---
title: Managing allow lists and deny lists
description: The API Security Enforcer (ASE) maintains both allow lists and deny lists.
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_inline_managing_allow_list_deny_list
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_inline_managing_allow_list_deny_list.html
revdate: June 4, 2024
---

# Managing allow lists and deny lists

The API Security Enforcer (ASE) maintains both allow lists and deny lists.

* Allow list

  List of safe IP addresses, cookies, OAuth2 tokens, API keys, or usernames that are not blocked by ASE.The list is manually generated by adding the client identifiers using command-line interface (CLI) commands.

* Deny list

  List of bad IP addresses, cookies, OAuth2 tokens, API keys, or usernames that are always blocked by ASE.The list consists of entries from one or more of the following sources:

  * API Behavioral Security (ABS)-detected attacks, such as data exfiltration. ABS-detected attacks have a time-to-live (TTL) in minutes. The TTL is configured in ABS.

  * ASE-detected attacks, such as invalid method or decoy API accessed.

  * List of bad clients manually generated by CLI.