Deployments and Testing/Deploy to Production

Public Static IPs

This guide covers how to configure your environment to work with Descope's static IPs. All outbound requests from Descope services will originate from the following IP addresses. This includes both:

  • Project static IPs - used for all Descope core services.
  • Connector static IPs - used for outbound traffic from static connectors you configure.

Note

Static IPs for connectors are a Pro+ tier feature. Learn more about upgrading your tier in our pricing overview.

Why Static IPs?

All outbound requests from Descope services originate from a fixed set of static IP addresses. This ensures predictable network behavior and makes it straightforward to configure firewalls, access controls, and monitoring tools.

Using static IPs allows you to control which traffic reaches your servers, APIs, or databases by allowlisting only Descope's addresses. This approach is also commonly required in regulated environments such as SOC 2, HIPAA, or PCI, where IP allowlisting is part of compliance.

In addition to securing your own infrastructure, static IPs are often necessary when federating into other customers' identity providers or when accessing applications deployed inside restricted networks that use solutions like Zscaler. Having a defined set of IPs ensures smooth integration in these environments.

Descope Static IPs

If you're using a Private Cloud Deployment of Descope, please reach out to your assigned CSE for your list of static IPs.

Below are the static IPs for projects and connectors, separated by region.

US (United States)

  • Project Static IPs

    • 35.170.24.133
    • 3.212.215.29
    • 52.44.167.251

  • Connector Static IPs

    • 98.80.81.66
    • 35.170.219.147
    • 44.205.77.119

EU (European Union)

  • Project Static IPs

    • 3.72.207.40
    • 3.74.59.88
    • 3.121.31.67

  • Connector Static IPs

    • 3.121.64.40
    • 3.70.65.75
    • 18.158.86.156

How to Use Static IPs

Add the appropriate Descope IPs for your project's region to your firewall or security group:

  • Project IPs: Always required to allow Descope backend services (such as OAuth/SSO login) to communicate with your systems.
  • Connector IPs: Required if you configure connectors that need outbound communication (e.g., custom APIs or SaaS systems).

Example (US project):

# Example AWS Security Group inbound rule
Type: HTTPS
Source: 35.170.24.133/32, 3.212.215.29/32, 52.44.167.251/32
Was this helpful?

Custom Domain

Guide describing how to configure CNAME and manage sessions within cookies with Descope.

Managing Environments

Learn how to manage your Descope environments and migrate your configurations between non-production and production environments.

On this page