Calling external API from forge app - CORS issue and is that "from URL" changing?

Hi guys,
I’m new at Forge apps and I’m creating this app that will call an endpoint to retrieve data.
I’m facing a CORS issue but I’m not sure what is the right URL to add in my server whitelist.
When I check the logs with the CORS issue I can see the following from URL https://[uuid]

So, I have a few questions:

  1. What is this uuid? Is that changing? It will be a different value for every confluence instance that has the app installed?
  2. Is there a best practice to deal with those CORS issues? For example, should I do the request from the frontend resource or from the backend with the fetch from @forge/api?

I would like to avoid using wildcard for the uuid like that *, I wonder if there is another way to do it.



The following addresses IP addresses and domains for allow listing like CORS:

Outgoing connections from forge apps dont come from those IP addresses, I have whitelisted everything there and still gets blocked.

Sorry to say this, but I’m not sure this is a sufficient answer.

If you were to allow CORS for e.g. * as in the original suggestion that means you’re opening your gates to every single app hosted at the Atlassian Forge, with no more granular control available. I don’t know if Atlassian reviews those (I’d assume not, because… well… scale) but if they aren’t reviewed then introducing malicious code is as easy as uploading an app to the forge.

Would it be possible to elaborate a bit on what Atlassian’s suggestion is here for their customers willing to implement CORS on their sites?

Addendum: I am aware that the linked article does not mention that specific entry; that’s because everything listed in your support page is even more permissive.

Welcome to the Atlassian developer community @GhostLyrics,

My post is the only resource I know where Atlassian addresses CORS. That said, I see from your response and that of @IanWorthington and @JoaoVS that something is missing when it comes to Forge. To get more published information (and/or a Forge feature), I’ll have to file a FRGE issue but I’m not entirely clear on how your Forge apps are interacting with CORS. Can you give me a little more information about the kinds of APIs you are trying to call from your Forge app? And if you had an ideal solution, what would that look like?

Hi Ian, I am trying to host a secure webservice endpoint that has IP whitelisting restrictions so that only my forge app can access it. This is a far more secure model than allowing any IP on the internet to access my endpoint.

To do this I would need to know what the IP address(es) of my forge app is coming from. I have tested and the list in that article does not seem to be accurate. So, whilst this is not strictly a CORS issue, my comment was relating to the outgoing IPs of forge apps being unknown and therefore not being able to IP block my webservice.

Hope that makes sense.

1 Like

CORS is one of the main blockers for us migrating a Connect app to Forge.

See here for details: