I am an out-of-box thinker, and what I am asking may not follow the norm, so bear with me, please.
Scenario (working)
Client A has a server behind a NAT router on a Dynamic DNS. We create an SSTP VPN from the Clients Router to our CCR, and with a little bit of routing magic we use one of our fixed IPs on the CCR end and assign that to the client's server, and everything works as expected, you can access the server via our FIXED IP.
The scenario now changes.
Client A: now wants to limit access to the server, preferably IP-based, but, the IP addresses connecting to the server will be Dynamic. As the visitor to the webserver will be coming to our fixed ip for access we can add the Dynamic IP address manually each time and allow access. But we want to put that burden on to Client A, the thought process is to have a secure webpage, on a hosted web server that can send API commands to our CHR, When Client A logs in, they will be met with a page that says "Your IP address is xx.xx.xx.xx would you like to give this access to the Client A server? or would you like to manually set one" This should be time-limited so Client can choose how long to give access for.
My question is can this be done over the API directly, if so, can you point me in the direction of best practice