How to filter external site made request?


I’m implementing a payment gateway, and they need a callback endpoint for it to update the payment status. I have disabled the verify_authenticity_token before_action callback. But I wish to whitelist the server that making the request, and I don’t know how to. Any help?