Cloud-hosted connectors: application allowlisting
If you use C1’s cloud-hosted connectors and your SaaS or cloud applications enforce IP-based allowlisting, add the following IP addresses to those applications’ allowlists. This allows C1’s connectors and functions to reach your integrated systems — for example, if Okta network zones restrict which source IPs can call the Okta API.Connector egress IPs
Cloud-hosted connectors use the following source IP addresses when syncing data and provisioning accounts:Function egress IPs
Functions use the following source IP addresses:Self-hosted connectors: outbound access to C1
Self-hosted connectors have the following network behavior:- The connector initiates all connections to C1 — no inbound ports are required.
- Works behind NAT and most firewalls without additional configuration.
*.conductorone.com.
Web application and MCP: corporate device access
If users access the C1 web application or MCP server from corporate devices behind a proxy, content filter, or firewall, add the following hostnames to your allowlist:| Hostname | Port | Purpose |
|---|---|---|
assets.ctr1.net | 443 | CDN — JavaScript, CSS, and images for the web application |
<tenantName>.conductor.one | 443 | Web application and API endpoints |
<tenantName>-mcp.conductor.one | 443 | AI traffic (MCP protocol) |
accounts.conductor.one | 443 | Login and SSO flow |
<tenantName> with your organization’s C1 tenant name.
Staying informed of changes
IP addresses and hostnames are subject to change. To stay informed:- Subscribe to the release notes RSS feed for announcements about infrastructure changes including IP address updates.
- Check status.conductorone.com for real-time operational status and subscribe to status page notifications.
- Contact your account team if you need advance notice of IP changes for compliance programs such as SOX and SOC 2.