Network endpoints
Hosts EasyCC reaches at runtime — for firewall allowlists.
A complete list of every host EasyCC can reach. Use this for firewall allowlists, proxy config, and air-gap planning.
Required (always reached in default config)
| Host | Port | Purpose | Required |
|---|---|---|---|
| api.anthropic.com | 443 | Claude API (chat, tool use) | Yes — unless using a custom gateway |
| <your-supabase-project>.supabase.co | 443 | Sign-in, account management | Yes |
| raw.githubusercontent.com | 443 | Update manifest fetch (default endpoint) | Yes — unless using a self-hosted mirror |
| objects.githubusercontent.com | 443 | Update binary download (CDN) | Yes — unless using a self-hosted mirror |
The minimum allowlist for an out-of-the-box deploy:
```text
api.anthropic.com
<your-supabase-project>.supabase.co
raw.githubusercontent.com
objects.githubusercontent.com
```
Conditional (reached based on configuration)
| Host | Port | When |
|---|---|---|
| huggingface.co | 443 | First time the user opts into Prompt injection detection (one-time model download). Skipped if safety_custom_model_url_base is set. |
| cdn-lfs.huggingface.co | 443 | Same — large file CDN |
| <your custom gateway URL> | 443 | When provider.type = customGateway. Replaces api.anthropic.com. |
| bedrock-runtime.<region>.amazonaws.com | 443 | When provider.type = bedrock. |
| <region>-aiplatform.googleapis.com | 443 | When provider.type = vertex. |
| <your foundry endpoint> | 443 | When provider.type = foundry. |
| <your self-hosted update mirror> | 443 | When update_endpoint is set. Replaces GitHub hosts. |
| <your MCP server URLs> | per server | When MCP servers are configured. |
| <your telemetry endpoint> | 443 | When telemetry is on. Default telemetry.easycc.app. |
| oauth2.googleapis.com, etc. | 443 | When users sign in with cloud connectors via Claude.ai. |
Sign-in flow — Microsoft
When users sign in with Microsoft:
| Host | Port | What |
|---|---|---|
| login.microsoftonline.com | 443 | Microsoft auth endpoint |
| graph.microsoft.com | 443 | User profile fetch |
Standard Microsoft 365 endpoints. If your tenant restricts these (it usually doesn't), Microsoft sign-in won't work in EasyCC.
Update flow
Default (GitHub-hosted):
```text
GET https://raw.githubusercontent.com/<repo>/main/release/latest.json
GET https://objects.githubusercontent.com/<...>/EasyCC.<arch>.<archive>
```
Self-hosted mirror:
```text
GET https://updates.your-org.example/easycc/latest.json
GET https://updates.your-org.example/easycc/<binary>
```
Replace with your actual mirror URL.
Connectivity check
A simple test for whether EasyCC can reach the required hosts:
Windows:
```powershell
# Prints each host and whether a TCP connection to port 443 succeeded
@('api.anthropic.com', 'raw.githubusercontent.com', 'objects.githubusercontent.com', 'your-supabase-project.supabase.co') | ForEach-Object {
    $result = Test-NetConnection $_ -Port 443 -WarningAction SilentlyContinue
    "$_`t$($result.TcpTestSucceeded)"
}
```
macOS:
```sh
# TCP reachability only, with a 5-second timeout per host
for host in api.anthropic.com raw.githubusercontent.com objects.githubusercontent.com your-supabase-project.supabase.co; do
  nc -zv -w 5 "$host" 443
done
```
If any host fails, allowlist it (or check your proxy config).
Proxy support
EasyCC respects the system HTTP proxy (set via OS settings or env vars):
| Var | What |
|---|---|
| HTTPS_PROXY | Proxy URL for HTTPS calls |
| HTTP_PROXY | Proxy URL for HTTP calls (rarely needed; EasyCC uses HTTPS exclusively) |
| NO_PROXY | Hosts that should bypass the proxy |
Set these in the user's environment (or via your MDM) before EasyCC launches.
For Microsoft Entra users behind an authenticated proxy: ensure the proxy passes Microsoft sign-in headers correctly. Modern proxies usually do.
Air-gapped deploy
For zero outbound traffic except to your own infrastructure, you'll need:
- Custom gateway (replace api.anthropic.com)
- Self-hosted update mirror (replace GitHub hosts)
- Self-hosted Supabase (or work with us — Supabase is harder to self-host)
- Self-hosted safety scanner model mirror (only if you enable detection)
For specifics, see Air-gapped fleets.
Optional but commonly allowlisted
For productivity, also consider allowlisting:
| Host | Why |
|---|---|
| claude.ai | If users sign in via Anthropic account, the OAuth flow goes through claude.ai. |
| Common MCP server hosts | GitHub, Linear, Slack, Notion, etc. — depends on your bundle's MCP servers. |
| easycc.app | The product website. Not strictly needed at runtime, but users may visit for help. |
| docs.easycc.app | This documentation site. Same. |
What about ports other than 443?
EasyCC uses HTTPS exclusively for outbound traffic. No HTTP, no custom ports.
The only non-443 traffic is from MCP servers configured to use stdio transport (no network) or whatever ports an HTTP MCP server uses.
TLS versions
EasyCC requires TLS 1.2 or higher for all calls. TLS 1.0 / 1.1 / SSL 3.0 are not supported.
For older corporate proxies that only do TLS 1.1: upgrade your proxy. EasyCC won't fall back.
Updating this list
When EasyCC adds a new endpoint (a new provider, a new safety service, etc.), this page is updated to reflect it. For the always-current view, see this page.
For a one-shot dump of every host EasyCC has reached on a given device, the EasyCC log includes outbound URLs. Search for [net] entries in %LOCALAPPDATA%\com.easycc.app\logs\ (Win) or ~/Library/Logs/com.easycc.app/ (Mac).
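One way to turn those [net] entries into an allowlist audit, as an added example that is not EasyCC's own tooling: the script lists every host seen in the log that your allowlist does not cover. The log line format, the `*.suffix` wildcard convention and the `*.mcp.your-org.example` entry are assumptions constructed for illustration.

```shell
# Added example, not EasyCC code. Assumes each [net] log line carries the full
# outbound URL; the sample log format and the MCP wildcard below are constructed.

# net_hosts: log text on stdin -> unique lowercase hosts from [net] URLs.
net_hosts() {
  grep -F '[net]' |
    grep -Eo 'https?://[^/[:space:]"]+' |
    sed -E 's#^https?://##; s#^[^@]*@##; s#:[0-9]+$##' |
    tr '[:upper:]' '[:lower:]' | sort -u
}

# is_allowed HOST FILE: exact entries, or "*.suffix" entries matching subdomains
# only (anchored on the dot, so xmcp.your-org.example does not pass).
is_allowed() {
  while IFS= read -r entry; do
    case "$entry" in
      '' | '#'*) continue ;;
      '*.'*) suffix=${entry#?}
             case "$1" in *"$suffix") return 0 ;; esac ;;
      *) if [ "$1" = "$entry" ]; then return 0; fi ;;
    esac
  done < "$2"
  return 1
}

# unexpected_hosts LOG ALLOWLIST: hosts reached but not allowlisted.
unexpected_hosts() {
  net_hosts < "$1" | while IFS= read -r host; do
    is_allowed "$host" "$2" || printf '%s\n' "$host"
  done
}

# Demo on constructed data.
demo=$(mktemp -d)
cat > "$demo/allow.txt" <<'EOF'
api.anthropic.com
your-supabase-project.supabase.co
raw.githubusercontent.com
objects.githubusercontent.com
*.mcp.your-org.example
EOF
cat > "$demo/easycc.log" <<'EOF'
2025-01-01T09:00:00Z [net] GET https://api.anthropic.com/v1/messages
2025-01-01T09:00:05Z [net] GET https://tools.mcp.your-org.example:8443/sse
2025-01-01T09:00:09Z [net] GET https://cdn-lfs.huggingface.co/model.bin
2025-01-01T09:00:12Z [ui] opened https://docs.easycc.app/
EOF
unexpected_hosts "$demo/easycc.log" "$demo/allow.txt"
rm -rf "$demo"
```

Run `unexpected_hosts` against a real log file from the directories above and your own allowlist file; if the real [net] line format differs from the constructed one, adjust `net_hosts`.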