Proxies for Instagram and TikTok Scraping: What Works in 2026

Instagram and TikTok are the two hardest mainstream targets in scraping — harder than Google, harder than Amazon. Both run aggressive IP scoring, both fingerprint your client at multiple layers, and both are famous for the soft block: instead of a clean 403, you get login walls, empty JSON, "challenge_required", or silently truncated results. Your scraper "works" and your data is garbage.

This guide covers how each platform actually blocks you in 2026, the proxy setup that survives, and the request patterns that keep accounts and sessions alive. (For multi-account management rather than scraping, see our AdsPower/Multilogin and GoLogin/Dolphin Anty guides.)

How Instagram Blocks You

• IP reputation first. Datacenter ASNs hit the login wall almost immediately on web, and the private API returns challenge_required. Instagram's tolerance for shared/abused residential IPs is also low — pool quality matters more here than almost anywhere.
• Per-IP request budgets. Anonymous web requests get roughly 100–200 pageloads per IP per hour before the login wall; the GraphQL endpoints are tighter. The budget is per-IP and per-session-cookie, tracked separately.
• Logged-in scraping ties risk to the account. An account seen from 5 IPs in an hour gets checkpointed, not the IPs. If you scrape logged-in, one account = one sticky IP, period.
• Device/TLS fingerprints. The mobile-API route (posing as the app) checks TLS fingerprint against known app stacks — raw httpx dies here; see curl_cffi impersonation.

How TikTok Blocks You

• Signed requests. TikTok's web API requires X-Bogus/signature parameters generated by obfuscated JavaScript. Pure-HTTP scraping means reverse-engineering signatures that rotate every few weeks — most teams run a real browser (Playwright) instead and intercept the JSON responses.
• Geo-partitioned content. TikTok content, trends, and even availability differ by country of the exit IP. Scraping "US TikTok" from EU IPs gives you different data, not just blocked data — a silent correctness bug. Match proxy country to target market.
• Datacenter IP = instant captcha. The slider/whirl captcha appears on first load from cloud ASNs. Residential exits mostly skip it.
• Behavioral scoring in the webapp. Scroll cadence and watch-time signals feed risk models; a browser that paginates a profile at machine speed gets its session poisoned (empty itemList responses that look like "no more content").

The Setup That Works

1. Residential, geo-matched, sticky per identity

# One identity = one sticky session, country-pinned
socks5h://USERNAME:[email protected]:913

Rotating-per-request is fine for anonymous public pages at low volume. The moment a session cookie or login is involved, switch to sticky — cookie and IP must move as one identity (why).

2. Public Instagram via GraphQL, through the proxy

from curl_cffi import requests

PROXY = {"https": "socks5h://USERNAME:[email protected]:913"}

# Public profile JSON (no login) - impersonate Chrome's TLS
r = requests.get(
    "https://www.instagram.com/api/v1/users/web_profile_info/?username=nasa",
    impersonate="chrome",
    headers={"X-IG-App-ID": "936619743392459"},
    proxies=PROXY,
)
data = r.json()["data"]["user"]
print(data["edge_followed_by"]["count"])

Watch the response, not the status code: a 200 with {"data": null} or a redirect to /accounts/login/ means this IP's budget is spent — rotate the identity, back off, and resume.

3. TikTok via Playwright + response interception

from playwright.sync_api import sync_playwright

with sync_playwright() as p:
    browser = p.chromium.launch(proxy={
        "server": "us.jibaoproxy.com:913",
        "username": "USERNAME", "password": "PASSWORD",
    })
    page = browser.new_page()
    items = []
    # Let TikTok's own JS sign the requests; we just read the answers
    page.on("response", lambda res:
        items.extend(res.json().get("itemList", []))
        if "/api/post/item_list" in res.url else None)
    page.goto("https://www.tiktok.com/@nasa")
    for _ in range(5):
        page.mouse.wheel(0, 2500)
        page.wait_for_timeout(1800)   # human-ish scroll cadence
    print(len(items), "videos captured")

This sidesteps signature reverse-engineering entirely: the page generates valid X-Bogus itself, and you harvest the JSON. The proxy must be set at browser launch — auth quirks are covered in Playwright proxy authentication.

4. Pace like a human, monitor for soft blocks

• Budget ~1 request / 2–4 s per Instagram identity; add jitter. TikTok scroll cadence 1.5–3 s.
• Alert on content signals, not HTTP codes: login-wall redirects, challenge_required, empty itemList with hasMore: true.
• Retire an identity after ~150 requests (IG) / ~30 profile pages (TikTok); cooldown 24h.
• Run a control probe (a known profile) each batch — if the control comes back wrong, the whole batch is suspect.

Quick Reference

	Instagram	TikTok
Best access path	Web GraphQL/API endpoints, curl_cffi	Playwright + response interception
Proxy type	Residential sticky per identity	Residential, geo-matched to market
Datacenter IPs	Login wall / challenge	Instant captcha
Soft-block signal	login redirect, challenge_required, null data	empty itemList, captcha page
Geo sensitivity	Moderate	High — content differs by country

Summary

• Both platforms soft-block: validate response content, never trust 200 OK.
• Residential is mandatory; sticky sessions whenever a cookie or login exists; geo-match TikTok to the market you're measuring.
• Instagram: web API + curl_cffi impersonation, ~150 requests per identity, then rotate.
• TikTok: let a real browser sign requests, intercept JSON, scroll at human cadence.
• Logged-in scraping binds risk to the account — one account, one IP, no exceptions.