Kite Connect Static IP: Fix Your Zerodha Bot on Heroku or Railway

Important Update: Other QG Customers w/ Shared IPs Could Reject Yours (April 3, 2026)

Since the SEBI deadline hit on April 1, we've seen a surge of Indian algo traders signing up for QuotaGuard. That's great, but it's created an unexpected side effect. Because brokers require each IP to be uniquely tied to one trader, a shared static IP can be rejected if another QuotaGuard customer has already registered it with the same broker. The more customers we onboard, the more likely this becomes.

Our recommendation: For the most reliable setup, use our Shield Enterprise plan, which gives you a dedicated proxy with IPs that are exclusively yours. Lower-tier plans (Starter, Production, Business) can still work, and many customers are connecting successfully, but if your assigned IP has already been claimed by another QuotaGuard customer at your broker, you'll need a fresh one.

How the Enterprise setup works:

1. Sign up for the Shield Enterprise plan.
2. Reach out to our team.
3. We'll build your dedicated proxy infrastructure.
4. We'll work with you to rotate through IPs until we find ones that haven't been previously registered with your broker. QuotaGuard has been operating for 13 years with over 100,000 customers, so some IPs in our pool may have been registered by past users. We keep rotating until we find clean ones.
5. Once we find two working IPs, they're yours exclusively. No one else will ever be assigned them.

Have questions or want help choosing the right plan? Contact us and we'll get you sorted.

Route your Zerodha Kite Connect API calls through QuotaGuard Shield's AWS proxy to get a fixed outbound IP that satisfies SEBI's whitelist requirement. SSL passthrough keeps your credentials and order data encrypted end-to-end.

SEBI's static IP mandate took effect April 1, 2026. If you're running a Kite Connect bot on Heroku, Railway, or Render, your orders are now being rejected because those platforms assign dynamic IPs. QuotaGuard Shield gives your app a fixed IP address that you register with Zerodha once. Your bot stays on the platform you already use.

On April 2, 2026 we tested QuotaGuard Shield's AWS IP (52.33.116.20, us-west-2) against api.kite.trade through the proxy. Result: HTTP 200 on the public instruments endpoint. Cloudflare sits in the path and didn't block the request. Zerodha's own forum recommends AWS IPs as a compliant option. You're starting from a verified, broker-endorsed network.

What the SEBI Mandate Requires

SEBI issued circular SEBI/HO/MIRSD/MIRSD-PoD/P/CIR/2025/0000013 in February 2025. The exact requirement:

"not permit open APIs and allow access only through a unique vendor client specific API key and static IP whitelisted by the broker to ensure identification and traceability of the algo provider and the end user"

SEBI Circular SEBI/HO/MIRSD/MIRSD-PoD/P/CIR/2025/0000013, February 4, 2025

SEBI extended the deadline via SEBI/HO/MIRSD/MIRSD-PoD/P/CIR/2025/132 to April 1, 2026. NSE published implementation details in NSE/INVG/67858. Zerodha covered the changes in their Z-Connect compliance overview.

The enforcement date passed. Zerodha now rejects order-placement API calls from unregistered IPs.

Why Cloud Platforms Break the Requirement

Heroku assigns outbound IPs from a shared pool across thousands of apps. Every deploy, every dyno restart, every crash recovery gives your app a new IP. Railway and Render work the same way. There's no setting on these platforms that gives you a fixed outbound IP. The solution has to come from outside the platform.

Get a Static IP With QuotaGuard Shield (Step by Step)

QuotaGuard Shield acts as an egress proxy. Your Kite Connect API calls leave your app, pass through QuotaGuard's AWS infrastructure, and arrive at api.kite.trade from a fixed IP address. Zerodha sees that IP. You register it once. Done.

QuotaGuard Shield uses SSL passthrough. It routes your encrypted traffic without decrypting it. Your Kite Connect credentials and order data are never exposed to the proxy. This is the right product when financial data flows through the connection.

On the Enterprise plan, each account gets a dedicated IP that is exclusively yours. SEBI's requirement is traceability: the IP must map to you specifically. Lower-tier plans assign static IPs, but those IPs may be shared across customers. As we've discovered, Indian brokers are rejecting IPs that were previously registered by another user. See the important update at the top of this post.

On Any Platform (Direct Signup)

Sign up at quotaguard.com/products/pricing. Get your proxy URL and static IP from the dashboard. Set the environment variable in your platform's settings:

QUOTAGUARDSHIELD_URL=http://username:password@proxy.quotaguard.com:9293

On Heroku

Install the add-on:

heroku addons:create quotaguardshield:starter --app your-app-name

This sets QUOTAGUARDSHIELD_URL automatically. Open the QuotaGuard dashboard to find your static IP. That's the IP you'll register with Zerodha.

Python Code: kiteconnect Library

The kiteconnect SDK uses requests under the hood. Set the proxy environment variables before the SDK initializes:

import os

# Set these before importing kiteconnect.
# On Heroku: QUOTAGUARDSHIELD_URL is set automatically by the add-on.
# On other platforms: set it in your environment variables.
proxy_url = os.environ['QUOTAGUARDSHIELD_URL']
os.environ['HTTPS_PROXY'] = proxy_url
os.environ['HTTP_PROXY'] = proxy_url

# Import and initialize the SDK as normal.
from kiteconnect import KiteConnect

kite = KiteConnect(api_key="your_api_key")

# Generate the login URL.
print(kite.login_url())

# After login, set the access token.
data = kite.generate_session("request_token_here", api_secret="your_secret")
kite.set_access_token(data["access_token"])

# All API calls now go through your static IP.
profile = kite.profile()
print(profile)

If you're making direct HTTP calls alongside the SDK, pass proxies explicitly:

import os
import requests

proxy_url = os.environ['QUOTAGUARDSHIELD_URL']
proxies = {
    'http': proxy_url,
    'https': proxy_url,
}

response = requests.get(
    'https://api.kite.trade/instruments',
    headers={'X-Kite-Version': '3', 'Authorization': f'token {api_key}:{access_token}'},
    proxies=proxies,
)
print(response.status_code)  # 200

The First-Login CAPTCHA

The first time you log in from a new IP address, Zerodha's spam detection may show a CAPTCHA. This is a one-time check. Complete it and it won't appear again for that IP. It's not a block. It's Zerodha confirming the new IP is a legitimate user. After the CAPTCHA, your static IP is associated with your session and subsequent logins proceed normally.

Register the IP With Zerodha

Find your static IP in the QuotaGuard dashboard. Log into your Zerodha account. Navigate to the API settings in your Kite Connect developer console. Add the IP to your allowed list. The Kite Connect forum thread on SEBI compliance has developer discussion about the registration process and edge cases worth reading before you go live.

Run a test against a read-only endpoint (like /instruments) before restoring your order-placement logic. Confirm 200. Then redeploy your bot.

The VPS Alternative Costs More Time Than Money

The Kite Connect community forum recommends running your bot on an AWS EC2 instance in Mumbai (ap-south-1) with an Elastic IP. This is a legitimate, Zerodha-endorsed approach.

Are you a trader or are you trying to run 24/7 devops as your primary goal with a little trading on the side? That's the question.

The numbers: a t3.micro in Mumbai runs about $8/month. An Elastic IP adds about $3.60/month. Roughly $12/month total.

The real cost is time and maintenance. You own the server. You handle OS updates, security patches, SSH key rotation, and uptime monitoring. You need a deployment workflow to push code changes to it. If you're already on a cloud platform, you're giving up the deployment tooling you've built. If something goes wrong at 9:15 AM on a trading day, you're debugging a server instead of your strategy.

If you want to minimize monthly spend and you're comfortable with DevOps, the VPS route works. If you want to be back online today without learning server administration, the proxy route is faster. QuotaGuard Shield's Production plan is $49/month. That's the math.

Proxy Latency Won't Affect Your Strategy

QuotaGuard Shield adds roughly 10 to 50ms per request for the proxy hop. Worth being direct about this.

The SEBI static IP mandate is an authentication and identity verification requirement. It's not about trade execution speed. Zerodha checks your IP when it validates your session. That happens once at connection time. It's not applied as overhead to every order in your execution loop.

The traders hitting this problem are running intraday systematic strategies, weekly options bots, or momentum systems on daily timeframes. They're on Heroku and Railway because those platforms are fast to deploy, not because they need microsecond execution. High-frequency traders use NSE co-location. They don't deploy on PaaS cloud platforms. If you're in this situation, 20 to 50ms on authentication calls has no effect on your returns.

From our support data: Most customers route all API traffic through QuotaGuard Shield for simplicity. Others authenticate through the proxy and then connect direct for execution. Both work. With Shield's SSL passthrough, routing everything through the proxy adds no security exposure. For most bots on cloud platforms, routing everything through is simpler and there's no practical downside.

Get Your Zerodha Bot Back Online

Sign up at quotaguard.com/products/pricing. Set QUOTAGUARDSHIELD_URL in your environment. Update your code to route through it. Register the IP with Zerodha.

The same static IP covers all your broker connections. If you're also running through Upstox, Kotak Neo, or Dhan, one QuotaGuard Shield subscription handles all of them from the same IP.