What to ask your IT team to allow
Granola relies on secure HTTPS and WebSocket connections. If your organization filters traffic, ask your IT team to allow direct connections to the domains below and avoid rewriting, redirecting, or SSL/TLS-intercepting them. Not every customer needs every domain below. The exact list depends on which Granola features you use.

Core Granola app access

These are the most important domains for signing in, loading notes, and connecting the desktop app to Granola services.

| Domain | What it’s used for |
|---|---|
| api.granola.ai | Main Granola API |
| *.api.granola.ai | Granola API subdomains, including streaming endpoints such as stream.api.granola.ai |
| notes.granola.ai | Granola web app, shared notes, and some desktop sign-in handoff flows |
| join.granola.ai | Workspace join links |
| meet.granola.ai | Meeting consent pages |
| recipes.granola.ai | Recipe and template sharing |
| granola.ai | Main website, including install and demo links |
| www.granola.ai | Main website alias |

App downloads and updates
Allow these if users need to download Granola, reinstall it, or receive in-app updates.

| Domain | What it’s used for |
|---|---|
| download.granola.ai | Granola download service |
| dr2v7l5emb758.cloudfront.net | Current file delivery CDN for Windows downloads and updates |
| go.granola.ai | Short links used for download and install flows |
| go.granola.so | Short links used in some download and documentation flows |

Transcription and voice features
Allow these if users need live transcription or voice dictation to work.

| Domain | What it’s used for |
|---|---|
| api.deepgram.com | Primary Deepgram transcription endpoint |
| *.api.deepgram.com | Covers dedicated Deepgram endpoints used in some configurations |
| streaming.assemblyai.com | AssemblyAI transcription endpoint |
| api.groq.com | Voice dictation formatting |
| *.lambda-url.us-east-1.on.aws | Fallback or legacy AWS-hosted transcription-related routes that may still be needed in some environments |

Sign-in, SSO, and calendar sync
Allow the providers your organization uses.

| Domain | What it’s used for |
|---|---|
| auth.granola.ai | Granola sign-in and SSO (custom domain hosted by WorkOS) |
| mcp-auth.granola.ai | Auth for Granola MCP and API access |
| api.workos.com | Granola sign-in and SSO broker |
| *.workos.com | Additional WorkOS auth flows used during sign-in |
| accounts.google.com | Google sign-in |
| www.googleapis.com | Google profile and Google Calendar access |
| login.microsoftonline.com | Microsoft sign-in |
| graph.microsoft.com | Microsoft Graph and Outlook calendar access |
| cognito-identity.us-east-1.amazonaws.com | AWS Cognito Identity, used during authentication |

Notifications
| Domain | What it’s used for |
|---|---|
| api.knock.app | In-app notification delivery |

Documentation and help center
| Domain | What it’s used for |
|---|---|
| docs.granola.ai | Granola help center and API documentation |
| status.granola.ai | Granola service status page |

Optional shared-note collaboration
Most users do not need this section for basic note-taking or transcription. Allow it if you use shared notes or folders with live collaboration.

| Domain | What it’s used for |
|---|---|
| *.granola.club | Real-time collaboration services for shared notes and folders |

DNS CNAME targets for SASE and advanced DNS filtering
Most organizations do not need this section. If your network security solution inspects DNS CNAME chains (common with SASE products such as Zscaler, Netskope, and Palo Alto Prisma Access), you may also need to allow the underlying DNS targets that Granola domains resolve to.

| Domain | What it’s used for |
|---|---|
| cname.workos-dns.com | DNS target for auth.granola.ai (sign-in and SSO) |
| cname.mintlify-dns.com | DNS target for docs.granola.ai (help center and documentation) |

What blocked or redirected requests can look like
When network security software blocks, redirects, or inspects these requests, Granola may fail in ways that do not obviously look like a networking problem. Common symptoms include:

- Sign-in never completes — the Google, Microsoft, or SSO browser flow loops, stalls, or fails to return to Granola.
- Calendar sync fails — meetings do not appear in Coming up, or calendars do not stay connected.
- Transcription never starts — the live transcript stays empty even when audio permissions and devices are correct.
- Transcription starts, then disconnects — Granola connects briefly and then drops or repeatedly retries.
- Notes or shared links do not load — shared note pages, desktop notes, or note content stay stuck loading.
- Updates or reinstalls fail — the app cannot download an update, or the installer download is blocked.
- Granola only fails on one network — the app works on a home network or hotspot but not on your office network, VPN, or filtered Wi-Fi.
- Certificate or secure connection errors — TLS inspection, untrusted certificates, or HTTPS rewriting can prevent Granola from opening secure API or WebSocket connections.
- Unexpected login or warning pages appear — some filtering products redirect blocked requests to an HTML warning page or captive portal, which breaks sign-in, downloads, and real-time connections.
Common things to try
If you’re not sure whether the issue is network-related, these checks usually help narrow it down quickly:

- Try another network — for example, a mobile hotspot or home Wi-Fi. If Granola works there, the issue is likely your company network, VPN, proxy, or filter.
- Temporarily disable VPN or proxy software — if allowed by your organization, test Granola without it.
- Ask IT to exclude the domains above from SSL/TLS inspection — secure WebSocket connections used for transcription can fail even when the domains are technically reachable.
- Check whether blocked traffic is being redirected — if your security tool replaces requests with a warning page or login page, Granola may show blank pages, loading states, or failed sign-in.
- Test DNS resolution — some users find the issue is their DNS resolver rather than the app itself. As a temporary test, try a public DNS resolver such as 8.8.8.8.
- Remove untrusted certificates — if your machine has a certificate installed for HTTPS inspection and it is not trusted by the system, Granola may fail to establish secure connections.
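
An IT team can script the DNS, certificate, and redirect checks above. The following is an added example, not Granola tooling: `probe` and `classify` are hypothetical names, the inspection CA string is a placeholder for your own, and the off-site redirect test is a simple last-two-labels heuristic.

```python
import socket
import ssl
from urllib.parse import urlsplit

def probe(host, port=443, timeout=5):
    """Resolve, TLS-handshake and send one HEAD request; return raw observations."""
    obs = {"host": host}
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror as exc:
        return {**obs, "dns_error": str(exc)}
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                obs["issuer"] = issuer.get("organizationName") or issuer.get("commonName", "")
                req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
                tls.sendall(req.encode())
                head = tls.recv(4096).decode("latin-1")
    except ssl.SSLCertVerificationError as exc:  # e.g. untrusted inspection cert
        return {**obs, "cert_error": str(exc)}
    except OSError as exc:  # refused, reset, timed out, other TLS failure
        return {**obs, "connect_error": str(exc)}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.lower() == "location":
            obs["location"] = value.strip()
    return obs

def classify(obs, inspection_issuers=()):
    """Turn one observation into a finding an IT team can act on."""
    for key in ("dns_error", "cert_error", "connect_error"):
        if key in obs:
            return key.replace("_", "-")
    issuer = obs.get("issuer", "").lower()
    if any(name.lower() in issuer for name in inspection_issuers):
        return "tls-inspected"  # handshake succeeded, but the cert is your proxy's
    target = urlsplit(obs.get("location", "")).hostname
    site = ".".join(obs["host"].split(".")[-2:])  # heuristic: last two labels
    if target and target != site and not target.endswith("." + site):
        return "redirected-off-site"  # typical of block pages and captive portals
    return "ok"

if __name__ == "__main__":
    # Hosts come from the tables above; the issuer string is a placeholder.
    for h in ("api.granola.ai", "stream.api.granola.ai", "auth.granola.ai"):
        print(h, classify(probe(h), ("Example Corp Inspection CA",)))
```

Wildcard entries such as *.api.granola.ai need a concrete hostname to probe. Run the script on both the filtered network and a known-good one and compare the findings.
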
When to use this guide vs other troubleshooting articles
- If Granola is not capturing audio correctly, see Transcription issues.
- If events are missing from Coming up, also see Calendar sync troubleshooting.
- If the app itself is blocked from installing or updating, see Reinstalling Granola for macOS and Windows.

