
Verify hostname of the server who invoked the API


You could try the following:

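    import socket

    from flask import Flask, request

    app = Flask(__name__)


    @app.route("/your_route", methods=["GET"])
    def your_route():
        # Reverse-DNS (PTR) lookup of the connecting peer's address
        hostname, aliaslist, ipaddrlist = socket.gethostbyaddr(request.remote_addr)
        return hostname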

Note that relying on the remote_addr is unreliable; however, as this is unrelated to the topic, I will refer to this answer, which makes use of ProxyFix:

For more information on socket.gethostbyaddr() please check out: socket.gethostbyaddr()


I suggest you use the decorator pattern for such cases, i.e. you add a new config option IP_LIST containing a set of addresses separated by commas.

IP_LIST = "127.0.0.1,127.0.0.2,..."

After that add a new decorator function, and decorate any endpoint with the decorator.

    from functools import wraps

    from flask import Flask, current_app, request

    app = Flask(__name__)


    def ip_verified(fn):
        """
        A custom decorator that checks if a client IP is in the list, otherwise block access.
        """
        @wraps(fn)
        def decorated_view(*args, **kwargs):
            # IP_LIST is a comma-separated string in the app config
            ip_list_str = current_app.config['IP_LIST']
            ip_list = ip_list_str.split(",") if ip_list_str else []
            # Use the first X-Forwarded-For value when the header is present
            if request.headers.getlist("X-Forwarded-For"):
                remote_ip = request.headers.getlist("X-Forwarded-For")[0]
            else:
                remote_ip = request.remote_addr
            if remote_ip not in ip_list:
                return "Not sufficient privileges", 403
            return fn(*args, **kwargs)
        return decorated_view


    @app.route("/your_route", methods=["GET"])
    @ip_verified
    def your_route():
        ...
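An added example, not code from the answers on this page: a stdlib-only WSGI middleware that allowlists callers by address and honours X-Forwarded-For only when the TCP peer is one of your own proxies, since the header can otherwise be set by the caller (ProxyFix applies the same idea with a hop count). The network ranges and the names `resolve_client_ip` and `IPAllowlist` are assumptions made up for this example.

```python
import ipaddress

# Constructed sample values: replace with your own networks.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]      # load balancers we operate
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]  # servers allowed to call the API


def _member(addr, networks):
    return any(addr in net for net in networks)


def resolve_client_ip(remote_addr, forwarded_for):
    """Return the address to authorize, or None if it cannot be determined."""
    try:
        peer = ipaddress.ip_address(remote_addr)
        if not _member(peer, TRUSTED_PROXIES):
            return peer  # direct connection: any X-Forwarded-For is client-supplied
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        # Walk right to left: entries appended by our own proxies come last.
        for hop in reversed(hops):
            addr = ipaddress.ip_address(hop)
            if not _member(addr, TRUSTED_PROXIES):
                return addr
    except ValueError:
        return None  # malformed address: fail closed
    return None  # came through a proxy but names no external client


class IPAllowlist:
    """WSGI middleware; install with app.wsgi_app = IPAllowlist(app.wsgi_app)."""

    def __init__(self, wsgi_app):
        self.wsgi_app = wsgi_app

    def __call__(self, environ, start_response):
        client = resolve_client_ip(environ.get("REMOTE_ADDR", ""),
                                   environ.get("HTTP_X_FORWARDED_FOR", ""))
        if client is None or not _member(client, ALLOWED_CLIENTS):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Not sufficient privileges"]
        return self.wsgi_app(environ, start_response)
```

Behind a Network Load Balancer that preserves the client address, the peer is the caller itself and the header is never consulted.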


One option is to use a Network Load Balancer which preserves the IP address of the client making the request. You can even have the NLB do the TLS termination just like an ELB. An NLB does not alter the data in the network request, with the exception of TLS termination if you choose to use that.