diff --git a/api.php b/api.php
index d3eebda..f5b861c 100644
--- a/api.php
+++ b/api.php
@@ -127,7 +127,14 @@ function companyFile(string $filename): string {
 }
 function getClientIp(): string {
- return $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
+ $xff = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
+ if ($xff) {
+ // X-Forwarded-For voi sisältää useita IP:itä: "client, proxy1, proxy2" — otetaan ensimmäinen
+ $parts = explode(',', $xff);
+ $ip = trim($parts[0]);
+ if (filter_var($ip, FILTER_VALIDATE_IP)) return $ip;
+ }
+ return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
 }
 /**
@@ -1163,7 +1170,7 @@ switch ($action) {
 if (empty($allowedCompanies)) {
 dbRecordLoginAttempt($ip);
 http_response_code(403);
- echo json_encode(['error' => 'IP-osoitteesi ei ole sallittu.']);
+ echo json_encode(['error' => 'IP-osoitteesi (' . $ip . ') ei ole sallittu.']);
 break;
 }
 $userCompanies = $allowedCompanies;
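Review bot: getClientIp() still trusts X-Forwarded-For from any caller — the new code validates that the first entry parses as an IP, but never checks that REMOTE_ADDR is a proxy this deployment actually operates, so any client can send `X-Forwarded-For: <allowlisted address>` and the second hunk's IP allowlist (`$allowedCompanies` → 403) is bypassed, and `dbRecordLoginAttempt($ip)` records whatever address the attacker chooses. Taking `$parts[0]` compounds this: the leftmost entry is the one the client writes, while a proxy appends on the right, so even behind a real proxy the trusted value is the rightmost hop not belonging to your own proxies. I would honour the header only when REMOTE_ADDR is in a configured trusted-proxy set (the address list below is a placeholder — confirm against the deployment) and walk the list from the right; the whole function is inside the hunk, so the replacement stands alone. The inline comment should also be in English for the rest of the team, e.g. `// Only trust X-Forwarded-For when the direct peer is one of our own proxies.`
```php
function getClientIp(): string {
    $remote = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    // Only trust X-Forwarded-For when the direct peer is one of our own proxies;
    // otherwise the header is attacker-controlled. TODO confirm proxy address(es).
    $trustedProxies = ['127.0.0.1'];
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $xff = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
    // Walk from the right: the last hop that is not one of our proxies is the client.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $ip) {
        if ($ip === '' || in_array($ip, $trustedProxies, true)) {
            continue;
        }
        return filter_var($ip, FILTER_VALIDATE_IP) ? $ip : $remote;
    }
    return $remote;
}
```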
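Review bot: Echoing `$ip` in the 403 body turns the IP allowlist into an oracle: because the address comes from a header the caller can set (see the getClientIp() change in the first hunk), an attacker who spoofs X-Forwarded-For gets confirmation in the response of exactly which value the server chose to trust, which makes probing the allowlist cheap. The address is already captured server-side by `dbRecordLoginAttempt($ip)` on the line above, so the user-facing message can stay generic; if support staff genuinely need the IP in the response, gate it on the header being trusted first. I would revert to `echo json_encode(['error' => 'IP-osoitteesi ei ole sallittu.']);` and keep the detail in the log. The assignment of `$ip` and the enclosing `case` begin outside this hunk, so where the value originates is inferred rather than visible here.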