diff --git a/caddy/Caddyfile.prod b/caddy/Caddyfile.prod
index cb7fc62a..a9614925 100644
--- a/caddy/Caddyfile.prod
+++ b/caddy/Caddyfile.prod
@@ -25,16 +25,6 @@ oullin.io {
 format json
 }
 
- route /api/generate-signature/* {
- @allowed {
- # Allow requests only from the VPS itself (localhost).
- ip_range 127.0.0.1 ::1
- }
-
- # If the remote IP is not in the allowed range, abort the connection.
- abort not @allowed
- }
-
 # API handler.
 # - Reverse-proxy all requests to the Go API, forwarding Host + auth headers.
 # - to: Tell Caddy which upstream to send to.
diff --git a/pkg/middleware/public_middleware.go b/pkg/middleware/public_middleware.go
index 7481b754..790a6db6 100644
--- a/pkg/middleware/public_middleware.go
+++ b/pkg/middleware/public_middleware.go
@@ -61,6 +61,12 @@ func (p PublicMiddleware) Handle(next http.ApiHandler) http.ApiHandler {
 return mwguards.RateLimitedError("Too many requests", "Too many requests for key: "+limiterKey)
 }
 
+ if err := p.HasInvalidIP(r); err != nil {
+ p.rateLimiter.Fail(limiterKey)
+
+ return err
+ }
+
 vt := mwguards.NewValidTimestamp(ts, p.now)
 if err := vt.Validate(p.clockSkew, p.disallowFuture); err != nil {
 p.rateLimiter.Fail(limiterKey)
@@ -83,6 +89,20 @@ func (p PublicMiddleware) Handle(next http.ApiHandler) http.ApiHandler {
 }
 }
 
+func (p PublicMiddleware) HasInvalidIP(r *baseHttp.Request) *http.ApiError {
+ ip := portal.ParseClientIP(r)
+
+ if ip == "" {
+ return mwguards.InvalidRequestError("Clients IPs are required to access this endpoint", "")
+ }
+
+ if p.isProduction && ip != p.allowedIP {
+ return mwguards.InvalidRequestError("The given IP is not allowed", "unauthorised ip: "+ip)
+ }
+
+ return nil
+}
+
 func (p PublicMiddleware) GuardDependencies() *http.ApiError {
 missing := []string{}
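Review bot: The new `p.HasInvalidIP(r)` gate in Handle is only as strong as the value portal.ParseClientIP derives, and that helper is not in the diff: the Caddyfile hunk of this same commit removes the edge-level `ip_range 127.0.0.1 ::1` matcher, and because the Go API sits behind Caddy's reverse proxy r.RemoteAddr will be the proxy's address, so ParseClientIP presumably reads a forwarded header, which only yields a trustworthy value if Caddy replaces rather than appends what the client sent (inferred; confirm against ParseClientIP and the proxy config). The comparison in HasInvalidIP, in the later hunk, is raw string equality `ip != p.allowedIP`, so textual variants of the same address (`::1` versus `0:0:0:0:0:0:0:1`, or a zone or port suffix) are treated as different; parsing both sides with `netip.ParseAddr` and comparing the parsed values would make the allow decision independent of formatting. Note also that the Caddy rule covered only `/api/generate-signature/*` while this check now runs for every route behind PublicMiddleware and is skipped entirely when isProduction is false, which deserves a comment on the new block such as `// Production-only client IP allowlist; replaces the Caddy ip_range matcher for /api/generate-signature/*.` Handle's body starts and ends outside the hunk.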