This page lists the domains your network/security team may need to allow for outbound access (egress) so your systems and users can reach the Resistant Documents API, Web UI, OAuth token service, and file upload/download endpoints.

Do you need this?

You typically need these allowlist rules if:
  • Your backend runs behind a corporate proxy / firewall with restricted outbound traffic, or
  • Your users access the Web UI from a restricted corporate network.
If your services and users have unrestricted outbound access, you may not need allowlisting.

Placeholders

  • {tenant-org}: your tenant subdomain (provided during provisioning).
  • {region.}: either empty (EU / eu-1) or inserted as a subdomain (e.g., us-1., ca-1., ap-2., ap-3.).
  • {aws-region}: AWS region identifier used in storage endpoints (e.g., eu-west-1).

Cell to AWS region mapping

Use this table to translate between:
  • {region.}: the hostname prefix (empty for EU / eu-1, otherwise <cell>.)
  • {aws-region}: the AWS region identifier used for storage endpoints
Cell | {region.} prefix in hostnames | {aws-region} (storage endpoints)
eu-1 (EU, Dublin) | (empty) | eu-west-1
us-1 (US, West Virginia) | us-1. | us-east-1
ca-1 (CA, Montreal) | ca-1. | ca-central-1
ap-2 (AP, Mumbai) | ap-2. | ap-south-1
ap-3 (AP, Sydney) | ap-3. | ap-southeast-2
testing (EU only) | (empty) | eu-west-1
If your tenant is provisioned only in a subset of cells, allowlist only those cells’ domains.

Production allowlist

A) Documents API (required for API integrations)

  • api.{region.}documents.resistant.ai — Resistant Documents API
  • api.tenants.resistant.ai — Tenant Management API (only if you use it)

B) OAuth token retrieval (required to obtain access tokens)

  • eu.id.resistant.ai — Okta OAuth2 token host
  • *.okta.com — Okta authentication assets
  • *.oktacdn.com — Okta authentication assets

C) File upload/download (required for presigned URLs)

By default, file upload/download uses AWS S3 endpoints.
  • *.s3.{aws-region}.amazonaws.com
  • *.s3-object-lambda.{aws-region}.amazonaws.com

D) Web UI

  • {tenant-org}.{region.}documents.resistant.ai — Web UI static assets
  • *.productfruits.com — UI product tours (only if enabled)

Testing allowlist

Testing is currently available only in AWS eu-west-1. Use the testing domains below only for your testing tenant(s).
For testing, {aws-region} is always eu-west-1.

A) Documents API (required for API integrations)

  • api.documents.testing.resistant.ai — Resistant Documents API (Testing)
  • api.tenants.testing.resistant.ai — Tenant Management API (Testing, only if used)

B) OAuth token retrieval (required to obtain access tokens)

  • eu.id.resistant.ai
  • *.okta.com
  • *.oktacdn.com

C) File upload/download (required for presigned URLs)

  • *.s3.{aws-region}.amazonaws.com
  • *.s3-object-lambda.{aws-region}.amazonaws.com

D) Web UI

  • {tenant-org}.documents.testing.resistant.ai — Web UI static assets (Testing)
  • *.productfruits.com — UI product tours (only if enabled)

Examples

Example: Production EU (eu-1)

  • Documents API: api.documents.resistant.ai
  • Web UI: {tenant-org}.documents.resistant.ai
  • OAuth token host: eu.id.resistant.ai
  • Upload/download (S3): *.s3.eu-west-1.amazonaws.com
  • Upload/download (S3 Object Lambda): *.s3-object-lambda.eu-west-1.amazonaws.com

Example: Production US (us-1)

  • Documents API: api.us-1.documents.resistant.ai
  • Web UI: {tenant-org}.us-1.documents.resistant.ai
  • OAuth token host: eu.id.resistant.ai
  • Upload/download (S3): *.s3.us-east-1.amazonaws.com
  • Upload/download (S3 Object Lambda): *.s3-object-lambda.us-east-1.amazonaws.com
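
The two expansions above, generalised to every production cell, as an added example that is not part of the original page or Resistant AI's own tooling. It builds the concrete allowlist for one cell and checks a hostname against it. The tenant name acme, the bucket name and the wildcard semantics (a leading *. matches whole DNS labels only) are assumptions; confirm how your proxy interprets wildcards.

```python
# Added example: cell mapping and hostname templates are copied from this page.
CELLS = {  # cell -> ({region.} prefix, {aws-region})
    "eu-1": ("", "eu-west-1"),
    "us-1": ("us-1.", "us-east-1"),
    "ca-1": ("ca-1.", "ca-central-1"),
    "ap-2": ("ap-2.", "ap-south-1"),
    "ap-3": ("ap-3.", "ap-southeast-2"),
}
OAUTH = ["eu.id.resistant.ai", "*.okta.com", "*.oktacdn.com"]


def production_allowlist(cell, tenant_org, web_ui=True,
                         tenant_api=False, product_tours=False):
    """Expand the production templates for one cell into concrete patterns."""
    region, aws_region = CELLS[cell]  # KeyError on an unknown cell is intended
    rules = [f"api.{region}documents.resistant.ai", *OAUTH,
             f"*.s3.{aws_region}.amazonaws.com",
             f"*.s3-object-lambda.{aws_region}.amazonaws.com"]
    if tenant_api:       # Tenant Management API, only if you use it
        rules.append("api.tenants.resistant.ai")
    if web_ui:           # Web UI static assets
        rules.append(f"{tenant_org}.{region}documents.resistant.ai")
    if product_tours:    # UI product tours, only if enabled
        rules.append("*.productfruits.com")
    return rules


def is_allowed(host, rules):
    """Return True if host matches a rule.

    Assumed semantics: '*.example.com' matches any host ending in
    '.example.com' (one or more labels), but neither 'example.com'
    itself nor look-alikes such as 'evilexample.com'.
    """
    host = host.lower().rstrip(".")
    for rule in rules:
        if rule.startswith("*."):
            suffix = rule[1:]  # keep the dot so the match is on a label boundary
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == rule:
            return True
    return False


if __name__ == "__main__":
    for pattern in production_allowlist("us-1", "acme"):  # "acme" is a constructed tenant
        print(pattern)
```

Running the same check over denied hosts from your proxy logs shows whether a blocked request belongs to another cell (for example a us-east-1 bucket when only eu-1 is allowlisted) or is unrelated to this service.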

Notes

If your policy requires bucket-level allowlisting, replace the wildcard with the specific bucket hostname provided during provisioning. Prefer wildcard domains when allowed to avoid future allowlist updates if buckets migrate.

Custom domains add-on (avoiding S3 allowlisting)

Custom domains is an add-on feature and is not enabled by default.
This add-on does not change the Web UI domain. Instead, it is used to avoid direct allowlisting of AWS S3 domains for file upload/download, by routing upload/download through customer-approved domain(s) as configured for your deployment. If you have this feature enabled:
  • allowlist the custom upload/download domain(s) provided during provisioning
  • you typically do not need to allowlist *.s3.{aws-region}.amazonaws.com / *.s3-object-lambda.{aws-region}.amazonaws.com for the upload/download path (confirm with your Resistant AI contact)
  • Still required: Documents API, eu.id.resistant.ai, *.okta.com, *.oktacdn.com, and Web UI domains (if you use the UI).
If you’re unsure whether custom domains is enabled for you, assume it is not and use the standard S3 allowlist rules above.

Need help validating your allowlist?

If your organization uses a strict proxy/firewall, share your proposed allowlist configuration with your Resistant AI contact or support team for confirmation.