A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client device. The system determines that an API request lacks a form of authentication including a token where the first API request cannot be authenticated. The API request is denied, and a challenge is transmitted to the client device. A subsequent API request from the client device is determined to include a presented token as the form of authentication. The presented token of the second API request is verified based on attributes of the presented token. The system permits the second API request in response to the presented token being verified. An IP-token pair is stored and the permitted second API request is transmitted to the host device for servicing.