Network & Security
IP allowlisting & network configuration
This is the most common technical question during ERP integration setup. The short answer: you probably don't need to allowlist any IPs — here's why, and what to do if you do.
No static egress IPs by default
ERPOps runs on Supabase Edge Functions — a globally distributed serverless runtime. Outbound calls from ERPOps do not originate from a single stable IP address or publishable CIDR range. If your ERP's firewall requires an IP allowlist for inbound connections, you have three options below: use a webhook push pattern (no IP needed), use credential-based trust (no IP needed), or request Enterprise static-IP egress routing.
Your four options
Tenant-initiated outbound — HMAC webhook
Your ERP or middleware pushes signed events outbound to ERPOps at https://api.erpops.ai/functions/v1/receive-event. ERPOps never initiates a TCP connection into your network. No IP allowlisting is needed on your perimeter firewall.
How it works
Trust is established via HMAC-SHA256 signature on each request. ERPOps generates a unique secret per connector. Your ERP includes X-ERPOps-Signature: sha256=<hash> and X-ERPOps-Connector-Id on every POST. See the API Reference for the full signature spec.
Suitable for: Most cloud and on-premises ERPs with outbound HTTP capability — PeopleSoft Integration Broker, Workday Studio, MuleSoft, Akana, Dell Boomi, Informatica IICS.
Credential / certificate-based trust
ERPOps polls your ERP's API using OAuth 2.0 client credentials, API keys, or mutual TLS (mTLS) certificates. Your firewall validates ERPOps by credential identity, not by IP address.
How it works
Provision an OAuth client or integration user in your ERP with read-only API access. Enter credentials in the ERPOps connector setup — they are encrypted at rest using AES-256 and never logged in plaintext. mTLS certificates are stored in Supabase Vault.
Suitable for: Workday REST API, Oracle HCM Cloud, SAP SuccessFactors OData, NetSuite SuiteQL, Microsoft Dynamics 365, ADP API, UKG Pro REST.
Static-IP egress proxy
ERPOps routes outbound API polling calls through a dedicated static-IP egress proxy (QuotaGuard SOCKS5 or customer-supplied proxy). This gives your firewall team a fixed IP CIDR range to allowlist.
How it works
Important: Supabase Edge Functions — which power ERPOps's backend — run on a globally distributed serverless runtime with no fixed egress IPs. Without a proxy layer, there is no stable IP to allowlist. Enterprise tenants can request static-IP egress configuration, which routes polling traffic through a pair of dedicated static IPs via a SOCKS5 proxy. Contact sales@erpops.ai to enable this.
Suitable for: On-premises PeopleSoft with perimeter firewall, federal agency networks with strict egress controls, Oracle EBS behind a DMZ.
Self-hosted relay agent
A lightweight agent runs inside your network and initiates all connections outbound to ERPOps — eliminating the IP allowlisting problem entirely. The agent handles credential management, local buffering, and TLS termination.
How it works
On the roadmap for air-gapped federal environments and organizations where no outbound API access from ERPOps is acceptable. Contact sales@erpops.ai to register interest and influence prioritization.
Suitable for: Air-gapped networks, classified environments, organizations with zero inbound-to-ERP traffic policies.
Hostnames and ports to allowlist
For Pattern A (webhook push), your ERP needs outbound access to these hosts on port 443:
| Hostname | Purpose | Port |
|---|---|---|
| api.erpops.ai | Webhook inbound endpoint — tenants POST events here | 443 (HTTPS) |
| app.erpops.ai | Admin application | 443 (HTTPS) |
| *.supabase.co | Backend infrastructure (auth, database, Edge Functions) | 443 (HTTPS) |
All connections use TLS 1.2 or higher. Self-signed certificates are not accepted on any ERPOps endpoint.
Data residency
- ERPOps's Supabase project is hosted in the US East region by default.
- Enterprise customers may request EU-region hosting. Contact sales@erpops.ai.
- Integration metadata (connector health scores, error codes, job timings) is stored in ERPOps's database. Employee PII is never ingested — see the HR & Data Protection page.
- Connector credentials are stored in Supabase Vault (encrypted at rest, AES-256). They are decrypted only inside Edge Functions during polling calls and are never logged.
Questions about your specific network topology? sales@erpops.ai — or contact our team.