
Network requirements for IT teams

Last updated 2026-06-30. If your network filters traffic through a corporate proxy or firewall (Netskope, Zscaler, Palo Alto, Cisco Umbrella, and the like), this page lists exactly what Owlka needs to work. Everything is on port 443. There is a copy-paste block at the bottom you can send straight to whoever runs your network.

What to allow-list

Allow these three domains outbound on TCP port 443. Owlka makes no other outbound connections of its own. The only special requirement is that relay.owlka.com be allowed to open and hold a WebSocket connection.

relay.owlka.com · HTTPS, then WebSocket (wss) · port 443
The live connection between the Mac app and the iPhone app. The desktop and phone each hold an outbound WebSocket open to the relay so messages flow in real time. This is the one endpoint that must allow WebSocket upgrades.
download.owlka.com · HTTPS · port 443
The signed Mac app download and its updates. Only needs to be reachable when someone installs or updates Owlka.
api.owlka.com · HTTPS · port 443
Account and pairing support requests from the apps. Standard request/response HTTPS, no WebSocket.

Protocols in use: HTTPS and WebSocket (wss), both on port 443. No other ports, and no UDP.

TLS inspection can stay on

Owlka works behind TLS-inspecting (man-in-the-middle) proxies. The message content that travels between the Mac app and the iPhone app is end-to-end encrypted at the application layer, on top of the transport TLS your proxy terminates. So a proxy can decrypt and inspect the transport TLS as usual, but it still cannot read the message content inside. You do not need to add an inspection bypass for Owlka. The domains simply need to be reachable, and the WebSocket upgrade on relay.owlka.com needs to be allowed rather than stripped.
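
One way to confirm from inside the network that a proxy passes the WebSocket upgrade rather than stripping it, as an added example that is not Owlka's own code: it sends an RFC 6455 handshake and classifies the reply. The function names, the sample responses and the `path` argument are assumptions; this page does not give the relay's WebSocket path.

```python
import base64, hashlib, os, socket, ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455
# Constructed sample responses (not captured from Owlka's relay).
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # example key from RFC 6455
SAMPLE_OK = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
             b"Connection: Upgrade\r\n"
             b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SAMPLE_STRIPPED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

def accept_for(key: str) -> str:
    """Sec-WebSocket-Accept value a real WebSocket server returns for key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def classify(raw: bytes, key: str) -> str:
    """Classify the HTTP reply to an upgrade request that was sent with key."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "not-http"
    hdrs = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            hdrs[name.strip().lower()] = value.strip()
    if parts[1] != "101":  # upgrade refused, or answered as plain HTTP
        return "no-upgrade (status %s)" % parts[1]
    upgraded = hdrs.get("upgrade", "").lower() == "websocket"
    kept = "upgrade" in hdrs.get("connection", "").lower()
    if not (upgraded and kept):  # a middlebox removed the hop-by-hop headers
        return "upgrade-headers-stripped"
    if hdrs.get("sec-websocket-accept") != accept_for(key):
        return "bad-accept"  # reply was not computed from our key
    return "ok"

def probe(host: str, path: str, timeout: float = 10.0) -> str:
    """Live check over TLS on port 443; path is an assumption, see lead-in."""
    key = base64.b64encode(os.urandom(16)).decode()
    req = ("GET %s HTTP/1.1\r\nHost: %s\r\nUpgrade: websocket\r\n"
           "Connection: Upgrade\r\nSec-WebSocket-Key: %s\r\n"
           "Sec-WebSocket-Version: 13\r\n\r\n" % (path, host, key))
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(req.encode())
            return classify(tls.recv(4096), key)
```

A non-101 result from `probe` can also mean the assumed path is wrong, so compare against a run from an unfiltered network. `probe` connects directly and does not go through an explicit HTTP CONNECT proxy.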

Why this is safe

Owlka’s relay is a blind router. Messages are sealed on the sending device and only opened on the paired device that holds the key, so the relay, your proxy, and Owlka itself all move the same opaque bytes and none of them can read the conversation. Allowing these domains exposes no message content to anyone in the middle. For the full cryptographic detail, see the security page.

Send this to your IT team

Copy the block below and send it to whoever manages your proxy or firewall. It has everything they need.

Please allow the following domains through our proxy/firewall so I can use Owlka:

  relay.owlka.com      TCP 443   HTTPS + WebSocket (wss) — the live connection, must allow WebSocket upgrades
  download.owlka.com   TCP 443   HTTPS — the signed Mac app download and updates
  api.owlka.com        TCP 443   HTTPS — account and pairing requests

All traffic is on port 443 over HTTPS/WebSocket. TLS inspection can stay enabled:
Owlka's message content is end-to-end encrypted at the application layer, so the
proxy can terminate transport TLS but cannot read message content. The domains
just need to be reachable, with WebSocket allowed on relay.owlka.com.