Configuring a firewall, proxy server, or data perimeter for Kiro

If your network uses a firewall, proxy server, or data perimeter, you need to allowlist specific URLs so Kiro can reach its backend services. This page lists every domain Kiro contacts, grouped by function.

Network traffic overview

Kiro makes two types of outbound connections:

Agent traffic — Requests from Kiro Web to backend services (AI, telemetry, authentication).
Browser traffic — Sign-in uses your browser. This traffic uses your OS network stack.

Your firewall must allow both at the network level.

Core URLs

The following URLs are required by all Kiro products (IDE, CLI, and Web):

URL	Purpose
`app.kiro.dev`	Sign-in portal
`assets.app.kiro.dev`	Application assets

Every Kiro Web deployment also needs the following URLs. These cover AI services and telemetry.

URL	Purpose
`kaa-assets.app.kiro.dev`	Agent application assets
`kiro.dev`	Kiro website and documentation
`prod.us-east-1.auth.desktop.kiro.dev`	Token exchange, refresh, and logout
`kiro-prod-us-east-1.auth.us-east-1.amazoncognito.com`	Cognito authentication
`management.us-east-1.kiro.dev`	Configuration, access management
`q.*.amazonaws.com`	Kiro service endpoints
`prod.us-east-1.telemetry.kiro.aws.dev`	Telemetry and metrics
`prod.download.desktop.kiro.dev`	Downloads and updates
`a0.awsstatic.com`	AWS static assets
`dataplane.rum.us-east-1.amazonaws.com`	CloudWatch RUM (US East)
`dataplane.rum.eu-central-1.amazonaws.com`	CloudWatch RUM (Europe)
`prod.assets.shortbread.aws.dev`	Cookie consent assets
`prod.log.shortbread.aws.dev`	Cookie consent logging
`prod.tools.shortbread.aws.dev`	Cookie consent tools
`rendering.aperture-public-api.feedback.console.aws.dev`	Feedback form

If your network policy allows wildcard rules, you can allowlist *.kiro.dev and *.app.kiro.dev instead of the individual kiro.dev domains above. Note that some firewalls only match a single subdomain level, so *.kiro.dev would cover app.kiro.dev but not assets.app.kiro.dev. If your firewall behaves this way, also add *.app.kiro.dev or list multi-level subdomains explicitly. See Wildcard rules for a complete summary.

If you sign in with Google or GitHub, allowlist this additional endpoint for the Cognito identity federation flow.

URL	Purpose
`cognito-identity.us-east-1.amazonaws.com`	Federated identity for social sign-in

IAM Identity Center

If your organization uses AWS IAM Identity Center for authentication, allowlist these additional endpoints.

Replace idc-directory-id-or-alias with your IAM Identity Center instance's directory ID or alias, and sso-region with the AWS Region where your instance is enabled. For more information, see What is IAM Identity Center? in the IAM Identity Center User Guide.

URL	Purpose
`<region>.signin.aws`	AWS sign-in
`<sso-region>.signin.aws.amazon.com`	AWS sign-in (alternate)
`<idc-directory-id-or-alias>.awsapps.com`	IAM Identity Center portal
`portal.sso.<sso-region>.amazonaws.com`	SSO portal
`assets.sso-portal.<sso-region>.amazonaws.com`	SSO portal assets
`oidc.<sso-region>.amazonaws.com`	OIDC token exchange

External identity providers

If your organization uses an external identity provider (IdP) with IAM Identity Center, the sign-in flow redirects through your IdP's domain. You need to allowlist that domain too.

Identity provider	Domain to allowlist
Microsoft Entra ID	`login.microsoftonline.com`
Okta	`<your-org>.okta.com`

Check with your identity team for the exact domain if you are unsure which IdP is configured.

Subscription management

If you sign in with Google, GitHub, or AWS Builder ID, Kiro uses Stripe for subscription billing. Allowlist these domains to access the billing portal and upgrade plans.

URL	Purpose
`billing.stripe.com`	Billing portal for paid plans
`checkout.stripe.com`	Checkout for plan upgrades

Enterprise customers using IAM Identity Center don't need these domains.

Wildcard rules

If your network policy allows wildcard rules, you can simplify the allowlist:

Wildcard	Covers
`*.kiro.dev`	All single-level Kiro subdomains
`*.app.kiro.dev`	Application and CDN assets
`*.kiro.aws.dev`	Telemetry endpoints
`*.amazonaws.com`	All AWS service endpoints (Kiro service, RUM, OIDC, SSO, Cognito)
`*.shortbread.aws.dev`	Cookie consent
`*.signin.aws`	IAM Identity Center sign-in

Page updated: May 27, 2026

Data protection

Network traffic overview

Kiro makes two types of outbound connections:

Agent traffic — Requests from Kiro Web to backend services (AI, telemetry, authentication).
Browser traffic — Sign-in uses your browser. This traffic uses your OS network stack.

Your firewall must allow both at the network level.

Core URLs

The following URLs are required by all Kiro products (IDE, CLI, and Web):

URL	Purpose
`app.kiro.dev`	Sign-in portal
`assets.app.kiro.dev`	Application assets

Every Kiro Web deployment also needs the following URLs. These cover AI services and telemetry.

URL	Purpose
`kaa-assets.app.kiro.dev`	Agent application assets
`kiro.dev`	Kiro website and documentation
`prod.us-east-1.auth.desktop.kiro.dev`	Token exchange, refresh, and logout
`kiro-prod-us-east-1.auth.us-east-1.amazoncognito.com`	Cognito authentication
`management.us-east-1.kiro.dev`	Configuration, access management
`q.*.amazonaws.com`	Kiro service endpoints
`prod.us-east-1.telemetry.kiro.aws.dev`	Telemetry and metrics
`prod.download.desktop.kiro.dev`	Downloads and updates
`a0.awsstatic.com`	AWS static assets
`dataplane.rum.us-east-1.amazonaws.com`	CloudWatch RUM (US East)
`dataplane.rum.eu-central-1.amazonaws.com`	CloudWatch RUM (Europe)
`prod.assets.shortbread.aws.dev`	Cookie consent assets
`prod.log.shortbread.aws.dev`	Cookie consent logging
`prod.tools.shortbread.aws.dev`	Cookie consent tools
`rendering.aperture-public-api.feedback.console.aws.dev`	Feedback form

If you sign in with Google or GitHub, allowlist this additional endpoint for the Cognito identity federation flow.

URL	Purpose
`cognito-identity.us-east-1.amazonaws.com`	Federated identity for social sign-in

IAM Identity Center

If your organization uses AWS IAM Identity Center for authentication, allowlist these additional endpoints.

URL	Purpose
`<region>.signin.aws`	AWS sign-in
`<sso-region>.signin.aws.amazon.com`	AWS sign-in (alternate)
`<idc-directory-id-or-alias>.awsapps.com`	IAM Identity Center portal
`portal.sso.<sso-region>.amazonaws.com`	SSO portal
`assets.sso-portal.<sso-region>.amazonaws.com`	SSO portal assets
`oidc.<sso-region>.amazonaws.com`	OIDC token exchange

External identity providers

If your organization uses an external identity provider (IdP) with IAM Identity Center, the sign-in flow redirects through your IdP's domain. You need to allowlist that domain too.

Identity provider	Domain to allowlist
Microsoft Entra ID	`login.microsoftonline.com`
Okta	`<your-org>.okta.com`

Check with your identity team for the exact domain if you are unsure which IdP is configured.

Subscription management

If you sign in with Google, GitHub, or AWS Builder ID, Kiro uses Stripe for subscription billing. Allowlist these domains to access the billing portal and upgrade plans.

URL	Purpose
`billing.stripe.com`	Billing portal for paid plans
`checkout.stripe.com`	Checkout for plan upgrades

Enterprise customers using IAM Identity Center don't need these domains.

Wildcard rules

If your network policy allows wildcard rules, you can simplify the allowlist:

Wildcard	Covers
`*.kiro.dev`	All single-level Kiro subdomains
`*.app.kiro.dev`	Application and CDN assets
`*.kiro.aws.dev`	Telemetry endpoints
`*.amazonaws.com`	All AWS service endpoints (Kiro service, RUM, OIDC, SSO, Cognito)
`*.shortbread.aws.dev`	Cookie consent
`*.signin.aws`	IAM Identity Center sign-in

Page updated: May 27, 2026

Data protection

Configuring a firewall, proxy server, or data perimeter for Kiro

Configuring a firewall, proxy server, or data perimeter for Kiro

Network traffic overview

Core URLs

Social sign-in

IAM Identity Center

External identity providers

Subscription management

Wildcard rules

Network traffic overview

Core URLs

Social sign-in

IAM Identity Center

External identity providers

Subscription management

Wildcard rules