Network allowlist for IT administrators
Nani Translate uses standard HTTPS for the web app and desktop app. If a corporate network or security product blocks Nani, allow only the traffic below instead of disabling security controls.
Network requirements
- Allow outbound HTTPS over TCP 443.
- Nani does not require dedicated inbound ports, static IP allowlisting, or VPN tunnels.
- If HTTP/3 (QUIC) causes issues with your proxy or filtering product, make sure HTTPS over TCP 443 is allowed.
Nani-managed domains
All domains below are operated by Nani. The core features of Nani work with these four domains alone, so start by allowlisting them. The underlying IP addresses are not static, so allow traffic by domain rather than by IP address.
| Endpoint | Purpose | When needed |
|---|---|---|
https://nani.now |
Web app, signed-in usage, main API, translation and proofreading API, public pages | Normal web and desktop app usage |
https://nani.kiok.jp |
Alternate API domain and connectivity checks | Desktop app API communication |
https://nani-desktop.kiok.jp |
Official macOS app downloads, auto-update checks, and update file delivery | macOS installation and update checks after launch |
https://translatorassets.kiok.jp |
Static assets such as images, videos, and icons | Rendering web pages and app UI |
Third-party domains for specific actions
The domains below belong to external services outside Nani's control and are contacted only for specific actions such as sign-in and payment. If you do not use these features, allowing them is not required. Most corporate networks already allow these domains.
| Endpoint | Purpose | When needed |
|---|---|---|
https://accounts.google.com |
Google OAuth sign-in | When signing in with a Google account |
https://appleid.apple.com |
Apple OAuth sign-in | When signing in with an Apple account |
https://checkout.stripe.com |
Stripe Checkout | When purchasing a paid plan |
https://billing.stripe.com |
Stripe Billing Portal | When managing billing and subscriptions |
Desktop app distribution
Nani for macOS is distributed from the official download URL, signed with a Developer ID certificate and notarized by Apple.
| Item | Purpose | When needed |
|---|---|---|
Nani |
Product name | App identification |
jp.kiok.nani |
macOS Bundle ID | Identification in MDM, EDR, and allow policies |
https://nani-desktop.kiok.jp/artifacts/nani-mac-latest.dmg |
Official download URL | Initial macOS installation |
https://nani-desktop.kiok.jp/artifacts/latest-mac.yml |
Update metadata | Auto-update checks |
Auto-update downloads versioned update files listed in latest-mac.yml from the same artifacts/ path. If you allowlist by URL, allow everything under https://nani-desktop.kiok.jp/artifacts/ instead of individual URLs.
Notes for proxy, VPN, and TLS inspection environments
If requests are blocked, modified, or time out on a corporate network, Nani may show errors like the following.
Failed to fetchERR_NETWORK_CHANGEDERR_CONNECTION_REFUSEDERR_QUIC_PROTOCOL_ERROR
If these errors occur, check whether URL filtering, SSL/TLS inspection, proxy, VPN, or EDR policies are blocking Nani-managed domains.
Information to include when contacting support
You can check whether Nani itself is having an outage on the status page. If no outage is reported, include the following information when possible to help isolate the cause.
- Environment: web app or Mac app
- Nani app version and OS version
- Network: company VPN, office network, home network, or tethering
- Name of any VPN, proxy, EDR, antivirus, or URL filtering product in use
- Time of occurrence and time zone
- Error message shown on screen and logs if available
- Whether your IT team can allowlist the Nani-managed domains