| title | Enterprise network configuration |
|---|---|
| source | https://code.claude.com/docs/en/network-config |
| category | code |
| generated | true |
Fetch the complete documentation index at: https://code.claude.com/docs/llms.txt Use this file to discover all available pages before exploring further.
Configure Claude Code for enterprise environments with proxy servers, custom Certificate Authorities (CA), and mutual Transport Layer Security (mTLS) authentication.
Claude Code supports various enterprise network and security configurations through environment variables. This includes routing traffic through corporate proxy servers, trusting custom Certificate Authorities (CA), and authenticating with mutual Transport Layer Security (mTLS) certificates for enhanced security.
All environment variables shown on this page can also be configured in [`settings.json`](./code-settings.md).Claude Code respects standard proxy environment variables:
# HTTPS proxy (recommended)
export HTTPS_PROXY=https://proxy.example.com:8080
# HTTP proxy (if HTTPS not available)
export HTTP_PROXY=http://proxy.example.com:8080
# Bypass proxy for specific requests - space-separated format
export NO_PROXY="localhost 192.168.1.1 example.com .example.com"
# Bypass proxy for specific requests - comma-separated format
export NO_PROXY="localhost,192.168.1.1,example.com,.example.com"
# Bypass proxy for all requests
export NO_PROXY="*"If your proxy requires basic authentication, include credentials in the proxy URL:
export HTTPS_PROXY=http://username:password@proxy.example.com:8080By default, Claude Code trusts both its bundled Mozilla CA certificates and your operating system's certificate store. Enterprise TLS-inspection proxies such as CrowdStrike Falcon and Zscaler work without additional configuration when their root certificate is installed in the OS trust store.
CLAUDE_CODE_CERT_STORE accepts a comma-separated list of sources. Recognized values are bundled for the Mozilla CA set shipped with Claude Code and system for the operating system trust store. The default is bundled,system.
To trust only the bundled Mozilla CA set:
export CLAUDE_CODE_CERT_STORE=bundledTo trust only the OS certificate store:
export CLAUDE_CODE_CERT_STORE=systemIf your enterprise environment uses a custom CA, configure Claude Code to trust it directly:
export NODE_EXTRA_CA_CERTS=/path/to/ca-cert.pemFor enterprise environments requiring client certificate authentication:
# Client certificate for authentication
export CLAUDE_CODE_CLIENT_CERT=/path/to/client-cert.pem
# Client private key
export CLAUDE_CODE_CLIENT_KEY=/path/to/client-key.pem
# Optional: Passphrase for encrypted private key
export CLAUDE_CODE_CLIENT_KEY_PASSPHRASE="your-passphrase"Claude Code requires access to the following URLs. Allowlist these in your proxy configuration and firewall rules, especially in containerized or restricted network environments.
| URL | Required for |
|---|---|
api.anthropic.com |
Claude API requests |
claude.ai |
claude.ai account authentication |
platform.claude.com |
Anthropic Console account authentication |
downloads.claude.ai |
Plugin executable downloads; native installer and native auto-updater |
storage.googleapis.com |
{/* max-version: 2.1.115 */}Native installer and native auto-updater on versions prior to 2.1.116 |
bridge.claudeusercontent.com |
Claude in Chrome extension WebSocket bridge |
raw.githubusercontent.com |
Changelog feed for /release-notes and the release notes shown after updating; plugin marketplace install counts |
If you install Claude Code through npm or manage your own binary distribution, end users may not need access to downloads.claude.ai or storage.googleapis.com.
Claude Code also sends optional operational telemetry by default, which you can disable with environment variables. See Telemetry services for how to disable it before finalizing your allowlist.
When using Amazon Bedrock, Google Vertex AI, or Microsoft Foundry, model traffic and authentication go to your provider instead of api.anthropic.com, claude.ai, or platform.claude.com. The WebFetch tool still calls api.anthropic.com for its domain safety check unless you set skipWebFetchPreflight: true in settings.
Claude Code on the web and Code Review connect to your repositories from Anthropic-managed infrastructure. If your GitHub Enterprise Cloud organization restricts access by IP address, enable IP allow list inheritance for installed GitHub Apps. The Claude GitHub App registers its IP ranges, so enabling this setting allows access without manual configuration. To add the ranges to your allow list manually instead, or to configure other firewalls, see the Anthropic API IP addresses.
For self-hosted GitHub Enterprise Server instances behind a firewall, allowlist the same Anthropic API IP addresses so Anthropic infrastructure can reach your GHES host to clone repositories and post review comments.