IP allowlisting

Static egress IP addresses for ElevenLabs services.

Overview

If your infrastructure requires IP-based access controls, you can add ElevenLabs’ static egress IP addresses to your firewall allowlist. All outbound requests from ElevenLabs services—including webhooks, WebSocket connections, and MCP server requests—originate from these addresses.

Static egress IPs

The following IP addresses are used for all ElevenLabs services:

RegionIP Address
US (Default)34.67.146.145
US (Default)34.59.11.47
EU35.204.38.71
EU34.147.113.54
Asia35.185.187.110
Asia35.247.157.189

Data residency IPs

If you are using a data residency region, outbound requests use the following IPs:

RegionIP Address
EU Residency34.77.234.246
EU Residency34.140.184.144
India Residency34.93.26.174
India Residency34.93.252.69
Singapore Residency34.87.23.17
Singapore Residency34.126.179.103

These static IPs are used across all ElevenLabs services and will remain consistent. If ElevenLabs adds new IPs, we will communicate changes in advance through the changelog.

When to use IP allowlisting

IP allowlisting is useful when:

  • Your webhook endpoints are behind a firewall that restricts inbound traffic
  • Your Speech Engine server only accepts connections from known sources
  • Your MCP server integration requires IP-based access controls
  • Your SIP trunk provider requires IP allowlisting for authentication

Services that use these IPs

The static egress IPs apply to all outbound requests from ElevenLabs, including:

  • Post-call webhooks: Notifications sent after ElevenAgents calls complete. See post-call webhooks.
  • Speech Engine: WebSocket connections from ElevenLabs to your server. See Speech Engine.
  • MCP server requests: Requests to your Model Context Protocol servers. See MCP security.
  • Webhook tools: Outbound calls from agent webhook tools.

Security recommendations

Combine IP allowlisting with other authentication mechanisms for defense in depth.

For webhook endpoints, use IP allowlisting together with HMAC signature validation to verify that requests originate from ElevenLabs.

For Speech Engine servers, IP allowlisting can replace or supplement JWT verification. If your server sits behind infrastructure that restricts traffic to ElevenLabs’ egress IPs, you can disable JWT verification by setting disableAuth: true (TypeScript) or disable_auth=True (Python). See the JavaScript SDK reference or Python SDK reference for details.

Only disable authentication if you have IP allowlisting or equivalent network-level restrictions in place. Without one, anyone on the internet can open a session and consume your resources.

API key IP restrictions

You can also restrict your ElevenLabs API keys to only work from specific IP addresses. This is a separate feature from egress IP allowlisting and controls which IPs can make requests to the ElevenLabs API.

See API key IP allowlisting for details.