Enhanced app permissions with Forge egress controls

Hello, Forge developers!

As we’ve touched on in the past, security and trust are significant aspects of why we build Forge. We continue to aim to create a transparent platform between Atlassian, Partners, and our customers. One important aspect of this is what we call “informed consent”. We want customers to be aware of what information they are sharing, and not only that, where that information can go.

The first step towards this goal was in the initial design of Forge where we made the decision for API requests to authenticate via OAuth instead of session auth. We wanted apps to have access to everything they needed, but nothing more. That way, our customers knew what an app was capable of.

Our next step on this journey is what we are announcing today, Egress controls.

Egress controls allow customers to see more about how an app interacts with the internet, or in other words, how their data can leave the Atlassian cloud.

We are now allowing developers to declare egress permissions in their app manifests and we will begin enforcing this by blocking all un-declared domains on 14 July 2020. We recommend that you declare your domains today, to prevent any issues come the day of enforcement. An example of this in an app manifest looks like the following:

permissions:
  external:
    fetch:
      client:
        - 'www.google-analytics.com'
      backend:
        - '*.ingest.sentry.io'

Read more in the reference docs.

If you have any questions or feedback, please leave a response in the thread. We’d love to hear from the community! 🙂

Cheers,
The Ecosystem Platform

8 Likes

We have one feature in our Forge app where we do external calls to user-provided URLs. The feature is basically collecting links from a user’s Confluence page and then doing HTTP HEAD requests to see if the linked page is still available.
Is it possible to just declare something like this with these settings? As far as I understand this section it would not be possible to wildcard every domain with a single entry.

2 Likes

Hi Thomas,

You are able to declare the following in the manifest configuration:

permissions:
  external:
    fetch:
      backend: 
        - "*"

We will update our documentation to include it.
Thanks for reporting it 🙂

6 Likes
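
A pre-enforcement check for the declarations discussed in this thread, as an added example that is not part of the original posts and not Atlassian's code: it reads the `permissions.external.fetch` lists from a manifest, reports calls whose host is not declared for that side, and flags blanket `*` entries for review. The pattern-matching rules, the function names and the sample calls are assumptions.

```javascript
// Manifest snippets copied from the two posts above.
const ANNOUNCED = `permissions:
  external:
    fetch:
      client:
        - 'www.google-analytics.com'
      backend:
        - '*.ingest.sentry.io'
`;
const WILDCARD = 'permissions:\n  external:\n    fetch:\n      backend:\n        - "*"\n';

// Reads only the permissions.external.fetch lists; not a general YAML parser.
function readFetchEgress(manifestText) {
  const egress = { client: [], backend: [] };
  let fetchIndent = -1, side = null;
  for (const raw of manifestText.split('\n')) {
    const text = raw.trim(), indent = raw.length - raw.trimStart().length;
    if (!text || text.startsWith('#')) continue;
    if (fetchIndent >= 0 && indent <= fetchIndent) { fetchIndent = -1; side = null; }
    if (fetchIndent < 0) { if (text === 'fetch:') fetchIndent = indent; continue; }
    const key = text.match(/^([\w-]+):$/);
    if (key) { side = ['client', 'backend'].includes(key[1]) ? key[1] : null; continue; }
    const item = text.match(/^-\s*['"]?([^'"\s]+)['"]?$/);
    if (item && side) egress[side].push(item[1]);
  }
  return egress;
}
// Assumed matching: '*' = any host, '*.x.io' = subdomains of x.io only, else exact hostname.
function hostAllowed(host, pattern) {
  const h = host.toLowerCase(), p = pattern.toLowerCase();
  if (p === '*') return true;
  if (p.startsWith('*.')) return h.length > p.length - 1 && h.endsWith(p.slice(1));
  return h === p;
}
// calls: [{ side, url }] gathered from the app's own code (hypothetical input shape).
function auditEgress(manifestText, calls) {
  const egress = readFetchEgress(manifestText);
  const ok = c => (egress[c.side] || []).some(p => hostAllowed(new URL(c.url).hostname, p));
  const undeclared = calls.filter(c => !ok(c)).map(c => c.url);
  const blanket = Object.keys(egress).filter(side => egress[side].includes('*'));
  return { undeclared, blanket };
}
// Constructed sample calls; the example.com host is a placeholder.
const CALLS = [
  { side: 'client', url: 'https://www.google-analytics.com/collect' },
  { side: 'backend', url: 'https://o1.ingest.sentry.io/api/1/store/' },
  { side: 'backend', url: 'https://api.example.com/v1/status' },
];
console.log(auditEgress(ANNOUNCED, CALLS), auditEgress(WILDCARD, CALLS));
```

Under these assumptions the announced manifest leaves the `api.example.com` backend call undeclared, while the `"*"` manifest covers every backend call but is reported as a blanket entry and declares nothing for the client side.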
