When you’re setting up Google Workspace, you need to add some host names to your allowlist so Google Workspace APIs work correctly.
Important:
- This information is subject to change without notice.
- For product-specific information about APIs, refer to the Help Center content for that product.
Step 1: Open connectivity ports
Open the following ports:
Port | Purpose |
---|---|
TCP port 443 (HTTPS) | Access the main URLs for authentication and API calls |
TCP port 80 (HTTP) | Allow CRL and OCSP checks (Step 4 later on this page) |
Notes:
- Depending on your setup and the application, you might need to allow additional rules.
- If you're using a Microsoft Windows client, you might need to allow these rules on a per-application basis. For details, consult your Microsoft documentation.
Step 2: URLs to allow
What's new?
- January 17, 2023—Added URL for embedded YouTube videos within Google Workspace for Education services
  Since this feature was rolled back, we’ve improved performance and quality and have begun rolling it out again in August 2024. If your organization currently allows or blocks YouTube videos within Google Workspace for Education services, you need to add “www.youtubeeducation.com” to these allowlists or blocklists. This will preserve the way your organization uses YouTube videos within Google Workspace for Education services.
- May 2, 2022—Added URLs for Google Chat
- March 31, 2021—Added URLs for Google Meet and marked Google Contacts as deprecated
Allow the following URLs for Google Workspace APIs:
Purpose | URL |
---|---|
Authentication (for more information, go to Using OAuth 2.0 for Web Server Applications) | https://accounts.google.com/o/oauth2 https://www.googleapis.com/oauth2 https://oauth2.googleapis.com/token https://accounts.google.co.[your country identifier] (for example, https://accounts.google.co.jp) |
Main API entry point | https://*.googleapis.com (where * is any string not containing a period) |
In addition to the main API entry point | https://mail.google.com/mail |
Contacts and Global Address List (GAL) | https://www.google.com/m8 |
Google Workspace Admin Settings API | https://apps-apis.google.com/a |
Accounts and sign-ins | https://www.google.com/accounts/ClientLogin https://www.google.com/accounts/ |
Tip: You might also want to allow https://www.googleapis.com/generate_204, which can be used to check the HTTP status code (204).
For more control, you can also allow the following URLs:
Purpose | URL |
---|---|
More authentication URLs (you might not need all these URLs, depending on your setup) | https://accounts.google.com/o/oauth2/auth https://accounts.google.com/o/oauth2/token https://accounts.google.com/o/oauth2/v2/auth https://oauth2.googleapis.com/token https://www.googleapis.com/oauth2/v3/token https://www.googleapis.com/oauth2/v4/token https://www.googleapis.com/oauth2/v2/tokeninfo https://www.googleapis.com/oauth2/v3/tokeninfo https://accounts.google.com/o/oauth2/revoke https://accounts.youtube.com https://www.google.com https://fonts.gstatic.com https://ssl.gstatic.com https://www.gstatic.com https://*.googleusercontent.com/* https://scf.usercontent.goog |
Gmail: Gmail API | https://mail.google.com/mail https://www.googleapis.com/gmail https://www.googleapis.com/upload/gmail |
Google Calendar API | https://www.googleapis.com/calendar |
Google Chat | https://chat.google.com https://mail.google.com/chat |
Google Classroom API | https://classroom.googleapis.com |
Google Contacts API (Deprecated. The People API is recommended.) | https://www.google.com/m8/feeds |
Global Address List (GAL); Google Workspace Admin SDK: Domain Shared Contacts API | https://www.google.com/m8/feeds/gal |
Google Drive APIs | https://www.googleapis.com/drive https://www.googleapis.com/upload/drive |
Google Drive Activity API | https://www.googleapis.com/appsactivity |
Google Meet | https://*.googlevideo.com/* https://*.youtube-nocookie.com/* https://*.ytimg.com/* |
Google Sheets API | https://sheets.googleapis.com |
Google Slides API | https://slides.googleapis.com |
Google Tasks API | https://www.googleapis.com/tasks |
Google Workspace Admin SDK: Data Transfer API | https://www.googleapis.com/admin/datatransfer |
Google Workspace Admin SDK: Directory API | https://www.googleapis.com/admin/directory |
Google Workspace Admin SDK: Enterprise License Manager API | https://www.googleapis.com/apps/licensing |
Google Workspace Admin SDK: Groups Migration API | https://www.googleapis.com/upload/groups |
Google Workspace Admin SDK: Groups Settings API | https://www.googleapis.com/groups |
Google Workspace Admin SDK: Reports API | https://www.googleapis.com/admin/reports |
People API | https://people.googleapis.com |
Embedded YouTube videos within Google Workspace for Education services | https://www.youtubeeducation.com |
Note for Education admins: The URL for embedded YouTube videos in Google Workspace for Education services is only relevant to Google Workspace for Education administrators. You only need to add www.youtubeeducation.com to your allowlist or blocklist if you use a third-party service to allow or block certain domains.
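Wildcard and path entries like the ones in Step 2 are easy to over-match when they are translated into proxy or firewall rules (for example, as a plain suffix or substring match). The following is an added example, not Google's code: it checks URLs against a subset of the Step 2 entries, treating * as exactly one host label as the table states. Matching paths as whole-segment prefixes, requiring port 443, and the function names are assumptions of this example.

```python
from urllib.parse import urlsplit

# Subset of the Step 2 entries, copied from the tables above.
ALLOWLIST = [
    "https://accounts.google.com/o/oauth2",
    "https://oauth2.googleapis.com/token",
    "https://*.googleapis.com",
    "https://mail.google.com/mail",
    "https://*.googleusercontent.com/*",
]

def _host_matches(pattern_host, host):
    """Compare label by label; '*' stands for exactly one label (no period)."""
    p_labels, h_labels = pattern_host.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all((p == "*" and h != "") or p == h
               for p, h in zip(p_labels, h_labels))

def _path_matches(pattern_path, path):
    """Prefix match on whole path segments, so /mail does not cover /mailbox."""
    prefix = pattern_path.rstrip("*").rstrip("/")
    return prefix == "" or path == prefix or path.startswith(prefix + "/")

def is_allowed(url, allowlist=ALLOWLIST):
    """Return True if url is covered by at least one allowlist entry."""
    try:
        u = urlsplit(url)
        # .hostname drops any userinfo ("user@") and port, and lowercases.
        host = (u.hostname or "").rstrip(".")
        port = u.port or {"https": 443, "http": 80}.get(u.scheme)
    except ValueError:  # malformed port or IPv6 literal
        return False
    if u.scheme != "https" or port != 443 or not host:
        return False
    for entry in allowlist:
        e = urlsplit(entry)
        if _host_matches(e.netloc.lower(), host) and _path_matches(e.path, u.path):
            return True
    return False
```

Running candidate rules or proxy log URLs through a matcher like this before deployment shows whether a rule set is wider than the documented entries.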
Step 3: Review Google IP address ranges
Review how to obtain Google IP address ranges. Any of the Google URLs specified in Step 2 can use the Google IP addresses.
You can also test the connection from the Google Admin Toolbox.
Step 4: Allow checks
CRL check
A Certificate Revocation List (CRL) is a list of digital certificates revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. These certificates shouldn't be trusted.
An HTTP (not HTTPS) URL on the CA website typically sends a CRL. The CRL distribution points are visible in the certificate X509v3 details.
The following are the current CRL distribution points that are in use for Google services:
- http://crl.pki.goog
- http://crls.pki.goog
- http://c.pki.goog
For details, go to Google Trust Services.
The Online Certificate Status Protocol (OCSP) is an internet protocol used for obtaining the revocation status of an X.509 digital certificate.
The current OCSP distribution point in use for Google services is http://ocsp.pki.goog.