Does anyone know if its possible to limit the API access to a shop only to certain IP addresses.
For example, I have a private app that makes API calls, so ideally Id like to limit the access to that websites IP only.
If the API key is compromised in some way, it then wouldn't matter.
There are so many scoundrels out there!
Do you mean that you would like to restrict the inbound IP's that are accessing your private app, or restrict Shopify's side so that only your private app is accessing the Shopify API? If it's the former then your private app's hosting side could enforce IP restrictions. If it's the latter, then that is more challenging. Since your private app hitting Shopify's API on the client side looks like the actual user's origin endpoints.
What I do in my use cases where I want to restrict things is implement a Shopify app proxy --> https://shopify.dev/tutorials/display-dynamic-store-data-with-app-proxies. That way my private apps behave like a virtual extension of the Shopify store based on the URL's being proxied. And I can validate access based on HMAC signature validation. Maybe that's a step in the right direction?