Skip to content

Delegated Authentication

Password management is a headache.

Delegated Authentication makes it easier.

With Delegated Authentication, use a proxy token instead of a password when you connect to a proxy server.

  • The proxy tokens are provided by WonderProxy.
  • Account administrators can decide how long the tokens will work, so users must obtain new ones on a regular basis.
  • Tokens are disposable. You can make a new one as often as you like, and invalidate existing tokens at will.
  • Proxy tokens work in the browser, with our WonderSwitcher browser extension, and in command line and automation tools.

Why use Delegated Authentication?

Credentials for HTTP proxies are inherently insecure.

The insecurity poses a problem when the same credentials are used in other, more privileged contexts, like logging into websites, or for Single Sign-On accounts.

Delegated Authentication avoids these problems by separating the credentials you use on our website from the ones you use to access the proxy network.

Since we're creating the proxy token for you, rather than requiring you to create your own, we can ensure it will work instantly, across the whole network.

How does this work with Single Sign-On?


Before Delegated Authentication, SSO users still needed to manage a separate set of credentials for our proxy network. The extra credentials presented conceptual challenges (I use SSO, but I have a username and password anyway?) that proxy tokens address.

Administrators can configure their proxy tokens with a short expiration window (as little as one day), so users must update their tokens regularly. Generating a new token is fast, especially with a live session on your identity provider.

In the future, deprovisioned SSO users will lose access to the proxy network when their proxy tokens expire, so account administrators won't need to worry about disabling their WonderProxy accounts manually.

What about automated tooling?

It can't tell the difference!

Proxy tokens work with every piece of automated tooling we've tried: just enter the token into the password field.

(Organizations with access to IP Authentication may choose to authenticate their automated tooling by IP, bypassing the need for credentials entirely. We recognize that short-lived tokens may prove to be a challenge with automated tools and will be rolling out better support for that in the near future.)

What if I accidentally expose my proxy token?

No problem.

Individual users can invalidate their own proxy tokens at will. Account administrators may also invalidate any of their users' tokens, or all the proxy tokens for the whole organization, with one click.

What does a proxy token look like?

Here's one:


Is WonderProxy the solution you need?