and provide the certificate chain during the onboarding process. The mTLS endpoints also have a fixed IP address that you may add to the allowlist on your egress firewall.
Webhooks (Outbound Connectivity)
Webhook notifications are delivered from Stitch to your server via Svix. If your webhook endpoint sits behind a firewall, or you require webhook deliveries to authenticate themselves with a client certificate, see whitelisting source IPs and authenticating webhook deliveries with mTLS.