Static IP for Keygen Cloud: Keygen's Ent Tier QuotaGuard Add-On

If your application calls Keygen's licensing API from a corporate environment that requires firewall allowlisting, the standard api.keygen.sh URL won't work. Keygen Cloud uses dynamic IPs by default. The fix is available as an add-on on Keygen's Ent tier (Ent 1, Ent 2, or Ent 3), and it's powered by QuotaGuard.

Keygen's Ent Tier Offers a Static IPs Add-On With 2 QuotaGuard IPs

Keygen's documentation states it directly: "Keygen uses QuotaGuard to offer dedicated static IP addresses to Keygen Cloud customers on an Ent tier." The static IPs feature is an add-on rather than a default inclusion. Customers on any of Keygen's three Ent levels (Ent 1, Ent 2, or Ent 3) can request static IPs, and Keygen provisions a QuotaGuard inbound proxy on your behalf with a replacement URL.

The original URL looks like this:

POST https://api.keygen.sh/v1/accounts/example-com/licenses/actions/validate-key

After QuotaGuard provisioning, it becomes:

POST https://a62b1d0b4983db763450411fd393b3ce-eu-west-1.getstatica.com/v1/licenses/actions/validate-key

The 32-character hex prefix is unique to your account. The region suffix (eu-west-1 in this example) reflects where Keygen places your proxy. The full hostname resolves to two static IP addresses that your corporate firewall can allowlist. Both IPs go on the allowlist for redundancy, and traffic automatically routes through whichever IP is healthy.

The URL Transformation Is Drop-In

The replacement URL preserves the path structure of the original Keygen API. Your existing client code keeps working with one change: swap the base URL. The account slug shifts from a path component to part of the proxy hostname provisioning, so the v1 path becomes cleaner.

Authentication, request body format, response format, rate limits, and webhook behavior all stay the same. From your application's perspective, you're still talking to Keygen. From your firewall's perspective, every request comes from one of two fixed IP addresses.

How to Add Static IPs to Your Keygen Ent Account

Keygen requires direct contact to provision the QuotaGuard URL. Email Keygen at the contact address on their static IPs documentation page. Confirm your Ent tier (Ent 1, 2, or 3) and which AWS region your customer firewalls are closest to. Keygen handles the QuotaGuard side of provisioning. You don't sign up for QuotaGuard separately when the static IPs are coming through Keygen.

The static IPs add-on pricing varies and isn't published. Keygen handles the quote through their sales process along with whatever Ent tier you're on.

Once Keygen returns your getstatica.com URL and the two static IP addresses, you update your application's base URL configuration and send the IPs to your customer's IT or security team for firewall allowlisting.

QuotaGuard Tip: This Is the Same Inbound Proxy Pattern QuotaGuard Customers Use Directly

Keygen's setup is one example of QuotaGuard's inbound proxy product in action. SaaS companies use it to provide static IPs to their own enterprise customers without building proxy infrastructure themselves. The customer's traffic enters through the getstatica.com hostname, hits two static IPs in the SaaS company's chosen AWS region, and forwards to the SaaS company's backend.

If you're building a SaaS product whose enterprise customers ask for static IPs to allowlist, you can implement the same pattern Keygen uses by signing up at QuotaGuard directly. The inbound proxy provisions a getstatica.com hostname identical in structure to what Keygen provides its customers. Contact QuotaGuard support after signup to enable inbound proxy on your account.

For Keygen Customers: When to Add Static IPs

If your customers' firewalls block api.keygen.sh, you have three options.

The first is to upgrade to a Keygen Ent tier and add the static IPs add-on. This is the cleanest path because it requires no infrastructure work on your side. Keygen handles provisioning, you swap one base URL, and your customer's firewall gets two stable IPs to allowlist. Pricing is quote-based through Keygen's sales process.

The second is to self-host Keygen. Keygen ships two self-hosted options: Keygen CE (Community Edition, free and open-source) and Keygen EE (Enterprise Edition, flat-rate licensing for single-tenant deployments). Running self-hosted means the licensing service exits from whatever IP your VPC's egress assigns. The trade-off is operational overhead: you're now responsible for the licensing service uptime, backups, upgrades, and security.

The third is to ask your customer to allowlist Keygen's full AWS region. This isn't really a solution. AWS regions contain hundreds of thousands of dynamic IPs, the allowlist would need to be updated as AWS adds capacity, and it exposes your customer's network to any compromised instance in that range.

For SaaS Builders: How Keygen's Pattern Translates

If you're building a SaaS product that serves enterprise customers, the static IP question will come up. Enterprise procurement and security teams routinely require that third-party services be reachable from fixed IP addresses, both for outbound calls and for inbound webhooks.

Three things make Keygen's approach work as a template.

First, the static IP feature is gated behind the Ent tier and offered as a paid add-on. Customers on lower tiers get the standard dynamic-IP setup. Static IPs are a paid add-on for the enterprise customers who specifically need them. This avoids over-engineering the product for everyone.

Second, the QuotaGuard URL is provisioned per-customer. Each enterprise customer gets their own unique hostname and dedicated IPs. There's no shared infrastructure between customers from a network perspective. This is what makes the allowlist meaningful.

Third, Keygen owns the customer relationship and provisioning workflow. The customer never logs into QuotaGuard or sees QuotaGuard branding. From their perspective, they're getting a Keygen feature. QuotaGuard runs underneath as infrastructure.

To implement the same pattern, sign up at QuotaGuard, contact support to enable inbound proxy on your account, and build the per-customer provisioning workflow into your own admin tooling.

Frequently Asked Questions

Does Keygen Cloud have IP allowlisting on inbound requests by default?

No. Keygen Cloud accepts API requests from any client IP by default. The static IP feature exists for the opposite direction: when your customer's firewall needs to allowlist outbound traffic to Keygen, the dynamic Keygen Cloud IPs make that allowlist impossible to maintain. The QuotaGuard URL gives them two stable IPs to put on the allowlist.

What's a getstatica.com URL?

It's the hostname QuotaGuard uses for inbound proxy customers. The 32-character hex prefix is unique to each customer's account, and the region suffix indicates which AWS region hosts that customer's proxy. The hostname resolves to two static IP addresses with automatic failover between them.

How many static IPs do I get with Keygen's static IPs add-on?

Up to 2. Keygen's documentation specifies "up to 2 static IP addresses" per QuotaGuard URL. Both IPs go on your customer's firewall allowlist. If one IP becomes unhealthy, traffic routes through the other automatically.

Can I use Keygen self-hosted instead of the Ent tier add-on for static IPs?

Yes, if you want full control over the network path. Keygen ships two self-hosted options: Keygen CE (Community Edition, free and open-source) and Keygen EE (Enterprise Edition, paid singleplayer or multiplayer licensing). Self-hosted Keygen runs in your own VPC, so the outbound IP is whatever your infrastructure assigns to that VPC's egress. The trade-off is operational overhead: you're now running the licensing service yourself, including uptime, backups, and security patching. For most teams that don't already operate critical internal services at this level, the Keygen Ent static IPs add-on is simpler.

What region should I request for the static IPs?

Choose the AWS region closest to where your customers' applications run. If most of your customers are in Europe, eu-west-1 (Ireland) or eu-central-1 (Frankfurt) reduces latency. If they're in North America, us-east-1 (N. Virginia) or us-west-2 (Oregon) is typical. The IPs are static once provisioned, so pick based on long-term geography rather than your current customer mix.

Can I get a static IP for Keygen without being on Keygen's Ent tier?

Not through Keygen directly. The static IPs add-on is restricted to Ent 1, Ent 2, and Ent 3 customers. If you're on Keygen Cloud's lower tiers and need static IPs urgently, the alternatives are upgrading to an Ent tier and adding the static IPs add-on, or running Keygen CE or EE self-hosted in your own VPC. Routing your traffic through a separate outbound proxy on your end doesn't solve the inbound-allowlist problem your customer's firewall has.

How does this compare to using QuotaGuard directly for outbound calls to Keygen?

It solves a different problem. Outbound proxy gives your application a fixed identity when calling Keygen's API. Keygen's static IPs add-on gives your customer's firewall a fixed identity for Keygen to allowlist. The first is for when you need to satisfy Keygen's outbound IP allowlist (Keygen doesn't have one). The second is for when your customer's firewall needs to allowlist Keygen.

Does QuotaGuard also offer this inbound proxy pattern to non-Keygen customers?

Yes. QuotaGuard's inbound proxy product is available to any customer. Sign up at quotaguard.com and contact support to enable inbound proxy on your account. The setup mirrors what Keygen provides: a per-customer getstatica.com URL backed by two static IPs in your chosen AWS region.

The Pattern Stays Stable

Keygen's static IPs add-on has been built on QuotaGuard since they introduced it. The architecture solves a specific problem cleanly: enterprise customers need stable IPs to allowlist, dynamic cloud IPs make that allowlist impossible to maintain, and a per-customer inbound proxy gives them two IPs that don't change.

For Keygen customers hitting the firewall problem, the path is short: be on an Ent tier, add the static IPs add-on, swap your base URL. For SaaS builders watching the pattern, the same QuotaGuard infrastructure is available directly.

Questions about the inbound proxy setup, multi-region deployments, or pricing for builders implementing this pattern themselves? Contact QuotaGuard. To start with QuotaGuard's standard outbound proxy product first, see pricing.