Use this as a checklist when writing firewall/egress rules. Everything here is outbound unless stated otherwise. You only need the rows for features you actually use — enable incrementally.
Hostnames reflect the platform’s defaults and may evolve as providers change. Treat per-provider model and integration hosts as “enable the ones you use”, not “allow them all”.

Inbound (edge)

| Port | Service | Source | Required |
| --- | --- | --- | --- |
| 443 (80 redirect) | Reverse proxy → frontend, api., relay. hosts | Users’ browsers / API clients | Yes (can be private/VPN) |
| 443 on relay. host | Relay service | External SaaS webhooks (WhatsApp, Teams, Telegram, generic, Google Chat webhook mode) | Only for push channels — must be public |

All other service ports (workers 8080, plugin server 8500, sandbox) are internal only and must not be exposed.

Outbound — model providers

| Provider | Host(s) | Notes |
| --- | --- | --- |
| OpenAI | `api.openai.com` | |
| Anthropic | `api.anthropic.com` | |
| Google Gemini (API) | `generativelanguage.googleapis.com` | |
| Google Vertex AI | `*-aiplatform.googleapis.com`, `cloudresourcemanager.googleapis.com`, `oauth2.googleapis.com` | Regional inference host + GCP auth/IAM |
| Azure OpenAI | `<your-resource>.openai.azure.com` | Your Azure resource host (configurable) |
| AWS Bedrock | `bedrock-runtime.<region>.amazonaws.com`, `sts.amazonaws.com` | Regional; plus STS for auth |
| Mistral | `api.mistral.ai` | |
| Groq | `api.groq.com` | |
| Perplexity | `api.perplexity.ai` | |
| DeepSeek | `api.deepseek.com` | |
| Grok (xAI) | `api.x.ai` | |
| OpenRouter | `openrouter.ai` | |

Embeddings and rerankers use the same provider hosts (e.g. OpenAI / Vertex embedding endpoints). Allowlisting a provider covers its embedding models too. For an air-gapped setup, point a provider’s base_url at an in-network OpenAI-compatible server and skip these entirely.

Outbound — integrations & OAuth

Enable only the providers you connect. Each typically needs an authorize host (browser), a token host (backend, outbound), and an API host (nodes/tools, outbound).

| Provider | Hosts |
| --- | --- |
| Google (Drive, Gmail, Sheets, Docs, Calendar) | `accounts.google.com`, `oauth2.googleapis.com`, `*.googleapis.com`, `www.googleapis.com` |
| Microsoft (Teams, SharePoint, OneDrive, Excel) | `login.microsoftonline.com`, `graph.microsoft.com` |
| Slack | `slack.com`, `api.slack.com` |
| Notion | `api.notion.com` |
| GitHub | `github.com`, `api.github.com` |
| Airtable | `airtable.com` |
| Linear | `linear.app`, `api.linear.app` |
| Calendly | `auth.calendly.com`, `api.calendly.com` |
| Typeform | `api.typeform.com` |

By default managed-provider OAuth is brokered by NCS (below). If you use NCS brokering you still need egress to each provider’s API host to run its nodes, but the OAuth token exchange goes via NCS. With direct OAuth apps, you also need the token host above.

Outbound — platform services & storage

| Purpose | Host | Required | Notes |
| --- | --- | --- | --- |
| Noxus Control Service (OAuth broker, web tools, on-prem checkin/upgrade) | `ncs.app.noxus.ai` | Optional | Outbound-only. Drop for air-gap (lose auto-upgrade + NCS-brokered OAuth/web tools) |
| Object storage (GCS) | `storage.googleapis.com` | One of these | Or… |
| Object storage (S3) | `s3.<region>.amazonaws.com` (or your MinIO host) | One of these | …an in-network S3-compatible store |
| Managed Noxus backend | `backend.noxus.ai` | SaaS only | Not used by self-hosted deployments |

Outbound — web tools

| Tool | Host | Notes |
| --- | --- | --- |
| Web search | `google.serper.dev` | Often relayed via NCS |
| Web scrape | `app.scrapingbee.com` | Often relayed via NCS |
| Logo enrichment | `logo.clearbit.com` | Used by some enrichment helpers |

Outbound — telemetry (optional)

All optional; leave unset to send nothing.

| Purpose | Host |
| --- | --- |
| Error tracking (Sentry) | `*.ingest.de.sentry.io` |
| Product analytics (Mixpanel) | `api.mixpanel.com` |
| OpenTelemetry export | Your configured collector (set to an in-network host) |

Outbound — build / plugin install (as needed)

Only relevant if you build images in-network or install plugins at runtime.

| Purpose | Host |
| --- | --- |
| Python packages | `pypi.org`, `files.pythonhosted.org` |
| Node packages | `registry.npmjs.org` |
| Container images | your registry (gcr.io, ghcr.io, Docker Hub…) |

Outbound — your own callbacks

| Purpose | Host |
| --- | --- |
| Run completion webhooks | Whatever callback_url you pass on a run |
| Channel reply delivery | The channel provider’s API (covered above) |

Minimal-egress checklist

For a tightly restricted deployment, the smallest viable egress set is usually:
  • One model endpoint (in-network OpenAI-compatible, or a single public provider)
  • Object storage (in-network S3-compatible, or one cloud storage host)
  • The specific integration API hosts you actually enable
  • (Optional) an in-network OTel collector
  • Nothing else — NCS, telemetry, web tools, and unused providers can stay blocked
See Outbound → Running with minimal egress for the step-by-step.
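
As an added example (not part of the Noxus documentation or product), the Python script below builds an allowlist from only the enabled features and audits egress proxy log lines against it, so unused providers, telemetry and look-alike hostnames show up as violations. The host patterns come from the tables on this page; the feature keys, function names and the `<time> CONNECT host:port` log format are assumptions made for the illustration.

```python
import fnmatch

# Host patterns copied from the tables above; the feature keys are labels
# invented for this example, not Noxus configuration names.
EGRESS = {
    "openai": ["api.openai.com"],
    "vertex": ["*-aiplatform.googleapis.com",
               "cloudresourcemanager.googleapis.com", "oauth2.googleapis.com"],
    "gcs": ["storage.googleapis.com"],
    "ncs": ["ncs.app.noxus.ai"],
    "mixpanel": ["api.mixpanel.com"],
}

def build_allowlist(enabled):
    """Union of host patterns for the enabled features only."""
    return sorted({pat for feature in enabled for pat in EGRESS[feature]})

def is_allowed(host, allowlist):
    """Whole-name match: exact, or glob for patterns that contain '*'."""
    host = host.strip().rstrip(".").lower()  # drop trailing root dot, fold case
    return any(fnmatch.fnmatchcase(host, pat) if "*" in pat else host == pat
               for pat in allowlist)

def audit(log_lines, allowlist):
    """Return the sorted set of CONNECT targets the allowlist does not cover."""
    denied = set()
    for line in log_lines:
        fields = line.split()
        if "CONNECT" not in fields[:-1]:
            continue  # not a CONNECT line, or no target after the verb
        target = fields[fields.index("CONNECT") + 1]
        host = target.rsplit(":", 1)[0]  # strip the port
        if not is_allowed(host, allowlist):
            denied.add(host.rstrip(".").lower())
    return sorted(denied)

# Constructed sample lines in a made-up "<time> CONNECT host:port" format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z CONNECT us-central1-aiplatform.googleapis.com:443
2024-05-01T10:00:02Z CONNECT OAuth2.GoogleAPIs.com.:443
2024-05-01T10:00:03Z CONNECT storage.googleapis.com:443
2024-05-01T10:00:04Z CONNECT api.openai.com:443
2024-05-01T10:00:05Z CONNECT api.mixpanel.com:443
2024-05-01T10:00:06Z CONNECT storage.googleapis.com.example.net:443
""".splitlines()

# One model provider (Vertex AI) plus one object store (GCS), nothing else.
MINIMAL = build_allowlist(["vertex", "gcs"])

if __name__ == "__main__":
    for host in audit(SAMPLE_LOG, MINIMAL):
        print("outside allowlist:", host)
```

Matching is done on the whole hostname, so `storage.googleapis.com.example.net` is rejected even though it begins with an allowed name.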