Set up a Google Workspace host name allowlist

When you’re setting up Google Workspace, you need to add some host names to your allowlist so Google Workspace APIs work correctly.


  • This information is subject to change without notice.
  • For product-specific information about APIs, refer to the Help Center content for that product.

Step 1: Open connectivity ports

Open the following ports:

Port Purpose
TCP port 443 (HTTPS) Access the main URLs for authentication and API call
TCP port 80 (HTTP) Allow CRL and OCSP checks (Step 4 below)


  • Depending on your setup and the application, you might need to allow additional rules.
  • If you're using a Microsoft Windows client, you might need to allow these rules on a per-application basis. For details, consult your Microsoft documentation.

Step 2: URLs to allow

Expand section  |  Collapse all & go to top

What's new?
  • May 2, 2022: Added URLs for Google Chat.
  • March 31, 2021: Added URLs for Google Meet and marked Google Contacts as deprecated.
Top-level URLs

Allow the following URLs for Google Workspace APIs:

Purpose URL

For more information, go to Using OAuth 2.0 for Web Server Applications.
Main API entry point https://*

(where * is any string not containing a period)

Email In addition to the main API entry point:
Contacts and Global Address List (GAL)
Google Workspace Admin Settings API
Accounts and sign-ins


Tip: You might also want to allow which can be used to check the HTTP status code (204).

(Optional) URLs for additional control

For more control, you can also allow the following URLs:

Purpose URL
More authentication URLs

You might not need all these URLs, depending on your setup.
Gmailand thenGmail API
Google Calendar API
Google Chat
Google Classroom API
Google Contacts API

(Deprecated. The People API is recommended.)
Global Address List (GAL)

Google Workspace Admin SDKand thenDomain Shared Contacts API
Google Drive APIs
Google Drive Activity API
Google Meet https://**
Google Sheets API
Google Slides API
Google Tasks API
Google Workspace Admin SDKand thenData Transfer API
Google Workspace Admin SDKand thenDirectory API
Google Workspace Admin SDKand thenEnterprise License Manager API
Google Workspace Admin SDKand thenGroups Migration API
Google Workspace Admin SDKand thenGroups Settings API
Google Workspace Admin SDKand thenReports API
People API

Step 3: Review Google IP address ranges

Review how to find Obtain Google IP address ranges. Any of the Google URLs specified in step 2 can use the Google IP addresses.

You can also test the connection from the Google Admin Toolbox.

Step 4: Allow checks

Expand section  |  Collapse all & go to top

CRL check

A Certificate Revocation List (CRL) is a list of digital certificates revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. These certificates should not be trusted.

An HTTP (not HTTPS) URL on the CA website typically sends a CRL. The CRL distribution points are visible in the certificate X509v3 details.

Here are the current CRL distribution points that are in use for Google services:


For details, go to Google Trust Services.

OCSP check

The Online Certificate Status Protocol (OCSP) is an internet protocol used for obtaining the revocation status of an X.509 digital certificate.

Current OCSP distribution point in use for Google services:

Related topics


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center