How to Set Up BungeeGuard Authentication
Learn how to install and configure BungeeGuard to secure your BungeeCord or Waterfall network with token-based authentication.
Why BungeeGuard Matters
BungeeCord's default IP forwarding relies on a simple flag in spigot.yml. Any player who discovers your backend server's address and port can connect directly, bypassing the proxy entirely. They can spoof any UUID or username they want. BungeeGuard solves this by adding a secret token that the proxy sends with every connection. Backend servers reject any connection that lacks a valid token.
If you run BungeeCord or Waterfall and cannot switch to Velocity, BungeeGuard is the best way to lock down your backend servers.
Installation
On the Proxy
- Download BungeeGuard from its official resource page.
- Place the .jar file in your BungeeCord or Waterfall plugins folder.
- Restart the proxy.
- Open plugins/BungeeGuard/config.yml and note the generated token value.
On Each Backend Server
- Download the BungeeGuard backend plugin (Spigot/Paper version).
- Place it in the backend's plugins folder.
- Restart the backend.
- Open plugins/BungeeGuard/config.yml on the backend and paste the same token from the proxy config into the allowed-tokens list:
allowed-tokens:
- "your-secret-token-here"
How It Works
When a player connects through BungeeCord, the BungeeGuard proxy plugin injects the token into the login handshake. The backend plugin reads this token and checks it against the allowed list. If the token is missing or wrong, the player gets kicked immediately. This check is the core of BungeeGuard's security.
Multiple Proxies
If you run more than one proxy instance (for example, behind a load balancer), each proxy generates its own token. Add all proxy tokens to the allowed-tokens list on each backend. For large-scale setups, consider RedisBungee for multi-proxy coordination.
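With several proxies and backends, the allowed-tokens lists drift out of sync easily. The following audit script is an added example, not part of BungeeGuard: it assumes the proxy config holds a token key and the backend config an allowed-tokens list as shown above, and it runs on constructed sample configs with made-up server names and tokens.

```python
import re

# Constructed sample data (not real tokens). Assumed layout: the proxy config has
# a `token:` key and the backend config an `allowed-tokens:` block list.
T1, T2 = "AAAA1111-constructed-token", "BBBB2222-constructed-token"
PLACEHOLDER = "your-secret-token-here"
PROXY_CONFIGS = {"proxy-1": f'token: "{T1}"\n', "proxy-2": f'token: "{T2}"\n'}
BACKEND_CONFIGS = {
    "lobby": f'allowed-tokens:\n- "{T1}"\n- "{T2}"\n',
    "survival": f'allowed-tokens:\n- "{T1}"\n- "{PLACEHOLDER}"\n',
}

def proxy_token(text):
    """Return the value of the top-level `token:` key, or None if absent."""
    m = re.search(r'^token:\s*["\']?([^"\'\s#]+)', text, re.MULTILINE)
    return m.group(1) if m else None

def allowed_tokens(text):
    """Return the entries of the `allowed-tokens:` list (block-style YAML only)."""
    tokens, in_list = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("allowed-tokens:"):
            in_list = True
        elif in_list and stripped.startswith("- "):
            tokens.append(stripped[2:].strip().strip("\"'"))
        elif in_list and stripped and not stripped.startswith("#"):
            in_list = False  # the next key ends the list
    return tokens

def audit(proxies, backends):
    """Map each backend to its findings; an empty list means it is consistent."""
    expected = {name: proxy_token(cfg) for name, cfg in proxies.items()}
    report = {}
    for backend, cfg in backends.items():
        allowed = set(allowed_tokens(cfg))
        missing = [p for p, t in sorted(expected.items()) if t not in allowed]
        findings = [f"missing token for {p}" for p in missing]
        if PLACEHOLDER in allowed:
            findings.append("placeholder token still present")
        stale = allowed - set(expected.values()) - {PLACEHOLDER}
        if stale:  # report a count only, never the token values themselves
            findings.append(f"{len(stale)} token(s) not issued by any listed proxy")
        report[backend] = findings
    return report

if __name__ == "__main__":
    for backend, findings in audit(PROXY_CONFIGS, BACKEND_CONFIGS).items():
        print(backend, findings or "OK")
```

A missing token means players arriving from that proxy are kicked; a stale or placeholder entry means a value that is no longer secret still grants access to the backend.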
Firewall Rules
BungeeGuard adds a layer of authentication, but you should still use firewall rules to restrict direct access to backend ports. On Linux:
iptables -A INPUT -p tcp --dport 25566 -s PROXY_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 25566 -j DROP
This ensures that even if someone somehow bypasses the token check, they cannot reach the backend at all without going through your proxy. Combined with BungeeGuard tokens, this creates a strong defense.
Testing
- Try connecting directly to a backend server's IP and port. You should be kicked.
- Connect through the proxy. You should join normally with your correct UUID and skin.
- Change the token on one backend to a wrong value. Confirm that proxy connections to that backend fail.
For DDoS protection on top of this setup, see our DDoS protection guide. To learn about forwarding with Velocity instead, read the Velocity modern forwarding guide.
With BungeeGuard properly configured, your network is protected against one of the most common attack vectors in BungeeCord setups.