Proxy Authentication
IP Authentication
ProxyMesh supports four ways to authenticate proxy requests: IP authentication, domain authentication, username:password (Basic auth), and bearer tokens. This article covers each method. For bearer token setup and examples, see Bearer Token Authentication.
We support up to 100 of your own authenticated IP addresses. They will be masked by our proxies. The easiest and most secure authentication method is IP Authentication. To use IP Authentication:
- On the right side of your dashboard, click on the Add an IP or Hostname link. This takes you to the Edit authenticated IPs screen.
- On that screen, fill and submit the form. You are entering your personal IP in the IP Address column. If you don't remember the IP, you'll find it displayed to the right of the form, headed Your IP Address.
If you have a dynamic, frequently changing IP, then you may want to add it where you add IP addresses. For details, please follow the link to Domain Authentication and read about setup with a dynamic DNS service.
Any IP address you add will be able to access the ProxyMesh proxy without a Proxy-Authorization header.
After you add an IP to your account, it will take a few minutes to automatically be authorized at the servers. To avoid a temporary ban of four hours, please be sure to wait until the IP has been authorized at the servers before you make requests from that IP.
That's it! Now any requests you make to a proxy server from the IPs that you've added will successfully authenticate.
- On the Edit authenticated IPs screen, you can enter as many personal IPs as you want. Although your dashboard form has room for only a few entries, once you submit an entry you can fill in the form again to add more.
- You cannot add a proxy's IP to your authorized IP list on the dashboard. The authorized IP list is for your IP addresses.
- IPs for sub-accounts are authenticated by the same methods, via dashboard or API, as a primary account. Also see Creating Sub-Accounts from Your Dashboard.
If for any reason IP authentication fails, it could be that your IP has changed. You can update your IPs again from your account dashboard. However, if your access is temporarily blocked because of too many 407 errors (indicating incorrect authentication), be aware that an IP update performed during a ban does not immediately lift the ban. You will need to wait until the ban expires, typically after 4 hours.
Please see our blog article Are Your IP Addresses Clean?
IP Authentication for Multiple Accounts
You can have multiple ProxyMesh accounts, but the system does not allow the same IP to be authenticated for multiple accounts. An attempt to do so will trigger a message that the IP is already in the system.
An authenticated IP becomes a primary key in the ProxyMesh database and is not unique to a single account. With multiple accounts authorizing the same IP, a proxy server could not determine which account was making a request.
Domain Authentication
If you have a dynamic, frequently changing IP, then you may want to use domain authentication with a dynamic DNS service such as No-IP. Once you have dynamic DNS setup, you can add your domain on the same page where you add IP addresses. Domains are resolved every 10 minutes, causing a potential lag between the DNS IP change, and ProxyMesh's receipt of the update, but this method can work well for you.
Username:Password Authentication
The typical HTTP proxy authentication method is with the Proxy-Authorization header using the Basic access authentication method. Most HTTP client libraries support this authentication method. But if you need to create the header yourself, the steps are
- Base64 encode your username:password.
- Send a header that looks like
Proxy-Authorization: Basic base64-encoded-username:password
The username/password is the same one that you use to sign into your account.
Bearer Token Authentication
On paid plans (ProxyMesh 10 and higher), you can authenticate with a bearer token instead of your account password. Create tokens from your dashboard or via the API; each token starts with pm_ and is shown only once at creation. See Bearer Token Authentication for setup, plan limits, and security guidance.
For proxy connections, send:
Proxy-Authorization: Bearer pm_YOUR_TOKEN
Some clients accept Authorization: Bearer … when they do not support proxy-specific headers. Do not put the token in the proxy URL. Bearer tokens do not support the username:ip_hash:password sticky-IP format used with Basic auth.
curl example:
curl -x "http://us.proxymesh.com:31280" \ --proxy-header "Proxy-Authorization: Bearer pm_YOUR_TOKEN" \ https://example.com/
HTTPS Authentication
Although Python Requests supports username:password authentication with HTTPS URLs, most other libraries do not. The reason is that the Proxy-Authorization header must be sent with the initial CONNECT method, instead of with the rest of the request headers. Otherwise there is no way for the proxy server to read the header.
For HTTPS requests, IP authentication is the most reliable method. Bearer tokens also work when your client sends Proxy-Authorization with the initial CONNECT request. For additional details, please see Proxy Server Requests over HTTPS.