
Hedy Can't Connect (VPN, Firewall, Corporate Network)

If Hedy can’t sign in, summaries fail to generate, sessions won’t sync, or the app hangs on “connecting,” the most likely cause on a corporate network or VPN is that one or more of Hedy’s outbound connections is being blocked. This page lists the hostnames to allowlist and the features each one supports — so you can either share it with your IT team or use it to diagnose the problem yourself.

Quick Test: Try on a Non-Corporate Network

Before allowlisting anything, confirm a network filter is actually the issue:

  1. Disconnect from your corporate VPN

  2. Switch to a non-corporate network (your phone’s personal hotspot or a home network)

  3. Try the failing action again

If it works on a different network, you’ve confirmed the issue is your corporate network or VPN — proceed with the allowlist below. If it still fails everywhere, the problem isn’t network filtering.

Which Features Need the Cloud

Not every Hedy feature needs network access. Knowing which feature is failing helps narrow down which endpoint is being blocked.

| Feature | Cloud-dependent? |
| --- | --- |
| Local Whisper transcription | No — fully offline |
| Local Parakeet transcription (iOS/Mac) | No — fully offline |
| Local AI summary generation | No — fully offline |
| Cloud STT (Deepgram, OpenAI) | Yes — requires the provider’s API host |
| Cloud AI summary generation | Yes — requires Hedy’s AI providers |
| Sign-in (Google or Apple) | Yes — requires the OAuth provider plus Hedy’s auth endpoints |
| Cloud Sync between devices | Yes — requires Hedy’s API and Firebase |
| Hedy support chat (Intercom widget) | Yes — requires Intercom’s hosts |
| App updates (Windows auto-updater) | Yes — requires Hedy’s distribution endpoint |

If you’re working in a high-security environment and only need recording + transcription, you can switch to local Whisper + local AI in Settings and skip most of the allowlist. See Local AI Processing.

Hosts to Allowlist

Hedy uses HTTPS (port 443) for all of these. WebSocket connections (for live cloud STT) are also on port 443 (wss://). The only exception is the desktop OAuth callback for Google Sign-in, which uses a short-lived local HTTP listener on 127.0.0.1 with a dynamic port — that’s local-only and doesn’t need to be allowlisted on a corporate firewall.

The wildcards below cover everything most teams will need. If your firewall doesn’t support wildcards, or your security team requires a complete itemized list of exact subdomains, contact support@hedy.bot — we’ll send you the current authoritative list. We don’t publish every internal subdomain here because the surface changes over time and we want to give your IT team the most current data, scoped to your data residency.

Core Hedy (always required)

  • *.hedy.bot — Hedy APIs and sign-in

  • *.hedy.ai — Hedy CDN and web companion

  • *.firebaseapp.com, *.appspot.com, *.googleapis.com — Firebase and Vertex AI

  • *.a.run.app — Hedy Cloud Run services

  • *.cloudfunctions.net — Hedy Cloud Functions

Sign-in providers

  • accounts.google.com, oauth2.googleapis.com — Google Sign-in

  • Apple Sign-in uses Hedy’s auth domain on Windows and the native OS on iPhone, iPad, and Mac

Cloud Speech Recognition (user-supplied API key)

  • api.openai.com — OpenAI STT

  • api.deepgram.com — Deepgram STT

Subscriptions and Billing

  • api.revenuecat.com, pay.rev.cat — subscriptions and checkout

Local AI models (only if user downloads)

  • huggingface.co — local AI model downloads

What Happens When Cloud STT Is Blocked

If you’ve configured Deepgram or OpenAI as your speech recognition provider and Hedy can’t reach the provider’s host, it doesn’t fail silently. You’ll see one of:

  • “Using Local Transcription — Cloud provider not available. Using on-device transcription instead.” — Hedy automatically falls back to local Whisper for the session.

  • “Configuration Required — Please configure an API key for your speech recognition provider in Settings.” — Hedy can’t find a valid API key (separate issue from network blocking).

  • “Cloud transcription failed: [error]. Using on-device transcription.” — Mid-session fallback if the provider’s WebSocket drops and reconnect attempts fail.

The local fallback is automatic. If local STT is also unavailable, the session ends with “Local Transcription Unavailable — Unable to switch to on-device transcription after cloud failure. Ending session.”

Common VPN and Proxy Issues

TLS Inspection / SSL Bumping

Many corporate firewalls perform TLS inspection — they intercept the encrypted connection, decrypt it, and re-encrypt with the firewall’s own certificate. Some of Hedy’s underlying SDKs (Firebase, Google Sign-In, RevenueCat) may reject TLS-inspected connections because of how they validate certificates. If you suspect TLS inspection is the issue, ask your IT team to exempt Hedy’s hosts from the inspection (not the same as allowlisting — exemption skips the man-in-the-middle entirely) and see if behavior changes.

Split Tunnel VPN

Some corporate VPNs route all traffic through the corporate network (“full tunnel”), even when the destination has nothing to do with corporate resources. If Hedy works on personal Wi-Fi but not on VPN, ask IT to add Hedy’s hosts to the split tunnel exclusion list so they bypass the VPN.

DNS-Based Blocking

If your network uses a DNS-based content filter (Cisco Umbrella, OpenDNS, Cloudflare Gateway, etc.), it may block domains based on category. Hedy’s hosts will need to be allowlisted in the filter’s policy.
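
To tell the failure modes above apart (DNS filtering, a blocked port, TLS inspection), the script below probes the exact hostnames listed on this page in three stages and reports the certificate issuer it was shown. It is an added example, not Hedy's own tooling: `probe`, `diagnose` and the `Example Corp` CA name are hypothetical, and the verdict reflects Python's trust store rather than the certificate validation done by Hedy's SDKs.

```python
import socket
import ssl

# Exact hostnames from this page. Wildcard entries (*.hedy.bot, *.a.run.app, ...)
# need a concrete subdomain to test, so none is guessed here.
HOSTS = ["accounts.google.com", "oauth2.googleapis.com", "api.openai.com",
         "api.deepgram.com", "api.revenuecat.com", "pay.rev.cat", "huggingface.co"]

def probe(host, port=443, timeout=5.0):
    """Return (stage, detail): the first step that failed, or ("ok", issuer)."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)
    try:
        # The default context verifies chain and hostname against the trust store.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "tls_verify", exc.verify_message
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return "tls", str(exc)
    issuer = {key: value for rdn in cert["issuer"] for key, value in rdn}
    return "ok", issuer.get("organizationName") or issuer.get("commonName", "unknown")

def diagnose(stage, detail="", corporate_cas=()):
    """Map a probe result to the causes described on this page."""
    if stage == "dns":
        return "name did not resolve: DNS-based blocking"
    if stage == "tcp":
        return "port 443 unreachable: firewall or VPN block"
    if stage == "tls_verify":
        return "untrusted certificate: TLS inspection or a filter block page"
    if stage == "tls":
        return "handshake failed: connection reset or dropped mid-TLS"
    # Handshake verified: an issuer matching your inspection CA means the
    # firewall re-signed the session even though the host is reachable.
    if any(ca.lower() in detail.lower() for ca in corporate_cas):
        return "TLS inspection: certificate issued by corporate CA"
    return "reachable, public issuer"

if __name__ == "__main__":
    for name in HOSTS:
        stage, detail = probe(name)
        # "Example Corp" is a placeholder for your organisation's inspection CA.
        print(f"{name:24} {stage:10} {detail} -> {diagnose(stage, detail, ['Example Corp'])}")
```

Run it once on the corporate network and once on the network used in the quick test; a stage or issuer that differs between the two runs points at the filter.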

Apple Sign-In on Windows

If Apple Sign-In specifically returns “connection refused” on Windows, that’s a different issue — see Windows: Apple Sign-In “Connection Refused”.

Sharing This with Your IT Team

If you need to ask your network admin to allowlist Hedy, share this page or paste the summary below:

Hedy AI needs HTTPS (port 443) and WSS (port 443) access to:

Always required:

  • *.hedy.bot, *.hedy.ai
  • *.firebaseapp.com, *.appspot.com, *.googleapis.com
  • *.a.run.app, *.cloudfunctions.net
  • accounts.google.com, oauth2.googleapis.com (for Google Sign-in)
  • api.revenuecat.com, pay.rev.cat (subscriptions)

If user has configured cloud speech recognition:

  • api.openai.com (OpenAI)
  • api.deepgram.com (Deepgram)

If user downloads local AI models:

  • huggingface.co

If your firewall doesn’t support wildcards, contact Hedy support for the exact current subdomain list scoped to your data residency.

Still having trouble? Contact us through the chat widget (or hello@hedy.bot if the widget itself is blocked). Include the feature that’s failing, the exact error message, and whether you’re behind a VPN or corporate firewall.