Hosts, IP ranges, and TLS inspection notes for enterprise firewall or egress proxy allowlists.

The values below are what an enterprise firewall or egress proxy typically needs to allow so your users can reach LeaseWizard, complete SSO, and exchange tokens. All traffic is over HTTPS (TCP/443).

Hosts your users' browsers need to reach

Host	Purpose	Owner
`app.leasewizard.ai`	Main web application	LeaseWizard
`auth.leasewizard.ai`	Authentication host (OAuth/OIDC redirect target, token exchange, callbacks)	LeaseWizard
`leasewizard.ai`, `www.leasewizard.ai`	Landing page (optional)	LeaseWizard
`login.microsoftonline.com`	Microsoft Entra ID authorization + token endpoints	Microsoft
`challenges.cloudflare.com`	Cloudflare Turnstile bot verification on public forms (e.g. login)	Cloudflare

Hosts your users' browsers need to reach for in-app features

Host	Purpose
Cloudflare R2 presigned URLs — scheme: `https://<bucket>.r2.cloudflarestorage.com/…`	Direct browser PUT (upload) and GET (download) of lease PDFs via pre-signed URLs. Required if users upload or download lease files from the browser.

IP ranges

If your security policy requires IP-based allowlisting rather than host-based, please contact security@leasewizard.ai

Proxy / TLS inspection notes

The OIDC flow uses standard TLS; any TLS-inspecting proxy must leave auth.leasewizard.ai and login.microsoftonline.com untouched or present a certificate trusted by modern browsers.
The OAuth state and nonce parameters, and the LeaseWizard bridge state, are validated end-to-end. Any proxy that rewrites query strings will break login.

Network & firewall whitelisting

Hosts your users' browsers need to reach

Hosts your users' browsers need to reach for in-app features

IP ranges

Proxy / TLS inspection notes

On this page