
Biometric Attendance Without Static IP: How Cloud APIs Solve the Network Problem

Biometric attendance without static IP is now possible using cloud REST APIs. No port forwarding, no VPN, no static IP — just real-time attendance from any internet connection.

PunchConnect Team · Mar 17, 2026 · 6 min read

The Static IP Problem That Blocks Every Biometric Integration

Every traditional biometric attendance system assumes your ZKTeco device has a static, publicly routable IP address. Your server polls the device at that IP, pulls attendance logs, and syncs them.

This assumption breaks in the real world:

- Dynamic IPs. Most ISPs rotate your IP regularly. One reboot and your integration is dead.
- CGNAT. Many ISPs share one public IP among hundreds of customers. Port forwarding doesn't work at all.
- Remote offices. 15 branch offices = 15 static IPs, 15 firewall configs, 15 things that break independently.
- Mobile/4G connections. Construction sites, farms, pop-up offices — always dynamic, always behind NAT.

Traditional polling needs a static IP. Most real-world setups don't have one.

The Fix: Reverse the Connection Direction

Instead of your server reaching into the device's network (which requires knowing its IP), the device reaches out to the cloud (which has a known, stable endpoint).

This is how PunchConnect works. The device initiates an outbound HTTPS connection — the same way your phone connects to the internet. No static IP needed. No ports to open. No firewalls to configure.

The data flow:

Device on any network → outbound HTTPS → PunchConnect Cloud → Webhook → Your Application

The entire chain uses outbound connections only. No inbound ports need to be opened. Anywhere.

The device connects outbound. Your app receives webhooks. No static IP anywhere.

What This Means in Practice

Your office with a regular ISP connection? Works.

Branch office with 4G backup internet? Works.

Construction site with a mobile hotspot? Works.

50 locations across different ISPs and countries? One webhook endpoint handles them all.

Each device connects independently. Adding a new site means configuring one device in the PunchConnect dashboard — no network changes, no IT tickets, no VPN setup.

Setting Up Biometric Attendance Without Static IP

Step 1: Register Your Device

```bash
curl -X POST https://api.punchconnect.com/v1/devices \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"serial_number": "CZKE2234F0039", "name": "Main Office", "location": "Building A"}'
```

Step 2: Configure the Device

Follow the PunchConnect dashboard instructions for your device model. Takes ~5 minutes. The device connects to the cloud automatically.

Step 3: Set Up Webhooks

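```python
import requests

# Register the webhook endpoint for attendance.created events.
resp = requests.post(
    "https://api.punchconnect.com/v1/webhooks",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Content-Type": "application/json",
    },
    json={
        "url": "https://your-app.com/api/attendance/webhook",
        "events": ["attendance.created"],
        "secret": "your_webhook_secret",
    },
    timeout=10,
)
resp.raise_for_status()  # fail loudly if the registration was rejected
```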

Step 4: Receive Real-Time Attendance

Every fingerprint scan triggers a POST to your webhook:

```json
{
  "event": "attendance.created",
  "device_serial": "CZKE2234F0039",
  "employee_id": "1042",
  "timestamp": "2026-03-17T08:32:15Z",
  "punch_type": "check_in",
  "verification": "fingerprint"
}
```

No static IP involved at any step. The device in Lagos and the device in Manila both push to the same cloud endpoint.
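A receiver for the webhook payload in Step 4, as an added example (not PunchConnect's code). It assumes the secret from Step 3 produces a hex HMAC-SHA256 signature over the raw body, passed in here as `signature`; that signing scheme and the names `KNOWN_DEVICES`, `sign` and `handle_webhook` are assumptions to check against the PunchConnect docs. It deduplicates instead of rejecting old timestamps, because devices upload buffered punches after an outage.

```python
import hashlib
import hmac
import json

WEBHOOK_SECRET = b"your_webhook_secret"   # the "secret" registered in Step 3
KNOWN_DEVICES = {"CZKE2234F0039"}         # serials registered in Step 1
REQUIRED = ("event", "device_serial", "employee_id", "timestamp", "punch_type")
_seen = set()                             # in production: a unique index in your DB

# Constructed sample: the Step 4 payload as raw request bytes.
SAMPLE_BODY = json.dumps({
    "event": "attendance.created", "device_serial": "CZKE2234F0039",
    "employee_id": "1042", "timestamp": "2026-03-17T08:32:15Z",
    "punch_type": "check_in", "verification": "fingerprint",
}).encode()


def sign(body, secret=WEBHOOK_SECRET):
    """Assumed scheme (not confirmed by the page): hex HMAC-SHA256 of the raw body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook(body, signature):
    """Return (HTTP status, reason) for one delivery."""
    # 1. Authenticate the raw bytes before parsing; compare in constant time.
    if not hmac.compare_digest(sign(body).encode(), (signature or "").encode()):
        return 401, "bad signature"
    # 2. Validate shape and source: a valid signature does not make fields sane.
    try:
        evt = json.loads(body)
    except ValueError:
        return 400, "invalid JSON"
    if not isinstance(evt, dict) or not all(isinstance(evt.get(k), str) for k in REQUIRED):
        return 400, "missing or non-string field"
    if evt["event"] != "attendance.created":
        return 400, "unexpected event"
    if evt["device_serial"] not in KNOWN_DEVICES:
        return 403, "unknown device"
    # 3. Replay/retry handling by dedupe key, not timestamp age: a device that
    #    was offline legitimately delivers punches with old timestamps.
    key = tuple(evt[k] for k in REQUIRED[1:])
    if key in _seen:
        return 200, "duplicate ignored"
    _seen.add(key)
    return 200, "recorded"
```

Call `handle_webhook` with the unparsed request body from your web framework; re-serializing parsed JSON before verifying changes the bytes and breaks the signature check.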

Comparing Approaches

Static IP + polling: $20-80/month per site for a static IP. Port forwarding config. Firewall rules. Breaks when ISP changes. 10-30 min data delay. Per-site maintenance.

VPN tunnels: Solves the IP problem but adds complexity. VPN server to maintain. Client config per site. Single point of failure. When the VPN drops, all attendance stops.

Dynamic DNS: Partial fix. Doesn't work behind CGNAT. DNS propagation delays. Still needs port forwarding.

PunchConnect cloud API: No per-site cost. No network config. Works behind CGNAT, dynamic IPs, mobile connections. Real-time webhooks. $200/device one-time.

Real-World Scale

PunchConnect runs in production with 24,000+ active employees across 50+ sites. Different ISPs, different countries, different network setups. One cloud, one API, zero network headaches. Read the AgriWise case study →

Integrates with Odoo, ERPNext, or any system that accepts HTTP requests.

Pricing

$200 per device — one-time. Compare that to $20-80/month for a static IP at each location, plus the engineering time to maintain VPNs and firewall rules. The API pays for itself in month 2.

Frequently Asked Questions

Can I use biometric attendance without a static IP on ZKTeco devices? Yes. PunchConnect uses outbound-only connections from the device. No static IP, no port forwarding, no VPN needed. Works with any ISP, any connection type.

Does it work behind CGNAT? Yes. CGNAT blocks inbound connections, but PunchConnect only uses outbound connections from the device. CGNAT is invisible.

What happens if the device loses internet temporarily? ZKTeco devices store records locally (50,000-100,000 records). When connectivity returns, everything syncs automatically. No data lost.

Is a cloud approach less secure than direct LAN connections? No — it's typically more secure. PunchConnect uses TLS 1.3 encryption for all data in transit. Direct LAN polling often runs unencrypted. And you don't need to open inbound firewall ports.

How many devices can I connect without static IPs? No limit. Each device connects independently. Currently handling 100+ devices across 50+ sites in production.

Stop Fighting Your Network

Start your free 7-day trial — no credit card. Register your device in 5 minutes and receive your first attendance webhook in seconds. No static IP required. No network changes needed.
