🇪🇺 Dutch bank. Fixed EU egress.

🇪🇺 Static IP for Bunq

Automating payments or PSD2 flows with Bunq from containers or serverless? Every redeploy shifts the IP, breaking API-key trust and PSD2 audit trails. Route your Bunq calls through two fixed static EU IPs.

payment.py

import requests

# leaves through static EU IP

# HTTPS_PROXY=https://user:pass@eu-01.outboundgateway.com:8443

r = requests.post(

  "https://api.bunq.com/v1/user/.../monetary-account/.../payment",

  headers={"X-Bunq-Client-Authentication": "TOKEN"},

  json={"amount": {"value": "10.00",

           "currency": "EUR"}}

)

Why Bunq automation needs a steady source IP

Bunq is a Dutch bank with PSD2 obligations, so where your payment calls come from is part of the compliance story. Rotating egress makes that hard to tell.

API keys tied to a source address

Teams restrict their Bunq API key to specific IPs. When a pod or function moves to a new address, requests to api.bunq.com come back unauthorized, and payment and PSD2 calls silently stop working.

A new address on every scale event

Cloud functions and Kubernetes assign a fresh outbound IP on each deploy and autoscale. A scheduled payment that worked at noon can fail at midnight with no code change, because the source IP shifted underneath it.

PSD2 and GDPR audits

Processing payment data under PSD2 means strong customer authentication and traceable access. Auditors want a documented, stable egress for banking calls, not an address list that changes every release.

300+ endpoints, one moving target

The Bunq API exposes over 300 operations across payments, accounts, cards, and PSD2 flows. Each call from each environment rides a different rotating IP, so there is no single, predictable address to whitelist or audit.

When the compliance review asks

"Which IP addresses do our Bunq API calls come from?"

You want one fixed answer, not "it depends which pod served the payment."

The Solution

Send Bunq calls through a fixed EU IP

Your banking app

HTTPS Proxy

(Static EU IP)

Bunq API

Bunq sees your calls from the same pair of EU addresses every time, whether it's a payment, a PSD2 authorisation, or an account query. Two IPs back the account, and if one is down the other takes over.

One env var covers every endpoint you hit at api.bunq.com, with no SDK rewrite.
The address holds across pod restarts and autoscaling, so whitelists and audit answers stay valid.
TLS passes straight through, so payment data, auth tokens, and your API key stay unreadable at the proxy.

What this gives a Bunq integration

Two fixed EU addresses to whitelist, with automatic failover between them. You stop chasing rotating egress and give Bunq one stable thing to trust.
EU to EU end to end. Bunq is a Dutch bank, and the proxy runs in EU infrastructure, so your payment traffic stays within the same jurisdiction.
Lines up with PSD2 and GDPR. A documented, stable egress is exactly what a payment-compliance or data-protection review wants to see.
Covers the whole API surface. Payments, accounts, cards, PSD2 authorisation, and webhook callbacks all leave through the same pair of IPs.
Works with the Bunq SDK, requests, fetch, and anything that honours the standard proxy environment variables.

Who it's built for

Fintech engineers

Automating payments, transfers, or account management through the Bunq API who need their key to keep working through every deploy.

PSD2 service providers

Building PSD2-compliant integrations that connect to Bunq user accounts and need traceable, EU-resident outbound access.

EU SaaS builders

Shipping EU products that use Bunq for payments and need IP-whitelisted, GDPR-aligned access across dev and prod.

Compliance officers

Accountable for where payment data and PSD2 flows are sent, who want a documented EU egress rather than a moving address.

Implementation

Set HTTPS_PROXY and your Bunq calls leave through your fixed EU IP. No rewrite to your payment code.

Python (requests)

Drop HTTPS_PROXY into your environment and requests honours it automatically. The payment call below already leaves through your static IP.

# .env or shell
HTTPS_PROXY=https://user:pass@eu-01.outboundgateway.com:8443
BUNQ_SESSION_TOKEN=your_session_token

import os
import requests

# requests reads HTTPS_PROXY from the environment automatically
resp = requests.post(
    "https://api.bunq.com/v1/user/123/monetary-account/456/payment",
    headers={"X-Bunq-Client-Authentication": os.environ["BUNQ_SESSION_TOKEN"]},
    json={
        "amount": {"value": "10.00", "currency": "EUR"},
        "description": "Invoice #1234",
        "counterparty_alias": {"type": "IBAN", "value": "NL.."},
    },
)

print(resp.json()["Response"][0]["id"])

Node.js (fetch)

Node's fetch doesn't read the env var on its own, so pass the proxy explicitly with https-proxy-agent.

// .env or shell
HTTPS_PROXY=https://user:pass@eu-01.outboundgateway.com:8443
BUNQ_SESSION_TOKEN=your_session_token

const { HttpsProxyAgent } = require('https-proxy-agent');

const agent = new HttpsProxyAgent(process.env.HTTPS_PROXY);

// This POST leaves through your static EU IP
const res = await fetch('https://api.bunq.com/v1/user/123/monetary-account/456/payment', {
  method: 'POST',
  headers: {
    'X-Bunq-Client-Authentication': process.env.BUNQ_SESSION_TOKEN,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    amount: { value: '10.00', currency: 'EUR' },
    description: 'Invoice #1234',
  }),
  agent,
});

console.log(await res.json());

Docker / Kubernetes / Lambda

Set the variable in your platform config, the same approach in every environment. Never paste the proxy string in plaintext.

# Docker Compose: load a .env file
services:
  app:
    env_file:
      - .env

# Kubernetes: pull it from a Secret
env:
  - name: HTTPS_PROXY
    valueFrom:
      secretKeyRef:
        name: outboundgateway-proxy
        key: proxy-url

# AWS Lambda: function environment variables
HTTPS_PROXY=${OUTBOUNDGATEWAY_PROXY_URL}

Two IPs, so a payment doesn't depend on one box

Your account comes with two static IP addresses (for example 51.xx.xx.10 and 51.xx.xx.11). Register both against your Bunq API key. If one proxy node is briefly unavailable, traffic shifts to the other, so an overnight redeploy isn't the thing that breaks a scheduled payment.

📖 Want the longer version? Worked examples, error handling, and other languages are in the Python SSL Proxy Guide, Node.js Guide, and the rest of the docs.

EU egress for EU banking

Bunq is a Dutch bank with PSD2 obligations, so the outbound path should stay in Europe.

European infrastructure

The proxy runs in EU data centres, so your Bunq API traffic stays within European borders rather than wherever a container happens to be scheduled.

PSD2 and GDPR aligned

Processing payment data is regulated under PSD2 and GDPR. A stable, documented EU egress is the kind of detail a payment-compliance review asks for.

No transatlantic detours

Traffic doesn't bounce through US infrastructure on its way to Bunq, which keeps payment data inside the EU and removes a wrinkle from PSD2 data-transfer reviews.

An egress you can name

When a reviewer asks where your Bunq calls originate from, the answer is two fixed EU addresses, not a list that changes every release. The failover pair covers maintenance windows.

Why teams route Bunq through OutboundGateway

A pair of fixed IPs

Two addresses to register against your key, with automatic failover, so your traffic isn't riding on a single point of failure.

No app rewrite

Add one env var and your existing requests, fetch, or Bunq SDK code starts routing through the proxy.

EU-hosted

European data centres and a GDPR-conscious setup. Bunq is Dutch, so your traffic stays in the EU, end to end.

All Bunq endpoints

Payments, accounts, cards, PSD2 authorisation, webhooks all go out through the same stable pair of IPs.

Encrypted end to end

TLS passthrough means the proxy can't read your traffic. Payment data, auth tokens, and your API key stay private the whole way.

Flexible plans

Starting from €29/month. Flexible plans for every scale. Cancel anytime.

Give your Bunq calls a fixed EU egress

Stop letting pod restarts and autoscaling decide which IP your payments come from. Put Bunq behind one stable, PSD2-conscious EU address.

€29/month starter plan • 7-day refund policy • Direct founder support

Frequently asked questions

Does this work with the Bunq SDK and OAuth?

Yes. The Bunq SDK and standard HTTP clients use HTTP under the hood, so setting HTTPS_PROXY applies to their calls whether you authenticate with an API key or an OAuth session token. You can also call api.bunq.com directly with requests or fetch and get the same effect.

Will an IP-restricted Bunq API key keep working after a redeploy?

That's the main reason teams add the proxy. Bunq keys can be tied to specific source IPs, but containers and functions get a new address on every deploy, which would normally break that restriction. By routing outbound calls through a fixed pair of EU addresses and registering both against the key, the key keeps authorising requests no matter how often your deployment restarts.

Does it cover PSD2 authorisation flows, not just payments?

Yes. The proxy isn't endpoint-specific. Any call your app sends to api.bunq.com, whether it's a payment, a PSD2 registration, an account query, or a card operation, leaves through the same fixed pair of EU IPs. One whitelist covers the whole API surface.

Still weighing it up?

Happy to talk through how a two-IP egress fits your specific Bunq setup, whether it's payments, PSD2, or account automation.

Contact Our Founders →