The IP address whitelisting is generally for Javascript clients only, where the API key will be visible to the client and therefore not “secret”. Thus, it doesn’t make sense to use this for server-side API access.
If you’re calling the API from the server and not client-side javascript, then your API key remains private and you don’t need to employ whitelisting.
Have you implemented client or server-side calls to our API?