403 - Blocked Egress after updating manifest.yml

Hi, my previously working Forge app fails after I made an update to the manifest.yml. I first made some unrelated changes to the manifest, which first threw this error, but then I reversed these changes, and now the deployed and tunneled app fails at an API request that should not even be egress in my opinion. All the necessary scopes for this are applied, especially the - readonly:content.attachment:confluence
This is the API call in question:

const response_test = await api.asUser().requestConfluence(route`/wiki/rest/api/content/${contentId}/child/attachment/`, {
  headers: {
    'Accept': 'application/json'
  }
})

When executing this call, the tunnel logs the following:

ERROR   16:12:02.925  97aa8f4b-57ef-4062-ab69-417438c1c684  PROXY_ERR: Forge platform failed to process runtime HTTP request - 403 - BLOCKED_EGRESS
    at handleProxyResponseErrors (/tmp/tunnel-7460-yjwSbXHtsquR/bundled/index.js:124:15)
    at /tmp/tunnel-7460-yjwSbXHtsquR/bundled/index.js:112:9
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /tmp/tunnel-7460-yjwSbXHtsquR/bundled/index.js:10162:20
    at async Object.resolve [as handler] (/tmp/tunnel-7460-yjwSbXHtsquR/bundled/index.js:2877:28)
    at async /tmp/tunnel-7460-yjwSbXHtsquR/index.js:1:192362
    at async process.<anonymous> (.nvm/versions/node/v20.8.0/lib/node_modules/@forge/cli/node_modules/@forge/node-runtime/out/sandbox/sandbox-runner.js:8:20) {
  status: 403,
  errorCode: 'BLOCKED_EGRESS'
}

I have previously had that error, and it resolved itself miraculously after some time, but I need to understand why this happens as it severely limits my work. Any help is appreciated!

I see that you’re using the native Node.js runtime for this app. Have you updated @forge/api to the latest version?

Yes, I updated using npm install -g @forge/api@latest, that should suffice, right?

Sorry, that’s not the right command. (It installs @forge/api globally on your machine, which is harmless but not necessary.)

You need to update the version used in your Forge app:

  • npm install @forge/api@latest if using NPM
  • yarn upgrade @forge/api@latest if using Yarn

Then check that the version you have for it in package.json matches the current version on NPM.

Did that, still no change :/
"@forge/api": "^2.20.0",

That’s the correct version. Could you please check that:

  • It’s actually installed (cat node_modules/@forge/api/package.json)
  • You have restarted your tunnel

If the error still persists, can you please DM me your app ID so I can take a look?

I’m having the same issue, please let me know if you find a solution. Other API calls are working for me - creating issues, getting Issue Transitions, Transitioning Issues, Getting Server Info, getting Attachment Thumbnails, but attempting to get Attachment Content returns 403 BLOCKED_EGRESS.

The code:

export async function getAttachment(attachmentId) {
  console.log('getting attachment')
  const response = await api
    .asApp()
    .requestJira(route`/rest/api/3/attachment/content/${attachmentId}`, {
      headers: {
        Accept: 'application/json',
      },
    })

  console.log(`Response: ${response.status} ${response.statusText}`)
  return await response.json()
}

My manifest.yml Permissions (note: I added read:attachment:jira as part of troubleshooting, but I don’t think it’s needed?):

permissions:
  scopes:
    - read:jira-work
    - read:attachment:jira
    - write:jira-work
    - storage:app

I have verified that the latest version of @forge/api is installed as well.

Sorry, I’ve missed one more limitation of the Node runtime that’s likely causing this: the egress rules for redirects.

Requests for Confluence attachments redirect to https://api.media.atlassian.com/..., and for now you’ll have to add that domain to your app’s egress permissions.

4 Likes
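
The egress permission described in the reply above, as an added example that is not part of the original thread: a manifest.yml fragment that keeps the scope from the original question and allows backend fetches to the media host the attachment request redirects to. The exact set of scopes is an assumption; keep the ones your app already declares.

```yaml
# manifest.yml (fragment) - added example, not code from the thread
permissions:
  scopes:
    # Scope named in the original question; keep whatever scopes the app already declares.
    - readonly:content.attachment:confluence
  external:
    fetch:
      backend:
        # Host the attachment request redirects to, per the reply above.
        # List the exact host rather than a wildcard so backend egress stays as narrow as possible.
        - 'api.media.atlassian.com'
```

After changing permissions in the manifest, redeploy with forge deploy, upgrade the installation with forge install --upgrade, and restart the tunnel so the new egress rule is picked up.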

Hey,
I seem to get the same error, but when I’m using storage.get(). Is there a domain I should include in my manifest.yml to be able to use it in the native Node environment?

Cheers, Mark

I’ve created this so it can be tracked separately from this topic.

1 Like