Control Network Access to Gemini Code Assist with User Domain Restrictions
This document provides instructions for network administrators to configure
their networks to restrict access to Gemini Code Assist based on
user domains. This feature allows organizations to control which users within
their network can utilize Gemini Code Assist, enhancing security
and preventing unauthorized access.
Overview
You can configure Gemini Code Assist to enforce user domain
restrictions using a Person-in-the-Middle (PITM) proxy approach. This involves
injecting a custom HTTP header, X-GeminiCodeAssist-Allowed-Domains, into
requests made to Gemini Code Assist. The header specifies a list of allowed
domains, and the Gemini Code Assist backend only processes
requests from users whose authenticated domain matches one of the allowed
domains.
Configure a proxy in your IDE
To configure a proxy in your IDE, follow these steps:
VS Code
1. Navigate to File > Settings (for Windows), or Code > Settings > Settings
   (for macOS).
2. In the User tab, navigate to Application > Proxy.
3. In the box under Proxy, enter the address of your proxy server. For
   example, http://localhost:3128.
4. Optional: To configure Gemini Code Assist to ignore
   certificate errors, under Proxy Strict SSL, select or deselect the
   checkbox. This setting applies to all profiles.
IntelliJ
1. Navigate to File > Settings (for Windows) or IntelliJ IDEA > Settings
   (for macOS).
2. Navigate to Appearance & Behavior > System Settings > HTTP Proxy.
3. Select Manual proxy configuration, and then select HTTP.
4. In the Host name field, enter the hostname of your proxy server.
5. In the Port number field, enter the port number of your proxy server.
6. Optional: To configure Gemini Code Assist to ignore
   certificate errors, in the sidebar, click Tools > Server
   Certificates and then select or deselect Accept non-trusted certificates
   automatically.
Configure PITM proxy
To configure your PITM proxy, follow these steps:
1. Make sure your network utilizes a PITM proxy capable of intercepting and
   modifying HTTPS traffic.
2. Configure the proxy to intercept all outgoing requests to the
   Gemini Code Assist endpoint (https://cloudcode-pa.googleapis.com). Don't
   use wildcards (*) when you specify the Gemini Code Assist endpoint.
3. Configure the proxy to inject the X-GeminiCodeAssist-Allowed-Domains
   header into each request. The header should contain a comma-separated list
   of allowed domains (e.g., example.com, yourcompany.net).
   Make sure that domain names are separated by commas and
   don't include the @ symbol.
   If headers aren't resolved into at least one valid domain, restrictions
   won't apply. For example, an empty header won't apply any restrictions.
   Likewise, the value "domain" won't apply any restrictions, as it isn't a
   valid domain name.
When a user tries to access Gemini Code Assist from a domain not
included in the header list, they see a message telling them that they're
restricted from using Gemini Code Assist on their domain by their
administrator.
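One way to implement steps 2 and 3 of the PITM proxy configuration is a mitmproxy addon, shown here as an added example that is not part of the original page or Google's own code. The sample domain list, the class and function names, and the domain-shape regex are assumptions: the page does not publish the backend's exact validation rules, so the check is deliberately conservative and refuses to load a list that would leave the restriction unenforced.

```python
# Added example: mitmproxy addon, loaded with `mitmdump -s <this file>`.
# ALLOWED_DOMAINS is a constructed sample; the regex is an assumed,
# conservative stand-in for the backend's unpublished validation rules.
import re

ENDPOINT_HOST = "cloudcode-pa.googleapis.com"  # exact host from the page, no wildcard
HEADER = "X-GeminiCodeAssist-Allowed-Domains"
ALLOWED_DOMAINS = "example.com, yourcompany.net"  # constructed sample value

# Two or more dot-separated letter/digit/hyphen labels ending in an alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def build_header_value(raw):
    """Normalize a comma-separated domain list, or raise ValueError.

    Fails closed: per the page, a value that does not resolve to at least
    one valid domain means no restriction is applied at all.
    """
    entries = [d.strip().lower() for d in raw.split(",") if d.strip()]
    if not entries:
        raise ValueError("empty allow-list would disable the restriction")
    bad = [d for d in entries if "@" in d or not _DOMAIN_RE.match(d)]
    if bad:
        raise ValueError("invalid domain entries: " + ", ".join(bad))
    return ",".join(dict.fromkeys(entries))  # de-duplicate, keep order


def should_inject(host):
    """Exact, case-insensitive match on the endpoint host only."""
    return host.lower().rstrip(".") == ENDPOINT_HOST


class InjectAllowedDomains:
    def __init__(self, raw=ALLOWED_DOMAINS):
        # Validate once at load time so a bad list is caught before traffic flows.
        self.value = build_header_value(raw)

    def request(self, flow):
        # mitmproxy calls this hook for every decrypted client request.
        if should_inject(flow.request.pretty_host):
            # Item assignment replaces any value the client sent itself.
            flow.request.headers[HEADER] = self.value


addons = [InjectAllowedDomains()]
```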
SSL/TLS interception
If your proxy needs to decrypt HTTPS traffic to inject the header, make sure
it's configured for SSL/TLS interception. This typically involves:
- Generating a certificate for the proxy.
- Installing the proxy's certificate on user devices to establish trust and
  avoid certificate errors.
Header validation
- Gemini Code Assist automatically validates the
  X-GeminiCodeAssist-Allowed-Domains header and enforces the restrictions.
- If the header doesn't resolve to at least one valid domain, the validation
  won't be performed.
- If the domain associated with the user's authentication isn't in the allowed
  list, the request is rejected. For example, if the user logs in with a Gmail
  account and only example.com is on the allowed list, the request is rejected.
What's next
To learn more about blocking access to consumer accounts, see
Block access to consumer accounts (https://support.google.com/a/answer/1668854).
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-25 UTC.