# Authentication

ISP supports the same two authentication models as the gateway products, but the wiring is different — there's no gateway to authenticate against, so credentials go to each individual IP.

## Model A — User + password (default)

Each IP in your list ships with the same user/password. Pass them as you would to any HTTP proxy:

```bash
curl -x http://helo_s1a2b3c4d5e:PASSWORD@198.51.100.42:8000 \
     https://example.com
```

The client encodes `helo_s1a2b3c4d5e:PASSWORD` as Base64 (an encoding, not encryption) and sends:

```
Proxy-Authorization: Basic aGVsb19zMWEyYjNjNGQ1ZTpQQVNTV09SRA==
```

**Pros**

* Works from any source IP — no infrastructure setup
* Same credentials across the entire batch — easy to load and rotate

**Cons**

* Credentials sit in your code or config

## Model B — IP whitelist

Register your egress IPs in the dashboard once. Requests from those IPs to your ISP proxies are accepted with no `Proxy-Authorization` header.

```bash
curl -x http://198.51.100.42:8000 https://example.com
```

(Note: no username/password at all — the source IP is the identity.)

To enable:

1. **Dashboard → ISP → My IPs → {Batch} → Whitelisted IPs**.
2. Add up to 50 IPv4 addresses or CIDR ranges. **The whitelist is per batch**, not per IP — adding one entry authorizes that source for every IP in the batch.
3. Changes take effect within 60 seconds.

> Each batch has its own whitelist. Adding an IP to batch A does not authorize it for batch B.

**Pros**

* No secret in code
* Simpler request — bare URL

**Cons**

* Useless for dynamic-egress clients (laptops, autoscaling containers without a NAT gateway)
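
A pre-check for a proposed whitelist against the per-batch rules above (up to 50 IPv4 addresses or CIDR ranges, each entry authorizing its source for every IP in the batch). This is an added example, not HeloData code: the function names, the `min_prefix` policy threshold and the sample entries are assumptions, and it assumes a CIDR entry is equivalent to listing the addresses it contains.

```python
import ipaddress

MAX_ENTRIES = 50  # per-batch limit stated on this page

# Constructed sample input (documentation address ranges, not real egress IPs).
SAMPLE_ENTRIES = [
    "203.0.113.10", "203.0.113.11",      # adjacent hosts, merge into one /31
    "192.0.2.0/25", "192.0.2.128/25",    # two halves of one /24
    "198.51.100.7/24",                   # host bits set
    "10.0.0.0/8",                        # far wider than one NAT gateway
    "2001:db8::1", "nat-gw-1",           # not IPv4 / not an address
]

def audit_whitelist(entries, max_entries=MAX_ENTRIES, min_prefix=24):
    """Return (networks, findings) for a proposed per-batch whitelist.

    min_prefix is an assumed local policy threshold, not a documented limit.
    """
    nets, findings = [], []
    for raw in entries:
        item = raw.strip()
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            findings.append(f"{item}: not an IP address or CIDR range")
            continue
        if net.version != 4:
            findings.append(f"{item}: not IPv4")
            continue
        if "/" in item and str(net) != item:
            findings.append(f"{item}: host bits set, covers all of {net}")
        if net.prefixlen < min_prefix:
            findings.append(f"{item}: authorizes {net.num_addresses} source addresses for the whole batch")
        nets.append(net)
    # Merge duplicates, overlaps and adjacent ranges so fewer entries are needed.
    merged = list(ipaddress.collapse_addresses(nets))
    if len(merged) > max_entries:
        findings.append(f"{len(merged)} entries after merging, limit is {max_entries}")
    return merged, findings

def is_authorized(source_ip, networks):
    """True if source_ip falls inside any whitelisted network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    networks, findings = audit_whitelist(SAMPLE_ENTRIES)
    print("effective whitelist:", [str(n) for n in networks])
    for f in findings:
        print("finding:", f)
```

The returned networks are what the whitelist would effectively authorize; review every finding before entering the list in the dashboard.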

## Choosing between them

| Scenario                             | Recommended                                    |
| ------------------------------------ | ---------------------------------------------- |
| Server with static egress IP         | IP whitelist                                   |
| Container fleet behind a NAT gateway | IP whitelist (the NAT IP)                      |
| Laptop / dynamic egress              | User + password                                |
| Antidetect browser farm              | User + password (the tools store creds anyway) |

## Per-batch credential rotation

To rotate the password for an entire batch:

1. **Dashboard → ISP → My IPs → {Batch} → Rotate password**.
2. New password effective in 60 seconds.
3. Old password stops working immediately.
4. Re-download the list.

You cannot rotate the username — it's the sub-user identifier and is permanent for the batch.

## API

Whitelist and rotation are also exposed via:

* [Whitelists API](/api-reference/whitelists.md) (scope `product=isp`, `batch_id=...`)
* [Orders API](/api-reference/orders.md) (rotation endpoint)


