SEBI's Static IP Mandate Is Live: Fix Your Cloud Trading Bot Now

Every major Indian broker now requires a dedicated static IP for API order placement. Route your cloud app through QuotaGuard Shield, register the IP with your broker, and your bot works again.

The enforcement deadline passed on April 1, 2026. If your bot stopped placing orders yesterday, this is the reason. It's not a broker outage. It's not an API key problem. SEBI's circular is live and every major Indian broker is rejecting order calls from unregistered IPs.

In my experience running QuotaGuard since 2013, I've never seen a regulatory change create this much sudden demand for static IPs. We ran connectivity tests against all nine major Indian broker APIs through QuotaGuard Shield on April 2, 2026. Every single one returned a server response through the proxy. No broker blocks AWS datacenter IPs at the network layer. The path is open. You just need the static IP.

What SEBI Requires: One Dedicated, Traceable IP Per Trader

In February 2025, SEBI issued Circular SEBI/HO/MIRSD/MIRSD-PoD/P/CIR/2025/0000013 on safer participation of retail investors in algorithmic trading. The key requirement: any retail trader using an API to place orders must register a static IP with their broker. The broker's system will only accept order calls from that pre-registered IP.

SEBI's exact language:

"not permit open APIs and allow access only through a unique vendor client specific API key and static IP whitelisted by the broker to ensure identification and traceability of the algo provider and the end user"

SEBI Circular SEBI/HO/MIRSD/MIRSD-PoD/P/CIR/2025/0000013, February 4, 2025

The timeline:

• February 4, 2025: SEBI issues the original circular.
• September 30, 2025: SEBI extends the deadline via Circular SEBI/HO/MIRSD/MIRSD-PoD/P/CIR/2025/132.
• NSE implementation: NSE/INVG/67858 operationalizes the requirement at the exchange level.
• April 1, 2026: Enforcement begins. Brokers start rejecting API calls from non-whitelisted IPs.

The regulation's intent is traceability. A dedicated, static IP creates an auditable link between a trader's identity and their automated activity on the exchange. Shared rotating proxy pools don't qualify. The IP must be traceable to you specifically.

Cloud Platforms Can't Provide This. That's by Design.

Heroku, Railway, Render, Fly.io, AWS Lambda, Google Cloud Functions, and similar platforms assign outbound IP addresses dynamically from large shared pools. Your app's outbound IP can change between requests, between deployments, mid-session as the platform scales your containers.

This isn't a flaw. It's how PaaS platforms run thousands of apps efficiently on shared infrastructure. But you can't whitelist a moving target. The moment your outbound IP changes, the broker's gateway rejects the call.

If you chose Heroku or Render to avoid managing servers, that was a reasonable engineering decision. The regulatory change created the conflict, not your architecture.

Every Major Indian Broker Is Enforcing This Now

• Zerodha (Kite Connect): The largest retail broker in India by volume with the largest developer community. Published a detailed breakdown on Zerodha Z-Connect. Active compliance threads on the Kite Connect forum.
• Upstox: Second largest in the developer community. Official announcement at community.upstox.com.
• Kotak Neo: One of the few brokers with clear setup documentation at kotakneo.com. Note: Kotak Neo's trading API is firewalled to only accept connections from pre-registered IPs. You can't reach it before completing the whitelist step. That's expected and by design.
• Dhan (dhanhq): Growing broker with an active developer community and a well-maintained Python library. Enforcing the mandate.
• Angel One (SmartAPI): Widely used for systematic strategies. Popular in the Python trading community. Enforcing.
• ICICI Direct (Breeze API): Enforcing.
• AliceBlue: Enforcing.
• Flattrade: Enforcing.
• Shoonya / Finvasia: Enforcing.
• Any broker on the Noren OMS platform: Noren is the backend OMS used by multiple Indian brokers. If your broker runs on Noren, the mandate applies.

If your broker isn't listed, check their developer documentation. The mandate is broad. Enforcement is active.

QuotaGuard Shield Connects to All Nine Brokers

We tested QuotaGuard Shield's AWS-based static IPs against every major Indian broker API on April 2, 2026. Results:

Any HTTP response code means the request reached the server. A 401 or 404 from a financial API is an auth or routing error, not a network block.

The Fix: QuotaGuard Shield

QuotaGuard Shield routes your app's outbound HTTPS requests through a dedicated, static IP assigned exclusively to your account. You register that IP with your broker. Your API calls are accepted. Setup takes minutes.

Shield uses SSL passthrough. Your broker credentials and order data are never decrypted by the proxy. It routes the encrypted TLS stream as a blind conduit. Your broker sees the connection from your static IP. The content stays between you and the broker. This is the right architecture for financial applications.

Each customer gets a dedicated IP. Not a shared pool. That satisfies SEBI's traceability requirement. Plans: Starter, Production ($49/month), Business, Enterprise.

QuotaGuard Shield Setup (Under 10 Minutes)

Step 1: Sign up and get your static IP. Go to quotaguard.com/products/pricing and pick a plan. Your dedicated static IP and proxy URL are in the dashboard immediately after signup.

Step 2: Set the environment variable. Add QUOTAGUARDSHIELD_URL to your platform's environment settings. The value is your proxy URL from the dashboard. This works on Railway, Render, Fly.io, EC2, or any platform where you control environment variables.

QUOTAGUARDSHIELD_URL=http://username:password@proxy.quotaguard.com:9293

Step 3: Register the IP with your broker. Follow your broker's specific instructions. For Kotak Neo: kotakneo.com/platform/kotak-neo-trade-api/static-ip-details/. For other brokers, check their API dashboard or developer docs.

Step 4: Route your app's requests through the proxy.

import os
import requests
 
proxy_url = os.environ.get("QUOTAGUARDSHIELD_URL")
proxies = {"http": proxy_url, "https": proxy_url}
 
response = requests.get("https://api.broker.in/v1/authenticate", proxies=proxies)

Or set HTTPS_PROXY and HTTP_PROXY as environment variables so your broker SDK picks them up automatically without code changes.

Step 5: Test before going live. Confirm your broker's auth endpoint returns a response through the proxy. Any HTTP response confirms the network path is open. Test order placement with a minimal position before running your full strategy.

If you're on Heroku: QuotaGuard Shield is also available as a Heroku add-on at elements.heroku.com/addons/quotaguardshield. Run heroku addons:create quotaguardshield:starter and the environment variable is set automatically. Same product, same static IP, just a different billing path.

Latency Won't Affect Your Strategy

QuotaGuard Shield adds roughly 10-50ms per request. This comes up every time, so here's the direct answer.

HFT firms use NSE co-location and dedicated fiber. They don't run on Heroku. The developers hitting the static IP wall are running systematic intraday strategies, options plays, or daily-rebalancing bots. For those strategies, 10-50ms is noise.

The SEBI mandate is about authentication and identity verification. The static IP check happens at session establishment. Once authenticated through your registered IP, your execution path is unaffected.

Get Your Bot Running Again Today

Every day your bot sits idle is a day of missed execution.

Sign up for QuotaGuard Shield at quotaguard.com/products/pricing. Also available as a Heroku add-on.

Broker-specific setup guides:

• Zerodha Kite Connect static IP setup
• Upstox API static IP fix
• Kotak Neo Trade API static IP setup
• Dhan API static IP setup