Configuring a firewall, proxy server, or data perimeter for Kiro


If your network uses a firewall, proxy server, or data perimeter, you need to allowlist specific URLs so Kiro can reach its backend services. This page lists every domain Kiro contacts, grouped by function.

Network traffic overview

Kiro makes two types of outbound connections:

  • IDE traffic — Requests from the Kiro IDE process (chat, completions, telemetry, updates, extensions). This traffic respects your proxy settings.
  • Browser traffic — Sign-in opens your default browser. This traffic uses your OS network stack and bypasses IDE proxy settings.

Your firewall must allow both at the network level.

Core URLs

The following URLs are required by all Kiro products (IDE, CLI, and Autonomous Agent):

| URL | Purpose |
| --- | --- |
| app.kiro.dev | Sign-in portal |
| assets.app.kiro.dev | Application assets |

Every Kiro installation also needs the following URLs. These cover chat and code assistance, telemetry, and auto-updates.

| URL | Purpose | Traffic type |
| --- | --- | --- |
| prod.us-east-1.auth.desktop.kiro.dev | Token exchange, refresh, and logout | IDE |
| prod.us-east-1.telemetry.desktop.kiro.dev | Telemetry | IDE |
| prod.download.desktop.kiro.dev | Auto-updates, Powers registry, and icons | IDE |
| q.us-east-1.amazonaws.com | Kiro service (US East) | IDE |
| q.eu-central-1.amazonaws.com | Kiro service (Europe) | IDE |
| runtime.us-east-1.kiro.dev | Kiro service (US East) | IDE |
| runtime.eu-central-1.kiro.dev | Kiro service (Europe) | IDE |
| management.us-east-1.kiro.dev | Configuration, access management (US East) | IDE |
| management.eu-central-1.kiro.dev | Configuration, access management (Europe) | IDE |
| telemetry.us-east-1.kiro.dev | Telemetry (US East) | IDE |
| telemetry.eu-central-1.kiro.dev | Telemetry (Europe) | IDE |

Info: The q.<region>.amazonaws.com endpoints are legacy and will be deprecated in a future release. New deployments should use the runtime, management, and telemetry endpoints listed above.

If your network policy allows wildcard rules, you can allowlist *.kiro.dev instead of the individual kiro.dev domains above. Note that some firewalls only match a single subdomain level, so *.kiro.dev would cover app.kiro.dev but not assets.app.kiro.dev. If your firewall behaves this way, also add *.app.kiro.dev or list multi-level subdomains explicitly.
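
The following added example (not Kiro's own code) audits a wildcard allowlist against the hostnames from the tables above under both wildcard behaviours. The function names and the two matching models are assumptions for illustration; confirm which model your firewall actually implements.

```python
# Added example: which Kiro hostnames does a wildcard allowlist leave uncovered?
# Hostnames are copied from the tables on this page (US East subset).
KIRO_HOSTS = [
    "app.kiro.dev",
    "assets.app.kiro.dev",
    "prod.us-east-1.auth.desktop.kiro.dev",
    "prod.us-east-1.telemetry.desktop.kiro.dev",
    "prod.download.desktop.kiro.dev",
    "runtime.us-east-1.kiro.dev",
    "management.us-east-1.kiro.dev",
    "telemetry.us-east-1.kiro.dev",
    "cognito-identity.us-east-1.amazonaws.com",
]


def rule_matches(rule: str, host: str, single_label: bool) -> bool:
    """Return True if `rule` (exact name or '*.suffix') covers `host`.

    single_label=True models a firewall where '*' stands for exactly one
    DNS label; single_label=False models one where '*' spans any depth.
    """
    rule, host = rule.lower().rstrip("."), host.lower().rstrip(".")
    if not rule.startswith("*."):
        return rule == host                  # exact-name rule
    suffix = rule[1:]                        # "*.kiro.dev" -> ".kiro.dev"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]            # labels the '*' must absorb
    if not prefix:
        return False
    return "." not in prefix if single_label else True


def uncovered(rules, hosts, single_label):
    """List the hosts that no rule in `rules` covers."""
    return [h for h in hosts
            if not any(rule_matches(r, h, single_label) for r in rules)]


if __name__ == "__main__":
    # Constructed sample policy: one wildcard plus one exact AWS endpoint.
    rules = ["*.kiro.dev", "cognito-identity.us-east-1.amazonaws.com"]
    for single in (False, True):
        model = "single-label" if single else "multi-label"
        print(f"{model} wildcard, still blocked:")
        for host in uncovered(rules, KIRO_HOSTS, single) or ["(none)"]:
            print("   ", host)
```

Under the single-label model, the regional and desktop hostnames (for example runtime.us-east-1.kiro.dev) are also multi-level, so adding *.app.kiro.dev alone does not cover them; list them explicitly.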

Social sign-in

If you sign in with Google or GitHub, allowlist this additional endpoint for the Cognito identity federation flow.

| URL | Purpose |
| --- | --- |
| cognito-identity.us-east-1.amazonaws.com | Federated identity for social sign-in |

IAM Identity Center

If your organization uses AWS IAM Identity Center for authentication, allowlist these additional endpoints.

Replace idc-directory-id-or-alias with your IAM Identity Center instance's directory ID or alias, and sso-region with the AWS Region where your instance is enabled. For more information, see What is IAM Identity Center? in the IAM Identity Center User Guide.

| URL | Purpose |
| --- | --- |
| <region>.signin.aws | AWS sign-in |
| <idc-directory-id-or-alias>.awsapps.com | IAM Identity Center portal |
| oidc.<sso-region>.amazonaws.com | OIDC token exchange |

External identity providers

If your organization uses an external identity provider (IdP) with IAM Identity Center, the sign-in flow redirects through your IdP's domain. You need to allowlist that domain too.

| Identity provider | Domain to allowlist |
| --- | --- |
| Microsoft Entra ID | login.microsoftonline.com |
| Okta | <your-org>.okta.com |

Check with your identity team for the exact domain if you are unsure which IdP is configured.

AWS GovCloud

If you use AWS GovCloud (US), allowlist these FIPS-compliant endpoints instead of the commercial Kiro service endpoints in the Core URLs table:

  • q-fips.us-gov-east-1.amazonaws.com
  • q-fips.us-gov-west-1.amazonaws.com

Info: GovCloud regions do not support kiro.dev DNS names. Only the q-fips.*.amazonaws.com endpoints are available.

Subscription management

If you sign in with Google, GitHub, or AWS Builder ID, Kiro uses Stripe for subscription billing. Allowlist these domains to access the billing portal and upgrade plans.

| URL | Purpose |
| --- | --- |
| billing.stripe.com | Billing portal for paid plans |
| checkout.stripe.com | Checkout for plan upgrades |

Enterprise customers using IAM Identity Center don't need these domains.

Optional URLs

You only need these if you use the corresponding Kiro feature. Skip any that don't apply to your environment.

| URL | Feature | Purpose |
| --- | --- | --- |
| open-vsx.org | Extensions | Search and metadata |
| openvsx.eclipsecontent.org | Extensions | Icons and VSIX downloads |
| github.com | Powers / MCP | Repository cloning |
| raw.githubusercontent.com | Powers / MCP | Config files and readme images |

Proxy configuration

Kiro respects standard proxy environment variables for all IDE traffic:

  • HTTP_PROXY
  • HTTPS_PROXY
  • NO_PROXY

You can also configure proxy settings in Settings > Proxy inside Kiro.

Browser-based sign-in bypasses proxy settings

When you sign in, Kiro opens your default browser to app.kiro.dev. This browser traffic uses your operating system's network stack, not the IDE's proxy configuration. Your firewall must allow the IAM Identity Center URLs and app.kiro.dev at the network level regardless of how the IDE proxy is configured.

Data perimeters

If you use data perimeters on AWS to restrict access to trusted identities and resources, make sure your policies allow Kiro's service principals to reach the endpoints listed on this page. For VPC-level controls, see VPC endpoints (AWS PrivateLink).

Page updated: May 6, 2026