### Forwarding client IP for security rules and rate limits

When using Next.js with Frontegg authentication, security rules and rate limits typically rely on the server’s IP address instead of the actual client’s IP. This can cause issues when enforcing authentication methods such as Multi-Factor Authentication (MFA), SMS-based verification, or rate limiting.

To ensure that Frontegg receives the correct client IP, add the following features to your `.env.local` file:


```ini
FRONTEGG_FORWARD_IP=true
FRONTEGG_SHARED_SECRET=your-shared-secret-here
```

Feature activation required
This feature must be enabled for your environment by the Frontegg team. To request activation, contact [support](mailto:support@frontegg.com).

br
Prerequisites
@frontegg/nextjs@9.2.2

br
The **shared secret** is a security key used to secure your requests to Frontegg. You can retrieve it in one of the following ways:

### Option 1: From the Frontegg portal

1. Go to **Configurations → Applications**
2. Select or create a **Next.js** application
3. Scroll down to the **Shared secret** section


![login-style-1](/assets/shared-secret-next.52e157b478d9a06f1ead6c614800203be96906ada8a82ecd9c2458a73de0b6bc.fc8abb39.png)

### Option 2: Using the API

Make a **GET** request to the [Get Application Client Credentials API](https://developers.frontegg.com/api/applications/applications-settings/getapplicationclientcredentials) using your [environment token](https://developers.frontegg.com/api/vendor-service/other/authenticate_vendor).