Auth0 IP Addresses for Allow Lists
If you have custom code executing in Auth0 that calls a service inside your network, or if you've configured an on-premise SMTP provider in Auth0, then you may need to configure your firewall to allow inbound traffic from Auth0.
Features that may require you to allow inbound traffic from Auth0 include:
Outbound calls
When Auth0 makes outbound calls, the source IP addresses are static. Auth0 uses NAT to translate its internal IP addresses to one of the addresses listed on this page.
Public Cloud
For Public Cloud tenants, the IP addresses that you must allow through your firewall are specific to the tenant's region.
Machine-readable list
You can access a machine-readable list of the IP CIDR ranges from the Auth0 CDN: https://cdn.auth0.com/ip-ranges.json.
Schema
The machine-readable list contains the following properties:
Property | Data type | Description |
---|---|---|
last_updated_at | timestamp (ISO8601) | When the list was most recently updated. |
regions | object | Collection of Auth0 tenant regions. Each tenant region object contains the following property: |
changelog | array of objects | Historical record of all additions and removals of IP CIDR ranges. Each object contains the following properties: |
Detecting changes
You can detect changes to the machine-readable list programmatically based on the last_updated_at property or based on Auth0's response to a conditional HTTP request.
If you send a conditional HTTP request, you can use either the If-None-Match or If-Modified-Since header. If the list has been changed, Auth0 returns a 200 (OK) HTTP response with the updated list in the body. Otherwise, Auth0 returns a 304 (Not Modified) response without a body.
To learn more about conditional HTTP requests, read RFC 9110: HTTP Semantics on RFC Editor.
Example of conditional HTTP request (If-None-Match header)
# The first request.
$ curl -i https://cdn.auth0.com/ip-ranges.json
HTTP/2 200
last-modified: Tue, 22 Apr 2025 07:50:08 GMT
etag: "1652cbe64a22099d62424fbec1022da5"
...
# Content has not changed, response is `HTTP 304`
$ curl -i https://cdn.auth0.com/ip-ranges.json \
  -H 'If-None-Match: "1652cbe64a22099d62424fbec1022da5"'
HTTP/2 304
last-modified: Tue, 22 Apr 2025 07:50:08 GMT
etag: "1652cbe64a22099d62424fbec1022da5"
...
# Content has changed, response is `HTTP 200` with new `etag`:
$ curl -i https://cdn.auth0.com/ip-ranges.json \
  -H 'If-None-Match: "1652cbe64a22099d62424fbec1022da5"'
HTTP/2 200
last-modified: Mon, 07 Jul 2025 01:04:18 GMT
etag: "8e58c97d39a67706c644cbe3b5c682d3"
...
Example of conditional HTTP request (If-Modified-Since header)
# The first request.
$ curl -i https://cdn.auth0.com/ip-ranges.json
HTTP/2 200
last-modified: Tue, 22 Apr 2025 07:50:08 GMT
etag: "1652cbe64a22099d62424fbec1022da5"
...
# Content has not changed, response is `HTTP 304`
$ curl -i https://cdn.auth0.com/ip-ranges.json \
  -H "If-Modified-Since: Tue, 22 Apr 2025 07:50:08 GMT"
HTTP/2 304
last-modified: Tue, 22 Apr 2025 07:50:08 GMT
etag: "1652cbe64a22099d62424fbec1022da5"
...
# Content has changed, response is `HTTP 200` with new `etag`:
$ curl -i https://cdn.auth0.com/ip-ranges.json \
  -H "If-Modified-Since: Tue, 22 Apr 2025 07:50:08 GMT"
HTTP/2 200
last-modified: Mon, 07 Jul 2025 01:04:18 GMT
etag: "8e58c97d39a67706c644cbe3b5c682d3"
...
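One way to turn change detection into a guarded allow-list update, as an added example that is not Auth0's own code: it sends the conditional request described above, then plans additions and removals for one region and refuses a published list that is empty or unexpectedly broad. Assumptions: the page does not name the per-region property, so the code collects any string under the region that parses as a CIDR; the sample document, its "cidrs" key and the "example" region are constructed; min_prefix is a local IPv4 policy choice.

```python
import ipaddress
import json
import urllib.error
import urllib.request

# Constructed sample in the documented top-level shape; "cidrs" is a placeholder key.
SAMPLE = {"last_updated_at": "2025-07-07T01:04:18Z", "changelog": [],
          "regions": {"example": {"cidrs": ["192.0.2.10/32", "198.51.100.0/28"]}}}


def fetch_if_changed(etag=None, url="https://cdn.auth0.com/ip-ranges.json"):
    """Conditional GET: (document, new_etag) on 200, (None, etag) on 304."""
    req = urllib.request.Request(url)
    if etag:
        req.add_header("If-None-Match", etag)  # etag value keeps its double quotes
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp), resp.headers.get("ETag")
    except urllib.error.HTTPError as err:
        if err.code == 304:  # urllib surfaces 304 as an HTTPError
            return None, etag
        raise


def region_networks(doc, region):
    """Every string under regions[region] that parses as a CIDR (no key assumed)."""
    found, stack = set(), [doc["regions"][region]]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, str):
            try:
                found.add(ipaddress.ip_network(node))
            except ValueError:
                pass  # not a CIDR string
    return found


def plan_update(current, doc, region, min_prefix=24):
    """Return (to_add, to_remove); refuse an empty or over-broad published list."""
    new = region_networks(doc, region)
    broad = sorted(str(n) for n in new if n.prefixlen < min_prefix)
    if not new or broad:
        raise ValueError(f"refusing update for {region!r}: empty or too broad {broad}")
    return sorted(new - current, key=str), sorted(current - new, key=str)
```

Store the ETag returned by fetch_if_changed between runs, and send the planned changes for review rather than applying them unattended.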
Outbound IP addresses by region
The IP addresses for each region are listed below:
United States
174.129.105.183, 18.116.79.126, 18.117.64.128, 18.191.46.63, 18.218.158.118, 18.218.26.94, 18.232.225.224, 18.233.90.226, 3.131.238.180, 3.131.55.63, 3.132.201.78, 3.133.18.220, 3.134.176.17, 3.19.44.88, 3.20.16.23, 3.20.244.231, 3.21.254.195, 3.211.189.167, 34.211.191.214, 34.233.19.82, 34.233.190.223, 35.160.3.103, 35.162.47.8, 35.166.202.113, 35.167.74.121, 35.171.156.124, 35.82.131.220, 44.205.93.104, 44.218.235.21, 44.219.52.110, 44.224.190.45, 44.246.144.93, 52.12.243.90, 52.14.149.14, 52.2.61.131, 52.204.128.250, 52.206.34.127, 52.33.36.223, 52.43.255.209, 52.88.192.232, 52.89.116.72, 54.145.227.59, 54.157.101.160, 54.200.12.78, 54.209.32.202, 54.245.16.146, 54.245.93.221, 54.68.157.8, 54.69.107.228
Europe
18.197.9.11, 18.198.229.148, 3.125.185.137, 3.65.249.224, 3.67.233.131, 3.68.125.137, 3.72.27.152, 3.74.90.247, 34.246.118.27, 35.157.198.116, 35.157.221.52, 52.17.111.199, 52.19.3.147, 52.208.95.174, 52.210.121.45, 52.210.122.50, 52.28.184.187, 52.30.153.34, 52.57.230.214, 54.228.204.106, 54.228.86.224, 54.73.137.216, 54.75.208.179, 54.76.184.103
Australia
13.210.52.131, 13.238.180.132, 13.55.232.24, 16.50.37.252, 16.51.137.244, 16.51.49.47, 54.153.131.0, 54.252.2.143, 54.79.31.78
Canada
15.222.97.193, 3.97.144.31, 40.176.144.225, 40.176.166.165, 40.177.34.170, 99.79.94.44
Japan
13.208.85.227, 15.152.185.222, 15.152.2.46, 15.152.28.221, 15.152.56.146, 15.152.95.63, 176.34.22.106, 35.74.30.168, 43.206.201.6, 46.51.243.250, 54.150.87.80, 54.248.192.141
United Kingdom
18.135.40.36, 3.10.89.10, 3.8.59.62
Private Cloud
For Private Cloud tenants, the IP addresses that you must allow through your firewall are unique to the tenant's environment. Auth0 may receive your tenant's private IP addresses if you enable features like Tenant Logs, Suspicious IP throttling, Custom Databases, and Actions that rely on them.
These IP addresses are known as Primary Egress IPs and are listed under the environment's configuration data available in the Auth0 Support Center.
Inbound calls
IP addresses related to inbound calls to Auth0 may be variable due to the lack of fixed IP addresses on the load balancers. In this case, firewall rules should operate on the name of the service (for example: <YOUR_TENANT>.<YOUR_REGION>.auth0.com).
If your Auth0 subscription allows you to configure a self-managed custom domain, you can configure that custom domain to have a static IP address. Self-managed custom domains give you control over the network entry point and let you ensure that the IP address is fixed. For information on subscription plans, see Auth0 Pricing.