Skip to main content
Opt-in mode for partners proxying AGG API calls through your own backend. When enabled on your app, AGG resolves user geo from x-agg-client-ip (populated by your backend) instead of from the request’s connecting IP. Enabled by Snag, per app. Once on, every active API key on the app is trusted.

Requirements

Before requesting enablement:
  1. requireApiKey: true must be set on your app (Security Settings in the partner dashboard). While trusted-proxy is enabled, this cannot be disabled.
  2. Every request must include x-app-api-key. Requests with only x-app-id go through standard geo resolution even when trusted-proxy is enabled.
  3. Your edge proxy must strip or overwrite any inbound x-agg-client-ip header. If an end user can pass x-agg-client-ip through your proxy, geo enforcement is defeated.

Header rules

Set x-agg-client-ip on every request your backend forwards to AGG:
  • Value must be the end user’s client IP as your server observed it.
  • Your proxy must strip or overwrite any inbound x-agg-client-ip.
  • Single IP value. Comma-separated lists are rejected.
  • IPv4 or IPv6, public addresses only. Private/reserved ranges resolve to null.

Behaviour

  • Trusted app + valid x-app-api-key + valid x-agg-client-ip: AGG resolves country from that IP.
  • Trusted app + valid x-app-api-key + missing or unresolvable x-agg-client-ip: AGG falls back to standard geo resolution against your backend’s connecting IP, which is potentially blocked. The request is not rejected with 403.
  • Trusted app + missing x-app-api-key: rejected by requireApiKey enforcement before geo runs.
  • App not trusted: standard geo resolution; x-agg-client-ip is ignored if present.

Responsibilities

Enabling trusted-proxy on your app shifts geo enforcement responsibility from AGG to you. By requesting enablement, you assert:
  • Every x-agg-client-ip value AGG receives originates from your server’s observation of the end-user connection.
  • End users cannot inject x-agg-client-ip through your proxy.
  • You are responsible for geo compliance for your users while trusted-proxy is enabled.
If a user reaches a venue they shouldn’t because your proxy forwarded a spoofed or stale IP, the responsibility sits with your integration.

Limitations

  • Country resolution only. No region or state granularity.
  • ~98-99% accuracy. VPN exits resolve to the VPN’s exit country. Mobile carrier and satellite ranges are occasionally misclassified.
  • The flag is per-app. When enabled, every active API key on the app is trusted. There is no per-key opt-in.

Requesting enablement

Email support@agg.market with:
  • The app ID.
  • Confirmation that requireApiKey: true is set on the app.
  • Confirmation that your proxy strips inbound x-agg-client-ip.
Same-business-day turnaround.