# How to Set Up BungeeGuard on Your Minecraft BungeeCord Network (/docs/minecraft/setup-bungeguard)



import { Step, Steps } from 'fumadocs-ui/components/steps';

**BungeeGuard** prevents players from bypassing your BungeeCord proxy and connecting directly to your backend servers. Without it, anyone who discovers a backend's IP can connect to it directly and, because the backend runs with `online-mode=false`, impersonate any player, including admins.

Why BungeeGuard Is Essential [#why-bungeeguard-is-essential]

BungeeCord requires backends to run with `online-mode=false` so the proxy can handle authentication. The trade-off is that backends will accept any username from any client. BungeeGuard adds a shared secret token that backends verify on every connection — only connections coming through the proxy carry the token, so direct connections are rejected.

Install BungeeGuard [#install-bungeeguard]

<Steps>
  <Step>
    Download BungeeGuard [#download-bungeeguard]

    Get the latest from [BungeeGuard on GitHub](https://github.com/lucko/BungeeGuard).
  </Step>

  <Step>
    Install on the proxy [#install-on-the-proxy]

    In the [XGamingServer Panel](https://panel.xgamingserver.com), click **Files** on your BungeeCord proxy. Upload `BungeeGuard.jar` to `plugins/`.
  </Step>

  <Step>
    Install on every backend [#install-on-every-backend]

    Upload the same `BungeeGuard.jar` to `plugins/` on **every** backend server in your network.
  </Step>

  <Step>
    Restart the proxy [#restart-the-proxy]

    Restart your BungeeCord proxy from **Console**. This generates the secret token in `plugins/BungeeGuard/config.yml` on the proxy.
  </Step>

  <Step>
    Copy the secret token [#copy-the-secret-token]

    On the proxy, open `plugins/BungeeGuard/config.yml` in **Files**:

    ```yaml
    token: "your-generated-secret-token-here"
    ```

    Copy this token.
  </Step>

  <Step>
    Configure each backend [#configure-each-backend]

    On each backend, edit `plugins/BungeeGuard/config.yml` and paste the token under `allowed-tokens`:

    ```yaml
    allowed-tokens:
      - "your-generated-secret-token-here"
    ```
  </Step>

  <Step>
    Restart all backends [#restart-all-backends]

    Restart each backend server. Players who try to connect directly (not through the proxy) will be kicked.
  </Step>
</Steps>

Verify It Works [#verify-it-works]

Try connecting directly to a backend server's IP and port. You should see:

```
BungeeGuard - No valid token was provided!
```

If you can still connect directly, check that:

* The token matches **exactly** between the proxy and every backend
* BungeeGuard is installed on **all** servers (proxy + every backend)
* All servers were restarted after configuration
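
The first item in that checklist can be checked offline, before any restart. The script below is an added example, not part of BungeeGuard or of the original guide: it compares the proxy's `token` with each backend's `allowed-tokens` and separates a token that is absent from one that differs only by whitespace or letter case (a paste error). It assumes the config files have the simple form shown above; the function names and sample configs are constructed for illustration.

```python
import re

def _unquote(value):
    """Strip one pair of matching YAML quotes, keeping inner whitespace."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value

def read_proxy_token(text):
    """Return the value of the top-level `token:` key, or None if absent."""
    m = re.search(r"^token:\s*(.+)$", text, re.MULTILINE)
    return _unquote(m.group(1)) if m else None

def read_allowed_tokens(text):
    """Return the list items under the top-level `allowed-tokens:` key."""
    tokens, in_list = [], False
    for line in text.splitlines():
        if re.match(r"^allowed-tokens:\s*$", line):
            in_list = True
        elif in_list and re.match(r"^\s*-\s+", line):
            tokens.append(_unquote(re.sub(r"^\s*-\s+", "", line)))
        elif in_list and line.strip() and not line.lstrip().startswith("#"):
            in_list = False  # another key started, the list is over
    return tokens

def check_backend(proxy_token, backend_text):
    """Classify one backend config as 'ok', 'near-miss' or 'missing'."""
    allowed = read_allowed_tokens(backend_text)
    if proxy_token in allowed:
        return "ok"
    # Equal only after trimming/case-folding: the backend would still reject it.
    norm = proxy_token.strip().lower()
    if any(t.strip().lower() == norm for t in allowed):
        return "near-miss"
    return "missing"

def audit(proxy_text, backends):
    """Map each backend name to its check_backend() status."""
    token = read_proxy_token(proxy_text)
    if token is None:
        raise ValueError("proxy config has no token: key")
    return {name: check_backend(token, cfg) for name, cfg in backends.items()}

# Constructed sample configs; the token values are made up for this example.
PROXY = 'token: "AbC123xyz"\n'
BACKENDS = {
    "lobby": 'allowed-tokens:\n  - "AbC123xyz"\n',
    "survival": 'allowed-tokens:\n  - "AbC123xyz "\n',  # trailing space pasted
    "creative": 'allowed-tokens:\n  - "old-token"\n',
}

if __name__ == "__main__":
    for name, status in audit(PROXY, BACKENDS).items():
        print(f"{name}: {status}")
```

To use it on a real network, read each server's `plugins/BungeeGuard/config.yml` into the strings passed to `audit`.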

Why This Matters [#why-this-matters]

> Without BungeeGuard, your network is vulnerable to UUID spoofing — a player connecting directly can claim to be anyone, including OPs and admins. This is a critical security plugin for any BungeeCord setup.

Alternative: Velocity Modern Forwarding [#alternative-velocity-modern-forwarding]

[Velocity](/docs/minecraft/velocity-guide) has built-in modern forwarding security with a shared secret — no separate plugin needed. If you're starting a new network, consider Velocity instead of BungeeCord + BungeeGuard.

Related Guides [#related-guides]

* [BungeeCord Guide](/docs/minecraft/bungeecord-guide)
* [BungeeCord IP Forwarding](/docs/minecraft/bungeecord-ip-forwarding)
* [BungeeCord Troubleshooting](/docs/minecraft/bungeecord-troubleshooting)
* [Velocity Guide](/docs/minecraft/velocity-guide)
