For school IT, network, and email-filter teams
VESPA Academy — Network & Email Allowlist
Allow outbound HTTPS (TCP 443) and WSS to the domains below. Exclude them from SSL inspection where possible. Student activity issues are usually caused by blocking Skiv, slides.com, or CDN hosts — not the main app.
← Full IT setup guide (SSO, policies) · Extended setup guide · Technical admin portal
1. Core platform Required
| Domain | Purpose |
|---|---|
*.vespa.academy | App, marketing site, activity assets, PDFs, slide decks (app.vespa.academy, vespa.academy, notifications.vespa.academy) |
app.vespa.academy | Staff and student portal (if wildcards not supported) |
vespa.academy | Documentation, IT guides, hosted activity resources under /assets/ |
qcdcdzfanrlvdcagmwmg.supabase.co | Database, authentication, API, realtime WebSockets |
*.supabase.co | Alternative if your filter supports Supabase wildcards |
2. Videos — Skiv Required
All VESPA coaching videos are hosted on Skiv (not YouTube). This must be allowed for students to watch activity and portal videos.
| Domain | Purpose |
|---|---|
skiv.com | Video player embeds and views (/embed/, /vc/, /vd/, /vt/) |
*.skiv.com | Use if your filter supports subdomain wildcards |
3. Student activities — slides & documents Required for activities
| Domain | Purpose |
|---|---|
cdn.jsdelivr.net | JavaScript libraries (Reveal.js and activity dependencies) |
cdnjs.cloudflare.com | Additional CDN libraries |
slides.com | Embedded activity slide presentations |
fonts.googleapis.com | Web fonts in portal UI |
fonts.gstatic.com | Font file delivery |
Activity PDFs and handbook HTML are served from vespa.academy (covered above).
4. Single sign-on
| Domain | Purpose |
|---|---|
login.microsoftonline.com | Microsoft 365 sign-in (most UK schools) |
graph.microsoft.com | Microsoft 365 directory sync (technical admin only) |
accounts.google.com | Google sign-in (if used) |
oauth2.googleapis.com | Google OAuth (if used) |
*.googleapis.com | Google APIs / SSO (if using Google) |
5. Legacy / optional
Allow these if older activities still reference them. New content uses Skiv instead of YouTube.
| Domain | Purpose |
|---|---|
www.youtube.com | Legacy activity video embeds |
www.youtube-nocookie.com | Privacy-enhanced YouTube embeds |
img.youtube.com | YouTube thumbnails |
muse.ai | Legacy video embeds in some older slide HTML |
docs.google.com | Google Slides embeds (if any activities use them) |
*.googleusercontent.com | Google Slides embedded assets |
6. Email safelisting
| What to safelist | Details |
|---|---|
noreply@notifications.vespa.academy | Password resets, welcome emails, questionnaire notifications |
@vespa.academy | All VESPA Academy mail (support, admin) |
@notifications.vespa.academy | Notification subdomain |
*.vespa.academy | Wildcard domain safelist (if supported) |
7. Network notes
- Ports: HTTPS TCP 443 only. Secure WebSockets (WSS) over 443 for Supabase realtime.
- SSL inspection: Excluding the domains above from HTTPS inspection often fixes on-site access issues.
- CORS: Permit OPTIONS as well as GET and POST for API hosts.
- No desktop install: VESPA is entirely browser-based.
8. Troubleshooting
- Portal works, activities blocked: Usually
skiv.com,slides.com, or CDN domains — check Securely / web filter logs. - Works off-site, not on-site: Blocked hostname, SSL inspection, or filtered API traffic.
- Password emails missing: Check quarantine and safelist section 6.
- Share blocked URLs with support@vespa.academy — we can identify the hostname quickly.