A proper callback API should have a server-side shared secret field. You shouldn't have to rely on IP addresses for authentication.
Thanks for the feedback! It does allow me to pass a pre-specified parameter along with the callback, which is what I'm currently using for security. Hopefully that will be enough.
Locking it down by IP would be quite spoof-proof, but if the server's IP changed everything would stop working...
Thanks for dredging my post up to give it a proper answer
