If your network uses a firewall, proxy server, or data perimeter, you need to allowlist specific URLs so Kiro can reach its backend services. This page lists every domain Kiro contacts, grouped by function.
Kiro makes two types of outbound connections:
Your firewall must allow both at the network level.
Every Kiro Autonomous Agent deployment needs the following URLs. These cover the agent application, sign-in, AI services, and telemetry.
| URL | Purpose |
|---|---|
app.kiro.dev | Sign-in portal |
assets.app.kiro.dev | Agent application assets (primary) |
kaa-assets.app.kiro.dev | Agent application assets (primary) |
kiro.dev | Kiro website and documentation |
prod.us-east-1.auth.desktop.kiro.dev | Token exchange, refresh, and logout |
kiro-prod-us-east-1.auth.us-east-1.amazoncognito.com | Cognito authentication |
management.us-east-1.kiro.dev | Configuration, access management |
q.*.amazonaws.com | Kiro service endpoints |
prod.us-east-1.telemetry.kiro.aws.dev | Telemetry and metrics |
prod.download.desktop.kiro.dev | Downloads and updates |
a0.awsstatic.com | AWS static assets |
prod.assets.shortbread.aws.dev | Cookie consent assets |
prod.log.shortbread.aws.dev | Cookie consent logging |
prod.tools.shortbread.aws.dev | Cookie consent tools |
rendering.aperture-public-api.feedback.console.aws.dev | Feedback form |
If your network policy allows wildcard rules, you can allowlist *.kiro.dev instead of the individual kiro.dev domains above.
If you sign in with Google or GitHub, allowlist this additional endpoint for the Cognito identity federation flow.
| URL | Purpose |
|---|---|
cognito-identity.us-east-1.amazonaws.com | Federated identity for social sign-in |
If your organization uses AWS IAM Identity Center for authentication, allowlist these additional endpoints.
Replace idc-directory-id-or-alias with your IAM Identity Center instance's directory ID or alias, and sso-region with the AWS Region where your instance is enabled. For more information, see What is IAM Identity Center? in the IAM Identity Center User Guide.
| URL | Purpose |
|---|---|
<region>.signin.aws | AWS sign-in |
<idc-directory-id-or-alias>.awsapps.com | IAM Identity Center portal |
oidc.<sso-region>.amazonaws.com | OIDC token exchange |
If your organization uses an external identity provider (IdP) with IAM Identity Center, the sign-in flow redirects through your IdP's domain. You need to allowlist that domain too.
| Identity provider | Domain to allowlist |
|---|---|
| Microsoft Entra ID | login.microsoftonline.com |
| Okta | <your-org>.okta.com |
Check with your identity team for the exact domain if you are unsure which IdP is configured.
If you sign in with Google, GitHub, or AWS Builder ID, Kiro uses Stripe for subscription billing. Allowlist these domains to access the billing portal and upgrade plans.
| URL | Purpose |
|---|---|
billing.stripe.com | Billing portal for paid plans |
checkout.stripe.com | Checkout for plan upgrades |
Enterprise customers using IAM Identity Center don't need these domains.
If your network policy allows wildcard rules, you can simplify the allowlist:
| Wildcard | Covers |
|---|---|
*.kiro.dev | All Kiro domains |
*.kiro.aws.dev | Telemetry endpoints |
q.*.amazonaws.com | Kiro service endpoints |
*.shortbread.aws.dev | Cookie consent |
*.signin.aws | IAM Identity Center sign-in |
Configuring a firewall, proxy server, or data perimeter for Kiro