diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix
index 0f323d3..fa1291c 100644
--- a/hosts/architect/nginx.nix
+++ b/hosts/architect/nginx.nix
@@ -68,6 +68,16 @@ in {
 
             return false
           end
+        
+          function is_ip_whitelisted(ip, whitelist)
+            for _, x in ipairs(whitelist) do
+              if ip == x then
+                return true
+              end
+            end
+            
+            return false
+          end
         }
       '';
 
diff --git a/hosts/architect/openid.nix b/hosts/architect/openid.nix
index 551dc07..6aaef44 100644
--- a/hosts/architect/openid.nix
+++ b/hosts/architect/openid.nix
@@ -2,7 +2,7 @@
 
 {
   openresty_oidc_block =
-    { access_role ? "" }: ''
+    { access_role ? "", whitelisted_ips ? [] }: ''
       access_by_lua_block {
         local opts = {
           discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
@@ -16,25 +16,33 @@
           revoke_tokens_on_logout = true,
           -- access token valid for a day
           access_token_expires_in = 86400
-      }
+        }
 
-      -- call introspect for OAuth 2.0 Bearer Access Token validation
-      local res, err = require("resty.openidc").authenticate(opts)
+        ${lib.optionalString (whitelisted_ips != []) ''
+          local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}          
+                      
+          if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
+            return
+          end
+        ''}
+       
+        -- call introspect for OAuth 2.0 Bearer Access Token validation
+        local res, err = require("resty.openidc").authenticate(opts)
 
-      if err then
-        ngx.status = 403
-        ngx.say(err)
-        ngx.exit(ngx.HTTP_FORBIDDEN)
-      end
-
-      ${lib.optionalString (access_role != "") ''
-        if not check_role(res, "${access_role}") then
-          ngx.status = 401
-          ngx.header.content_type = 'text/html';
-          ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
-          ngx.exit(ngx.HTTP_UNAUTHORIZED)
+        if err then
+          ngx.status = 403
+          ngx.say(err)
+          ngx.exit(ngx.HTTP_FORBIDDEN)
         end
-      ''}
+
+        ${lib.optionalString (access_role != "") ''
+          if not check_role(res, "${access_role}") then
+            ngx.status = 401
+            ngx.header.content_type = 'text/html';
+            ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
+            ngx.exit(ngx.HTTP_UNAUTHORIZED)
+          end
+        ''}
       }
     '';
 }