QuotaGuard provides the fixed outbound IPs that Mercury Bank requires for Read and Write API token allowlisting.
Mercury's own documentation recommends QuotaGuard.

When your app needs to call Mercury Bank's API with a Read and Write token, Mercury requires IP allowlisting. QuotaGuard provides the simplest solution.
No platform migration, no infrastructure rebuild. Just one environment variable in your app's settings and your backend gains two fixed outbound IPs that you register with Mercury once.
Mercury's own API documentation recommends QuotaGuard by name.
Their API Token Security Policies page lists QuotaGuard among the recommended static IP solutions, alongside platform-native approaches for AWS and other infrastructure providers.
All QuotaGuard solutions are built on a decade of experience and a high-availability architecture designed to scale with your Mercury integration.
Each subscription has a load-balanced pair of static IP addresses. If one IP fails, traffic automatically routes through your second IP with health checks and automated failover, guaranteeing zero downtime and zero manual intervention.
Both IPs go on Mercury's allowlist. Mercury's token IP allowlist supports multiple entries, so you register both QuotaGuard IPs once and Mercury accepts requests from either one.
You select the app region you want for ultra-low latency. Our proxies run in 11 AWS regions, ensuring your traffic to Mercury stays fast regardless of where your app or Mercury's API is hosted.
Region is set at sign-up and can be changed by contacting QuotaGuard support.
QuotaGuard has maintained 99.98% uptime since 2013.
We provide a solution that is trusted and proven to scale, including the production workloads typical of fintech apps handling real customer transactions, recipient management, and automated treasury operations.

Common questions about Mercury Bank static IPs and QuotaGuard.
It depends on the token type.
Mercury requires IP allowlisting for Read and Write tokens and Custom tokens with write scopes. Read Only tokens don't require IP allowlisting.
If your integration only fetches balances and transactions, you don't need a static IP. If it initiates transactions, manages recipients, or performs any write operation, you do.
2 minutes for the QuotaGuard side: add one environment variable to your app, then configure your HTTP client to use it as a proxy for requests to api.mercury.com.
Approximately 30 seconds to register your two QuotaGuard static IPs in Mercury's developer settings under the token's IP allowlist.
QuotaGuard Static is sufficient for most Mercury integrations. It satisfies Mercury's IP allowlist requirement and works for standard banking API calls.
Use Shield if your application is subject to PCI, SOC 2, or HIPAA compliance, or if your internal security policies require that no third party can decrypt data flowing between your app and Mercury.
Shield uses SSL passthrough so QuotaGuard never sees the banking data in transit.
Yes. Mercury's documentation explicitly supports both individual IPs (IPv4 and IPv6) and CIDR ranges.
The problem isn't Mercury. PaaS providers like Heroku, Render, and Railway don't publish narrow enough CIDR blocks to be useful for security allowlisting.
Registering an entire AWS region's CIDR range in Mercury would expose your account to attacks from any compromised instance in that range. QuotaGuard's two specific IPs are the cleaner path.
Yes. Mercury's OAuth2 flow returns API tokens that work the same way as directly-created tokens, including the IP allowlist requirement for write access.
The same QuotaGuard setup applies. Configure your HTTP client to proxy outbound requests to api.mercury.com through QuotaGuard, and the OAuth2-issued token will work normally as long as both QuotaGuard IPs are on the token's allowlist.
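The setup described in the two answers above (one environment variable, and an HTTP client that proxies only requests to api.mercury.com) can be sketched as follows. This is an added example, not QuotaGuard's or Mercury's code. It assumes the variable is named `QUOTAGUARDSTATIC_URL`, uses a constructed placeholder proxy host, and returns the per-host `proxies` mapping shape accepted by the Python `requests` library.

```python
import os
from urllib.parse import urlsplit

MERCURY_HOST = "api.mercury.com"        # API host named on this page
PROXY_ENV_VAR = "QUOTAGUARDSTATIC_URL"  # assumed name; use the variable your dashboard shows


class ProxyConfigError(RuntimeError):
    """Raised instead of letting a write request leave from a non-allowlisted IP."""


def mercury_proxies(environ=os.environ):
    """Build a per-host proxies mapping, failing closed if the proxy is not configured."""
    raw = environ.get(PROXY_ENV_VAR, "").strip()
    if not raw:
        raise ProxyConfigError(f"{PROXY_ENV_VAR} is not set; refusing direct calls to {MERCURY_HOST}")
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ProxyConfigError(f"{PROXY_ENV_VAR} is not a valid http(s) proxy URL")
    # Key on scheme://host so only Mercury traffic takes the fixed-IP path.
    return {f"https://{MERCURY_HOST}": raw}


def proxy_for(url, environ=os.environ):
    """Return the proxy URL for a request, or None if the target is not the Mercury API."""
    parts = urlsplit(url)
    # Exact host match: look-alike hosts must not inherit the allowlisted egress IPs.
    if parts.scheme == "https" and parts.hostname == MERCURY_HOST:
        return mercury_proxies(environ)[f"https://{MERCURY_HOST}"]
    return None


def redact(proxy_url):
    """Strip proxy credentials before the URL is written to logs or error reports."""
    p = urlsplit(proxy_url)
    port = f":{p.port}" if p.port else ""
    creds = "***@" if p.username else ""
    return f"{p.scheme}://{creds}{p.hostname}{port}"


if __name__ == "__main__":
    # Constructed sample value; the host and credentials are placeholders.
    sample = {PROXY_ENV_VAR: "http://user:s3cret@proxy.example.test:9293"}
    print(redact(sample[PROXY_ENV_VAR]))
    print(proxy_for("https://api.mercury.com/", sample) is not None)
```

Raising when the variable is missing keeps a misconfigured deploy from sending token-bearing requests from an IP that is not on the allowlist.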
Mercury MCP is a hosted server run by Mercury that connects AI tools to your account via OAuth. It's limited to read-only actions, so it doesn't need a static IP.
If you're using Mercury MCP from ChatGPT, Claude, or another supported AI tool, no QuotaGuard setup is needed.
If you're building a custom AI agent that calls Mercury's standard API with a Read and Write token, you need QuotaGuard like any other production integration.
Yes. Dedicated IPs are available on QuotaGuard Enterprise plans ($219/month for Static, $269/month for Shield).
Dedicated IPs are not shared with other QuotaGuard customers, which is appropriate when Mercury's allowlist needs to remain isolated from any other organization's traffic.
Submit a request to QuotaGuard support after signup with your username and preferred region.
Mercury lets you update the IP allowlist on each token from the token management page in your Mercury developer settings.
If your QuotaGuard plan changes regions or you add a dedicated IP, update the allowlist in Mercury at any time. The load-balanced pair on QuotaGuard's side stays the same through plan changes, so most upgrades and downgrades don't require updating Mercury's allowlist at all.
Yes. Mercury's documentation specifically mentions QuotaGuard for Heroku, but QuotaGuard works on every other major platform too, including Render, Railway, Fly.io, AWS Lambda, Vercel, Netlify Functions, Kubernetes, and direct VPS hosts.
The same proxy URL pattern works across all of them. Mercury used Heroku as the example in their docs because Heroku has a long-standing QuotaGuard marketplace add-on, but the integration pattern is identical regardless of where your app is hosted.
QuotaGuard handles outbound traffic from your app to Mercury.
Mercury webhooks flow in the opposite direction: from Mercury to your server's inbound endpoint. Your inbound IP is unrelated to your outbound egress IP. Inbound webhooks don't require allowlisting on your side; they just require that your endpoint URL is publicly reachable.
If you need a static inbound endpoint for additional security or compliance reasons, QuotaGuard Static includes inbound proxy capabilities on all direct plans starting at $19/month.
We don’t outsource Support to non-Engineers.
Reach out directly to the Engineers who built Shield to discuss your specific architecture, integration challenges, or compliance constraints.
For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.
Get the fixed identity and security your application needs today.