Set up a Google Workspace host name allowlist

When you’re setting up Google Workspace, you need to add some host names to your allowlist so Google Workspace APIs work correctly.

Important:

  • This information is subject to change without notice.
  • For product-specific information about APIs, refer to the Help Center content for that product.

Step 1: Open connectivity ports

Open the following ports:

Port | Purpose
TCP port 443 (HTTPS) | Access the main URLs for authentication and API calls
TCP port 80 (HTTP) | Allow CRL and OCSP checks (Step 4 below)

Notes:

  • Depending on your setup and the application, you might need to allow additional rules.
  • If you're using a Microsoft Windows client, you might need to allow these rules on a per-application basis. For details, consult your Microsoft documentation.

Step 2: URLs to allow

What's new?

  • March 31, 2021: Added URLs for Google Meet and marked Google Contacts as deprecated.

Top-level URLs

Allow the following URLs for Google Workspace APIs:

Purpose | URL
Authentication (for more information, go to Using OAuth 2.0 for Web Server Applications) | https://accounts.google.com/o/oauth2
 | https://www.googleapis.com/oauth2
 | https://oauth2.googleapis.com/token
Main API entry point | https://*.googleapis.com (where * is any string not containing a period)
Email | In addition to the main API entry point: https://mail.google.com/mail
Contacts and Global Address List (GAL) | https://www.google.com/m8
Google Workspace Admin Settings API | https://apps-apis.google.com/a
Accounts and sign-ins | https://www.google.com/accounts/ClientLogin
 | https://www.google.com/accounts/

Tip: You might also want to allow https://www.googleapis.com/generate_204 which can be used to check the HTTP status code (204).
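
One way to check a URL against the top-level entries above, as an added example (not Google's code or tooling). It assumes `*` matches exactly one host label as the table states, that an entry's path is a prefix ending at a path-segment boundary, and that only HTTPS on port 443 is permitted; `TOP_LEVEL` and `is_allowed` are names made up for this example.

```python
import re
from urllib.parse import urlsplit

# Top-level entries copied from the Step 2 table on this page.
TOP_LEVEL = [
    "https://accounts.google.com/o/oauth2",
    "https://www.googleapis.com/oauth2",
    "https://oauth2.googleapis.com/token",
    "https://*.googleapis.com",
    "https://mail.google.com/mail",
    "https://www.google.com/m8",
    "https://apps-apis.google.com/a",
    "https://www.google.com/accounts/ClientLogin",
    "https://www.google.com/accounts/",
]

def _host_regex(pattern):
    # '*' is "any string not containing a period": exactly one DNS label.
    labels = [r"[a-z0-9-]+" if label == "*" else re.escape(label)
              for label in pattern.lower().split(".")]
    return re.compile(r"\.".join(labels))

def _compile(entries):
    rules = []
    for entry in entries:
        parts = urlsplit(entry)
        # Assumption: the entry path is a prefix; a trailing slash is dropped.
        rules.append((_host_regex(parts.hostname), parts.path.rstrip("/")))
    return rules

RULES = _compile(TOP_LEVEL)

def is_allowed(url, rules=RULES):
    """Return True if url is HTTPS on port 443 and matches an allowlist entry."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443) or not parts.hostname:
        return False
    host = parts.hostname.rstrip(".")  # tolerate a fully qualified trailing dot
    path = parts.path or "/"
    for host_re, prefix in rules:
        if host_re.fullmatch(host) and (
                not prefix or path == prefix or path.startswith(prefix + "/")):
            return True
    return False
```

The host is taken from the parsed URL rather than matched as a substring, so look-alike hosts, multi-label subdomains and userinfo prefixes do not satisfy the `*.googleapis.com` entry.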

(Optional) URLs for additional control

For more control, you can also allow the following URLs:

Purpose | URL
More authentication URLs (you might not need all these URLs, depending on your setup) | https://accounts.google.com/o/oauth2/auth
 | https://accounts.google.com/o/oauth2/token
 | https://accounts.google.com/o/oauth2/v2/auth
 | https://oauth2.googleapis.com/token
 | https://www.googleapis.com/oauth2/v3/token
 | https://www.googleapis.com/oauth2/v4/token
 | https://www.googleapis.com/oauth2/v2/tokeninfo
 | https://www.googleapis.com/oauth2/v3/tokeninfo
 | https://accounts.google.com/o/oauth2/revoke
 | https://accounts.youtube.com
 | https://www.google.com
 | https://fonts.gstatic.com
 | https://ssl.gstatic.com
 | https://www.gstatic.com
 | https://*.googleusercontent.com/*
Gmail > Gmail API | https://mail.google.com/mail
 | https://www.googleapis.com/gmail
 | https://www.googleapis.com/upload/gmail
Google Calendar API | https://www.googleapis.com/calendar
Google Classroom API | https://classroom.googleapis.com
Google Contacts API (Deprecated. The People API is recommended.) | https://www.google.com/m8/feeds
Global Address List (GAL) (Google Workspace Admin SDK > Domain Shared Contacts API) | https://www.google.com/m8/feeds/gal
Google Drive APIs | https://www.googleapis.com/drive
 | https://www.googleapis.com/upload/drive
Google Drive Activity API | https://www.googleapis.com/appsactivity
Google Meet | https://*.googlevideo.com/*
 | https://*.youtube-nocookie.com/*
 | https://*.ytimg.com/*
Google Sheets API | https://sheets.googleapis.com
Google Slides API | https://slides.googleapis.com
Google Tasks API | https://www.googleapis.com/tasks
Google Workspace Admin SDK > Data Transfer API | https://www.googleapis.com/admin/datatransfer
Google Workspace Admin SDK > Directory API | https://www.googleapis.com/admin/directory
Google Workspace Admin SDK > Enterprise License Manager API | https://www.googleapis.com/apps/licensing
Google Workspace Admin SDK > Groups Migration API | https://www.googleapis.com/upload/groups
Google Workspace Admin SDK > Groups Settings API | https://www.googleapis.com/groups
Google Workspace Admin SDK > Reports API | https://www.googleapis.com/admin/reports
People API | https://people.googleapis.com

Step 3: Review Google IP address ranges

Review how to obtain Google IP address ranges. Any of the Google URLs specified in step 2 can use the Google IP addresses.

You can also test the connection from the Google Admin Toolbox.

Step 4: Allow checks

CRL check

A Certificate Revocation List (CRL) is a list of digital certificates revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. These certificates should not be trusted.

The CRL is typically served from an HTTP (not HTTPS) URL on the CA website. The CRL distribution points are visible in the certificate X509v3 details.

Here are the current CRL distribution points that are in use for Google services:

  • http://crl.geotrust.com/crls/secureca.crl
  • http://crl.pki.goog/GTS1O1core.crl
  • http://crl.pki.goog/GTSGIAG3.crl
  • http://crl.pki.goog/gsr2/gsr2.crl
  • http://g.symcb.com/crls/gtglobal.crl
  • http://pki.google.com/GIAG2.crl
  • http://pki.goog/gsr2/GTSGIAG3.crt

For details, go to Google Trust Services.

OCSP check

The Online Certificate Status Protocol (OCSP) is an internet protocol used for obtaining the revocation status of an X.509 digital certificate.

Here are the current OCSP distribution points that are in use for Google services:

  • http://clients1.google.com/ocsp
  • http://g.symcd.com
  • http://ocsp.pki.goog/gts1o1core
  • http://ocsp.pki.goog/GTSGIAG3
  • http://ocsp.pki.goog/gsr2


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
