Whitelisting is optional. Callback security can be ensured using HMAC (a type of authentication to ensure that a Callback cannot be "Spoofed") signed Callbacks. These can be configured through the Sinch Dashboard.
Refer to the Conversation API Validating Callbacks section of the section of the Sinch Documentation site to learn more.
Learn more about Sinch Conversation API.