
If your proxy vendor supports multiple authentication methods, start by understanding Proxy Authentication at a high level. This page focuses on IP-based authentication, also called IP allowlisting, and shows when it is the right fit and how to set it up without headaches.
What is IP-based authentication?
IP-based authentication lets a proxy provider accept connections from specific source IP addresses without Username/Password. You register one or more source IPs with the provider, and any traffic from those IPs is allowed.
In practice you may see the terms “IP allowlist”, “IP binding”, “IP-based auth”, or “source-IP allowlisting”. The older term “IP whitelist” is still used in places, but it is deprecated.
When IP allowlisting is the better choice
For stable, server-side workloads where the egress IP rarely changes, IP allowlisting is simpler and slightly faster than credentials. It avoids storing secrets in code, CI, or headless tools.
Good fits include: long-running scrapers on fixed VMs, server-to-server API jobs, headless browsers in the cloud, and cron tasks on a static egress. Teams that centralize traffic through a single gateway or VPN also benefit.
When it is a bad fit
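If your source IP changes often, IP auth will break until the allowlist is updated. This is common on mobile networks, home ISPs with dynamic addresses, co-working NATs, or users behind CGNAT. Shared addresses carry a second problem: because any traffic from an allowlisted IP is accepted, everyone else behind the same NAT can use the gateway too.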
Roaming users, laptops moving between networks, ADSL connections, and tools that hop across regions should use a stable egress first or switch to credentials.
How IP auth works end to end
You discover the exact egress IP your traffic uses, submit that IP to the provider’s allowlist, wait a short propagation window, then connect to the proxy as usual without credentials.
The proxy’s exit IPs and rotation policy do not change because of allowlisting. IP auth controls who can use the gateway, not which exit IP you receive.
Typical flow
- Identify your egress IPv4 and, if used, IPv6.
- Submit the address(es) to the provider.
- Wait for propagation, usually a few minutes.
- Test with a simple HTTP request through the proxy.
- Put changes under version control or an ops runbook.
Finding your egress IP
You must register the egress IP the target sites will see, not an internal address. Verify it from the same host and network that will run the job.
Command line
- curl -4 https://ifconfig.io for IPv4
- curl -6 https://ifconfig.io for IPv6
Browser
Open an IP-check site from the exact environment that will connect via proxy. Avoid corporate VPNs or browser extensions that mask the real egress unless those are part of the final setup.
Containers and K8s
Exec into the running container or pod and run the same curl commands. Do not assume the node’s IP equals the pod’s egress.
Behind a VPN
Your egress is the VPN’s public IP. If the VPN region changes, the egress changes.
Dual stack
Register whichever family your client will use. If your stack prefers IPv6, include IPv6 in the allowlist or force IPv4 with client flags.
Submitting the allowlist request
Provide exact addresses and a label for each entry so teammates know what it is. If your provider accepts CIDR, use the smallest range that covers your case.
Prefer single IPs over broad ranges. Large ranges are risky, because every host inside the range can use the gateway without credentials, and providers may reject them. Ask about the maximum number of entries per account and any limits on update frequency.
Expect a short propagation delay after each change. For teams, standardize on a fixed egress such as a small cloud VM or a managed VPN hub so you do not chase changing office IPs.
Testing after allowlisting
A correct allowlist returns a normal response from the proxy. A missing or wrong entry typically returns 407 Proxy Authentication Required or a vendor-specific block page.
HTTP proxy quick checks
# Replace host:port with your proxy gateway
curl -I --proxy http://host:port https://example.com
curl -s --proxy http://host:port https://ifconfig.io/ip
SOCKS5 quick checks
curl -I --socks5-hostname host:port https://example.com
You should see 200 responses and outbound IPs that match the provider’s network. If you see 407 or connection refused, re-check your source IP and propagation time.
Rotation, pools, and gateways with IP auth
IP auth does not change how exit IP rotation works. It only decides whether your client may use the gateway. Sticky sessions, time-based or request-based rotation, and pool selection behave the same as with credentials.
If you switch gateways or products inside the same provider, confirm whether each gateway has its own allowlist. Some vendors scope allowlists per account, others per endpoint.
Common pitfalls and how to avoid them
Most IP auth failures come from moving clients to a different network, silent VPN changes, or mixed IPv4 and IPv6 behavior.
Checklist
- Lock the egress path. Use a fixed cloud VM or a stable VPN.
- Register both IPv4 and IPv6 if your client may choose either.
- Document who can edit the allowlist and how to roll back.
- Monitor for 407 spikes. They often indicate an egress change.
- Schedule periodic re-validation in CI or a health check job.
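The re-validation job from the checklist can be sketched as follows. This is an added example, not code from any proxy provider: the allowlist layout, the labels, and the prefix-length policy are assumptions, and the egress addresses passed in are expected to come from `curl -4 https://ifconfig.io` and `curl -6 https://ifconfig.io` run on the job host.

```python
import ipaddress

# Constructed allowlist as it might be kept in version control: (CIDR, label).
# All addresses are from the reserved documentation ranges.
ALLOWLIST = [
    ("203.0.113.10/32", "scraper-vm-1"),
    ("198.51.100.0/24", "office-nat"),
    ("2001:db8:10::5/128", "scraper-vm-1 v6"),
]

# Assumed policy: entries wider than these prefix lengths need a review.
MAX_PREFIX = {4: 29, 6: 64}


def parse_allowlist(entries):
    """Parse (cidr, label) pairs; raises ValueError on a malformed CIDR."""
    # strict=True rejects entries with host bits set, such as 203.0.113.10/24.
    return [(ipaddress.ip_network(cidr, strict=True), label)
            for cidr, label in entries]


def covering_entries(egress_ip, allowlist):
    """Labels of the entries that contain the observed egress address."""
    addr = ipaddress.ip_address(egress_ip)
    # Membership is always False when the address families differ.
    return [label for net, label in allowlist if addr in net]


def broad_entries(allowlist, limits=MAX_PREFIX):
    """Labels of the entries that are wider than the policy allows."""
    return [label for net, label in allowlist
            if net.prefixlen < limits[net.version]]


def revalidate(egress_by_family, entries=ALLOWLIST):
    """egress_by_family maps 'ipv4'/'ipv6' to the observed address or None."""
    allowlist = parse_allowlist(entries)
    report = {"uncovered": [], "broad": broad_entries(allowlist)}
    for family, ip in egress_by_family.items():
        # A family the client can use but that no entry covers will get 407s.
        if ip is not None and not covering_entries(ip, allowlist):
            report["uncovered"].append(f"{family} {ip}")
    report["ok"] = not report["uncovered"]
    return report


if __name__ == "__main__":
    print(revalidate({"ipv4": "203.0.113.10", "ipv6": "2001:db8:10::6"}))
```

A non-empty `uncovered` list is the condition to alert on before 407s appear in production; `broad` lists the entries to narrow or justify.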
Edge cases you might meet
Some corporate ISPs use CGNAT. The public IP can change without notice, which breaks IP auth. In this case, use a fixed VPN gateway or switch to credentials.
IPv6 privacy addresses can rotate. If you must use IPv6, use static addressing on the egress or pin your traffic to IPv4.
Rare model: some providers offer combined binding, for example Username/Password plus an IPv4 CIDR such as a /21 subnet. Treat this as an exception for high-risk environments, not the default.
FAQs
Does IP auth make proxies faster?
It is slightly more direct because no credentials are checked on each request. The difference is small, but it removes a point of failure and the need to store secrets.
Can I allowlist a domain instead of an IP?
No. Allowlisting is by source IP or CIDR only. If you need flexibility, use a fixed VPN egress or switch to Username/Password.
What if our office IP changes every few days?
Terminate traffic through a small cloud server with a static IP or a stable VPN hub, and allowlist that egress.
Do I need to re-allowlist when I change the proxy gateway?
Sometimes. Some vendors scope allowlists per account, others per gateway. Check your provider’s rules and plan the change window.
Will IP auth affect exit IP rotation or sticky sessions?
No. It only controls access to the gateway. Rotation and stickiness policies are unchanged.