If your network uses a firewall, proxy server, or data perimeter, you need to allowlist specific URLs so Kiro can reach its backend services. This page lists every domain Kiro contacts, grouped by function.
Kiro makes two types of outbound connections:
Your firewall must allow both at the network level.
Every Kiro installation needs the following URLs. These cover sign-in, chat and code assistance, telemetry, and auto-updates.
| URL | Purpose | Traffic type |
|---|---|---|
| app.kiro.dev | Sign-in portal | Browser |
| prod.us-east-1.auth.desktop.kiro.dev | Token exchange, refresh, and logout | IDE |
| prod.us-east-1.telemetry.desktop.kiro.dev | Telemetry | IDE |
| prod.download.desktop.kiro.dev | Auto-updates, Powers registry, and icons | IDE |
| q.us-east-1.amazonaws.com | Kiro service (US East) | IDE |
| q.eu-central-1.amazonaws.com | Kiro service (Europe) | IDE |
If your network policy allows wildcard rules, you can allowlist *.kiro.dev instead of the first four individual domains.
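To check an exported proxy or firewall allowlist against the core URLs above, the following Python script (an added example, not Kiro's own tooling) reports required domains that no rule covers and flags wildcard rules other than *.kiro.dev for review. The wildcard matching semantics, the function names, and the sample allowlist are assumptions; confirm how your own firewall interprets a leading `*.`.

```python
# Added example: audit an egress allowlist against the Core URLs table.
CORE_DOMAINS = [
    "app.kiro.dev",
    "prod.us-east-1.auth.desktop.kiro.dev",
    "prod.us-east-1.telemetry.desktop.kiro.dev",
    "prod.download.desktop.kiro.dev",
    "q.us-east-1.amazonaws.com",
    "q.eu-central-1.amazonaws.com",
]
DOCUMENTED_WILDCARDS = {"*.kiro.dev"}  # the only wildcard this page suggests


def normalize(name):
    """Lower-case and drop whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


def rule_matches(rule, host):
    """Assumed semantics: '*.x' covers subdomains of x at any depth, on a
    label boundary only; it covers neither x itself nor look-alike names."""
    rule, host = normalize(rule), normalize(host)
    if rule.startswith("*."):
        suffix = rule[1:]  # e.g. ".kiro.dev"
        return host.endswith(suffix) and len(host) > len(suffix)
    return rule == host


def audit(allowlist, required=CORE_DOMAINS):
    """Return (missing, wide): required hosts that no rule covers, and
    wildcard rules other than the one documented on this page."""
    rules = [normalize(r) for r in allowlist if r.strip()]
    missing = sorted(h for h in required
                     if not any(rule_matches(r, h) for r in rules))
    wide = sorted(r for r in rules
                  if r.startswith("*.") and r not in DOCUMENTED_WILDCARDS)
    return missing, wide


# Constructed sample allowlist, as it might be exported from a proxy.
SAMPLE_ALLOWLIST = ["*.kiro.dev", "Q.us-east-1.amazonaws.com.", "kiro.dev"]

if __name__ == "__main__":
    missing, wide = audit(SAMPLE_ALLOWLIST)
    for host in missing:
        print("not covered:", host)
    for rule in wide:
        print("review wildcard:", rule)
```

A rule such as *.amazonaws.com would satisfy the check for both Kiro service endpoints but also admits every other host under that domain, which is why the script lists it for review.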
If your organization uses AWS IAM Identity Center for authentication, allowlist these additional endpoints.
Replace idc-directory-id-or-alias with your IAM Identity Center instance's directory ID or alias, and sso-region with the AWS Region where your instance is enabled. For more information, see What is IAM Identity Center? in the IAM Identity Center User Guide.
| URL | Purpose |
|---|---|
| <idc-directory-id-or-alias>.awsapps.com | IAM Identity Center portal |
| oidc.<sso-region>.amazonaws.com | OIDC token exchange |
If your organization uses an external identity provider (IdP) with IAM Identity Center, the sign-in flow redirects through your IdP's domain. You need to allowlist that domain too.
| Identity provider | Domain to allowlist |
|---|---|
| Microsoft Entra ID | login.microsoftonline.com |
| Okta | <your-org>.okta.com |
Check with your identity team for the exact domain if you are unsure which IdP is configured.
If you use AWS GovCloud (US), allowlist these FIPS-compliant endpoints instead of the commercial Kiro service endpoints in the Core URLs table:
- q-fips.us-gov-east-1.amazonaws.com
- q-fips.us-gov-west-1.amazonaws.com

If you sign in with Google, GitHub, or AWS Builder ID, Kiro uses Stripe for subscription billing. Allowlist these domains to access the billing portal and upgrade plans.
| URL | Purpose |
|---|---|
| billing.stripe.com | Billing portal for paid plans |
| checkout.stripe.com | Checkout for plan upgrades |
Enterprise customers using IAM Identity Center don't need these domains.
You only need these if you use the corresponding Kiro feature. Skip any that don't apply to your environment.
| URL | Feature | Purpose |
|---|---|---|
| open-vsx.org | Extensions | Search and metadata |
| openvsx.eclipsecontent.org | Extensions | Icons and VSIX downloads |
| github.com | Powers / MCP | Repository cloning |
| raw.githubusercontent.com | Powers / MCP | Config files and readme images |
Kiro respects standard proxy environment variables for all IDE traffic:
- HTTP_PROXY
- HTTPS_PROXY
- NO_PROXY

You can also configure proxy settings in Settings > Proxy inside Kiro.
If you use data perimeters on AWS to restrict access to trusted identities and resources, make sure your policies allow Kiro's service principals to reach the endpoints listed on this page. For VPC-level controls, see VPC endpoints (AWS PrivateLink).
Configuring a firewall, proxy server, or data perimeter for Kiro