Do users install anything?

Yes. Users need the BusinessProxy Chrome extension. The point is that there is no OS-level agent and no device-wide VPN client. For enforced deployments, admins should push the extension and managed settings through Chrome Enterprise or MDM.

Why does the extension request access to all sites?

Chrome requires the all-sites host permission so the extension can receive and answer proxy-authentication challenges for requests that Chrome routes through the configured proxy. The extension has no content scripts and does not inject into pages or modify page content.

Are proxy credentials the account password?

No. Account login and proxy access use different secrets. Proxy credentials are random, short-lived session secrets. BusinessProxy validates them with a server-side keyed one-way digest and does not store the raw proxy secret or reuse the account password.

Chrome Proxy

A managed Chrome proxy, issued by policy

BusinessProxy uses a Chrome extension to request a short-lived proxy session, apply the workspace routing policy, and answer proxy-auth challenges automatically. Users never type a reusable proxy password. Install the extension, set or receive the API URL, sign in, and connect.

Set up the extension

Install the BusinessProxy Chrome extension (in the current beta, the package we provide), open Options and set the API URL unless it is pushed by policy, sign in from the popup, then click Connect. The extension registers the device key if needed and requests short-lived proxy credentials.

Install the extension
Set or receive the API URL
Sign in and verify email
Connect — policy applies automatically

A controlled session flow

The proxy session is device-bound and short-lived. Sensitive session endpoints are signed with a device ID, timestamp and ECDSA P-256 signature. The session response returns a proxy node, routing policy and random credentials with their own expiry.

Device-signed session request (ECDSA P-256)
Backend-issued routing policy
Random short-lived credentials (~2 min TTL)
Heartbeat, rotate and end

Your account password is never the proxy password

Account login and proxy access use different secrets. The extension receives random proxy credentials for the current session only. BusinessProxy validates those credentials server-side with a keyed one-way digest; the raw proxy secret is not stored.

Permission	Purpose
`proxy`	Configure Chrome proxy settings while BusinessProxy is connected.
`storage`	Store minimal extension state and read Chrome Enterprise managed settings.
`alarms`	Run heartbeat, expiry and cleanup checks for the proxy session.
`webRequest`	Receive proxy-authentication challenge events for routed browser requests.
`webRequestAuthProvider`	Respond to proxy-auth challenges with short-lived session credentials.
`host_permissions: <all_urls>`	Allows Chrome to deliver proxy-auth challenges for requests routed through the configured proxy, regardless of destination site.

Permission

Purpose

proxy

Configure Chrome proxy settings while BusinessProxy is connected.

storage

Store minimal extension state and read Chrome Enterprise managed settings.

alarms

Run heartbeat, expiry and cleanup checks for the proxy session.

webRequest

Receive proxy-authentication challenge events for routed browser requests.

webRequestAuthProvider

Respond to proxy-auth challenges with short-lived session credentials.

host_permissions: <all_urls>

Allows Chrome to deliver proxy-auth challenges for requests routed through the configured proxy, regardless of destination site.