Clarification questions for Forge / Runs on Atlassian included egress permissions

Hi,

These are mainly questions for @AngelinaIgnatova and/or team regarding egress permissions for Forge apps in general actually, but specifically referring to the changes made during the introduction phase of Runs on Atlassian. The documentation section in question is here: https://developer.atlassian.com/platform/forge/runs-on-atlassian/#removal-of-egress

Q1 Host product

Custom UI apps now allow-list the host product

This specifically lists *.atlassian.net, but some older cloud instances are apparently still hosted under *.jira.com and *.jira-dev.com (based on the recommended allowlist from ACE).

Are these not relevant or should the list be expanded or are the docs wrong?

Q2 api.atlassian.com

We briefly talked during AtlasCamp about egress to api.atlassian.com. There are many APIs Atlassian offers such as the Cloud Admin API, or some Jira and Confluence APIs that only work with an API token, that could be called if you were to allow api.atlassian.com for fetch egress traffic.

I would argue that that host is Atlassian’s and should be on the allowlist for Runs on Atlassian. In Brussels you said this was already allowed, but it’s not on that referenced list and I am wondering if this was a misunderstanding (api.media.atlassian.com? no hard feelings if this is the case, it was loud and hectic :smiley: ) or a docs issue as well.

Thanks in advance!
Cheers,
Tobi from resolution

(Public post since this might be interesting for others as well or I might have tagged the wrong person and it might need to be redirected)

Or maybe @kwhite can help? :innocent:

Hey @tobitheo - working on putting together an answer for you :slight_smile:

Hey @tobitheo, was nice to talk to you at Atlas Camp again!

Note that we are looking into allow-listing *.jira.com and *.jira-dev.com. In the meantime I have created a FRGE ticket to track the request.

As for api.atlassian.com, I meant to say that api.media.atlassian.com is allow-listed, apologies for the confusion. Note that we are unable to allow-list api.atlassian.com, because it would break the tenant isolation guarantees.

Hope this helps.

Cheers,

Angelina

@AngelinaIgnatova Appreciate the answers, thank you!